browser redirect [Solved]

This topic is locked.

#16 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hmm... something happening there that we are missing or can't see.

Let's check your plugins to see if there is something there.

In IE go to Tools > Manage Add-ons > Toolbars & Extensions. Scroll down and see what's there. If there is one that shouldn't be there, highlight and click the Disable button bottom right. If you are unsure come back and ask.

In Firefox go to Tools > Add-ons > Plugins same procedure, highlight any bad ones and disable.

Come back and tell me how you got on.

Next

Let's have a look with a different AntiRootkit scan.

Please download and save SysProt AntiRootkit to your Desktop.

  • Double-click the Zip file.
  • You should now have a folder with SysProt and some other files within it on your Desktop.
  • Double-click SysProt and you should see another small window with SysProt underneath it.
  • Double-click this and a Wizard will appear to guide you through extracting the files.
  • Double-click the SysProt folder.
  • SysProt will appear with a red cross on black. Double-click it.
  • A panel will appear with a number of tabs along the top.
  • Click on the Log tab and check all boxes except the one labelled Hidden objects only.
  • Click the Create Log button.
  • It will scan... once finished a panel will appear.
  • Click on Scan all drives.
  • A log will be created and saved automatically in the same folder.
  • Open the text file, copy and paste the contents back here in the forum. Close any panels left open.
So when you return:
  • tell me about the plugins
  • post the SysProt scan results


#17 TacticalMonkey (Topic Starter, Member, 21 posts)
In Firefox, when I review the plug-ins...none look all that "bad". I disabled the one I was least sure about...Shockwave Flash 10.0 r12

#18 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

I disabled the one I was least sure about...Shockwave Flash 10.0 r12


Shouldn't be a problem with that one.

Let's see whether SysProt reveals anything.

#19 TacticalMonkey (Topic Starter, Member, 21 posts)
The add-ons looked fine for both. The odd ones were a Shockwave flash addon, move media, and 'research' in IE. However, these looked normal when I did a search and read the accompanying text to the search results (of course I can't actually click on the search result link).

Sysprot scan result below:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 824
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 900
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 932
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 976
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1144
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1176
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1280
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1340
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PID: 1416
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PID: 1512
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1656
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1684
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 1900
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1972
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 132
Hidden: No
Window Visible: No

Name: C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PID: 232
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
PID: 252
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 496
Hidden: No
Window Visible: No

Name: C:\MPC\jetty\NMWebSrv.exe
PID: 632
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
PID: 668
Hidden: No
Window Visible: No

Name: C:\Program Files\Softex\OmniPass\OmniServ.exe
PID: 680
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PID: 712
Hidden: No
Window Visible: No

Name: C:\MPC\system_monitor\agent\smaagent.exe
PID: 808
Hidden: No
Window Visible: No

Name: C:\MPC\java\bin\java.exe
PID: 852
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 880
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 2136
Hidden: No
Window Visible: No

Name: C:\Program Files\Softex\OmniPass\OPXPApp.exe
PID: 2144
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2192
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 2200
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 2384
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wscntfy.exe
PID: 272
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 560
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1824
Hidden: No
Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PID: 2632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\AGRSMMSG.exe
PID: 2728
Hidden: No
Window Visible: No

Name: C:\Program Files\ltmoh\ltmoh.exe
PID: 2908
Hidden: No
Window Visible: No

Name: C:\Program Files\Analog Devices\Core\smax4pnp.exe
PID: 2940
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 2976
Hidden: No
Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 3088
Hidden: No
Window Visible: No

Name: C:\Program Files\Softex\OmniPass\scureapp.exe
PID: 244
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PID: 3172
Hidden: No
Window Visible: No

Name: C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
PID: 1352
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
PID: 1692
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PID: 676
Hidden: No
Window Visible: No

Name: C:\Program Files\SAMSUNG\DisplayManager\DisplayManager.exe
PID: 3464
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 3616
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe
PID: 1056
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 516
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
PID: 3716
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PID: 3728
Hidden: No
Window Visible: No

Name: C:\Program Files\Messenger\msmsgs.exe
PID: 3596
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 3904
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\dllhost.exe
PID: 3852
Hidden: No
Window Visible: No

Name: C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
PID: 336
Hidden: No
Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PID: 2544
Hidden: No
Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PID: 2620
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 2900
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\java.exe
PID: 968
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\edrie.kelly\Local Settings\Temp\jkos-ICIUSER\binaries\ScanningProcess.exe
PID: 3300
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\edrie.kelly\Local Settings\Temp\jkos-ICIUSER\binaries\ScanningProcess.exe
PID: 2252
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\edrie.kelly\Desktop\VirusScan\SysProt\SysProt.exe
PID: 3664
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\vsfocejkdpaswr.sys
Service Name: vsfocepqjxjkcd
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Documents and Settings\edrie.kelly\Desktop\VirusScan\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: BAA70000
Module End: BAA7B000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E2000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E2000
Module End: 80702C80
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7B44000
Module End: F7B46000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7A54000
Module End: F7A57000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7515000
Module End: F7543000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7B46000
Module End: F7B48000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7504000
Module End: F7515000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7644000
Module End: F764D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F7654000
Module End: F7663000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F7664000
Module End: F7671000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F7A58000
Module End: F7A5B000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F7A5C000
Module End: F7A60000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7C0C000
Module End: F7C0D000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F78C4000
Module End: F78CB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F7B48000
Module End: F7B4A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: F7B4A000
Module End: F7B4C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: F7B4C000
Module End: F7B4E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: F74E6000
Module End: F7504000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F7674000
Module End: F767F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F74C7000
Module End: F74E6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: F7A60000
Module End: F7A63000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: F7C0D000
Module End: F7C0E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F78CC000
Module End: F78D1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pavboot.sys
Service Name: pavboot
Module Base: F78D4000
Module End: F78DA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F7684000
Module End: F7691000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F74AF000
Module End: F74C7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\adpu160m.sys
Service Name: adpu160m
Module Base: F7496000
Module End: F74AF000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ---
Module Base: F747E000
Module End: F7496000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F7694000
Module End: F769D000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F76A4000
Module End: F76B1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys
Service Name: FltMgr
Module Base: F745F000
Module End: F747E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F744D000
Module End: F745F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Lbd.sys
Service Name: Lbd
Module Base: F76B4000
Module End: F76C3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F7436000
Module End: F744D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F73A9000
Module End: F7436000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F737C000
Module End: F73A9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F7361000
Module End: F737C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F77B4000
Module End: F77BD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: F7B08000
Module End: F7B0C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F718A000
Module End: F7308000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F7176000
Module End: F718A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F7151000
Module End: F7176000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\e1e5132.sys
Service Name: e1express
Module Base: F7125000
Module End: F7151000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\w39n51.sys
Service Name: w39n51
Module Base: F6FC8000
Module End: F7125000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F7944000
Module End: F7949000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6FA5000
Module End: F6FC8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F794C000
Module End: F7953000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F77C4000
Module End: F77D4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Service Name: sdbus
Module Base: F6F94000
Module End: F6FA5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
Service Name: rimmptsk
Module Base: F7954000
Module End: F795B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
Service Name: rimsptsk
Module Base: F77D4000
Module End: F77E1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
Service Name: rismxdp
Module Base: F6F48000
Module End: F6F94000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
Service Name: IFXTPM
Module Base: F77E4000
Module End: F77ED000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F77F4000
Module End: F7804000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F7B18000
Module End: F7B1C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F7804000
Module End: F7811000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F795C000
Module End: F7962000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: F6EF1000
Module End: F6F20000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7B70000
Module End: F7B72000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7964000
Module End: F796A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7814000
Module End: F781F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7824000
Module End: F7831000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F7834000
Module End: F7843000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F6ECE000
Module End: F6EF1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\btkrnl.sys
Service Name: BTKRNL
Module Base: F6D8A000
Module End: F6ECE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7D62000
Module End: F7D63000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F7844000
Module End: F7851000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7B20000
Module End: F7B23000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F6D73000
Module End: F6D8A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F7854000
Module End: F785F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F7864000
Module End: F7870000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F796C000
Module End: F7971000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F6CC2000
Module End: F6CD3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F7874000
Module End: F787D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7974000
Module End: F7979000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F797C000
Module End: F7981000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F6C91000
Module End: F6CC2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F7884000
Module End: F788E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7B72000
Module End: F7B74000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F6C5D000
Module End: F6C91000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F7B3C000
Module End: F7B40000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F7894000
Module End: F789E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ADIHdAud.sys
Service Name: ADIHdAudAddService
Module Base: EEBB2000
Module End: EEBD8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: EEB90000
Module End: EEBB2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F76D4000
Module End: F76E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\AEAudio.sys
Service Name: AEAudioService
Module Base: EEB6A000
Module End: EEB90000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Service Name: AgereSoftModem
Module Base: EEA57000
Module End: EEB6A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F7984000
Module End: F798C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F7714000
Module End: F7723000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: F6F3C000
Module End: F6F3F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F7724000
Module End: F772D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F7994000
Module End: F799B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7B7C000
Module End: F7B7E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7CCB000
Module End: F7CCC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7B7E000
Module End: F7B80000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F79AC000
Module End: F79B2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7B80000
Module End: F7B82000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7B82000
Module End: F7B84000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F79B4000
Module End: F79B9000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F79BC000
Module End: F79C4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\btwusb.sys
Service Name: BTWUSB
Module Base: F7734000
Module End: F7742000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ATSwpDrv.sys
Service Name: ATSWPDRV
Module Base: EE8E3000
Module End: EE900000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F6C41000
Module End: F6C44000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EE8D0000
Module End: EE8E3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EE878000
Module End: EE8D0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EE850000
Module End: EE878000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EE82E000
Module End: EE850000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7754000
Module End: F775D000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Service Name: SASKUTIL
Module Base: EE809000
Module End: EE82E000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Service Name: SASDIFSV
Module Base: F79D4000
Module End: F79DA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EE7DD000
Module End: EE809000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EE76E000
Module End: EE7DD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7764000
Module End: F776D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EE74D000
Module End: EE76E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F7774000
Module End: F777D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F7784000
Module End: F7793000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: EEA1B000
Module End: EEA1E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F6D43000
Module End: F6D53000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EE70D000
Module End: EE725000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7BB0000
Module End: F7BB2000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: EE957000
Module End: EE95A000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F79FC000
Module End: F7A01000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7CB7000
Module End: F7CB8000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\MEMIO.SYS
Service Name: DOSMEMIO
Module Base: F7D43000
Module End: F7D44000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Service Name: AegisP
Module Base: F7A4C000
Module End: F7A51000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\s24trans.sys
Service Name: s24trans
Module Base: EC525000
Module End: EC529000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: EC4ED000
Module End: EC4F1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: EC280000
Module End: EC2AD000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\btserial.sys
Service Name: BTSERIAL
Module Base: F790C000
Module End: F7912000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\btslbcsp.sys
Service Name: BTSLBCSP
Module Base: EC1FE000
Module End: EC230000
Hidden: No

Module Name: \??\C:\MPC\system_monitor\agent\drivers\caniodrvr.sys
Service Name: caniodrvr
Module Base: F7C57000
Module End: F7C58000
Hidden: No

Module Name: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
Service Name: NAVAPEL
Module Base: EC035000
Module End: EC046000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: EBFE3000
Module End: EC035000
Hidden: No

Module Name: \??\C:\Program Files\Symantec\SYMEVENT.SYS
Service Name: SymEvent
Module Base: EBB9A000
Module End: EBBAB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: EB8CD000
Module End: EB8E2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EBA1A000
Module End: EBA29000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: EB08D000
Module End: EB0CE000
Hidden: No

Module Name: \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
Service Name: NAVAP
Module Base: BAC64000
Module End: BACA2000
Hidden: No

Module Name: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090803.005\NAVEX15.sys
Service Name: NAVEX15
Module Base: BAB8F000
Module End: BAC64000
Hidden: No

Module Name: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090803.005\NAVENG.sys
Service Name: NAVENG
Module Base: BAB7A000
Module End: BAB8F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: BA9E6000
Module End: BAA10000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 80620ADA
Jump To: 8586E9D2
Module Name: _unknown_

Hooked Function: ZwSaveKey
At Address: 80620A4A
Jump To: 858299D2
Module Name: _unknown_

Hooked Function: ZwFlushInstructionCache
At Address: 805B5642
Jump To: 858243CC
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 80622DE0
Jump To: 8582483C
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804EF230
Jump To: 8673C9FB
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804EF1A0
Jump To: 85829E43
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: MPC-FEC0D47CCF7.HSD1.WA.COMCAST.NET.:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: MPC-FEC0D47CCF7:32000
Remote Address: LOCALHOST:1025
Type: TCP
Process: C:\MPC\jetty\NMWebSrv.exe
State: ESTABLISHED

Local Address: MPC-FEC0D47CCF7:32000
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\MPC\jetty\NMWebSrv.exe
State: LISTENING

Local Address: MPC-FEC0D47CCF7:5152
Remote Address: LOCALHOST:2891
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: MPC-FEC0D47CCF7:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: MPC-FEC0D47CCF7:1069
Remote Address: LOCALHOST:1068
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: MPC-FEC0D47CCF7:1068
Remote Address: LOCALHOST:1069
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: MPC-FEC0D47CCF7:1065
Remote Address: LOCALHOST:1064
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: MPC-FEC0D47CCF7:1064
Remote Address: LOCALHOST:1065
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: MPC-FEC0D47CCF7:1035
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
State: LISTENING

Local Address: MPC-FEC0D47CCF7:1033
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
State: LISTENING

Local Address: MPC-FEC0D47CCF7:1031
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
State: LISTENING

Local Address: MPC-FEC0D47CCF7:1026
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: MPC-FEC0D47CCF7:1025
Remote Address: LOCALHOST:32000
Type: TCP
Process: C:\MPC\java\bin\java.exe
State: ESTABLISHED

Local Address: MPC-FEC0D47CCF7:3930
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\MPC\java\bin\java.exe
State: LISTENING

Local Address: MPC-FEC0D47CCF7:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: MPC-FEC0D47CCF7:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: MPC-FEC0D47CCF7.HSD1.WA.COMCAST.NET.:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: MPC-FEC0D47CCF7.HSD1.WA.COMCAST.NET.:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: MPC-FEC0D47CCF7.HSD1.WA.COMCAST.NET.:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: MPC-FEC0D47CCF7.HSD1.WA.COMCAST.NET.:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: MPC-FEC0D47CCF7:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: MPC-FEC0D47CCF7:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: MPC-FEC0D47CCF7:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: MPC-FEC0D47CCF7:3894
Remote Address: NA
Type: UDP
Process: C:\MPC\system_monitor\agent\smaagent.exe
State: NA

Local Address: MPC-FEC0D47CCF7:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: MPC-FEC0D47CCF7:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{7CA2813E-2A0F-45EC-993E-5B286FA5F85E}
Status: Access denied
  • 0

#20
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Hello TacticalMonkey,

SysProt found something. Let's see if we can deal to it.

Now

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Driver::
vsfocepqjxjkcd

Rootkit::
\systemroot\system32\drivers\vsfocejkdpaswr.sys
c:\systemroot\system32\drivers\vsfocejkdpaswr.sys

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.
  • 0

#21
TacticalMonkey
    Member
  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Here is the log after running ComboFix:

ComboFix 09-08-04.04 - ICIUSER 08/05/2009 14:15.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.657 [GMT -7:00]
Running from: c:\documents and settings\edrie.kelly\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\edrie.kelly\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\vsfocejkdpaswr.sys
c:\windows\system32\vsfoceqptbairr.dll
c:\windows\system32\vsfocequlqbuwq.dll
c:\windows\system32\vsfocesvpqkajr.dat
c:\windows\system32\vsfocevseflovh.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vsfocepqjxjkcd


((((((((((((((((((((((((( Files Created from 2009-07-05 to 2009-08-05 )))))))))))))))))))))))))))))))
.

2009-08-05 14:48 . 2009-08-05 14:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-08-03 20:15 . 2009-08-03 20:48 -------- d-----w- C:\Lop SD
2009-08-02 16:54 . 2009-08-02 16:54 -------- d-----w- c:\program files\ERUNT
2009-07-28 04:10 . 2009-08-04 03:44 117760 ----a-w- c:\documents and settings\edrie.kelly\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-28 04:10 . 2009-07-28 04:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-28 04:09 . 2009-07-29 05:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-28 04:09 . 2009-07-28 04:09 -------- d-----w- c:\documents and settings\edrie.kelly\Application Data\SUPERAntiSpyware.com
2009-07-28 04:00 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-07-28 03:59 . 2009-07-28 03:59 -------- d-----w- c:\program files\Panda Security
2009-07-21 01:48 . 2009-07-21 01:48 -------- d-----w- c:\documents and settings\edrie.kelly\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 04:43 . 2008-12-25 06:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-07-31 04:01 . 2007-02-06 16:24 -------- d-----w- c:\documents and settings\edrie.kelly\Application Data\AdobeUM
2009-07-28 04:09 . 2009-01-24 03:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-28 01:31 . 2008-11-22 17:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 20:36 . 2008-11-22 17:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2008-11-22 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 16:12 . 1980-01-01 00:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 1980-01-01 00:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 1980-01-01 00:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 1980-01-01 00:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 1980-01-01 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 22:24 . 2009-05-26 22:38 -------- d-----w- c:\documents and settings\edrie.kelly\Application Data\vlc
2009-06-15 16:11 . 2009-05-12 16:26 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-03 19:27 . 1980-01-01 00:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-12 16:16 . 2009-05-12 16:09 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2008-01-28 05:02 . 2009-05-26 22:32 4333568 ----a-w- c:\program files\mplayerc09.exe
2006-03-20 22:37 . 2007-10-29 22:51 5689344 ----a-w- c:\program files\mplayerc.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-08-03_13.42.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-05 21:13 . 2009-08-05 21:13 16384 c:\windows\Temp\Perflib_Perfdata_8fc.dat
+ 2009-08-05 21:21 . 2009-08-05 21:21 16384 c:\windows\Temp\Perflib_Perfdata_328.dat
+ 2007-01-23 20:37 . 2009-08-05 21:21 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-01-23 20:37 . 2009-08-03 13:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-01-23 20:37 . 2009-08-05 21:21 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-01-23 20:37 . 2009-08-03 13:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-01-23 20:37 . 2009-08-05 21:21 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-17 184320]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-07 761947]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2005-11-30 1843200]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2005-04-11 151552]
"DisplayManager"="c:\program files\Samsung\DisplayManager\DMLoader.exe" [2005-11-16 356352]
"Remote Console"="c:\mpc\system_monitor\agent\winvnc.exe" [2007-01-23 368640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 569413]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-22 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-10 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-13 520024]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-11-14 88203]

c:\documents and settings\edrie.kelly\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-1 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2005-11-30 18:23 49152 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3894:UDP"= 3894:UDP:MPC-Notebook-System-Manager-Agent-3894
"3930:TCP"= 3930:TCP:MPC-Notebook-System-Manager-Web-Server-3930
"5800:TCP"= 5800:TCP:MPC-Notebook-System-Manager-Remote-console-5800
"5900:TCP"= 5900:TCP:MPC-Notebook-System-Manager-Remote-console-5900

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/12/2009 9:09 AM 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/27/2009 9:00 PM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 caniodrvr;caniodrvr;c:\mpc\system_monitor\agent\drivers\Caniodrvr.sys [8/24/2005 2:47 PM 4096]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [1/23/2007 1:24 PM 4300]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
R2 NMWebSrv;MPC Notebook System Manager Web Server;c:\mpc\jetty\NMWebSrv.exe -s c:\mpc\jetty\NMWebSrv.conf --> c:\mpc\jetty\NMWebSrv.exe -s c:\mpc\jetty\NMWebSrv.conf [?]
R2 SMAgent;MPC Notebook System Manager Agent;c:\mpc\system_monitor\agent\smaagent.exe NML 0 --> c:\mpc\system_monitor\agent\smaagent.exe NML 0 [?]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/21/2005 4:19 AM 36352]
S2 gupdate1c96659d3874570;Google Update Service (gupdate1c96659d3874570);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 11:27 PM 133104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\docume~1\EDRIE~1.KEL\APPLIC~1\Mozilla\Firefox\Profiles\qws8wp0z.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\documents and settings\edrie.kelly\Application Data\Mozilla\Firefox\Profiles\qws8wp0z.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-05 14:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\mpc\jetty\NMWebSrv.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\program files\Softex\OmniPass\OmniServ.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\mpc\system_monitor\agent\smaagent.exe
c:\mpc\java\bin\java.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\SAMSUNG\DisplayManager\DisplayManager.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\SAMSUNG\MagicKBD\MagicKBD.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\Macromed\Flash\FlashUtil9e.exe
.
**************************************************************************
.
Completion time: 2009-08-05 14:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-05 21:37
ComboFix2.txt 2009-08-03 13:48

Pre-Run: 19,948,314,624 bytes free
Post-Run: 20,034,772,992 bytes free

194 --- E O F --- 2009-07-28 17:35
  • 0

#22
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
That worked well.

Now

Please update and run another scan with Malwarebytes.

Post the result back here and tell me if there has been any change in your computer.
  • 0

#23
TacticalMonkey
    Member
  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hey, hey, good news! The redirect issue seems to be absent right now. A dozen or more clicks on search results in Google, Yahoo, Bing (Firefox and IE) seem to be working fine!

Attached below is the MBAM report (identified another trojan). Also Symantec NAV today has captured trojan/viruses A0055907.sys (15:27 hrs local) and vsfocejkdpaswr.sys.vir (19:15 local).

The machine seems to be under assault right now - lots of stuff showing up all of a sudden.

MBAM log:

Malwarebytes' Anti-Malware 1.40
Database version: 2568
Windows 5.1.2600 Service Pack 2

8/5/2009 7:43:57 PM
mbam-log-2009-08-05 (19-43-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 178305
Time elapsed: 43 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\vsfocequlqbuwq.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7CA2813E-2A0F-45EC-993E-5B286FA5F85E}\RP407\A0055909.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
  • 0

#24
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Hello TacticalMonkey,

Quote: The redirect issue seems to be absent right now

Yes, it was well hidden but I think we got the beggar.

Took a while but I think your machine is clean now.

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.

Step 2
  • Make sure you have an Internet Connection.
  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTL to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

MBAM can be uninstalled via Control Panel Add/Remove, but it may be a useful tool to keep. ERUNT can also be uninstalled via the Add/Remove Programs utility; for some, though, it may be a useful backup program to hold on to. The SysProt folder/files can be deleted.

-------------------------------------------------------------------------------------------------------------------

A reminder now: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that you are clean, here are some things I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program:

--------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Consider using an alternate browser. Mozilla's Firefox browser is excellent; it is more secure than Internet Explorer. Firefox is my default browser, but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from Here

-----------------------------------------------------------------------------------------------------------------------

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:


To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!
  • 0
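As an added example (not part of the original thread or the MVPS project), the following Python script shows the mechanism the HOSTS file advice above relies on: it parses a hosts file, lists the names sinkholed to 127.0.0.1 or 0.0.0.0, and separates out entries that send a name to a non-local address, which is the pattern a hijacked hosts file shows. The hosts file content and the hostnames in it are constructed for this example.

```python
"""Added example (not from the thread): inspect a Windows-style HOSTS file.

An MVPS-style file maps known ad/malware hostnames to 127.0.0.1 (or
0.0.0.0), so the resolver never reaches them.  The same mechanism can be
abused by malware that adds entries sending legitimate sites (update or
security vendors) to an attacker-chosen address.  This script separates
sinkhole entries from redirects to non-local addresses.
"""
import ipaddress
from typing import Dict, List, Tuple

# Addresses that make a name unreachable rather than redirecting it.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample hosts file content (hostnames are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost

# MVPS-style sinkhole entries (constructed for this example)
0.0.0.0  ads.example-adnetwork.test   # comment after an entry
0.0.0.0  tracker.example-adnetwork.test  counter.example-adnetwork.test
127.0.0.1 malware-dropper.example.test

# A suspicious entry: a legitimate-looking name sent to a non-local address
203.0.113.45  update.example-vendor.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed: address with no name
        address = fields[0]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue                           # first field is not an IP, skip
        for name in fields[1:]:                # several names may share one line
            entries.append((address, name.lower().rstrip(".")))
    return entries


def classify_hosts(text: str) -> Dict[str, Dict[str, str]]:
    """Split entries into sinkholes and redirects (hostname -> address).

    The normal 'localhost' loopback mappings are reported under neither.
    """
    sinkholes: Dict[str, str] = {}
    redirects: Dict[str, str] = {}
    for address, name in parse_hosts(text):
        if address in SINKHOLE_ADDRESSES:
            if name != "localhost":
                sinkholes[name] = address
        else:
            redirects[name] = address          # worth a look: not a local address
    return {"sinkholes": sinkholes, "redirects": redirects}


def is_blocked(text: str, hostname: str) -> bool:
    """True if the hosts file sends hostname to a sinkhole address."""
    return hostname.lower().rstrip(".") in classify_hosts(text)["sinkholes"]


if __name__ == "__main__":
    result = classify_hosts(SAMPLE_HOSTS)
    print("Sinkholed names:", sorted(result["sinkholes"]))
    for name, addr in result["redirects"].items():
        print(f"Check this entry: {name} -> {addr} (not a local address)")
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; read it and pass its contents to classify_hosts to review what is installed on the machine.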

#25
TacticalMonkey
    Member
  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Thanks a ton for your help!
  • 0

#26
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
You are very welcome.
  • 0

#27
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
