Another Google and Yahoo redirected problem


#1 Eden Obscured (New Member, 3 posts)

So my setup is:

I have a Linksys router. The PC that is infected is connected straight to the router. My PC upstairs that is not infected is connected wirelessly. I have contacted AT&T, Linksys and HP about this DNSChanger trojan and only HP has given me the most help. Heck, I think I might even help them by showing them this thread documentation here if this gets solved because the rep was really interested in solving this. The rep understands I work in IT and didn't want to tell me about their other department specializing in this type of infection, and for $60 they can control my PC and get rid of this. Maybe.
:)


I also can't update through Windows update or use the update feature in any application.

So anyways, I ran SUPERAntiSpyware and it has detected

Rootkit.Agent/Gen-GAOPDX.
- C:\WINDOWS\SYSTEM32\GAOPDXXSPDXNCQ.DLL


Malwarebytes has detected this and the DNSChanger files. I have removed those in safe mode and while I was disconnected from the net. I also bypassed the router and just used my modem to access the net. I also cleared my router and gave it a new password and everything. Each way I keep getting redirected.


Here are the SUPERAntiSpyware logs:

1st log:

Trace Rules Database Version: 1698

Scan type : Quick Scan
Total Scan Time : 00:01:25

Memory items scanned : 637
Memory threats detected : 0
Registry items scanned : 448
Registry threats detected : 4
File items scanned : 546
File threats detected : 0

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B46A800E-914A-41CE-B166-4A6013C33531}#NAMESERVER
HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B46A800E-914A-41CE-B166-4A6013C33531}#NAMESERVER


2nd log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/06/2009 at 11:28 AM

Application Version : 4.25.1012

Core Rules Database Version : 3724
Trace Rules Database Version: 1698

Scan type : Quick Scan
Total Scan Time : 00:12:07

Memory items scanned : 259
Memory threats detected : 0
Registry items scanned : 487
Registry threats detected : 0
File items scanned : 17904
File threats detected : 1

Rootkit.Agent/Gen-GAOPDX
C:\WINDOWS\SYSTEM32\GAOPDXXSPDXNCQ.DLL


Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 6.0.6001 Service Pack 1

2/6/2009 12:29:48 PM
mbam-log-2009-02-06 (12-29-48).txt

Scan type: Quick Scan
Objects scanned: 47869
Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Here's a HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:24:50, on 2/6/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...ion&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...ion&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...ion&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [hpsysdrv] "c:\hp\support\hpsysdrv.exe"
O4 - HKLM\..\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] "c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [NvCplDaemon] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\Windows\KHALMNPR.EXE"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PictureMover.lnk = C:\Program Files\PictureMover\Bin\PictureMover.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h20364.www2....DataManager.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.co...sreqlab_srl.cab
O16 - DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} (Comodo AV Scanner ActiveX) - http://www.personalf...doAVScanner.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7033 bytes



I'd appreciate the help. The only thing I haven't done is the Free Kaspersky Lab online scan.

Edited by Eden Obscured, 06 February 2009 - 04:35 PM.
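The two scanner logs in this post show the same hijacked resolver pair stored in more than one place: Malwarebytes found the global NameServer value under CurrentControlSet, ControlSet001 and ControlSet002, while SUPERAntiSpyware found another copy under a per-interface key (Interfaces\{GUID}). A cleanup that only clears the global value leaves the interface copy in place, which is consistent with the redirects surviving each removal attempt. The following script is an added example, not code from the thread or from any of the tools named in it: it parses `reg query <key> /s` output for every control set and flags any resolver that is not on a trusted list or that falls in a known rogue range. It assumes 85.255.112.0/20 as the published rogue range for this DNSChanger family (it contains the 85.255.112.39/.40 pair from the log); the second interface GUID and the 192.168.1.1 router address in the sample are constructed.

```python
"""Audit Windows DNS resolver settings for the DNSChanger pattern seen above.

The check must cover every control set (not only the active one) and the
per-interface keys under Tcpip\\Parameters\\Interfaces\\{GUID}, because a
global-only cleanup leaves the interface copy behind.
"""
import ipaddress
import re
import subprocess
import sys

# Published rogue resolver range for this DNSChanger family; it contains the
# 85.255.112.39 / 85.255.112.40 pair from the Malwarebytes log. Known-bad
# list to extend by hand, not something the script derives.
KNOWN_ROGUE_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# Control sets seen in the logs; a host may carry further ControlSetNNN keys.
CONTROL_SETS = ("CurrentControlSet", "ControlSet001", "ControlSet002")

_KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
_VALUE_RE = re.compile(
    r"^\s+(?P<name>NameServer|DhcpNameServer)\s+REG_SZ\s*(?P<data>.*)$", re.IGNORECASE
)


def parse_reg_query(text):
    """Return (key_path, value_name, [ip, ...]) from 'reg query <key> /s' output."""
    entries, current_key = [], None
    for line in text.splitlines():
        if _KEY_RE.match(line):
            current_key = line.strip()
            continue
        m = _VALUE_RE.match(line)
        if m and current_key:
            # Data is a comma- or space-separated list; an interface that takes
            # DNS from DHCP normally has an empty static NameServer.
            ips = [p for p in re.split(r"[,\s]+", m.group("data").strip()) if p]
            entries.append((current_key, m.group("name"), ips))
    return entries


def classify(ip_text, trusted):
    """trusted: resolver addresses (strings) the host is expected to use,
    e.g. the router or the ISP's resolvers."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if any(ip in net for net in KNOWN_ROGUE_RANGES):
        return "rogue"
    if ip in {ipaddress.ip_address(t) for t in trusted}:
        return "trusted"
    return "unexpected"


def audit(reg_text, trusted):
    """Return every configured resolver that is not trusted, with its verdict."""
    findings = []
    for key, name, ips in parse_reg_query(reg_text):
        for ip in ips:
            verdict = classify(ip, trusted)
            if verdict != "trusted":
                findings.append({"key": key, "value": name, "ip": ip, "verdict": verdict})
    return findings


def query_live_registry():
    """Windows only: dump the Tcpip\\Parameters tree of every control set."""
    chunks = []
    for cs in CONTROL_SETS:
        key = "\\".join(["HKLM", "SYSTEM", cs, "Services", "Tcpip", "Parameters"])
        proc = subprocess.run(["reg", "query", key, "/s"], capture_output=True, text=True)
        chunks.append(proc.stdout)  # a missing control set simply yields no output
    return "\n".join(chunks)


# Constructed sample in 'reg query' layout. The first GUID is the one from the
# SUPERAntiSpyware log; the second GUID and 192.168.1.1 are made up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer    REG_SZ    85.255.112.39,85.255.112.40

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B46A800E-914A-41CE-B166-4A6013C33531}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ    85.255.112.39,85.255.112.40
    DhcpNameServer    REG_SZ    192.168.1.1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.168.1.1
"""

if __name__ == "__main__":
    text = query_live_registry() if sys.platform == "win32" else SAMPLE_REG_QUERY
    for f in audit(text, trusted=["192.168.1.1"]):
        print(f"{f['verdict']:<10} {f['ip']:<16} {f['value']} @ {f['key']}")
```

Run it on the affected host after each cleanup pass; the redirects should not stop until it reports nothing, and a DhcpNameServer entry pointing at the router still needs the router's own DNS setting checked separately.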


#2 Eden Obscured (Topic Starter, 3 posts)

I started the Free Kaspersky Lab online scan, but couldn't get it to run since I can't get any program to go out to reach updates. It needs updates before it will start the scan.

#3 Eden Obscured (Topic Starter, 3 posts)

I think I solved it.


ComboFix 09-02-06.01 - Stonebraker 2009-02-06 6:28:53.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3325.2314 [GMT -6:00]
Running from: c:\users\Stonebraker\Desktop\ComboFix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\recycler\S-4-9-75-100026947-100015626-100031416-8242.com
c:\users\Stonebraker\AppData\Roaming\.#
c:\windows\system32\drivers\gaopdxwqvicquw.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxxspdxncq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-06 14:24 . 2009-02-06 14:24 0 --a------ c:\windows\System32\file.ext
2009-02-06 12:21 . 2009-02-06 12:21 <DIR> d-------- c:\users\Stonebraker\AppData\Roaming\Malwarebytes
2009-02-06 12:21 . 2009-02-06 12:21 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-06 12:21 . 2009-02-06 12:21 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-06 12:21 . 2009-02-06 12:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-06 12:21 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-06 12:21 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-06 10:20 . 2009-02-06 10:20 <DIR> d-------- c:\users\All Users\Motive
2009-02-06 10:20 . 2009-02-06 10:20 <DIR> d-------- c:\programdata\Motive
2009-02-06 10:20 . 2009-02-06 10:20 <DIR> d-------- c:\program files\Common Files\Motive
2009-02-06 10:20 . 2009-02-06 10:20 <DIR> d-------- c:\program files\ATT-PRT22-WISE
2009-02-06 10:20 . 2009-02-06 10:20 <DIR> d-------- c:\program files\att-prt22
2009-02-06 06:15 . 2009-02-06 06:17 <DIR> d-------- C:\32788R22FWJFW.1.tmp
2009-02-06 06:14 . 2009-02-06 06:15 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-02-06 05:18 . 2009-02-06 05:18 <DIR> d-------- c:\users\All Users\Kaspersky Lab Setup Files
2009-02-06 05:18 . 2009-02-06 05:18 <DIR> d-------- c:\programdata\Kaspersky Lab Setup Files
2009-02-06 04:56 . 2009-02-06 04:56 410,984 --a------ c:\windows\System32\deploytk.dll
2009-02-06 04:55 . 2009-02-06 04:55 <DIR> d-------- c:\program files\Java
2009-02-06 04:07 . 2009-02-06 04:07 <DIR> d-------- c:\program files\Trend Micro
2009-02-05 22:56 . 2009-02-05 22:56 <DIR> d-------- c:\users\Stonebraker\AppData\Roaming\SUPERAntiSpyware.com
2009-02-05 22:56 . 2009-02-05 22:56 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-02-05 22:56 . 2009-02-05 22:56 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-02-05 22:56 . 2009-02-05 22:56 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-05 22:11 . 2009-02-05 22:11 <DIR> d-------- c:\program files\VS Revo Group
2009-02-05 20:55 . 2009-02-05 20:55 0 --ah----- c:\users\Default.LOG2
2009-02-05 20:55 . 2009-02-05 20:55 0 --ah----- c:\users\Default.LOG1
2009-02-05 20:55 . 2009-02-05 20:55 0 --ah----- C:\ProgramData.LOG2
2009-02-05 20:55 . 2009-02-05 20:55 0 --ah----- C:\ProgramData.LOG1
2009-02-05 20:43 . 2009-02-05 20:43 <DIR> d-------- C:\Binaries
2009-02-05 20:30 . 2009-02-05 20:31 <DIR> d-------- c:\users\Stonebraker\.housecall6.6
2009-02-05 19:41 . 2009-02-05 20:15 <DIR> d----c--- c:\windows\System32\DRVSTORE
2009-02-04 22:05 . 2009-02-04 22:05 260 --a------ c:\users\Stonebraker\AppData\Roaming\AddThis.Bin
2009-01-26 19:11 . 2009-01-26 19:11 <DIR> d-------- c:\windows\PCHEALTH
2009-01-26 19:11 . 2009-01-26 19:11 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-26 19:08 . 2009-01-27 11:54 <DIR> d-------- c:\users\All Users\Microsoft Help
2009-01-26 19:08 . 2009-01-27 11:54 <DIR> d-------- c:\programdata\Microsoft Help
2009-01-26 18:56 . 2009-01-26 18:56 <DIR> d-------- c:\users\Stonebraker\AppData\Roaming\Kutchka
2009-01-26 18:56 . 2009-01-26 18:56 <DIR> d-------- c:\program files\Kutchka
2009-01-26 18:53 . 2009-01-26 18:53 <DIR> dr-h----- C:\MSOCache
2009-01-25 16:43 . 2009-02-05 20:16 <DIR> d-------- c:\users\All Users\Lavasoft
2009-01-25 16:43 . 2009-02-05 20:16 <DIR> d-------- c:\programdata\Lavasoft
2009-01-25 16:43 . 2009-02-05 20:16 <DIR> d-------- c:\program files\Lavasoft
2009-01-14 17:35 . 2008-12-15 20:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-10 09:46 . 2009-01-26 19:03 <DIR> d-------- c:\users\Stonebraker\AppData\Roaming\GetRightToGo
2009-01-10 00:38 . 2009-01-10 00:38 215,040 --ahs---- c:\users\ehthumbs_vista.db
2009-01-10 00:31 . 2009-01-10 00:31 <DIR> d-------- c:\users\Stonebraker\AppData\Roaming\iWin
2009-01-10 00:26 . 2006-11-02 04:23 <DIR> dr------- c:\users\Mcx1\Videos
2009-01-10 00:26 . 2006-11-02 04:23 <DIR> d-------- c:\users\Mcx1\Saved Games
2009-01-10 00:26 . 2006-11-02 04:23 <DIR> dr------- c:\users\Mcx1\Pictures
2009-01-10 00:26 . 2006-11-02 04:23 <DIR> dr------- c:\users\Mcx1\Music
2009-01-10 00:26 . 2006-11-02 04:23 <DIR> dr------- c:\users\Mcx1\Links
2009-01-10 00:26 . 2006-11-02 04:23 <DIR> dr------- c:\users\Mcx1\Downloads
2009-01-10 00:26 . 2009-01-10 00:26 <DIR> dr------- c:\users\Mcx1\Documents
2009-01-10 00:26 . 2009-01-10 00:28 <DIR> d--h----- c:\users\Mcx1\AppData
2009-01-10 00:26 . 2009-01-25 17:28 <DIR> d-------- c:\users\Mcx1
2009-01-10 00:23 . 2009-01-10 00:23 <DIR> d-------- c:\users\Stonebraker\AppData\Roaming\WildTangent
2009-01-07 22:53 . 2009-01-07 22:53 130,208 -r------- c:\windows\bwUnin-8.1.1.87-8876480SL.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 12:34 --------- d-----w c:\programdata\_comodo_
2009-02-06 04:55 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-06 04:16 --------- d-----w c:\program files\COMODO
2009-02-06 02:38 --------- d-----w c:\programdata\WildTangent
2009-02-06 02:38 --------- d-----w c:\program files\HP Games
2009-02-05 03:53 --------- d-----w c:\program files\Steam
2009-02-05 03:05 --------- d-----w c:\program files\Common Files\Steam
2009-01-28 23:52 --------- d-----w c:\program files\Common Files\Adobe
2009-01-27 14:30 1,854 ----a-w c:\users\Stonebraker\AppData\Roaming\wklnhst.dat
2009-01-27 00:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-27 00:55 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-15 09:01 --------- d-----w c:\program files\Windows Mail
2009-01-05 21:24 127,034 ------r c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-01-05 21:24 --------- d-----w c:\users\Stonebraker\AppData\Roaming\Logitech
2009-01-05 21:24 --------- d-----w c:\program files\Logitech
2009-01-05 21:24 --------- d-----w c:\program files\Common Files\Logishrd
2009-01-05 21:22 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-01-05 21:21 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-01-05 21:20 --------- d-----w c:\programdata\Logitech
2009-01-05 21:19 --------- d-----w c:\users\Stonebraker\AppData\Roaming\InstallShield
2009-01-05 21:19 --------- d-----w c:\programdata\LogiShrd
2009-01-04 06:15 --------- d-----w c:\programdata\WindowsSearch
2008-12-25 14:11 --------- d-----w c:\users\Stonebraker\AppData\Roaming\Out of the Park Developments
2008-12-25 01:48 --------- d-----w c:\program files\GoldWave
2008-12-25 01:45 131,072 ----a-w c:\windows\System32\SpoonUninstall.exe
2008-12-25 01:45 --------- d-----w c:\program files\Illustrate
2008-12-22 03:05 --------- d-----w c:\program files\Adobe_Photoshop_CS3
2008-12-13 22:59 --------- d-----w c:\users\Stonebraker\AppData\Roaming\SystemRequirementsLab
2008-12-13 22:43 99,344 ----a-w c:\windows\system32\drivers\cmdguard.sys
2008-12-13 22:43 147,192 ----a-w c:\windows\System32\guard32.dll
2008-12-13 22:39 --------- d-----w c:\program files\CCleaner
2008-12-06 15:08 --------- d-----w c:\users\Stonebraker\AppData\Roaming\DivX
2008-12-06 15:05 --------- d-----w c:\program files\DivX
2008-12-06 15:05 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-11-21 21:47 524,288 ----a-w c:\windows\System32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\System32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\System32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\System32\DivXWMPExtType.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2009-01-10 91440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-01 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-01 133656]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2008-12-13 1797880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13584928]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2008-02-29 76304]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-06 148888]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-02-05 805392]
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-06-03 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2008-07-24 14:59 972080 c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-31 20:21 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2008-02-29 03:12 76304 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2008-02-29 03:12 76304 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{908A9AD7-9842-406F-9F01-1D8D643F69D4}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"TCP Query User{23BDAE14-996C-4CAB-AB11-385EB915F7E0}c:\\program files\\bitlord\\bitlord.exe"= UDP:c:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{4A2DA3C1-7EA0-458C-A911-12BEA6E5250C}c:\\program files\\bitlord\\bitlord.exe"= TCP:c:\program files\bitlord\bitlord.exe:BitLord
"TCP Query User{1C6A511E-7B13-4783-B37E-A8AD47ED000F}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{21D90B1C-5E63-4957-9E2A-175B9B848310}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{78D8C10B-1057-48CA-9C35-FA51E163A00A}c:\\program files\\steam\\steamapps\\whitesox93\\counter-strike\\hl.exe"= UDP:c:\program files\steam\steamapps\whitesox93\counter-strike\hl.exe:Half-Life Launcher
"UDP Query User{1E9E4607-9433-40F9-87BD-CA807F817031}c:\\program files\\steam\\steamapps\\whitesox93\\counter-strike\\hl.exe"= TCP:c:\program files\steam\steamapps\whitesox93\counter-strike\hl.exe:Half-Life Launcher
"TCP Query User{88BE3C92-30AC-4408-9951-908043172352}c:\\program files\\steam\\steamapps\\whitesox93\\day of defeat\\hl.exe"= UDP:c:\program files\steam\steamapps\whitesox93\day of defeat\hl.exe:Half-Life Launcher
"UDP Query User{7D3C0D24-7000-4EC2-BB5F-530E97E8D0D8}c:\\program files\\steam\\steamapps\\whitesox93\\day of defeat\\hl.exe"= TCP:c:\program files\steam\steamapps\whitesox93\day of defeat\hl.exe:Half-Life Launcher
"TCP Query User{48F25C5E-6BFB-451B-B60E-EAEF6210948D}c:\\program files\\steam\\steamapps\\whitesox93\\counter-strike source\\hl2.exe"= UDP:c:\program files\steam\steamapps\whitesox93\counter-strike source\hl2.exe:hl2
"UDP Query User{795D64F2-1DDB-4B7D-8328-D601FE5CD565}c:\\program files\\steam\\steamapps\\whitesox93\\counter-strike source\\hl2.exe"= TCP:c:\program files\steam\steamapps\whitesox93\counter-strike source\hl2.exe:hl2
"TCP Query User{3E4AA542-A43D-43F6-B8A3-7D9365BE82E2}c:\\program files\\steam\\steamapps\\whitesox93\\deathmatch classic\\hl.exe"= UDP:c:\program files\steam\steamapps\whitesox93\deathmatch classic\hl.exe:Half-Life Launcher
"UDP Query User{AF30CC63-E19D-4AD6-A559-9FB0643CCD64}c:\\program files\\steam\\steamapps\\whitesox93\\deathmatch classic\\hl.exe"= TCP:c:\program files\steam\steamapps\whitesox93\deathmatch classic\hl.exe:Half-Life Launcher
"TCP Query User{E5DEE3E3-01D0-4DF6-BE9A-D37FE0A9C980}c:\\program files\\steam\\steamapps\\whitesox93\\ricochet\\hl.exe"= UDP:c:\program files\steam\steamapps\whitesox93\ricochet\hl.exe:Half-Life Launcher
"UDP Query User{B71D1C34-6C38-4DD5-8E8B-4595CA909A3F}c:\\program files\\steam\\steamapps\\whitesox93\\ricochet\\hl.exe"= TCP:c:\program files\steam\steamapps\whitesox93\ricochet\hl.exe:Half-Life Launcher
"{8B0B984D-BBB7-4000-A423-EF9C68BB77B4}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{AF66493D-5E20-4E35-B3EE-9819001AF2D3}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{FDC33FBD-8019-4FD6-AC27-B48BA3F8F397}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{0CD68BB9-9530-4B5B-B5C2-D4ECCB53FA79}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{5CAA7F0A-AC4A-4332-B052-BF51D585DA6C}c:\\program files\\steam\\steamapps\\whitesox93\\condition zero\\hl.exe"= UDP:c:\program files\steam\steamapps\whitesox93\condition zero\hl.exe:Half-Life Launcher
"UDP Query User{F8E76849-4004-4EAD-A4A8-25F297EE6223}c:\\program files\\steam\\steamapps\\whitesox93\\condition zero\\hl.exe"= TCP:c:\program files\steam\steamapps\whitesox93\condition zero\hl.exe:Half-Life Launcher
"TCP Query User{0583815D-5C63-4C95-BB75-F8AE452450D3}c:\\program files\\steam\\steamapps\\whitesox93\\insurgency\\hl2.exe"= UDP:c:\program files\steam\steamapps\whitesox93\insurgency\hl2.exe:hl2
"UDP Query User{CE716386-992B-4AB8-B211-A422F4069EB4}c:\\program files\\steam\\steamapps\\whitesox93\\insurgency\\hl2.exe"= TCP:c:\program files\steam\steamapps\whitesox93\insurgency\hl2.exe:hl2
"TCP Query User{C3770701-3100-4FF6-8332-4AA2C906D8DF}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{923DDD36-48BC-406B-8C91-A61103B506FB}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{2102CFAC-B417-4D51-9F3A-7D64D6F33636}c:\\program files\\steam\\steamapps\\whitesox93\\team fortress 2\\hl2.exe"= UDP:c:\program files\steam\steamapps\whitesox93\team fortress 2\hl2.exe:hl2
"UDP Query User{4FE64347-4AB6-40D2-8D1C-7A414BCA0D82}c:\\program files\\steam\\steamapps\\whitesox93\\team fortress 2\\hl2.exe"= TCP:c:\program files\steam\steamapps\whitesox93\team fortress 2\hl2.exe:hl2
"{859C4430-08AB-4109-8253-AF031658DE98}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{9F17EDC8-3413-44FF-893F-A58E6552C0BE}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{AE2CB247-E30F-47A0-8644-8456C31423FF}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{8034BDE2-B6C3-4B6F-B2BB-7DB38C4AB800}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{B64FEB57-75A5-46D2-A8F3-1B4F71E7BF19}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{AB6A69CE-5481-4089-9ACE-A75A54995C5F}c:\\program files\\steam\\gameoverlayui.exe"= UDP:c:\program files\steam\gameoverlayui.exe:Steam Game Overlay
"UDP Query User{1D371E58-0533-4A0B-99EB-F2994C3D3644}c:\\program files\\steam\\gameoverlayui.exe"= TCP:c:\program files\steam\gameoverlayui.exe:Steam Game Overlay
"{67577E9D-135F-40A8-9AE1-6ABC6242041D}"= UDP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{D93A8171-FE4F-4C7D-A0A9-5C0583C41645}"= TCP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{1B51B84D-9C8A-4561-B4E6-5196465F5E1C}"= UDP:c:\program files\Steam\steamapps\common\out of the park baseball 9\ootp9.exe:Out of the Park Baseball 9
"{DDF1D5A0-A96A-47D7-97E1-1D0FC666A443}"= TCP:c:\program files\Steam\steamapps\common\out of the park baseball 9\ootp9.exe:Out of the Park Baseball 9

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [2008-10-31 99344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [2008-10-31 25104]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-01-20 21504]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-03 24652]
R3 HSXHWBS3;HSXHWBS3;c:\windows\System32\drivers\HSXHWBS3.sys [2008-10-28 207360]
S3 rcmirror;rcmirror;c:\windows\System32\drivers\rcmirror.sys [2008-10-08 3328]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-11 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 08:43]

2009-02-06 c:\windows\Tasks\User_Feed_Synchronization-{FC403BD3-93FD-4A80-BB83-2367E5A2E7E0}.job
- c:\windows\system32\msfeedssync.exe [2008-01-20 20:24]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} - hxxp://www.personalfirewall.comodo.com/scan/ComodoAVScanner.cab
FF - ProfilePath - c:\users\Stonebraker\AppData\Roaming\Mozilla\Firefox\Profiles\le6kiyni.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 06:34:05
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\guard32.dll
.
Completion time: 2009-02-06 6:36:22
ComboFix-quarantined-files.txt 2009-02-06 12:36:20

Pre-Run: 111,621,197,824 bytes free
Post-Run: 111,659,503,616 bytes free

278 --- E O F --- 2009-02-03 00:47:45

Thanks for the great guides in this forum :)



I have a question about the time in the lower right corner though. ComboFix didn't change my time back to normal; I still have army time. How do I fix it?

Edited by Eden Obscured, 06 February 2009 - 06:45 PM.
