Jump to content

Google Redirect - Cannot Remove Trojan.Tracur


Recommended Posts

Hi,

I am running Windows XP on a 5 year old computer. My laptop recently became infected with a Trojan.Tracur virus that I cannot remove no matter how many anti-spyware/virus scan programs I run. Every time I run Malwarebytes the Trojan has returned.

Please find my Malwarebytes and DDS logs below. My GMER log is attached. Thank you.

****************************************

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7268

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

7/24/2011 8:40:30 PM

mbam-log-2011-07-24 (20-40-30).txt

Scan type: Quick scan

Objects scanned: 153861

Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

c:\WINDOWS\system32\avtapi32.exe (Trojan.Tracur) -> 3600 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MESSENGER32 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\avtapi32.exe (Trojan.Tracur) -> Quarantined and deleted successfully.

****************************************************

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16

Run by C Level at 20:40:43 on 2011-07-24

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.922 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

svchost.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nlsdl32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = local;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Dictionary.com: {11359f4a-b191-42d7-905a-594f8cf0387b} - c:\windows\downloaded program files\lexbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: WikiSearch: {44e7ef6c-6f5c-4aaf-a080-7725a27878ed} - c:\progra~1\wikise~1\WIKIPE~1.DLL

TB: Dictionary.com: {11359f4a-b191-42d7-905a-594f8cf0387b} - c:\windows\downloaded program files\lexbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Find on Wikipedia... - c:\progra~1\wikise~1\cm.html

IE: Search &Dictionary - c:\program files\lexico\toolbar\dictionary.htm

IE: Search &Thesaurus - c:\program files\lexico\toolbar\thesaurus.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.17/uploader2.cab

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/24.11/uploader2.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150982717197

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553530800} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - hxxp://dictionary.reference.com/tools/toolbar/lexico.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{F640BDAB-ABC9-4E97-96BD-7517A1C2BFE0} : DhcpNameServer = 192.168.1.1

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\c level\application data\mozilla\firefox\profiles\dqpzpm5z.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=

FF - prefs.js: network.proxy.ftp - 64.66.192.61

FF - prefs.js: network.proxy.ftp_port - 80

FF - prefs.js: network.proxy.gopher - 64.66.192.61

FF - prefs.js: network.proxy.gopher_port - 80

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 61152

FF - prefs.js: network.proxy.socks - 64.66.192.61

FF - prefs.js: network.proxy.socks_port - 80

FF - prefs.js: network.proxy.ssl - 64.66.192.61

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

.

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=

.

============= SERVICES / DRIVERS ===============

.

R0 18109242;18109242;c:\windows\system32\drivers\18109242.sys [2011-7-10 133208]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 Messenger32;Messenger ;c:\windows\system32\nlsdl32.exe [2011-7-24 571904]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]

S3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\drivers\gttap1.sys --> c:\windows\system32\drivers\gttap1.sys [?]

S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-10-4 7680]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-25 41272]

S3 ovt530;Webcam Deluxe;c:\windows\system32\drivers\ov530vid.sys [2006-8-3 161792]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]

S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2009-10-4 110592]

S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2009-10-4 105344]

.

=============== Created Last 30 ================

.

2011-07-25 00:40:35 54016 -c--a-w- c:\windows\system32\drivers\qeprsnwd.sys

2011-07-24 23:48:24 571904 -c--a-w- c:\windows\system32\nlsdl32.exe

2011-07-24 01:37:04 -------- dc----w- c:\program files\SpywareBlaster

2011-07-23 20:36:22 -------- dc----w- c:\program files\AVAST Software

2011-07-23 20:36:22 -------- dc----w- c:\documents and settings\all users\application data\AVAST Software

2011-07-19 02:12:42 98816 -c--a-w- c:\windows\sed.exe

2011-07-19 02:12:42 518144 -c--a-w- c:\windows\SWREG.exe

2011-07-19 02:12:42 256000 -c--a-w- c:\windows\PEV.exe

2011-07-19 02:12:42 208896 -c--a-w- c:\windows\MBR.exe

2011-07-19 02:11:40 -------- dc----w- C:\ComboFix14055C

2011-07-19 02:06:14 -------- dc----w- C:\ComboFix117583C

2011-07-19 02:01:52 -------- dc----w- C:\ComboFix130564C

2011-07-16 22:00:21 0 -c-ha-w- c:\documents and settings\c level\iapcyurvze.tmp

2011-07-11 03:31:43 -------- dc----w- C:\ComboFix11498C

2011-07-11 03:00:19 133208 -c--a-w- c:\windows\system32\drivers\18109242.sys

2011-07-11 02:37:21 -------- dc----w- C:\MGtools

2011-07-10 20:01:32 -------- dc----w- C:\ComboFix18274C

2011-07-10 19:50:20 -------- dc----w- C:\ComboFix1

2011-07-10 18:35:41 -------- dc----w- c:\program files\PageRage

2011-06-25 01:24:37 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-25 01:19:58 2106216 -c--a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-06-25 01:19:57 1998168 -c--a-w- c:\program files\mozilla firefox\d3dx9_43.dll

.

==================== Find3M ====================

.

2011-07-10 18:36:15 0 -c--a-w- c:\windows\Rnehowubucudi.bin

2011-07-06 23:52:42 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 20:42:20.25 ===============

attach.zip

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Thanks for help. I ran Malwarebytes again a few days ago. I will post the most recent log and the previous log as some of the threats appear to have been removed.

