I have some nasty malware on my machine. I have tried many progs to correct and have had no luck.
When I go to my homepage, (Google) and search, and click on result, it redirects like crazy like 4 or 5 redirects before it lands on a totally undesired page.
Alternatively, I have found DNS changer malware on my machine too, and it's wreaking havoc with me accessing my hosted sites. By default my server blacklists my IP after 4 attempts and this has been happening daily. (UGH). The most success I have had was running malwarebytes. Here is the log I got.........
Malwarebytes' Anti-Malware 1.30
Database version: 1335
Windows 6.0.6000
10/29/2008 5:55:30 AM
mbam-log-2008-10-29 (05-55-30).txt
Scan type: Quick Scan
Objects scanned: 53758
Time elapsed: 5 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Somefox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc64d18a-5f16-4724-997a-e64e40333055}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.11;85.255.112.93 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bc64d18a-5f16-4724-997a-e64e40333055}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.11;85.255.112.93 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{bc64d18a-5f16-4724-997a-e64e40333055}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.11;85.255.112.93 -> Quarantined and deleted successfully.
Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav.ooo (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
I rebooted as directed.
Next I ran Hijack This and have a log if requested......
I am no closer to solving this than I was..... Browser is still hijacked and I kindly ask for your help as this is getting desperate. Please let me know at your earliest convenience.
Thanks, deekz27

Have you turned off system restore and scanned?
You may also want to try Ccleaner and let it clean out the excess junk on your PC and then rescan.
There are some good FREE (fully functional) cleaners listed on one page in the link of my signature.
You may also want to try WinPatrol, which is also free, to see what is running on your PC. Also try this free on-line ActiveX scan:
http://www.spywareguide.com/onlines...
and remove all it finds.
Some HELP in posting on Computing.net plus free progs and instructions
Cheers

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

OK I made sure system restore was off and rescanned. I cleaned out a bunch of junk with cCleaner and rescanned. I tried many of the progs in your sig like spybot S&D and x-cleaner and spyware blaster and STILL have the problem with 3 entries of DNSChanger trojan found by Malwarebytes.
Here is the last log ......
Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 6.0.6000
10/30/2008 6:01:09 PM
mbam-log-2008-10-30 (18-01-01).txt
Scan type: Quick Scan
Objects scanned: 52415
Time elapsed: 6 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc64d18a-5f16-4724-997a-e64e40333055}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.11;85.255.112.93 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bc64d18a-5f16-4724-997a-e64e40333055}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.11;85.255.112.93 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{bc64d18a-5f16-4724-997a-e64e40333055}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.11;85.255.112.93 -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I am also now getting a popup that states there is a problem with my Windows Vista and that something has changed it and needs to be verified. It doesn't verify as valid now and suggests maybe due to malware.
I also can't use Windows Update; it fails every time. I have tried countless suggested solutions and fixes and still it doesn't work.
Any ideas where I can go from here? Also, with regard to jbucks' suggestion about using SDFix.exe, I believe it's not supported on Vista.
Please let me know if you have any further ideas ..... this is getting nerve-racking.
Thanks,
deekz27

Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Here is the log from HijackThis .........
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:05 AM, on 11/1/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe
C:\hp\kbd\kbd.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SLUI.exe
C:\Users\Douglas\Desktop\HiJackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v1...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PC...
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rr...
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v1...
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd...
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xcle...
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/Onlin...
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v1...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagame...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v1...
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.luvmyfurbaby.com/store/u...
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/opti...
O17 - HKLM\System\CCS\Services\Tcpip\..\{bc64d18a-5f16-4724-997a-e64e40333055}: NameServer = 85.255.112.11;85.255.112.93
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhut.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 11052 bytes
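An added example (not code from the thread or from Malwarebytes, HijackThis or any other tool named here): a Python parser that pulls the NameServer values out of Malwarebytes "Registry Data Items" lines and HijackThis O17 lines like the ones above and flags any resolver outside an allow-list. The sample lines are copied from this thread's logs; the 192.168.1.0/24 allow-list is a constructed placeholder for whatever resolvers your router or ISP actually assigns.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the Malwarebytes and HijackThis logs
# pasted in this thread, plus one unrelated HijackThis O4 line as a control.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc64d18a-5f16-4724-997a-e64e40333055}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.11;85.255.112.93 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bc64d18a-5f16-4724-997a-e64e40333055}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.11;85.255.112.93 -> No action taken.
O17 - HKLM\System\CCS\Services\Tcpip\..\{bc64d18a-5f16-4724-997a-e64e40333055}: NameServer = 85.255.112.11;85.255.112.93
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
"""

# Assumed allow-list for the demo: the resolvers this machine is supposed to use
# (a placeholder home-router range). Replace with your ISP's or router's addresses.
TRUSTED_RESOLVERS = ["192.168.1.0/24"]

# Malwarebytes "Registry Data Items" line:
#   ...\<control set>\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer (...) -> Data: a;b
MBAM_RE = re.compile(
    r"\\(?P<hive>CurrentControlSet|ControlSet\d+)\\Services\\Tcpip\\Parameters"
    r"\\Interfaces\\\{(?P<guid>[0-9a-fA-F-]{36})\}\\NameServer"
    r"(?: \([^)]*\))? -> Data: (?P<data>[0-9a-fA-F.:;]+)"
)
# HijackThis O17 line:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a;b
HJT_RE = re.compile(
    r"^O17 - (?P<hive>\S+?)\\?\{(?P<guid>[0-9a-fA-F-]{36})\}: NameServer = (?P<data>[0-9a-fA-F.:;]+)"
)


@dataclass
class NameServerEntry:
    source: str    # which tool's log the line came from
    hive: str      # registry control set (Malwarebytes) or key prefix (HijackThis)
    guid: str      # network interface GUID the setting belongs to
    servers: list  # parsed resolver addresses, in the order they were configured


def split_servers(data):
    """Turn the 'a;b' NameServer value into ip_address objects, skipping junk tokens."""
    servers = []
    for token in data.split(";"):
        token = token.strip()
        if not token:
            continue
        try:
            servers.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # malformed token: skip it rather than crash on a dirty log
    return servers


def parse_nameserver_entries(log_text):
    """Extract every statically configured NameServer from mixed MBAM/HJT log text."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MBAM_RE.search(line)
        if m:
            entries.append(NameServerEntry("malwarebytes", m["hive"], m["guid"].lower(), split_servers(m["data"])))
            continue
        m = HJT_RE.match(line)
        if m:
            entries.append(NameServerEntry("hijackthis", m["hive"], m["guid"].lower(), split_servers(m["data"])))
    return entries


def audit(entries, trusted_networks):
    """Flag each (interface, resolver) pair outside the allow-list.

    A static NameServer pointing anywhere else is exactly what a DNS changer
    leaves behind; the thread's fix is to switch the interface back to
    'Obtain DNS server address automatically' and rescan.
    """
    nets = [ipaddress.ip_network(n, strict=False) if isinstance(n, str) else n
            for n in trusted_networks]
    findings = {}
    for e in entries:
        for ip in e.servers:
            if any(ip in net for net in nets):
                continue
            findings.setdefault((e.guid, str(ip)), set()).add(f"{e.source}:{e.hive}")
    return [
        {"guid": guid, "server": server, "sources": sorted(srcs)}
        for (guid, server), srcs in sorted(findings.items())
    ]


if __name__ == "__main__":
    found = audit(parse_nameserver_entries(SAMPLE_LOG), TRUSTED_RESOLVERS)
    for f in found:
        print(f"interface {f['guid']}: untrusted resolver {f['server']} seen in {', '.join(f['sources'])}")
    if not found:
        print("no static resolvers outside the allow-list")
```

Running it on the thread's lines reports the same two 85.255.112.x resolvers from all three registry locations, which is the signal to reset the interface to automatic DNS before trusting any further downloads from that machine.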

Download FixWareout from this site:
Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) together with the results from look.txt, present on your desktop and a new Hijackthis log.
Note: ONLY if you have connection problems afterwards - go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

I have tried using the link you provided to download FixWareout and get 404 ERROR: Page Not Found!
I have even attempted to search elsewhere to download and all search results seem to be broken links.
Can you provide a link that works?
Thanks

Probably been removed from public use.
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case to run Combofix do the following:
1. Go offline, turn off your Eset antivirus, Windows Defender and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

OK, I followed your instructions and ran ComboFix.
Here are the log results ................
ComboFix 08-11-01.04 - Douglas 2008-11-02 11:38:32.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.427 [GMT -6:00]
Running from: C:\Users\Douglas\Downloads-Programs\ComboFix.exe
* Resident AV is active.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\SAV
C:\Users\Douglas\AppData\Roaming\.#
C:\Users\Douglas\AppData\Roaming\.#\MBX@B28@1B62158.###
C:\Users\Douglas\AppData\Roaming\.#\MBX@B28@1B62168.###
C:\Users\Douglas\AppData\Roaming\.#\MBX@D34@1832158.###
C:\Users\Douglas\AppData\Roaming\.#\MBX@D34@1832168.###
C:\Users\Douglas\AppData\Roaming\.#\MBX@E28@1B22158.###
C:\Users\Douglas\AppData\Roaming\.#\MBX@E28@1B22168.###
C:\Users\Douglas\AppData\Roaming\.#\MBX@EC4@1652158.###
C:\Users\Douglas\AppData\Roaming\.#\MBX@EC4@1652168.###
.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.
2008-11-01 20:29 . 2008-11-01 20:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-11-01 20:29 . 2008-11-01 20:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-01 19:25 . 2008-11-01 20:29 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-11-01 19:25 . 2008-11-01 20:29 <DIR> d-------- C:\ProgramData\Lavasoft
2008-10-30 19:30 . 2008-10-30 19:43 <DIR> d-------- C:\Users\Douglas\AppData\Roaming\Spyware Terminator
2008-10-30 19:30 . 2008-10-30 19:43 <DIR> d-------- C:\Users\All Users\Spyware Terminator
2008-10-30 19:30 . 2008-10-30 19:43 <DIR> d-------- C:\ProgramData\Spyware Terminator
2008-10-30 19:30 . 2008-10-30 19:43 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-10-30 19:30 . 2008-10-30 19:30 141,312 --a------ C:\Windows\System32\drivers\sp_rsdrv2.sys
2008-10-30 18:01 . 2008-10-30 18:01 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-30 18:01 . 2008-10-30 18:01 <DIR> d-------- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-30 17:58 . 2008-10-30 18:43 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-10-30 17:58 . 2008-10-30 18:43 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-10-30 17:58 . 2008-10-30 18:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-29 22:17 . 2008-10-29 22:17 <DIR> d-------- C:\Program Files\CCleaner
2008-10-29 06:06 . 2008-01-08 12:10 98,304 --a------ C:\Windows\RTKAUDIOSERVICE.exe
2008-10-29 06:06 . 2007-11-14 14:18 553 --a------ C:\Windows\USetup.iss
2008-10-29 06:05 . 2008-01-15 10:26 4,874,240 --a------ C:\Windows\RtHDVCpl.exe
2008-10-29 06:05 . 2008-01-07 18:30 2,156,544 --a------ C:\Windows\System32\RtkAPO.dll
2008-10-29 06:05 . 2008-01-15 18:19 2,047,576 --a------ C:\Windows\System32\drivers\RTKVHDA.sys
2008-10-29 06:05 . 2007-11-07 16:31 1,191,936 --a------ C:\Windows\RtlUpd.exe
2008-10-29 06:05 . 2008-01-09 17:52 636,416 --a------ C:\Windows\System32\RtkPgExt.dll
2008-10-29 06:05 . 2007-11-13 11:35 532,480 --a------ C:\Windows\System32\RTSndMgr.cpl
2008-10-29 06:05 . 2006-12-13 09:30 339,968 --a------ C:\Windows\System32\SRSTSXT.dll
2008-10-29 06:05 . 2008-10-29 06:05 315,392 --a------ C:\Windows\HideWin.exe
2008-10-29 06:05 . 2007-07-25 08:33 135,168 --a------ C:\Windows\System32\SRSWOW.dll
2008-10-29 06:05 . 2008-01-14 15:18 29,696 --a------ C:\Windows\System32\RtkCoInst.dll
2008-10-29 04:41 . 2008-10-29 04:41 <DIR> d-------- C:\Users\Douglas\AppData\Roaming\Malwarebytes
2008-10-29 04:41 . 2008-10-29 04:41 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-10-29 04:41 . 2008-10-29 04:41 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-10-29 04:41 . 2008-10-29 04:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-29 04:41 . 2008-10-22 15:10 38,496 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-10-29 04:41 . 2008-10-22 15:10 15,504 --a------ C:\Windows\System32\drivers\mbam.sys
2008-10-29 04:22 . 2008-10-29 04:22 <DIR> d-------- C:\!KillBox
2008-10-28 12:12 . 2008-10-26 23:01 <DIR> d-------- C:\SDFix
2008-10-28 11:56 . 2008-10-28 11:56 <DIR> d-------- C:\!FixIEDef
2008-10-28 10:25 . 2005-04-16 14:58 1,071,088 --a------ C:\Windows\System32\mscomctl.ocx
2008-10-28 10:25 . 2004-03-10 11:45 132,880 --a------ C:\Windows\System32\msinet.ocx
2008-10-28 10:25 . 2004-02-24 15:42 119,808 --a------ C:\Windows\System32\msstdfmt.dll
2008-10-28 10:23 . 2008-10-30 17:53 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-28 09:51 . 2008-10-28 09:50 410,976 --a------ C:\Windows\System32\deploytk.dll
2008-10-27 02:23 . 2008-10-28 05:12 <DIR> d-------- C:\Program Files\Swift Pro 2.0
2008-10-27 01:12 . 2008-10-27 01:12 29,192 --a------ C:\Windows\System32\drivers\ndisprot.sys
2008-10-27 01:12 . 2008-10-27 01:12 113 --a------ C:\RPT23432
2008-10-24 02:50 . 2008-10-27 02:22 <DIR> d-------- C:\Users\Douglas\Downloads-Karaoke
2008-10-17 01:16 . 2008-10-19 11:53 54,156 --ah----- C:\Windows\QTFont.qfn
2008-10-17 01:16 . 2008-10-17 01:16 1,409 --a------ C:\Windows\QTFont.for
2008-10-17 00:04 . 2008-10-17 00:04 <DIR> d-------- C:\Users\Douglas\My Videos
2008-10-14 04:34 . 2008-10-28 03:12 <DIR> d-------- C:\Program Files\Accessdiver
2008-10-10 01:23 . 2008-10-10 01:23 <DIR> d-------- C:\Users\All Users\Submit Suite
2008-10-10 01:23 . 2008-10-10 01:23 <DIR> d-------- C:\ProgramData\Submit Suite
2008-10-10 01:19 . 2008-10-28 04:30 <DIR> d-------- C:\Users\Douglas\Downloads-Website
2008-10-10 00:23 . 2008-10-10 00:23 4 -r-hs---- C:\Users\All Users\sysqcl0.dat
2008-10-10 00:23 . 2008-10-10 00:23 4 -r-hs---- C:\ProgramData\sysqcl0.dat
2008-10-10 00:20 . 2008-10-10 00:20 <DIR> d-------- C:\Program Files\plasq
2008-10-10 00:13 . 2008-10-28 04:35 <DIR> d-------- C:\Users\Douglas\Downloads-Grafix
2008-10-09 21:03 . 2008-10-09 21:14 186 --a------ C:\Windows\Hide-IP-Browser.INI
2008-10-09 21:00 . 2008-10-28 03:37 <DIR> d-------- C:\Program Files\Hide-IP-Browser
2008-10-09 20:55 . 2008-10-28 04:35 <DIR> d-------- C:\Users\Douglas\Downloads-Hackz
2008-10-09 18:44 . 2008-10-09 18:44 <DIR> d-------- C:\Users\Douglas\AppData\Roaming\panoramik
2008-10-09 18:35 . 2008-10-28 04:35 <DIR> d-------- C:\Users\Douglas\Downloads-Games
2008-10-08 23:34 . 2008-10-13 01:03 <DIR> d-------- C:\Users\Douglas\AppData\Roaming\muvee Technologies
2008-10-08 23:34 . 2008-10-08 23:34 <DIR> d-------- C:\Users\All Users\muvee Technologies
2008-10-08 23:34 . 2008-10-08 23:34 <DIR> d-------- C:\ProgramData\muvee Technologies
2008-10-08 19:45 . 2008-10-28 04:33 <DIR> d-------- C:\Users\Douglas\Downloads - Movies
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 00:33 114 ----a-w C:\sccfg.sys
2008-10-30 23:54 --------- d---a-w C:\ProgramData\TEMP
2008-10-30 21:23 --------- d-----w C:\ProgramData\Microsoft Help
2008-10-29 12:29 --------- d-----w C:\ProgramData\NVIDIA
2008-10-29 12:05 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-10-29 12:05 --------- d-----w C:\Program Files\Realtek
2008-10-28 15:50 --------- d-----w C:\Program Files\Java
2008-10-28 15:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-28 11:15 --------- d-----w C:\Program Files\Google
2008-10-28 09:54 --------- d-----w C:\Program Files\Save Flash
2008-10-28 09:43 --------- d-----w C:\Program Files\Opera 9
2008-10-28 09:43 --------- d-----w C:\Program Files\LeeGTs Games
2008-10-28 09:38 --------- d-----w C:\Program Files\Little Shop Of Treasures 2
2008-10-28 09:37 --------- d-----w C:\Program Files\Hidden Expedition Titanic
2008-10-28 09:33 --------- d-----w C:\Program Files\CeRegEditor
2008-10-28 09:24 --------- d-----w C:\ProgramData\PopCap Games
2008-10-28 09:21 --------- d-----w C:\Users\Douglas\AppData\Roaming\SWF.max
2008-10-28 06:18 --------- d-----w C:\Program Files\KBStudio
2008-10-27 08:22 737,280 ----a-w C:\Windows\iun6002.exe
2008-10-27 07:27 --------- d-----w C:\Users\Douglas\AppData\Roaming\Thinstall
2008-10-24 09:06 --------- d-----w C:\Program Files\KaraFun
2008-10-24 08:22 --------- d-----w C:\Users\Douglas\AppData\Roaming\FrostWire
2008-10-20 01:10 --------- d-----w C:\ProgramData\CanonIJPLM
2008-10-16 20:44 --------- d-----w C:\Program Files\XXXFlash Intro and Banner MakerXXX
2008-10-09 05:35 --------- d-----w C:\Users\Douglas\AppData\Roaming\Vso
2008-10-09 01:29 --------- d-----w C:\ProgramData\Roxio
2008-09-27 15:16 --------- d-----w C:\Users\Douglas\AppData\Roaming\ESET
2008-09-27 15:12 --------- d-----w C:\ProgramData\ESET
2008-09-27 15:12 --------- d-----w C:\Program Files\ESET
2008-09-20 11:51 --------- d-----w C:\Users\Douglas\AppData\Roaming\Download Manager
2008-09-20 11:16 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-10 04:11 --------- d-----w C:\Program Files\Framing Studio
2008-09-07 13:12 --------- d-----w C:\Users\Douglas\AppData\Roaming\Yahoo!
2008-09-07 13:12 --------- d-----w C:\ProgramData\Yahoo!
2008-09-07 13:12 --------- d-----w C:\Program Files\Yahoo!
2008-09-06 22:03 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-09-06 22:02 --------- d-----w C:\Program Files\Email-Business
2008-09-05 21:50 --------- d-----w C:\Program Files\Common Files\TweakMarketing
2008-09-04 06:37 --------- d-----w C:\ProgramData\Viewpoint
2008-09-04 06:37 --------- d-----w C:\Program Files\Viewpoint
2008-09-04 06:33 --------- d-----w C:\ProgramData\AOL OCP
2008-09-04 06:32 --------- d-----w C:\ProgramData\AOL
2008-08-23 07:54 434,688 ----a-w C:\Windows\System32\ss2uinst.exe
2008-08-08 16:18 42,281 ----a-w C:\Windows\Keygen.exe
2008-06-25 19:58 74,368 ----a-w C:\Users\Douglas\AppData\Roaming\GDIPFONTCACHEV1.DAT
2007-08-30 08:12 174 --sha-w C:\Program Files\desktop.ini
2007-03-21 07:08 87,608 ----a-w C:\Users\Douglas\AppData\Roaming\ezpinst.exe
2007-03-21 07:08 47,360 ----a-w C:\Users\Douglas\AppData\Roaming\pcouffin.sys
2007-03-13 17:53 0 ----a-w C:\Users\Douglas\AppData\Roaming\wklnhst.dat
2003-09-02 12:55 1,406 ----a-w C:\Program Files\favicon.ico
2007-04-02 15:23 22 --sha-w C:\Windows\SMINST\HPCD.sys
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KbdStub.exe" [2006-12-08 65536]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-13 1443072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-28 136600]
"Windows Mobile Device Center"="C:\Windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 286720]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-22 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 C:\Windows\RtHDVCpl.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-24 44136]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-20 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
backup=C:\Windows\pss\HP Connections.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"NvMediaCenter"=RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"hpsysdrv"=c:\hp\support\hpsysdrv.exe
"Windows Mobile Device Center"=%windir%\WindowsMobile\wmdc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2232079719-3568914182-275210791-1000]
"EnableNotificationsRef"=dword:00000002
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2232079719-3568914182-275210791-501]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"EarthLink2"= TCP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"EarthLink1"= UDP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"Backweb2"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"TCP Query User{FA4A1AAA-4499-4FC9-94C2-7A575AF7E7CC}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{826A7AA4-74C9-4128-984F-1566D5DA3C0C}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{059AF0BE-F8FB-4DDF-96E5-74BB15D2233F}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{62F48BE3-2A8D-4124-BC85-E130BCD9E814}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{87D2EBE2-061B-4352-828F-A98436C486F9}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{2BFB08B1-8893-462B-A6A6-FFB7B2CC730F}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F0B1B94D-AAD1-426A-B9B8-F5098E4B5059}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{282E9618-1672-4A48-B43E-A7515364CF9E}C:\\program files\\mirc\\mirc.exe"= UDP:C:\program files\mirc\mirc.exe:mIRC
"UDP Query User{DD0AC438-B931-4341-A4EA-1F4ECDA5F4A1}C:\\program files\\mirc\\mirc.exe"= TCP:C:\program files\mirc\mirc.exe:mIRC
"{6E48FE4F-1A98-48B7-889F-9A501D19341E}"= UDP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{59A9C12E-9CC3-4329-BC66-AB30CAD1CEFF}"= TCP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{A56371F4-C294-4035-9BEC-FBB1FED4B8B0}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{6CD0946B-685E-4E80-928E-CE6D05BB6F79}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{46157C5B-4B7C-4EFB-8DDF-EBAC369A75FE}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{031E794B-9109-4925-AB96-929F85DD8AE0}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{BBAFDC41-7777-4C04-9353-BB375A6F6A1B}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{89442442-E71B-4C6D-A349-6DEDA44A10CF}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BA3163DD-DF21-49D3-8B84-516B438D7F38}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{855F0EC2-DDC4-4D35-AFC6-B6C2AE10F2E6}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.exe [2006-11-10 99936]
R3 usbprint;Microsoft USB PRINTER Class;C:\Windows\system32\DRIVERS\usbprint.sys [2006-11-02 18944]
S2 Windows Tribute Service;Windows Tribute Service;C:\Windows\system32\kdhut.exe [2007-11-14 69120]
S3 GameConsoleService;GameConsoleService;C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2008-01-12 165416]
S3 Ndisprot;ArcNet NDIS Protocol Driver;C:\Windows\system32\drivers\Ndisprot.sys [2008-10-27 29192]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-11-02 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.exe [2007-10-19 11:20]
2008-10-17 C:\Windows\Tasks\HPCeeScheduleForDouglas.job
- C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-10-24 17:04]
2008-11-01 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Douglas.job
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe []
2008-11-02 C:\Windows\Tasks\User_Feed_Synchronization-{C7A26A44-A30D-4812-897D-57EF48174D46}.job
- C:\Windows\system32\msfeedssync.exe [2006-11-02 03:45]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O17 -: HKLM\CCS\Interface\{bc64d18a-5f16-4724-997a-e64e40333055}: NameServer = 85.255.112.11;85.255.112.93
O16 -: {297DE2B6-509A-4B36-93C5-A65276606900} - hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
C:\Windows\Downloaded Program Files\RraainAX.INF
C:\Windows\System32\MSSTKPRP.DLL
C:\Windows\System32\msvbvm60.dll
C:\Windows\System32\oleaut32.dll
C:\Windows\System32\olepro32.dll
C:\Windows\System32\asycfilt.dll
C:\Windows\System32\stdole2.tlb
C:\Windows\System32\comcat.dll
C:\Windows\System32\objsafe.tlb
C:\Windows\System32\DLGOBJS.DLL
C:\Windows\Downloaded Program Files\RraainAX.ocx
.**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 11:47:50
Windows 6.0.6000 NTFS
detected NTDLL code modification:
ZwQueryDirectoryFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\Windows\system32\kdhut.exe 69120 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-11-02 11:53:00
ComboFix-quarantined-files.txt 2008-11-02 17:52:51
Pre-Run: 205,455,441,920 bytes free
Post-Run: 205,503,123,456 bytes free
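
Added example (editor's code, not a tool from this thread or from ComboFix): a small Python triage script that reads ComboFix-style log lines such as those posted above and lists the entries a responder should act on first. It reports the O17 NameServer override on the network interface (the per-interface DNS setting behind the redirect symptom; the set of resolvers the machine is expected to use is an assumption, here the home router), the EnableLUA=0, EnableFirewall=0 and Security Center DisableMonitoring/DisableNotify values that show protection had been switched off, and any automatic-start service whose image is an unrecognised .exe sitting directly in system32, which is how kdhut.exe shows up in the services list. The sample log is a constructed subset of the log above with the fused key headers put back on their own lines; the allowlist of Windows service binaries is illustrative only.

```python
import re
from typing import List

# Resolvers this machine is expected to use (assumption for the example: the
# home router). Any other address in an O17 NameServer line is reported.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Windows-shipped service binaries that legitimately run from system32
# (illustrative allowlist, not exhaustive; extend it for your own baseline).
KNOWN_SYSTEM32_SERVICES = {"svchost.exe", "lsass.exe", "services.exe",
                           "spoolsv.exe", "dllhost.exe", "msdtc.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')
# ComboFix service lines: state letter (R running / S stopped), start-type
# digit (2 automatic, 3 manual), then name;display name;image [date size]
_SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?$")
_O17_RE = re.compile(r"^O17 -: (.+?): NameServer = (.+)$")

# Constructed sample: a subset of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"EarthLink2"= TCP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.exe [2006-11-10 99936]
R3 usbprint;Microsoft USB PRINTER Class;C:\Windows\system32\DRIVERS\usbprint.sys [2006-11-02 18944]
S2 Windows Tribute Service;Windows Tribute Service;C:\Windows\system32\kdhut.exe [2007-11-14 69120]
S3 GameConsoleService;GameConsoleService;C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2008-01-12 165416]
O17 -: HKLM\CCS\Interface\{bc64d18a-5f16-4724-997a-e64e40333055}: NameServer = 85.255.112.11;85.255.112.93
"""


def _as_int(raw: str):
    """Read the numeric forms ComboFix prints: 'dword:00000001' or '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group()) if m else None


def triage(log_text: str) -> List[str]:
    """Return the findings a responder should act on, in log order."""
    findings: List[str] = []
    key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:                      # registry key header: context for the values below it
            key = m.group(1)
            continue
        m = _O17_RE.match(line)
        if m:                      # per-interface DNS override
            iface, servers = m.groups()
            rogue = [s.strip() for s in servers.split(";")
                     if s.strip() and s.strip() not in EXPECTED_RESOLVERS]
            if rogue:
                findings.append(f"DNS hijack: {iface} uses resolvers {', '.join(rogue)}")
            continue
        m = _SERVICE_RE.match(line)
        if m:                      # auto-start .exe directly in system32 that we do not know
            _state, start, name, _display, image = m.groups()
            parent, _, exe = image.lower().rpartition("\\")
            if (start == "2" and exe.endswith(".exe")
                    and parent.endswith("\\windows\\system32")
                    and exe not in KNOWN_SYSTEM32_SERVICES):
                findings.append(f"Suspicious auto-start service: {name} -> {image}")
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), _as_int(m.group(2))
        key_l = key.lower()
        leaf = key.rpartition("\\")[2]
        if key_l.endswith("policies\\system") and name == "EnableLUA" and value == 0:
            findings.append("UAC disabled (EnableLUA=0)")
        elif "firewallpolicy\\" in key_l and name == "EnableFirewall" and value == 0:
            findings.append(f"Windows Firewall disabled: {leaf}")
        elif "security center" in key_l and name == "DisableMonitoring" and value == 1:
            findings.append(f"Security Center monitoring disabled: {leaf}")
        elif "security center" in key_l and name.endswith("DisableNotify") and value == 1:
            findings.append(f"Security Center alert suppressed: {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it prints nine findings; the Canon survey service (auto-start but under Program Files), the USB printer driver and the EarthLink firewall rule are left alone. The O17 check is the one to keep after cleanup: a DNS override that survives a reboot means the setting, not just the dropper, still needs removing.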

Delete this file with killbox:
C:\Windows\system32\kdhut.exe
Download the Registry Search Tool from here:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)
In the dialog that opens enter the following:
kdhut
Press 'OK'.
The search will run for a while, then alert you when it is finished.
Press 'OK' and copy the contents of the WordPad window and post them in this thread.
Please post the results of this scan.

OK, I ran Killbox but it popped up an error that it could not delete the file, so I selected 'Delete file on reboot'. Once the PC rebooted I ran Killbox again and attempted to delete the file again, and it popped up a message saying "File doesn't seem to exist", so I take it the kdhut file was deleted. I next ran regsrch.vbs and here is the WordPad log it provided:
REGEDIT4
; RegSrch.vbs © Bill James; Registry search results for string "kdhut" 11/2/2008 1:23:03 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-2232079719-3568914182-275210791-1000\Software\Microsoft\Windows\CurrentVersion]
"kdhut.exe"=hex:99,14,00,00,49,4e,50,5d,b7,ba,38,c5,c5,d1,10,e1,e7,f1,08,f3,13,\

Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as Registry, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry::
[HKEY_USERS\S-1-5-21-2232079719-3568914182-275210791-1000\Software\Microsoft\Windows\CurrentVersion]
"kdhut.exe"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt and save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".
Restart the computer.
Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Please run ESET's online scanner from this link:
1. Note: You will need to use Internet explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

OK, I followed the instructions and here is the ESET log:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3576 (20081102)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=bb746c5c57e85a44bd6548cb39c3ce63
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-03 02:38:49
# local_time=2008-11-02 08:38:49 (-0600, Central Standard Time)
# country="United States"
# osver=6.0.6000 NT
# scanned=776430
# found=1
# scan_time=8098
# nod_component=V3 Build:0x30000000 ()
D:\resycled\boot.com a variant of Win32/Kryptik.BB trojan DABD25FD76707E989267196FF82B8180

Before you run the combofix script make sure the D: drive is plugged into the computer as it appears to be a jump drive or similar.
Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
D:\resycled\boot.com
Folder::
D:\resycled
Driver::
Windows Tribute Service
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt and save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".
Please run another ESET online scan and post its log.
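
Added example (editor's code, not a tool from this thread and not part of ComboFix): a Python helper that builds the two CFScripts the helper posted above instead of retyping them. The first function parses REGEDIT4-style output, as RegSrch.vbs writes it, into (key, value name) pairs, handling the backslash and quote escapes of the .reg format so the value name in the `"name"=-` deletion line is reproduced exactly; the second assembles a script from the directives shown in this thread (KILLALL::, File::, Folder::, Driver::, Registry::) with the directive on the very first line, which is the rule the helper states. The example knows only the directive names that appear in the two scripts above, nothing more of ComboFix's script syntax. The RegSrch text below is a constructed copy of the OP's earlier post.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the RegSrch.vbs output posted earlier in this thread
# (hex data truncated as in the post).
REGSRCH_OUTPUT = r"""REGEDIT4
; RegSrch.vbs (c) Bill James; Registry search results for string "kdhut" 11/2/2008 1:23:03 PM
; NOTE: This file will be deleted when you close WordPad.
[HKEY_USERS\S-1-5-21-2232079719-3568914182-275210791-1000\Software\Microsoft\Windows\CurrentVersion]
"kdhut.exe"=hex:99,14,00,00,49,4e,50,5d,b7,ba,38,c5,c5,d1,10,e1,e7,f1,08,f3,13,\
"""

# A .reg value line: quoted name (with \" and \\ escapes allowed) followed by '='.
_REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=')


def parse_reg_hits(reg_text: str) -> List[Tuple[str, str]]:
    """Return (key, value_name) pairs from REGEDIT4-style output such as RegSrch.vbs writes."""
    hits: List[Tuple[str, str]] = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")                       # comments
                or line.upper().startswith("REGEDIT")              # REGEDIT4 header
                or line.startswith("Windows Registry Editor")):    # REGEDIT5 header
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _REG_VALUE_RE.match(line)
        if m and key:
            # undo the .reg escaping so the name is the one actually in the registry
            hits.append((key, re.sub(r"\\(.)", r"\1", m.group(1))))
    return hits


def _reg_escape(name: str) -> str:
    """Re-apply .reg escaping when writing a value name back out."""
    return name.replace("\\", "\\\\").replace('"', '\\"')


def build_cfscript(kill_all: bool = False,
                   files: Iterable[str] = (),
                   folders: Iterable[str] = (),
                   drivers: Iterable[str] = (),
                   registry_deletions: Iterable[Tuple[str, str]] = ()) -> str:
    """Assemble a CFScript from the directives shown in this thread.

    The first line must be a directive (nothing is emitted before it), and
    registry deletions use the .reg convention "name"=- under their key.
    """
    lines: List[str] = []
    if kill_all:
        lines.append("KILLALL::")
    for directive, items in (("File::", files), ("Folder::", folders), ("Driver::", drivers)):
        items = list(items)
        if items:
            lines.append(directive)
            lines.extend(items)
    by_key: Dict[str, List[str]] = {}
    for key, name in registry_deletions:
        by_key.setdefault(key, []).append(name)
    if by_key:
        lines.append("Registry::")
        for key, names in by_key.items():
            lines.append(f"[{key}]")
            lines.extend(f'"{_reg_escape(n)}"=-' for n in names)
    if not lines:
        raise ValueError("nothing to do: a CFScript must start with a directive")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # First script in the thread: delete the value RegSrch found.
    print(build_cfscript(registry_deletions=parse_reg_hits(REGSRCH_OUTPUT)))
    # Second script: the ESET finding on D: plus the service that loaded kdhut.exe.
    print(build_cfscript(kill_all=True, files=[r"D:\resycled\boot.com"],
                         folders=[r"D:\resycled"], drivers=["Windows Tribute Service"]))
```

Parsing the search output rather than copying by hand matters when the value name contains characters the .reg format escapes; a mistyped name silently deletes nothing, and the script is then reported as having run cleanly.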
