
redirect virus


pluck


My Google redirects me to different websites, even after scanning with MBAM.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_22

Run by Andy Lee at 22:30:04 on 2011-10-18

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2278 [GMT -7:00]

.

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\DigitalPersona\Bin\DpHostW.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

C:\Program Files\Airlink101\Airlink101 WLAN Monitor\RtlService.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Airlink101\Airlink101 WLAN Monitor\RtWlan.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\DigitalPersona\Bin\DpAgent.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Windows\system32\taskeng.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Windows\system32\conime.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

uInternet Settings,ProxyOverride = <local>

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: HP Print Clips: {ffffffff-ff12-44c5-91ec-068e3aa1b2d7} - c:\program files\hp\smart web printing\hpswp_framework.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe

mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{0C187B1F-FC4B-45FF-8753-2264EA38E7AD} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{6088CF7B-3992-4C51-A40C-E38BD55C2C39} : DhcpNameServer = 192.168.0.1

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\andy lee\appdata\roaming\mozilla\firefox\profiles\uin7u6hy.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\users\andy lee\appdata\roaming\move networks\plugins\npqmp071503000010.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]

R2 Realtek92SU;Realtek92SU;c:\program files\airlink101\airlink101 wlan monitor\RtlService.exe [2010-1-19 40960]

R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-20 2214504]

S2 PcaSvc32;Program Compatibility Assistant Service ;c:\windows\system32\nlslexicons002232.exe --> c:\windows\system32\NlsLexicons002232.exe [?]

S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2011-6-17 30312]

S3 RTL8192su;Airlink101 AWLL6077v2 Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8192su.sys [2010-1-19 523264]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-6-17 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-6-17 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-6-17 121576]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-10-17 21:23:35 -------- d-sh--w- C:\$RECYCLE.BIN

2011-10-17 21:08:40 -------- d-----w- C:\ComboFix

2011-10-08 21:11:05 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE

2011-09-25 23:04:46 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-25 22:52:54 -------- d-----w- c:\users\andy lee\appdata\local\temp

2011-09-25 22:40:12 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys

.

==================== Find3M ====================

.

2011-10-19 05:27:47 5676 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-08-15 00:34:00 0 ---ha-w- c:\windows\wejzedkftl.tmp

2011-08-14 10:44:40 0 ---ha-w- c:\windows\system32\wejzedkftl.tmp

.

============= FINISH: 22:31:27.74 ===============

MBAM LOG

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7963

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18999

10/19/2011 12:27:47 AM

mbam-log-2011-10-19 (00-27-47).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 448285

Time elapsed: 1 hour(s), 44 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Andy Lee\AppData\LocalLow\Sun\Java\deployment\cache\6.0\5\1dd2dc85-1b48e8db (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Andy Lee\AppData\LocalLow\Sun\Java\deployment\cache\6.0\30\f56f79e-3765c886 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Andy Lee\AppData\LocalLow\Sun\Java\deployment\cache\6.0\33\6ba285e1-4adbf621 (Rootkit.0Access) -> Quarantined and deleted successfully.

Edit: forgot to attach my DDS attach file.

Attach.txt


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


Hello, thank you for responding.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8009

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18999

10/23/2011 6:13:47 PM

mbam-log-2011-10-23 (18-13-47).txt

Scan type: Quick scan

Objects scanned: 204188

Time elapsed: 1 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I ran ComboFix and a pev.3xe error popped up. I proceeded to close the error box, and ComboFix finished running.

ComboFix 11-10-23.03 - Andy Lee 10/23/2011 18:19:18.6.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2195 [GMT -7:00]

Running from: c:\users\Andy Lee\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))

.

.