*************************************************************************************************

Most Recent Malwarebytes scan - 29 July 2011

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7323

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

7/29/2011 9:08:05 PM

mbam-log-2011-07-29 (21-07-59).txt

Scan type: Quick scan

Objects scanned: 155074

Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

c:\WINDOWS\system32\avtapi32.exe (Trojan.Tracur) -> 460 -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\avtapi32.exe (Trojan.Tracur) -> No action taken.

*************************************************************************************************

Previous Malwarebytes scan - 27 July 2011

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7304

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

7/27/2011 8:51:05 PM

mbam-log-2011-07-27 (20-50-59).txt

Scan type: Quick scan

Objects scanned: 154554

Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 5

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

c:\WINDOWS\system32\avtapi32.exe (Trojan.Tracur) -> 1544 -> No action taken.

Memory Modules Infected:

c:\WINDOWS\system32\avtapi32.dll (Trojan.Tracur) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{0FE386CE-17FB-4AA6-BE32-3DD59F7B0A0b} (Trojan.Tracur) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FE386CE-17FB-4AA6-BE32-3DD59F7B0A0B} (Trojan.Tracur) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FE386CE-17FB-4AA6-BE32-3DD59F7B0A0B} (Trojan.Tracur) -> No action taken.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MESSENGER32 (Trojan.Tracur) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\C Level\local settings\temp\tmph8284681445473752384.tmp (Adware.Agent) -> No action taken.

c:\WINDOWS\system32\avtapi32.dll (Trojan.Tracur) -> No action taken.

c:\WINDOWS\system32\avtapi32.exe (Trojan.Tracur) -> No action taken.

*************************************************************************************************

ComboFix

ComboFix 11-07-29.03 - C Level 07/29/2011 21:14:50.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.976 [GMT -4:00]

Running from: c:\documents and settings\C Level\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{3da0ccce-88be-413d-8bbb-19294ce9452e}

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{3da0ccce-88be-413d-8bbb-19294ce9452e}\chrome.manifest

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{3da0ccce-88be-413d-8bbb-19294ce9452e}\chrome\xulcache.jar

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{3da0ccce-88be-413d-8bbb-19294ce9452e}\defaults\preferences\xulcache.js

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{3da0ccce-88be-413d-8bbb-19294ce9452e}\install.rdf

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{8505f011-098a-45be-9988-60519b0e33fa}

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{8505f011-098a-45be-9988-60519b0e33fa}\chrome\xulcache.jar

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{8505f011-098a-45be-9988-60519b0e33fa}\defaults\preferences\xulcache.js

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{8505f011-098a-45be-9988-60519b0e33fa}\install.rdf

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{ad5ccd03-6b5c-44ef-8099-77c467eb419e}

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{ad5ccd03-6b5c-44ef-8099-77c467eb419e}\chrome.manifest

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{ad5ccd03-6b5c-44ef-8099-77c467eb419e}\chrome\xulcache.jar

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{ad5ccd03-6b5c-44ef-8099-77c467eb419e}\defaults\preferences\xulcache.js

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{ad5ccd03-6b5c-44ef-8099-77c467eb419e}\install.rdf

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{f6042913-a2de-401d-8220-18a682112650}

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{f6042913-a2de-401d-8220-18a682112650}\chrome\xulcache.jar

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{f6042913-a2de-401d-8220-18a682112650}\defaults\preferences\xulcache.js

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{f6042913-a2de-401d-8220-18a682112650}\install.rdf

c:\documents and settings\C Level\iapcyurvze.tmp

c:\documents and settings\C Level\My Documents\~WRL0001.tmp

c:\documents and settings\C Level\My Documents\~WRL0003.tmp

c:\documents and settings\C Level\My Documents\~WRL0005.tmp

c:\documents and settings\C Level\My Documents\~WRL0695.tmp

c:\documents and settings\C Level\My Documents\~WRL1721.tmp

c:\documents and settings\C Level\My Documents\~WRL2392.tmp

.

c:\windows\regedit.exe . . . is infected!!

.

c:\windows\system32\expand.exe . . . is infected!!

.

c:\windows\system32\netsetup.exe . . . is infected!!

.

c:\windows\system32\netsh.exe . . . is infected!!

.

c:\windows\system32\netstat.exe . . . is infected!!

.

c:\windows\system32\ntsd.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-30 )))))))))))))))))))))))))))))))

.

.

2011-07-30 01:08 . 2011-07-30 01:08 54016 -c--a-w- c:\windows\system32\drivers\vmefhbhf.sys

2011-07-24 23:48 . 2011-07-24 23:48 571904 -c--a-w- c:\windows\system32\nlsdl32.exe

2011-07-24 01:37 . 2011-07-24 01:38 -------- dc----w- c:\program files\SpywareBlaster

2011-07-23 20:36 . 2011-07-24 01:22 -------- dc----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-07-23 20:36 . 2011-07-23 20:36 -------- dc----w- c:\program files\AVAST Software

2011-07-11 03:00 . 2011-07-11 09:11 133208 -c--a-w- c:\windows\system32\drivers\18109242.sys

2011-07-11 02:37 . 2011-07-23 17:32 -------- dc----w- C:\MGtools

2011-07-10 18:35 . 2011-07-23 20:08 -------- dc----w- c:\program files\PageRage

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-23 17:32 . 2011-07-11 02:37 200453 -c--a-w- C:\MGlogs.zip

2011-07-06 23:52 . 2010-07-25 23:21 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52 . 2010-07-25 23:21 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys

2011-06-25 01:24 . 2011-06-25 01:24 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-25 01:19 . 2011-05-08 16:11 142296 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\regedit.exe

[-] 2006-08-04 . FEB2251A0A5E4ABB83FA0D2012C7754B . 146432 . . [5.1.2600.2180] . . c:\windows\regedit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [bU]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-10-04 53760]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk

backup=c:\windows\pss\Device Detector 3.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UvA - Informatiseringscentrum CISCO VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UvA - Informatiseringscentrum CISCO VPN Client.lnk

backup=c:\windows\pss\UvA - Informatiseringscentrum CISCO VPN Client.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk

backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk

backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^C Level^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\C Level\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 00:57 35760 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2006-08-04 13:24 90112 -c--a-w- c:\windows\agrsmmsg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2006-08-04 13:48 196608 -c--a-w- c:\program files\Apoint2K\Apoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

2004-08-04 12:00 110592 -c--a-w- c:\windows\system32\bthprops.cpl

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]

2006-08-04 14:38 671744 -c--a-w- c:\program files\Toshiba\E-KEY\CeEKey.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2005-12-10 14:57 133016 -c--a-w- c:\program files\DAEMON Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2010-04-01 09:16 357696 -c--a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]

c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2005-05-31 04:33 122941 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]

2006-08-04 14:38 28672 -c--a-w- c:\program files\Toshiba\TOSHIBA Applet\HWSetup.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2006-08-04 13:24 114688 -c--a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2006-08-04 13:24 94208 -c--a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-12-13 22:16 421160 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]

2006-08-04 14:38 1081344 -c--a-w- c:\program files\Toshiba\Touch and Launch\PadExe.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 -c--a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-06-15 19:02 15141768 -c--a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-09-28 03:13 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2011-04-11 14:35 2423752 -c--a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]

2006-08-04 14:38 65536 -c--a-w- c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-06-27 22:56 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCtryIOHook]

2005-08-22 15:49 28672 -c--a-w- c:\windows\system32\TCtrlIOHook.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]

2006-08-04 14:38 65536 -c--a-w- c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]

2006-08-04 14:38 53248 -c--a-w- c:\program files\Toshiba\TouchPad\TPTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]

2005-08-11 13:33 266240 -c--a-w- c:\windows\system32\TPSMain.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]

2006-08-04 14:38 73728 -c--a-w- c:\program files\Toshiba\Tvs\TvsTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]

2006-11-06 18:31 81920 -c--a-w- c:\windows\system32\PCLECoInst.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]

c:\program files\Veoh Networks\Veoh\VeohClient.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]

c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

2006-08-04 14:38 114688 -c--a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]

2005-06-06 08:58 24576 -c--a-w- c:\windows\system32\ZoomingHook.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]

c:\program files\Google\Gmail Notifier\gnotify.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"LxrJD31s"=2 (0x2)

"gusvc"=3 (0x3)

"Bonjour Service"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15334:TCP"= 15334:TCP:BitComet 15334 TCP

"15334:UDP"= 15334:UDP:BitComet 15334 UDP

.

R0 18109242;18109242;c:\windows\system32\drivers\18109242.sys [7/10/2011 11:00 PM 133208]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 Messenger32;Messenger ;c:\windows\system32\nlsdl32.exe [7/24/2011 7:48 PM 571904]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]

S3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\DRIVERS\gttap1.sys --> c:\windows\system32\DRIVERS\gttap1.sys [?]

S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [10/4/2009 11:05 AM 7680]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/25/2010 7:21 PM 41272]

S3 ovt530;Webcam Deluxe;c:\windows\system32\drivers\ov530vid.sys [8/3/2006 6:58 PM 161792]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]

S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [10/4/2009 11:06 AM 110592]

S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [10/4/2009 11:06 AM 105344]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/22/2006 12:20 PM 691696]

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = local;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Find on Wikipedia... - c:\progra~1\WIKISE~1\cm.html

IE: Search &Dictionary - c:\program files\Lexico\Toolbar\dictionary.htm

IE: Search &Thesaurus - c:\program files\Lexico\Toolbar\thesaurus.htm

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=

FF - prefs.js: network.proxy.ftp - 64.66.192.61

FF - prefs.js: network.proxy.ftp_port - 80

FF - prefs.js: network.proxy.gopher - 64.66.192.61

FF - prefs.js: network.proxy.gopher_port - 80

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 61152

FF - prefs.js: network.proxy.socks - 64.66.192.61

FF - prefs.js: network.proxy.socks_port - 80

FF - prefs.js: network.proxy.ssl - 64.66.192.61

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 4

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-29 21:23

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(724)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2011-07-29 21:30:52

ComboFix-quarantined-files.txt 2011-07-30 01:30

ComboFix2.txt 2011-07-20 01:37

ComboFix3.txt 2011-07-19 02:32

ComboFix4.txt 2011-07-11 03:24

ComboFix5.txt 2011-07-30 01:13

.

Pre-Run: 202,788,864 bytes free

Post-Run: 221,163,520 bytes free

.