2011-10-24 01:27 . 2011-10-24 01:27 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2011-10-24 01:27 . 2011-10-24 01:27 -------- d-----w- c:\users\Public\AppData\Local\temp

2011-10-24 01:27 . 2011-10-24 01:27 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-10-24 01:27 . 2011-10-24 01:27 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2011-10-19 07:48 . 2011-10-19 07:48 -------- d-----w- c:\program files\ESET

2011-09-25 23:04 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-25 22:52 . 2011-10-24 01:27 -------- d-----w- c:\users\Andy Lee\AppData\Local\temp

2011-09-25 22:40 . 2008-01-21 02:23 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-23 20:08 . 2011-08-21 23:30 5676 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-10-21 17:13 . 2011-07-03 20:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-15 00:34 . 2011-08-15 00:34 0 ---ha-w- c:\windows\wejzedkftl.tmp

2011-08-14 10:44 . 2011-08-14 10:44 0 ---ha-w- c:\windows\system32\wejzedkftl.tmp

2011-09-30 03:17 . 2011-05-03 23:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-24 178712]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]

"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKLM\~\startupfolder\C:^Users^Andy Lee^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\Andy Lee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DpAgent]

2007-09-20 18:12 671744 ----a-w- c:\program files\DigitalPersona\Bin\DpAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]

2007-08-22 23:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]

2007-09-04 20:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]

2007-09-19 21:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]

2007-12-20 02:27 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

2007-01-17 13:34 634880 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]

2007-01-18 20:20 79416 ----a-w- c:\program files\Seagate\SystemTray\FreeAgentLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2009-11-23 16:43 2001648 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2008-03-28 10:05 1045800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-10-07 01:44 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]

2007-08-17 06:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]

2008-01-21 02:23 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 PcaSvc32;Program Compatibility Assistant Service ;c:\windows\system32\NlsLexicons002232.exe [x]

R3 14953065;14953065; [x]

R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2010-12-21 30312]

R3 RTL8192su;Airlink101 AWLL6077v2 Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2009-07-18 523264]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]

R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2010-12-21 96488]

R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2010-12-21 12776]

R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2010-12-21 121576]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-08-11 717296]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]

S2 Realtek92SU;Realtek92SU;c:\program files\Airlink101\Airlink101 WLAN Monitor\RtlService.exe [2009-02-05 40960]

S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - MBAMSwissArmy

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\users\Andy Lee\AppData\Roaming\Mozilla\Firefox\Profiles\uin7u6hy.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-23 18:27

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3224421616-3598973662-2292854500-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X*v*i*D*-*P*M*C*G*@*ŸSR0WMO\OpenWithList]

@Class="Shell"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(3268)

c:\program files\DigitalPersona\Bin\DpoFeedb.dll

.

Completion time: 2011-10-23 18:30:12

ComboFix-quarantined-files.txt 2011-10-24 01:30

ComboFix2.txt 2011-10-21 08:41

ComboFix3.txt 2011-10-17 21:23

ComboFix4.txt 2011-09-25 23:00

ComboFix5.txt 2011-10-24 01:18

.

Pre-Run: 11,955,187,712 bytes free

Post-Run: 11,884,253,184 bytes free

.

- - End Of File - - 78D0D1AC0E66A236C2792839EC906D71

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18999

Run by Andy Lee at 18:31:29 on 2011-10-23

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1953 [GMT -7:00]

.

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\DigitalPersona\Bin\DpHostW.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Airlink101\Airlink101 WLAN Monitor\RtlService.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\DigitalPersona\Bin\DpAgent.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\conime.exe

C:\Windows\Explorer.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

uInternet Settings,ProxyOverride = <local>

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: HP Print Clips: {ffffffff-ff12-44c5-91ec-068e3aa1b2d7} - c:\program files\hp\smart web printing\hpswp_framework.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe

mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{0C187B1F-FC4B-45FF-8753-2264EA38E7AD} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{6088CF7B-3992-4C51-A40C-E38BD55C2C39} : DhcpNameServer = 192.168.0.1

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\andy lee\appdata\roaming\mozilla\firefox\profiles\uin7u6hy.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\users\andy lee\appdata\roaming\move networks\plugins\npqmp071503000010.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-20 2214504]

R2 Realtek92SU;Realtek92SU;c:\program files\airlink101\airlink101 wlan monitor\RtlService.exe [2010-1-19 40960]

R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 PcaSvc32;Program Compatibility Assistant Service ;c:\windows\system32\nlslexicons002232.exe --> c:\windows\system32\NlsLexicons002232.exe [?]