- - End Of File - - 6009CF7301C2941FF335F5D43BCA2C7F

************************************************************************************

DDS

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16

Run by C Level at 21:37:39 on 2011-07-29

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.921 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

svchost.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nlsdl32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = local;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Dictionary.com: {11359f4a-b191-42d7-905a-594f8cf0387b} - c:\windows\downloaded program files\lexbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: WikiSearch: {44e7ef6c-6f5c-4aaf-a080-7725a27878ed} - c:\progra~1\wikise~1\WIKIPE~1.DLL

TB: Dictionary.com: {11359f4a-b191-42d7-905a-594f8cf0387b} - c:\windows\downloaded program files\lexbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Find on Wikipedia... - c:\progra~1\wikise~1\cm.html

IE: Search &Dictionary - c:\program files\lexico\toolbar\dictionary.htm

IE: Search &Thesaurus - c:\program files\lexico\toolbar\thesaurus.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.17/uploader2.cab

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/24.11/uploader2.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150982717197

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553530800} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - hxxp://dictionary.reference.com/tools/toolbar/lexico.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{F640BDAB-ABC9-4E97-96BD-7517A1C2BFE0} : DhcpNameServer = 192.168.1.1

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\c level\application data\mozilla\firefox\profiles\dqpzpm5z.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=

FF - prefs.js: network.proxy.ftp - 64.66.192.61

FF - prefs.js: network.proxy.ftp_port - 80

FF - prefs.js: network.proxy.gopher - 64.66.192.61

FF - prefs.js: network.proxy.gopher_port - 80

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 61152

FF - prefs.js: network.proxy.socks - 64.66.192.61

FF - prefs.js: network.proxy.socks_port - 80

FF - prefs.js: network.proxy.ssl - 64.66.192.61

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

.

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=

.

============= SERVICES / DRIVERS ===============

.

R0 18109242;18109242;c:\windows\system32\drivers\18109242.sys [2011-7-10 133208]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 Messenger32;Messenger ;c:\windows\system32\nlsdl32.exe [2011-7-24 571904]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]

S3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\drivers\gttap1.sys --> c:\windows\system32\drivers\gttap1.sys [?]

S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-10-4 7680]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-25 41272]

S3 ovt530;Webcam Deluxe;c:\windows\system32\drivers\ov530vid.sys [2006-8-3 161792]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]

S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2009-10-4 110592]

S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2009-10-4 105344]

.

=============== Created Last 30 ================

.

2011-07-30 01:08:21 54016 -c--a-w- c:\windows\system32\drivers\vmefhbhf.sys

2011-07-24 23:48:24 571904 -c--a-w- c:\windows\system32\nlsdl32.exe

2011-07-24 01:37:04 -------- dc----w- c:\program files\SpywareBlaster

2011-07-23 20:36:22 -------- dc----w- c:\program files\AVAST Software

2011-07-23 20:36:22 -------- dc----w- c:\documents and settings\all users\application data\AVAST Software

2011-07-19 02:12:42 98816 -c--a-w- c:\windows\sed.exe

2011-07-19 02:12:42 518144 -c--a-w- c:\windows\SWREG.exe

2011-07-19 02:12:42 256000 -c--a-w- c:\windows\PEV.exe

2011-07-19 02:12:42 208896 -c--a-w- c:\windows\MBR.exe

2011-07-19 02:11:40 -------- dc----w- C:\ComboFix14055C

2011-07-19 02:06:14 -------- dc----w- C:\ComboFix117583C

2011-07-19 02:01:52 -------- dc----w- C:\ComboFix130564C

2011-07-11 03:31:43 -------- dc----w- C:\ComboFix11498C

2011-07-11 03:00:19 133208 -c--a-w- c:\windows\system32\drivers\18109242.sys

2011-07-11 02:37:21 -------- dc----w- C:\MGtools

2011-07-10 20:01:32 -------- dc----w- C:\ComboFix18274C

2011-07-10 19:50:20 -------- dc----w- C:\ComboFix1

2011-07-10 18:35:41 -------- dc----w- c:\program files\PageRage

.

==================== Find3M ====================

.

2011-07-10 18:36:15 0 -c--a-w- c:\windows\Rnehowubucudi.bin

2011-07-06 23:52:42 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys

2011-06-25 01:24:37 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 21:38:16.68 ===============

Link to post
Share on other sites

  • Staff

Hi,

Before we continue, please go to VirusTotal, and upload the following files for analysis:

c:\windows\regedit.exe

c:\windows\system32\expand.exe

c:\windows\system32\netsetup.exe

c:\windows\system32\netsh.exe

Post the results in your reply.

Also zip up that file and attach it to your reply.

Link to post
Share on other sites

I do not see any files to save and zip and include as an attachment. Below are the results of the Virus Total analyses.

******************************************************

File name:

regedit.exe

Submission date:

2011-08-07 01:07:40 (UTC)

Current status:

finished

Result:

0/ 43 (0.0%)

VT Community

not reviewed

Safety score: -

Compact

Print results

Antivirus Version Last Update Result

AhnLab-V3 2011.08.06.00 2011.08.06 -

AntiVir 7.11.12.233 2011.08.05 -

Antiy-AVL 2.0.3.7 2011.08.06 -

Avast 4.8.1351.0 2011.08.06 -

Avast5 5.0.677.0 2011.08.06 -

AVG 10.0.0.1190 2011.08.07 -

BitDefender 7.2 2011.08.07 -

CAT-QuickHeal 11.00 2011.08.06 -

ClamAV 0.97.0.0 2011.08.06 -

Commtouch 5.3.2.6 2011.08.06 -

Comodo 9654 2011.08.06 -

DrWeb 5.0.2.03300 2011.08.06 -

Emsisoft 5.1.0.8 2011.08.06 -

eSafe 7.0.17.0 2011.08.04 -

eTrust-Vet 36.1.8486 2011.08.05 -

F-Prot 4.6.2.117 2011.08.06 -

F-Secure 9.0.16440.0 2011.08.06 -

Fortinet 4.2.257.0 2011.08.07 -

GData 22 2011.08.07 -

Ikarus T3.1.1.104.0 2011.08.06 -

Jiangmin 13.0.900 2011.08.06 -

K7AntiVirus 9.109.4973 2011.08.02 -

Kaspersky 9.0.0.837 2011.08.07 -

McAfee 5.400.0.1158 2011.08.07 -

McAfee-GW-Edition 2010.1D 2011.08.06 -

Microsoft 1.7104 2011.08.06 -

NOD32 6356 2011.08.07 -

Norman 6.07.10 2011.08.06 -

nProtect 2011-08-06.01 2011.08.06 -

Panda 10.0.3.5 2011.08.06 -

PCTools 8.0.0.5 2011.08.07 -

Prevx 3.0 2011.08.07 -

Rising 23.69.03.03 2011.08.04 -

Sophos 4.67.0 2011.08.06 -

SUPERAntiSpyware 4.40.0.1006 2011.08.06 -

Symantec 20111.2.0.82 2011.08.07 -

TheHacker 6.7.0.1.272 2011.08.06 -

TrendMicro 9.200.0.1012 2011.08.06 -

TrendMicro-HouseCall 9.200.0.1012 2011.08.07 -

VBA32 3.12.16.4 2011.08.06 -

VIPRE 10089 2011.08.07 -

ViRobot 2011.8.6.4609 2011.08.06 -

VirusBuster 14.0.155.0 2011.08.06 -

Additional information

MD5 : feb2251a0a5e4abb83fa0d2012c7754b

SHA1 : 2881e3ca8e57d12b78da65e32616c1fd09667407

SHA256: c86f985457ae1ff1b9b099414fb5bc48ddb8364bea5c1b18ca9e8ddbeeb0a679

***************************************************************

File name:

expand.exe

Submission date:

2011-08-07 01:23:51 (UTC)

Current status:

finished

Result:

0/ 43 (0.0%)

VT Community

not reviewed

Safety score: -

Compact

Print results

Antivirus Version Last Update Result

AhnLab-V3 2011.08.06.00 2011.08.06 -

AntiVir 7.11.12.233 2011.08.05 -

Antiy-AVL 2.0.3.7 2011.08.06 -

Avast 4.8.1351.0 2011.08.06 -

Avast5 5.0.677.0 2011.08.06 -

AVG 10.0.0.1190 2011.08.07 -

BitDefender 7.2 2011.08.07 -

CAT-QuickHeal 11.00 2011.08.06 -

ClamAV 0.97.0.0 2011.08.06 -

Commtouch 5.3.2.6 2011.08.06 -

Comodo 9654 2011.08.06 -

DrWeb 5.0.2.03300 2011.08.06 -

Emsisoft 5.1.0.8 2011.08.06 -

eSafe 7.0.17.0 2011.08.04 -

eTrust-Vet 36.1.8486 2011.08.05 -

F-Prot 4.6.2.117 2011.08.06 -

F-Secure 9.0.16440.0 2011.08.06 -

Fortinet 4.2.257.0 2011.08.07 -

GData 22 2011.08.07 -

Ikarus T3.1.1.104.0 2011.08.06 -

Jiangmin 13.0.900 2011.08.06 -

K7AntiVirus 9.109.4973 2011.08.02 -

Kaspersky 9.0.0.837 2011.08.07 -

McAfee 5.400.0.1158 2011.08.07 -

McAfee-GW-Edition 2010.1D 2011.08.06 -

Microsoft 1.7104 2011.08.06 -

NOD32 6356 2011.08.07 -

Norman 6.07.10 2011.08.06 -

nProtect 2011-08-06.01 2011.08.06 -

Panda 10.0.3.5 2011.08.06 -

PCTools 8.0.0.5 2011.08.07 -

Prevx 3.0 2011.08.07 -

Rising 23.69.03.03 2011.08.04 -

Sophos 4.67.0 2011.08.06 -

SUPERAntiSpyware 4.40.0.1006 2011.08.06 -

Symantec 20111.2.0.82 2011.08.07 -

TheHacker 6.7.0.1.272 2011.08.06 -

TrendMicro 9.200.0.1012 2011.08.06 -

TrendMicro-HouseCall 9.200.0.1012 2011.08.07 -

VBA32 3.12.16.4 2011.08.06 -

VIPRE 10089 2011.08.07 -

ViRobot 2011.8.6.4609 2011.08.06 -

VirusBuster 14.0.155.0 2011.08.06 -

Additional information

MD5 : 0113d212bcc20774d8b98e76625b42da

SHA1 : eab2d9e8ea07bf755adb32cfcdd7d5233c8e665e

SHA256: 2ab0a1e7533fe5f7a89c3011fc846cc85b198546dbb195d0fd479d37d23298a0

************************************************************************

File name:

netsetup.exe

Submission date:

2011-08-07 01:26:32 (UTC)

Current status:

finished

Result:

1/ 43 (2.3%)