S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2011-6-17 30312]

S3 RTL8192su;Airlink101 AWLL6077v2 Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8192su.sys [2010-1-19 523264]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-6-17 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-6-17 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-6-17 121576]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-10-24 01:28:51 -------- d-sh--w- C:\$RECYCLE.BIN

2011-10-24 01:18:07 -------- d-----w- C:\ComboFix

2011-10-19 07:48:54 -------- d-----w- c:\program files\ESET

2011-09-25 23:04:46 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-25 22:52:54 -------- d-----w- c:\users\andy lee\appdata\local\temp

2011-09-25 22:40:12 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys

.

==================== Find3M ====================

.

2011-10-23 20:08:42 5676 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-10-21 17:13:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-15 00:34:00 0 ---ha-w- c:\windows\wejzedkftl.tmp

2011-08-14 10:44:40 0 ---ha-w- c:\windows\system32\wejzedkftl.tmp

.

============= FINISH: 18:31:40.58 ===============

Did you want me to attach my DDS attach log as well?

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


  • Staff

Hi,

My apologies for the delay.

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet. Before you download it, rename it to sega.com

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\sega.com" /killall

Let me know if the error happens again. If so, post it exactly as written.


After downloading ComboFix to my desktop, I renamed it to sega.com. I then rebooted into Safe Mode and typed "%userprofile%\desktop\sega.com" /killall in Run. A Windows message popped up saying Windows cannot find 'c:\users\andylee\desktop\sega.com'. What should I do now?


Hello,

Again, I get the same error message. Pev.3XE has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available. But I did finish the scan. Below is the combofix log.

ComboFix 11-11-02.01 - Andy Lee 11/01/2011 23:54:05.7.2 - x86 NETWORK

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2619 [GMT -7:00]

Running from: c:\users\Andy Lee\Desktop\sega.com.exe

Command switches used :: /killall

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-10-02 to 2011-11-02 )))))))))))))))))))))))))))))))

.

.

2011-11-02 07:02 . 2011-11-02 07:03 -------- d-----w- c:\users\Andy Lee\AppData\Local\temp

2011-11-02 07:02 . 2011-11-02 07:02 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2011-11-02 07:02 . 2011-11-02 07:02 -------- d-----w- c:\users\Public\AppData\Local\temp

2011-11-02 07:02 . 2011-11-02 07:02 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-02 07:02 . 2011-11-02 07:02 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2011-10-24 22:12 . 2011-10-24 22:13 -------- d-----w- c:\users\Andy Lee\{545156b4-e77f-4c2d-ade0-f9255429a4f6}

2011-10-24 22:12 . 2011-10-24 22:12 -------- d-----w- C:\Intel

2011-10-24 22:12 . 2011-10-24 22:12 -------- d-----w- c:\users\Andy Lee\AppData\Roaming\InstallShield

2011-10-24 22:11 . 2011-10-24 22:11 -------- d-----w- c:\users\Andy Lee\{4353fa50-f5fd-4f46-abd8-78eb64935cf1}

2011-10-24 22:08 . 2011-10-24 22:14 -------- d-----w- c:\users\Andy Lee\AppData\Roaming\HpUpdate

2011-10-24 22:08 . 2011-10-24 22:08 -------- d-----w- c:\windows\Hewlett-Packard

2011-10-19 07:48 . 2011-10-19 07:48 -------- d-----w- c:\program files\ESET

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-01 09:00 . 2011-08-21 23:30 5676 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-10-24 22:11 . 2008-07-02 07:56 319456 ----a-w- c:\windows\DIFxAPI.dll

2011-10-21 17:13 . 2011-07-03 20:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-01 00:00 . 2011-09-25 23:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-15 00:34 . 2011-08-15 00:34 0 ---ha-w- c:\windows\wejzedkftl.tmp

2011-08-14 10:44 . 2011-08-14 10:44 0 ---ha-w- c:\windows\system32\wejzedkftl.tmp

2011-09-30 03:17 . 2011-05-03 23:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]