VT Community

not reviewed

Safety score: -

Compact

Print results

Antivirus Version Last Update Result

AhnLab-V3 2011.08.06.00 2011.08.06 -

AntiVir 7.11.12.233 2011.08.05 -

Antiy-AVL 2.0.3.7 2011.08.06 -

Avast 4.8.1351.0 2011.08.06 -

Avast5 5.0.677.0 2011.08.06 -

AVG 10.0.0.1190 2011.08.07 -

BitDefender 7.2 2011.08.07 -

CAT-QuickHeal 11.00 2011.08.06 -

ClamAV 0.97.0.0 2011.08.06 -

Commtouch 5.3.2.6 2011.08.06 -

Comodo 9654 2011.08.06 -

DrWeb 5.0.2.03300 2011.08.06 -

Emsisoft 5.1.0.8 2011.08.06 -

eSafe 7.0.17.0 2011.08.04 Win32.Banker

eTrust-Vet 36.1.8486 2011.08.05 -

F-Prot 4.6.2.117 2011.08.06 -

F-Secure 9.0.16440.0 2011.08.06 -

Fortinet 4.2.257.0 2011.08.07 -

GData 22 2011.08.07 -

Ikarus T3.1.1.104.0 2011.08.06 -

Jiangmin 13.0.900 2011.08.06 -

K7AntiVirus 9.109.4973 2011.08.02 -

Kaspersky 9.0.0.837 2011.08.07 -

McAfee 5.400.0.1158 2011.08.07 -

McAfee-GW-Edition 2010.1D 2011.08.06 -

Microsoft 1.7104 2011.08.06 -

NOD32 6356 2011.08.07 -

Norman 6.07.10 2011.08.06 -

nProtect 2011-08-06.01 2011.08.06 -

Panda 10.0.3.5 2011.08.06 -

PCTools 8.0.0.5 2011.08.07 -

Prevx 3.0 2011.08.07 -

Rising 23.69.03.03 2011.08.04 -

Sophos 4.67.0 2011.08.06 -

SUPERAntiSpyware 4.40.0.1006 2011.08.06 -

Symantec 20111.2.0.82 2011.08.07 -

TheHacker 6.7.0.1.272 2011.08.06 -

TrendMicro 9.200.0.1012 2011.08.06 -

TrendMicro-HouseCall 9.200.0.1012 2011.08.07 -

VBA32 3.12.16.4 2011.08.06 -

VIPRE 10089 2011.08.07 -

ViRobot 2011.8.6.4609 2011.08.06 -

VirusBuster 14.0.155.0 2011.08.06 -

Additional information

MD5 : cf4136f8e60f0700aab57bc145accb9e

SHA1 : a29b0945e5ae93c88abb573b14dcc3e03a6c6528

SHA256: 6a4a10b81a5c1efae89fe76066db0fe66f2341c470490a951d12cf149ad6fdfd

******************************************************

netsh.exe

Submission date:

2011-08-07 01:29:07 (UTC)

Current status:

finished

Result:

0/ 43 (0.0%)

VT Community

not reviewed

Safety score: -

Compact

Print results

Antivirus Version Last Update Result

AhnLab-V3 2011.08.06.00 2011.08.06 -

AntiVir 7.11.12.233 2011.08.05 -

Antiy-AVL 2.0.3.7 2011.08.06 -

Avast 4.8.1351.0 2011.08.06 -

Avast5 5.0.677.0 2011.08.06 -

AVG 10.0.0.1190 2011.08.07 -

BitDefender 7.2 2011.08.07 -

CAT-QuickHeal 11.00 2011.08.06 -

ClamAV 0.97.0.0 2011.08.06 -

Commtouch 5.3.2.6 2011.08.06 -

Comodo 9654 2011.08.06 -

DrWeb 5.0.2.03300 2011.08.06 -

Emsisoft 5.1.0.8 2011.08.06 -

eSafe 7.0.17.0 2011.08.04 -

eTrust-Vet 36.1.8486 2011.08.05 -

F-Prot 4.6.2.117 2011.08.06 -

F-Secure 9.0.16440.0 2011.08.06 -

Fortinet 4.2.257.0 2011.08.07 -

GData 22 2011.08.07 -

Ikarus T3.1.1.104.0 2011.08.06 -

Jiangmin 13.0.900 2011.08.06 -

K7AntiVirus 9.109.4973 2011.08.02 -

Kaspersky 9.0.0.837 2011.08.07 -

McAfee 5.400.0.1158 2011.08.07 -

McAfee-GW-Edition 2010.1D 2011.08.06 -

Microsoft 1.7104 2011.08.06 -

NOD32 6356 2011.08.07 -

Norman 6.07.10 2011.08.06 -

nProtect 2011-08-06.01 2011.08.06 -

Panda 10.0.3.5 2011.08.06 -

PCTools 8.0.0.5 2011.08.07 -

Prevx 3.0 2011.08.07 -

Rising 23.69.03.03 2011.08.04 -

Sophos 4.67.0 2011.08.06 -

SUPERAntiSpyware 4.40.0.1006 2011.08.06 -

Symantec 20111.2.0.82 2011.08.07 -

TheHacker 6.7.0.1.272 2011.08.06 -

TrendMicro 9.200.0.1012 2011.08.06 -

TrendMicro-HouseCall 9.200.0.1012 2011.08.07 -

VBA32 3.12.16.4 2011.08.06 -

VIPRE 10089 2011.08.07 -

ViRobot 2011.8.6.4609 2011.08.06 -

VirusBuster 14.0.155.0 2011.08.06 -

Additional information

MD5 : 260d1f3e02bda4512131f1e5e86d7cc4

SHA1 : 455f928ce7062039a83853ddaec0182d552d9d91

SHA256: a2a555a15b6d283c5aae308a2d486fff85485cde48947abcb6294e2648f0268b

Link to post
Share on other sites

If it helps, in addition to google redirect, there is now a window that shows up when I go to certain websites called "Drop Down Deal" that I did not intentionally install. I don't know if these issues are related.

***********************************************************************************************************

ComboFix 11-08-12.01 - C Level 08/12/2011 18:43:17.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.1114 [GMT -4:00]

Running from: c:\documents and settings\C Level\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{36317ce6-36f1-4ab5-b99c-ecdce6342126}

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{36317ce6-36f1-4ab5-b99c-ecdce6342126}\chrome.manifest

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{36317ce6-36f1-4ab5-b99c-ecdce6342126}\chrome\xulcache.jar

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{36317ce6-36f1-4ab5-b99c-ecdce6342126}\defaults\preferences\xulcache.js

c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\extensions\{36317ce6-36f1-4ab5-b99c-ecdce6342126}\install.rdf

c:\documents and settings\C Level\iapcyurvze.tmp

.

c:\windows\regedit.exe . . . is infected!!

.

c:\windows\system32\expand.exe . . . is infected!!

.

c:\windows\system32\netsetup.exe . . . is infected!!

.

c:\windows\system32\netsh.exe . . . is infected!!

.

c:\windows\system32\netstat.exe . . . is infected!!

.

c:\windows\system32\ntsd.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-07-12 to 2011-08-12 )))))))))))))))))))))))))))))))

.

.

2011-08-12 22:35 . 2011-07-24 23:48 571904 -c----w- c:\windows\system32\avtapi32.exe

2011-07-24 23:48 . 2011-07-24 23:48 571904 -c--a-w- c:\windows\system32\nlsdl32.exe

2011-07-24 01:37 . 2011-07-24 01:38 -------- dc----w- c:\program files\SpywareBlaster

2011-07-23 20:36 . 2011-07-24 01:22 -------- dc----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-07-23 20:36 . 2011-07-23 20:36 -------- dc----w- c:\program files\AVAST Software

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-23 17:32 . 2011-07-11 02:37 200453 -c--a-w- C:\MGlogs.zip

2011-07-11 09:11 . 2011-07-11 03:00 133208 -c--a-w- c:\windows\system32\drivers\18109242.sys

2011-07-06 23:52 . 2010-07-25 23:21 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52 . 2010-07-25 23:21 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys

2011-06-25 01:24 . 2011-06-25 01:24 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-25 01:19 . 2011-05-08 16:11 142296 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\regedit.exe

[-] 2006-08-04 . FEB2251A0A5E4ABB83FA0D2012C7754B . 146432 . . [5.1.2600.2180] . . c:\windows\regedit.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-07-30_01.24.04 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-08-12 22:35 . 2011-08-12 22:35 16384 c:\windows\temp\Perflib_Perfdata_5fc.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [bU]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-10-04 53760]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk

backup=c:\windows\pss\Device Detector 3.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UvA - Informatiseringscentrum CISCO VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UvA - Informatiseringscentrum CISCO VPN Client.lnk

backup=c:\windows\pss\UvA - Informatiseringscentrum CISCO VPN Client.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk

backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk

backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^C Level^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\C Level\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 00:57 35760 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2006-08-04 13:24 90112 -c--a-w- c:\windows\agrsmmsg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2006-08-04 13:48 196608 -c--a-w- c:\program files\Apoint2K\Apoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

2004-08-04 12:00 110592 -c--a-w- c:\windows\system32\bthprops.cpl

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]

2006-08-04 14:38 671744 -c--a-w- c:\program files\Toshiba\E-KEY\CeEKey.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2005-12-10 14:57 133016 -c--a-w- c:\program files\DAEMON Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2010-04-01 09:16 357696 -c--a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]

c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2005-05-31 04:33 122941 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]

2006-08-04 14:38 28672 -c--a-w- c:\program files\Toshiba\TOSHIBA Applet\HWSetup.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2006-08-04 13:24 114688 -c--a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2006-08-04 13:24 94208 -c--a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-12-13 22:16 421160 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]

2006-08-04 14:38 1081344 -c--a-w- c:\program files\Toshiba\Touch and Launch\PadExe.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 -c--a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-06-15 19:02 15141768 -c--a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-09-28 03:13 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2011-04-11 14:35 2423752 -c--a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]

2006-08-04 14:38 65536 -c--a-w- c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-06-27 22:56 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCtryIOHook]

2005-08-22 15:49 28672 -c--a-w- c:\windows\system32\TCtrlIOHook.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]

2006-08-04 14:38 65536 -c--a-w- c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]

2006-08-04 14:38 53248 -c--a-w- c:\program files\Toshiba\TouchPad\TPTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]

2005-08-11 13:33 266240 -c--a-w- c:\windows\system32\TPSMain.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]

2006-08-04 14:38 73728 -c--a-w- c:\program files\Toshiba\Tvs\TvsTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]

2006-11-06 18:31 81920 -c--a-w- c:\windows\system32\PCLECoInst.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]

c:\program files\Veoh Networks\Veoh\VeohClient.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]

c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

2006-08-04 14:38 114688 -c--a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]

2005-06-06 08:58 24576 -c--a-w- c:\windows\system32\ZoomingHook.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]

c:\program files\Google\Gmail Notifier\gnotify.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"LxrJD31s"=2 (0x2)

"gusvc"=3 (0x3)

"Bonjour Service"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15334:TCP"= 15334:TCP:BitComet 15334 TCP

"15334:UDP"= 15334:UDP:BitComet 15334 UDP

.

R0 18109242;18109242;c:\windows\system32\drivers\18109242.sys [7/10/2011 11:00 PM 133208]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 Messenger32;Messenger ;c:\windows\system32\nlsdl32.exe [7/24/2011 7:48 PM 571904]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]

S3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\DRIVERS\gttap1.sys --> c:\windows\system32\DRIVERS\gttap1.sys [?]