"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKLM\~\startupfolder\C:^Users^Andy Lee^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\Andy Lee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DpAgent]

2007-09-20 18:12 671744 ----a-w- c:\program files\DigitalPersona\Bin\DpAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2011-05-10 09:41 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]

2007-08-22 23:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]

2007-09-04 20:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]

2007-09-19 21:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]

2007-12-20 02:27 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

2007-01-17 13:34 634880 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]

2007-01-18 20:20 79416 ----a-w- c:\program files\Seagate\SystemTray\FreeAgentLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2009-11-23 16:43 2001648 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2008-03-28 10:05 1045800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-10-07 01:44 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]

2007-08-17 06:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]

2008-01-21 02:23 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

2;2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 PcaSvc32;Program Compatibility Assistant Service ;c:\windows\system32\NlsLexicons002232.exe [x]

R3 14953065;14953065; [x]

R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2010-12-21 30312]

R3 RTL8192su;Airlink101 AWLL6077v2 Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2009-07-18 523264]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]

R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2010-12-21 96488]

R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2010-12-21 12776]

R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2010-12-21 121576]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-08-11 717296]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]

S2 Realtek92SU;Realtek92SU;c:\program files\Airlink101\Airlink101 WLAN Monitor\RtlService.exe [2009-02-05 40960]

S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\users\Andy Lee\AppData\Roaming\Mozilla\Firefox\Profiles\uin7u6hy.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3224421616-3598973662-2292854500-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X*v*i*D*-*P*M*C*G*@*ŸSR0WMO\OpenWithList]

@Class="Shell"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(3672)

c:\program files\DigitalPersona\Bin\DpoFeedb.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\DigitalPersona\Bin\DpHostW.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\Airlink101\Airlink101 WLAN Monitor\RtWlan.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe

c:\program files\NVIDIA Corporation\Display\nvxdsync.exe

c:\windows\system32\nvvsvc.exe

c:\windows\system32\conime.exe

c:\windows\ehome\ehmsas.exe

c:\program files\Hewlett-Packard\Shared\HpqToaster.exe

c:\program files\Hewlett-Packard\SDP\RemEngine.exe

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

.

**************************************************************************

.

Completion time: 2011-11-02 00:09:00 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-02 07:08

ComboFix2.txt 2011-10-24 01:30

.

Pre-Run: 1,391,542,272 bytes free

Post-Run: 3,450,032,128 bytes free

.

- - End Of File - - 6FEDEC82B6BF08A7F7CC19E8F91A4243


  • Staff

Hi,

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hello,

ESET found nothing. So does this mean I am virus free?

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=ae0774716033a44091293a143bb4af5a

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-11-07 03:25:25

# local_time=2011-11-06 07:25:25 (-0800, Pacific Standard Time)

# country="United States"

# lang=9

# osver=6.0.6001 NT Service Pack 1

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=5892 16776574 66 100 23785999 157237587 0 0

# compatibility_mode=8192 67108863 100 0 697925 697925 0 0

# scanned=263745

# found=0

# cleaned=0

# scan_time=6266

security check below

Results of screen317's Security Check version 0.99.24

Windows Vista Service Pack 1 x86 (UAC is disabled!)

Out of date service pack!!

Internet Explorer 8 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Disabled!

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Adobe Flash Player 11.0.1.152

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

Thank you for helping me as well.


  • Staff

Hi,

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

ESET Online Scanner v3

Adobe Reader 9.0

Restart your computer.

Get the latest version of Adobe Reader.

Next, it is absolutely essential that you upgrade to Windows Vista Service Pack 2. What you currently have, Service Pack 1, has vulnerabilities that leave you wide open for re-infection. To upgrade, please click Start, type in Windows Update, click Windows Update, then download all available critical updates, including Service Pack 2.

Let me know how that goes and if there were any issues updating, and let me know what issues remain.


Hello,

I tried to update my windows but I get an error while doing so. The error number shows up as unknown error 80096001. It stops me from updating my windows, as well as checking for updates. Please help.


  • 2 weeks later...
  • 3 weeks later...
  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