S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [10/4/2009 11:05 AM 7680]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/25/2010 7:21 PM 41272]

S3 ovt530;Webcam Deluxe;c:\windows\system32\drivers\ov530vid.sys [8/3/2006 6:58 PM 161792]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]

S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [10/4/2009 11:06 AM 110592]

S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [10/4/2009 11:06 AM 105344]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/22/2006 12:20 PM 691696]

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = local;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Find on Wikipedia... - c:\progra~1\WIKISE~1\cm.html

IE: Search &Dictionary - c:\program files\Lexico\Toolbar\dictionary.htm

IE: Search &Thesaurus - c:\program files\Lexico\Toolbar\thesaurus.htm

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\C Level\Application Data\Mozilla\Firefox\Profiles\dqpzpm5z.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=

FF - prefs.js: network.proxy.ftp - 64.66.192.61

FF - prefs.js: network.proxy.ftp_port - 80

FF - prefs.js: network.proxy.gopher - 64.66.192.61

FF - prefs.js: network.proxy.gopher_port - 80

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 61152

FF - prefs.js: network.proxy.socks - 64.66.192.61

FF - prefs.js: network.proxy.socks_port - 80

FF - prefs.js: network.proxy.ssl - 64.66.192.61

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 4

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-12 18:51

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(724)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2011-08-12 18:55:58

ComboFix-quarantined-files.txt 2011-08-12 22:55

ComboFix2.txt 2011-07-30 01:30

ComboFix3.txt 2011-07-20 01:37

ComboFix4.txt 2011-07-19 02:32

ComboFix5.txt 2011-08-12 22:41

.

Pre-Run: 402,345,984 bytes free

Post-Run: 409,792,512 bytes free

.

- - End Of File - - A153EC6B9859C319B6DBA042090834AE

*******************************************************

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16

Run by C Level at 18:57:27 on 2011-08-12

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.1043 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

svchost.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nlsdl32.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\avtapi32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = local;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Dictionary.com: {11359f4a-b191-42d7-905a-594f8cf0387b} - c:\windows\downloaded program files\lexbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: WikiSearch: {44e7ef6c-6f5c-4aaf-a080-7725a27878ed} - c:\progra~1\wikise~1\WIKIPE~1.DLL

TB: Dictionary.com: {11359f4a-b191-42d7-905a-594f8cf0387b} - c:\windows\downloaded program files\lexbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Find on Wikipedia... - c:\progra~1\wikise~1\cm.html

IE: Search &Dictionary - c:\program files\lexico\toolbar\dictionary.htm

IE: Search &Thesaurus - c:\program files\lexico\toolbar\thesaurus.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.17/uploader2.cab

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/24.11/uploader2.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150982717197

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553530800} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - hxxp://dictionary.reference.com/tools/toolbar/lexico.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{F640BDAB-ABC9-4E97-96BD-7517A1C2BFE0} : DhcpNameServer = 192.168.1.1

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\c level\application data\mozilla\firefox\profiles\dqpzpm5z.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=

FF - prefs.js: network.proxy.ftp - 64.66.192.61

FF - prefs.js: network.proxy.ftp_port - 80

FF - prefs.js: network.proxy.gopher - 64.66.192.61

FF - prefs.js: network.proxy.gopher_port - 80

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 61152

FF - prefs.js: network.proxy.socks - 64.66.192.61

FF - prefs.js: network.proxy.socks_port - 80

FF - prefs.js: network.proxy.ssl - 64.66.192.61

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

.

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=

.

============= SERVICES / DRIVERS ===============

.

R0 18109242;18109242;c:\windows\system32\drivers\18109242.sys [2011-7-10 133208]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 Messenger32;Messenger ;c:\windows\system32\nlsdl32.exe [2011-7-24 571904]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]

S3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\drivers\gttap1.sys --> c:\windows\system32\drivers\gttap1.sys [?]

S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-10-4 7680]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-25 41272]

S3 ovt530;Webcam Deluxe;c:\windows\system32\drivers\ov530vid.sys [2006-8-3 161792]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]

S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2009-10-4 110592]

S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2009-10-4 105344]

.

=============== Created Last 30 ================

.

2011-08-12 22:35:06 571904 -c----w- c:\windows\system32\avtapi32.exe

2011-07-24 23:48:24 571904 -c--a-w- c:\windows\system32\nlsdl32.exe

2011-07-24 01:37:04 -------- dc----w- c:\program files\SpywareBlaster

2011-07-23 20:36:22 -------- dc----w- c:\program files\AVAST Software

2011-07-23 20:36:22 -------- dc----w- c:\documents and settings\all users\application data\AVAST Software

2011-07-19 02:12:42 98816 -c--a-w- c:\windows\sed.exe

2011-07-19 02:12:42 518144 -c--a-w- c:\windows\SWREG.exe

2011-07-19 02:12:42 256000 -c--a-w- c:\windows\PEV.exe

2011-07-19 02:12:42 208896 -c--a-w- c:\windows\MBR.exe

.

==================== Find3M ====================

.

2011-07-11 09:11:43 133208 -c--a-w- c:\windows\system32\drivers\18109242.sys

2011-07-10 18:36:15 0 -c--a-w- c:\windows\Rnehowubucudi.bin

2011-07-06 23:52:42 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys

2011-06-25 01:24:37 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 18:58:07.79 ===============

attach12 august.zip

Link to post
Share on other sites

  • Staff

Hi,

Just saw this.

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos ect. This means no P2P evidence will be supported. Logs that show these in them, will given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed period. It's theft and against the law.

It's likely why your issue began in the first place.

This goes for BitComet and anything else you may have installed.

Link to post
Share on other sites

  • 3 weeks later...
  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.