
Google Redirect Virus?



#1 The Mommy (New Member, 9 posts)

Original Post
I've been working on this myself for about a week and a half now. I do a search, get the results, click the results, and get redirected to a flippin' shopping page. I'm not one of those people who click just anything, I have a very select few sites I visit on a regular basis, and I "thought" my machine was locked down tighter than Fort Knox. Apparently not. This wouldn't normally be that urgent for me and I could go at it sideways if need be, but I'm also a college student and with school starting back, I need the full functionality of the search results for research. HELP!

This is what I've done so far:
Scanned with HijackThis, analyzed it here, removed suggested issues. (there are two incidents on the list I can't remove, even through regedit)
Run SuperAntiSpyware, removed infections.
Run AdAware, removed infections.
Run Malwarebytes, removed infections.
Run a full scan with ClamWin and removed infections.
Had my friend who built this machine for me come by and "fix" it. It helped quite a bit, but hasn't completely fixed the problem. I can only assume that there was a plurality of viruses and he only caught the most egregious and easily yanked.

All of these scans were done with fully updated definitions.


I STILL get the redirects, and I still can't search effectively.

Help me Obi-geeks! You're my only hope!
New Post

Ok, followed the directions in the self help section, with mixed results.

MBAM shows a clean system, will post log.
Gmer runs, shows a bunch of stuff, when I try to save the log file, it freezes, goes into not responding, and won't let me save anything. I can however run it again and copy the actual results window into a new file and save as .txt and copy here.

Per instructions in the self help post, I run TDSSKiller and it runs fine. Once I try to "cure" the infections, I get a blue screen with a stop code that ends in F4, which I found to be pretty flippin' odd if you ask me. I thought stop codes were all numbers?

Ran OTL, did the copy file, paste file, run from scan, and the log of that follows.

Anyway, any help would be appreciated since I've exhausted all of my admittedly rich resources and am totally bereft of all hope.

For some reason my post is too long with the logfiles added. Should I attach as a text file?


*Edited to add* It's apparently in the router itself. Logged in on my machine and I wasn't able to post at all. Decided to use my husband's laptop to post (see how smart I am?) and still couldn't get on. He signed in on his sprint modem and it logged in fine and was able to post. Now what?

Edited by The Mommy, 03 September 2010 - 08:58 PM.




#2 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,047 posts)
Hello The Mommy,

Welcome to the Malware Forum.

*Edited to add* It's apparently in the router itself.


Do you mean the infection is in the router?

Ran OTL, did the copy file, paste file, run from scan, and the log of that follows.


I really need to see those. While we prefer you to post them in the thread, if you can't do so please upload them. Tell me if you have difficulty. :)

#3 The Mommy (Topic Starter, New Member, 9 posts)
Wow, that was a fast response! Thanks so much!

As far as the router being infected, that's what I think has happened. My husband brought his laptop home last night to help me get this one fixed in case I totally lost the machine. When I tried to start this topic yesterday, I kept getting a website time out error, and I couldn't get past it. When he got his machine here, we loaded it up and signed in to our wireless network. He was able to navigate to this website, but was also given the time out error. We then hooked up his wireless card from Sprint, and he was able to post the topic for me. Weird huh? Anything I can do to fix that?


Again, the site itself gives me a "post is too long" message. I'll attach it to this post.

Attached file: OTL.txt (278.22KB)


#4 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,047 posts)
Hello The Mommy,

  • C:\WINDOWS\System32\drivers\ikymzs.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
And do the same for this one C:\WINDOWS\imsins.BAK

Next

Please run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\lsp14.dll ()
    O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\System32\lsp14.dll ()
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/05/09 05:16:04 | 000,203,304 | ---- | M] () - C:\AUTO.pat -- [ NTFS ]
    O32 - AutoRun File - [2010/05/09 05:16:04 | 000,082,084 | ---- | M] () - C:\AUTO.pst -- [ NTFS ]
    O32 - AutoRun File - [2010/02/08 20:55:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O33 - MountPoints2\{7eba6b10-4591-11df-b7ba-0018e7083cf0}\Shell\Explore\Command - "" = G:\
    O33 - MountPoints2\{88e340c6-1883-11df-b798-0018e7083cf0}\Shell\AutoRun\command - "" = H:\XCRACK\xKCARC\autorunme.exe -- File not found
    O33 - MountPoints2\{88e340c6-1883-11df-b798-0018e7083cf0}\Shell\Explore\Command - "" = H:\
    O33 - MountPoints2\{88e340c6-1883-11df-b798-0018e7083cf0}\Shell\open\command - "" = H:\XCRACK\xKCARC\autorunme.exe -- File not found
    O33 - MountPoints2\{b64ff94b-1516-11df-b785-a4419743368c}\Shell - "" = AutoRun
    O33 - MountPoints2\{b64ff94b-1516-11df-b785-a4419743368c}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{b64ff94b-1516-11df-b785-a4419743368c}\Shell\AutoRun\command - "" = G:\WD SmartWare.exe -- File not found
    O33 - MountPoints2\{bb389ce2-6bc2-11df-b7e3-0018e7083cf0}\Shell\Explore\Command - "" = G:\
    O33 - MountPoints2\{f6053863-23dc-11df-b7a2-0018e7083cf0}\Shell\Explore\Command - "" = G:\
    O33 - MountPoints2\E\Shell - "" = AutoRun
    O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
    O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
    [2010/09/01 10:02:34 | 001,410,704 | ---- | C] (FarPoint Technologies, Inc.) -- C:\WINDOWS\System32\FPSPR70.ocx
    [2010/09/01 10:02:34 | 000,729,161 | ---- | C] (FarPoint Technologies, Inc.) -- C:\WINDOWS\System32\fpimage.dll
    [2010/09/01 10:02:34 | 000,000,000 | ---D | C] -- C:\Program Files\Respondus LockDown Browser
    [2010/09/01 10:02:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mommy\Application Data\InstallShield
    [2010/08/31 16:32:57 | 000,047,104 | ---- | C] (Yandex PLC) -- C:\WINDOWS\System32\yoxgsvpc.dll
    [2010/09/03 08:29:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
    [2010/09/03 02:24:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
    [2010/09/02 20:37:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
    [2010/09/03 10:23:14 | 000,053,099 | ---- | M] () -- C:\WINDOWS\System32\lsp14.dll
    [2010/09/03 10:23:14 | 000,000,004 | -H-- | M] () -- C:\WINDOWS\System32\iexplore.sy_
    [2010/08/22 20:18:02 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:040E11E4
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:10F6E97E
    
    :Commands
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

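The fix script above is a list of OTL scan lines that the helper picked out by hand: twelve Winsock catalog (LSP) entries all pointing at one DLL with no version info, MountPoints2 autorun handlers that launch executables from removable drives, At*.job scheduled tasks, and alternate data streams on a TEMP folder. The following is an added example, written by the editor and not part of this thread or of OTL itself, that parses those line formats and applies the same kind of triage rules programmatically. The regexes and the rule names are the editor's assumptions about OTL's output format, derived only from the lines shown in this thread; the sample input is copied from the fix script above. An LSP is loaded into every process that uses Winsock, which is why an unsigned LSP DLL is the first thing to look at on a search-redirect machine.

```python
"""Triage of OTL-style scan lines (added example; the heuristics are the
editor's, not OTL's own logic, and the line formats are inferred from the
fix script posted in this thread).

Handles four entry types: O10 Winsock LSP catalog entries, O33 MountPoints2
autorun handlers, dated file entries (plain or O32 AutoRun File) and
alternate data streams.
"""
import re
from collections import Counter, defaultdict

# Sample input: lines copied from the OTL fix script posted in this thread.
SAMPLE_LINES = r"""
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\lsp14.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\lsp14.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\lsp14.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\System32\lsp14.dll ()
O32 - AutoRun File - [2010/05/09 05:16:04 | 000,203,304 | ---- | M] () - C:\AUTO.pat -- [ NTFS ]
O33 - MountPoints2\{88e340c6-1883-11df-b798-0018e7083cf0}\Shell\AutoRun\command - "" = H:\XCRACK\xKCARC\autorunme.exe -- File not found
O33 - MountPoints2\{88e340c6-1883-11df-b798-0018e7083cf0}\Shell\Explore\Command - "" = H:\
O33 - MountPoints2\{88e340c6-1883-11df-b798-0018e7083cf0}\Shell\open\command - "" = H:\XCRACK\xKCARC\autorunme.exe -- File not found
O33 - MountPoints2\{b64ff94b-1516-11df-b785-a4419743368c}\Shell\AutoRun\command - "" = G:\WD SmartWare.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
[2010/09/01 10:02:34 | 001,410,704 | ---- | C] (FarPoint Technologies, Inc.) -- C:\WINDOWS\System32\FPSPR70.ocx
[2010/08/31 16:32:57 | 000,047,104 | ---- | C] (Yandex PLC) -- C:\WINDOWS\System32\yoxgsvpc.dll
[2010/09/03 08:29:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/09/03 02:24:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/09/03 10:23:14 | 000,053,099 | ---- | M] () -- C:\WINDOWS\System32\lsp14.dll
[2010/09/03 10:23:14 | 000,000,004 | -H-- | M] () -- C:\WINDOWS\System32\iexplore.sy_
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
""".strip().splitlines()

# Line formats inferred from the thread (assumption: OTL output looks like this elsewhere too).
LSP_RE = re.compile(r"^O10 - Protocol_Catalog9\\Catalog_Entries\\(\d+) - (.+?) \((.*)\)$")
MOUNT_RE = re.compile(r'^O33 - MountPoints2\\([^\\]+)\\(.+?) - "" = (.+?)( -- File not found)?$')
FILE_RE = re.compile(
    r"^(?:O32 - AutoRun File - )?\[(\S+ \S+) \| ([\d,]+) \| (\S+) \| ([CM])\] "
    r"\((.*?)\) -{1,2} (.+?)(?: -- \[ NTFS \])?$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+):([^:\\]+)$")

AT_JOB_RE = re.compile(r"\\tasks\\At\d+\.job$", re.IGNORECASE)   # jobs created with at.exe
SYSTEM32_RE = re.compile(r"\\WINDOWS\\System32\\", re.IGNORECASE)


def parse_line(line):
    """Classify one OTL line into (kind, fields), or None for lines not modelled here."""
    line = line.strip()
    if m := LSP_RE.match(line):
        return "lsp", {"entry": m[1], "path": m[2], "company": m[3]}
    if m := MOUNT_RE.match(line):
        return "mountpoint", {"key": m[1], "verb": m[2], "target": m[3], "missing": m[4] is not None}
    if m := FILE_RE.match(line):
        return "file", {"when": m[1], "size": int(m[2].replace(",", "")), "attrs": m[3],
                        "event": m[4], "company": m[5], "path": m[6]}
    if m := ADS_RE.match(line):
        return "ads", {"bytes": int(m[1]), "path": m[2], "stream": m[3]}
    return None


def triage(lines):
    """Return a list of (rule, detail) findings over a batch of OTL lines."""
    findings = []
    lsp_by_dll = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "lsp":
            lsp_by_dll[f["path"].lower()].append(f)
        elif kind == "mountpoint" and f["target"].lower().endswith(".exe"):
            # A drive-open handler that runs a program: classic removable-media autorun.
            note = " (target missing, stale handler)" if f["missing"] else ""
            findings.append(("autorun-handler-exe", f"{f['key']} {f['verb']} -> {f['target']}{note}"))
        elif kind == "file":
            if AT_JOB_RE.search(f["path"]):
                findings.append(("at-job", f["path"]))
            elif SYSTEM32_RE.search(f["path"]) and not f["company"]:
                findings.append(("system32-no-version-info", f["path"]))
        elif kind == "ads":
            findings.append(("alternate-data-stream", f"{f['path']}:{f['stream']} ({f['bytes']} bytes)"))
    # An LSP DLL is mapped into every Winsock-using process; one with no version info is suspect.
    for dll, entries in lsp_by_dll.items():
        if all(not e["company"] for e in entries):
            findings.append(("lsp-no-version-info", f"{dll} ({len(entries)} catalog entries)"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a quick 'what kind of infection is this' view."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LINES):
        print(f"{rule:28} {detail}")
    print(dict(summarize(triage(SAMPLE_LINES))))
```

On the sample this yields ten findings: one LSP DLL with no version info (four catalog entries in the subset, twelve in the full script), three autorun handlers that launch an executable, two At*.job tasks, two System32 files with no version info, and two alternate data streams. The rules are deliberately coarse; they are a first pass to decide what to look at, not a verdict.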

#5 The Mommy (Topic Starter, New Member, 9 posts)
C:\WINDOWS\System32\drivers\ikymzs.sys

VirSCAN.org Scanned Report :
Scanned time : 2010/09/04 21:10:37 (EDT)
Scanner results: 53% Scanner(s) (19/36) found malware!
File Name : ikymzs.sys
File Size : 783360 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 9096f2a5c2d093d7407d207427840c49
SHA1 : f4799a36828852f48e8a43f51daa1c27c49a3fa9
Online report : http://virscan.org/r...c01a937ff0.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.19 20100904070557 2010-09-04 4.56 Virus.Win32.Bubak!IK
AhnLab V3 2010.08.28.00 2010.08.28 2010-08-28 1.33 -
AntiVir 8.2.4.50 7.10.11.86 2010-09-03 0.28 TR/Crypt.ZPACK.Gen
Antiy 2.0.18 20100905.5078168 2010-09-05 0.12 -
Arcavir 2009 201006281601 2010-06-28 0.01 -
Authentium 5.1.1 201009041908 2010-09-04 1.37 -
AVAST! 4.7.4 100904-1 2010-09-04 0.04 Win32:Bubak [Rtk]
AVG 8.5.793 271.1.1/3114 2010-09-05 0.23 BackDoor.Generic13.JT
BitDefender 7.90123.6321142 7.33736 2010-09-05 4.45 Gen:Variant.Bubnix.1
ClamAV 0.96.1 11799 2010-09-04 0.10 -
Comodo 4.0 5970 2010-09-04 1.74 -
CP Secure 1.3.0.5 2010.09.04 2010-09-04 0.10 -
Dr.Web 5.0.2.3300 2010.09.05 2010-09-05 9.07 Trojan.Packed.140
F-Prot 4.4.4.56 20100904 2010-09-04 1.30 -
F-Secure 7.02.73807 2010.09.04.01 2010-09-04 0.16 Rootkit.Win32.Bubnix.adl [AVP]
Fortinet 4.1.143 12.314 2010-09-04 0.46 -
GData 21.779/21.305 20100905 2010-09-05 6.00 Rootkit.Win32.Bubnix.adl [Engine:A]
ViRobot 20100903 2010.09.03 2010-09-03 0.38 -
Ikarus T3. 2010.09.04.76669 2010-09-04 4.73 Virus.Win32.Bubak
JiangMin 13.0.900 2010.08.30 2010-08-30 1.38 -
Kaspersky 5.5.10 2010.09.03 2010-09-03 0.10 Rootkit.Win32.Bubnix.adl
KingSoft 2009.2.5.15 2010.9.4.19 2010-09-04 0.71 -
McAfee 5400.1158 6095 2010-09-04 19.23 Generic.dx!tot
Microsoft 1.6103 2010.09.04 2010-09-04 5.93 Trojan:WinNT/Bubnix.gen!A
Norman 6.05.11 6.05.00 2010-09-04 8.01 -
Panda 9.05.01 2010.09.03 2010-09-03 2.37 -
Trend Micro 9.120-1004 7.436.05 2010-09-04 0.08 -
Quick Heal 11.00 2010.09.03 2010-09-03 2.43 -
Rising 20.0 22.63.05.01 2010-09-04 0.97 Trojan.Win32.Generic.522D576F
Sophos 3.11.2 4.57 2010-09-05 3.92 Mal/Bubnix-B
Sunbelt 3.9.2442.2 6833 2010-09-04 21.61 Trojan.Win32.Generic!BT
Symantec 1.3.0.24 20100904.003 2010-09-04 0.30 -
nProtect 20100903.01 9021186 2010-09-03 11.34 Gen:Variant.Bubnix.1
The Hacker 6.5.2.1 v00363 2010-09-03 0.57 Trojan/Bubnix.adl
VBA32 3.12.14.0 20100903.1012 2010-09-03 3.10 Rootkit.Bubnix.adl
VirusBuster 4.5.11.10 10.127.73/2006073 2010-09-05 2.31 Rootkit.Bubnix.MZ



C:\WINDOWS\imsins.BAK


VirSCAN.org Scanned Report :
Scanned time : 2010/09/04 21:15:15 (EDT)
Scanner results: Scanners did not find malware!
File Name : imsins.BAK
File Size : 1374 byte
File Type : ASCII text, with CRLF, LF line terminators
MD5 : 719dbe560553c7b03ebe90917d685dbd
SHA1 : f125ada6b35ae3561143e4697485ba0d62386de9
Online report : http://virscan.org/r...348b255851.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.19 20100904070557 2010-09-04 4.92 -
AhnLab V3 2010.08.28.00 2010.08.28 2010-08-28 1.29 -
AntiVir 8.2.4.50 7.10.11.86 2010-09-03 0.26 -
Antiy 2.0.18 20100905.5078168 2010-09-05 0.12 -
Arcavir 2009 201006281601 2010-06-28 0.01 -
Authentium 5.1.1 201009041908 2010-09-04 1.30 -
AVAST! 4.7.4 100904-1 2010-09-04 0.00 -
AVG 8.5.793 271.1.1/3114 2010-09-05 0.23 -
BitDefender 7.90123.6321142 7.33736 2010-09-05 4.54 -
ClamAV 0.96.1 11799 2010-09-04 0.00 -
Comodo 4.0 5970 2010-09-04 1.23 -
CP Secure 1.3.0.5 2010.09.04 2010-09-04 0.01 -
Dr.Web 5.0.2.3300 2010.09.05 2010-09-05 9.07 -
F-Prot 4.4.4.56 20100904 2010-09-04 1.29 -
F-Secure 7.02.73807 2010.09.04.01 2010-09-04 10.70 -
Fortinet 4.1.143 12.314 2010-09-04 0.15 -
GData 21.779/21.305 20100905 2010-09-05 9.22 -
ViRobot 20100903 2010.09.03 2010-09-03 0.39 -
Ikarus T3. 2010.09.04.76669 2010-09-04 4.74 -
JiangMin 13.0.900 2010.08.30 2010-08-30 1.34 -
Kaspersky 5.5.10 2010.09.03 2010-09-03 0.04 -
KingSoft 2009.2.5.15 2010.9.4.19 2010-09-04 0.74 -
McAfee 5400.1158 6095 2010-09-04 20.74 -
Microsoft 1.6103 2010.09.04 2010-09-04 5.96 -
Norman 6.05.11 6.05.00 2010-09-04 8.01 -
Panda 9.05.01 2010.09.03 2010-09-03 2.10 -
Trend Micro 9.120-1004 7.436.05 2010-09-04 0.02 -
Quick Heal 11.00 2010.09.03 2010-09-03 2.24 -
Rising 20.0 22.63.05.01 2010-09-04 0.28 -
Sophos 3.11.2 4.57 2010-09-05 3.85 -
Sunbelt 3.9.2442.2 6833 2010-09-04 18.78 -
Symantec 1.3.0.24 20100904.003 2010-09-04 0.09 -
nProtect 20100903.01 9021186 2010-09-03 9.28 -
The Hacker 6.5.2.1 v00363 2010-09-03 0.35 -
VBA32 3.12.14.0 20100903.1012 2010-09-03 4.38 -
VirusBuster 4.5.11.10 10.127.73/2006073 2010-09-05 2.43 -

Holy Cow! The OTL fix sped my machine up hardcore AND I'm able to post from my machine instead of doing the flash drive shuffle! You're so awesome!

OTL After Fix:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
C:\WINDOWS\system32\lsp14.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\ deleted successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\AUTO.pat moved successfully.
C:\AUTO.pst moved successfully.
C:\AUTOEXEC.BAT moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7eba6b10-4591-11df-b7ba-0018e7083cf0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7eba6b10-4591-11df-b7ba-0018e7083cf0}\ not found.
File G:\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{88e340c6-1883-11df-b798-0018e7083cf0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88e340c6-1883-11df-b798-0018e7083cf0}\ not found.
File H:\XCRACK\xKCARC\autorunme.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{88e340c6-1883-11df-b798-0018e7083cf0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88e340c6-1883-11df-b798-0018e7083cf0}\ not found.
File H:\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{88e340c6-1883-11df-b798-0018e7083cf0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88e340c6-1883-11df-b798-0018e7083cf0}\ not found.
File H:\XCRACK\xKCARC\autorunme.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b64ff94b-1516-11df-b785-a4419743368c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b64ff94b-1516-11df-b785-a4419743368c}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b64ff94b-1516-11df-b785-a4419743368c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b64ff94b-1516-11df-b785-a4419743368c}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b64ff94b-1516-11df-b785-a4419743368c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b64ff94b-1516-11df-b785-a4419743368c}\ not found.
File G:\WD SmartWare.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb389ce2-6bc2-11df-b7e3-0018e7083cf0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bb389ce2-6bc2-11df-b7e3-0018e7083cf0}\ not found.
File G:\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6053863-23dc-11df-b7a2-0018e7083cf0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f6053863-23dc-11df-b7a2-0018e7083cf0}\ not found.
File G:\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
C:\WINDOWS\system32\FPSPR70.ocx moved successfully.
C:\WINDOWS\system32\fpimage.dll moved successfully.
C:\Program Files\Respondus LockDown Browser folder moved successfully.
C:\Documents and Settings\Mommy\Application Data\InstallShield\ISEngine12.0 folder moved successfully.
C:\Documents and Settings\Mommy\Application Data\InstallShield folder moved successfully.
C:\WINDOWS\system32\yoxgsvpc.dll moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
File C:\WINDOWS\System32\lsp14.dll not found.
C:\WINDOWS\system32\iexplore.sy_ moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:040E11E4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:10F6E97E deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 18459839 bytes
->Flash cache emptied: 615 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 1214470 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 14698 bytes

User: Mommy
->Temp folder emptied: 508302 bytes
->Temporary Internet Files folder emptied: 3573146 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 62471169 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1041 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 14144477 bytes
->Java cache emptied: 1092292 bytes
->Flash cache emptied: 10903 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 148992 bytes
Windows Temp folder emptied: 131556 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 97.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTL by OldTimer - Version 3.2.11.0 log created on 09042010_212134

Files\Folders moved on Reboot...
C:\Documents and Settings\Mommy\Local Settings\Temp\ClamWin1.log moved successfully.

Registry entries deleted on Reboot...

Edited by The Mommy, 04 September 2010 - 07:28 PM.

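The VirSCAN.org report above is a plain-text table in which vendor names may contain spaces ("AhnLab V3", "Trend Micro"), and so may detection names ("Rootkit.Win32.Bubnix.adl [AVP]"), so splitting on whitespace from either end breaks. The following is an added example by the editor, not part of the thread or of VirSCAN.org, that anchors the parse on the date and time columns instead, computes the detection ratio the report summarises as "19/36", and votes across vendor-specific names to pick a consensus family. The row regex and the stoplist of generic platform and category words are the editor's assumptions; the sample rows are a subset copied from the ikymzs.sys report above.

```python
"""Parse a VirSCAN.org-style multi-engine report (added example; the row
format is inferred from the report in this thread and the family-name
heuristic is the editor's, not VirSCAN's).
"""
import re
from collections import Counter

# Sample input: a subset of the scanner rows from the ikymzs.sys report above.
SAMPLE_REPORT = """\
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.19 20100904070557 2010-09-04 4.56 Virus.Win32.Bubak!IK
AhnLab V3 2010.08.28.00 2010.08.28 2010-08-28 1.33 -
AntiVir 8.2.4.50 7.10.11.86 2010-09-03 0.28 TR/Crypt.ZPACK.Gen
AVAST! 4.7.4 100904-1 2010-09-04 0.04 Win32:Bubak [Rtk]
AVG 8.5.793 271.1.1/3114 2010-09-05 0.23 BackDoor.Generic13.JT
BitDefender 7.90123.6321142 7.33736 2010-09-05 4.45 Gen:Variant.Bubnix.1
ClamAV 0.96.1 11799 2010-09-04 0.10 -
F-Secure 7.02.73807 2010.09.04.01 2010-09-04 0.16 Rootkit.Win32.Bubnix.adl [AVP]
Kaspersky 5.5.10 2010.09.03 2010-09-03 0.10 Rootkit.Win32.Bubnix.adl
Microsoft 1.6103 2010.09.04 2010-09-04 5.93 Trojan:WinNT/Bubnix.gen!A
Sophos 3.11.2 4.57 2010-09-05 3.92 Mal/Bubnix-B
Trend Micro 9.120-1004 7.436.05 2010-09-04 0.08 -
"""

# The signature date (YYYY-MM-DD) and scan time (seconds) are the only columns with a fixed
# shape, so the scanner name is whatever precedes the two tokens before the date, and the
# result is whatever follows the time. The header row has no date and is skipped.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?) (?P<engine>\S+) (?P<sig>\S+) "
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d+\.\d+) (?P<result>.+)$"
)

# Platform and category words every vendor uses; they carry no family information.
GENERIC = {"win32", "winnt", "trojan", "rootkit", "virus", "backdoor", "generic",
           "variant", "crypt", "packed", "gen", "mal", "heur"}


def parse_report(text):
    """Return one dict per scanner row; lines that do not fit the row shape are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it); '-' means clean."""
    hits = sum(1 for r in rows if r["result"] != "-")
    return hits, len(rows)


def family_votes(rows):
    """Count family-like tokens across all detection names, one vote per engine per token."""
    votes = Counter()
    for r in rows:
        if r["result"] == "-":
            continue
        seen = set()
        for tok in re.split(r"[^A-Za-z0-9]+", r["result"]):
            stem = tok.rstrip("0123456789")          # Generic13 -> Generic
            if len(stem) < 4 or stem.lower() in GENERIC or stem in seen:
                continue
            seen.add(stem)
            votes[stem] += 1
    return votes


def consensus_family(rows):
    """The most-voted family token, or None when no engine detected anything."""
    votes = family_votes(rows)
    return votes.most_common(1)[0][0] if votes else None


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    hits, total = detection_ratio(rows)
    print(f"{hits}/{total} engines flagged the file ({100 * hits // total}%)")
    print("votes:", family_votes(rows).most_common(3))
    print("consensus family:", consensus_family(rows))
```

On the subset, nine of twelve engines flag the file and "Bubnix" wins the vote five to two over "Bubak", which is the rootkit family most of the detecting engines in the full report agree on. The name split is a heuristic: a vendor string such as "Ikarus T3." parses as scanner "Ikarus" with engine "T3.", which is harmless for counting but worth knowing if you key on vendor names.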

#6 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,047 posts)
Hello The Mommy,

Making progress I think. :)

Please run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :processes
    killallprocesses
    
    :Files
    C:\WINDOWS\System32\drivers\ikymzs.sys
    
    :Commands
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.
Next

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

When you return please post
  • OTL fix log
  • ComboFix.txt


#7 The Mommy (Topic Starter, New Member, 9 posts)
Thanks so much! First is the OTL Log, followed by the ComboFix log. You're a lifesaver!


OTL Log

========== PROCESSES ==========
All processes killed
========== FILES ==========
C:\WINDOWS\System32\drivers\ikymzs.sys moved successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.11.0 log created on 09042010_214708

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

ComboFix 10-09-04.04 - Mommy 09/04/2010 22:09:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.624 [GMT -4:00]
Running from: c:\documents and settings\Mommy\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mommy\Local Settings\Application Data\Windows Server
c:\documents and settings\Mommy\Local Settings\Application Data\Windows Server\server.dat
c:\windows\msconfig32.exe
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\drivers\block.txt
c:\windows\system32\ico.ico
c:\windows\system32\vbzlib1.dll
D:\install.exe

Infected copy of c:\windows\system32\drivers\isapnp.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
.

2010-09-05 02:20 . 2010-09-05 02:20 -------- d-----w- c:\windows\LastGood
2010-09-05 01:21 . 2010-09-05 01:21 -------- dc----w- C:\_OTL
2010-09-04 15:47 . 2010-09-04 15:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-09-01 14:57 . 2010-09-01 15:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-29 23:46 . 2010-08-29 23:46 -------- d-----w- c:\windows\system32\msmq
2010-08-29 23:46 . 2010-08-29 23:47 -------- dc----w- C:\Inetpub
2010-08-29 22:33 . 2010-08-29 22:33 -------- d-----w- c:\documents and settings\Mommy\Local Settings\Application Data\Mozilla
2010-08-29 18:48 . 2010-08-29 18:57 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-29 17:42 . 2010-08-29 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-29 17:42 . 2010-08-29 17:42 -------- d-----w- c:\program files\NOS
2010-08-28 22:57 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-28 19:39 . 2010-08-12 12:15 64288 -c--a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-28 19:39 . 2010-08-28 19:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-28 19:16 . 2010-08-28 19:16 -------- d-----w- c:\documents and settings\Mommy\Local Settings\Application Data\Sunbelt Software
2010-08-28 19:14 . 2010-08-28 19:14 -------- d-----w- c:\program files\Google
2010-08-28 19:12 . 2010-08-28 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-28 19:12 . 2010-08-28 19:12 -------- d-----w- c:\program files\Lavasoft
2010-08-28 18:44 . 2010-08-28 18:44 -------- d-----w- c:\documents and settings\Mommy\Application Data\MSNInstaller
2010-08-28 17:54 . 2010-08-29 01:30 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-28 03:36 . 2010-08-28 03:36 -------- d-----w- c:\documents and settings\Mommy\Application Data\Malwarebytes
2010-08-28 03:35 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-28 03:35 . 2010-08-28 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-28 03:35 . 2010-08-28 03:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-28 03:35 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-27 23:19 . 2010-08-27 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-27 23:17 . 2010-08-27 23:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-27 23:17 . 2010-08-27 23:17 -------- d-----w- c:\documents and settings\Mommy\Application Data\SUPERAntiSpyware.com
2010-08-27 22:56 . 2008-04-14 09:39 6656 -c--a-w- c:\windows\system32\dllcache\fxsres.dll
2010-08-27 22:55 . 2008-04-14 09:42 142848 -c--a-w- c:\windows\system32\dllcache\fxsclnt.exe
2010-08-27 22:40 . 2010-08-27 22:40 -------- d-----w- c:\program files\WhoCrashed
2010-08-27 01:40 . 2010-08-27 01:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2010-08-27 01:13 . 2010-08-27 15:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2010-08-27 00:32 . 2010-08-27 00:32 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-27 00:27 . 2010-08-27 00:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-26 04:29 . 2010-08-28 19:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-25 22:14 . 2010-08-25 22:15 -------- d-----w- c:\documents and settings\Administrator
2010-08-25 22:11 . 2010-08-28 15:20 -------- d-----w- c:\documents and settings\Mommy\Local Settings\Application Data\lgbvddeqj
2010-08-25 22:11 . 2010-08-28 15:20 -------- d-----w- c:\documents and settings\Mommy\Local Settings\Application Data\osgvdmqyu
2010-08-25 22:11 . 2010-08-27 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-25 22:06 . 2009-09-08 21:54 158720 ----a-w- c:\windows\system32\drivers\skybound.gecko.dll
2010-08-25 22:06 . 2010-08-26 21:41 -------- d-----w- c:\windows\system32\drivers\f
2010-08-25 22:06 . 2010-08-25 22:06 69992 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-25 22:05 . 2010-08-25 22:05 -------- d-----w- c:\windows\system32\system333
2010-08-25 22:05 . 2010-08-25 22:05 -------- d-----w- c:\windows\system32\weber
2010-08-23 00:29 . 2010-08-23 00:29 -------- d-----w- c:\documents and settings\Mommy\Application Data\Vast Studios
2010-08-23 00:18 . 2010-08-23 00:18 -------- d-----w- c:\windows\Nightfall Mysteries - The Asylum Conspiracy
2010-08-15 03:31 . 2010-08-15 03:31 -------- d-----w- c:\documents and settings\Mommy\Application Data\Silverback Productions
2010-08-15 01:23 . 2010-08-15 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Exorcist DS 7
2010-08-10 22:28 . 2010-08-10 22:28 -------- d-----w- c:\documents and settings\Mommy\Application Data\ERS Game Studios
2010-08-10 22:25 . 2010-08-10 22:25 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 22:36 . 2010-02-19 18:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-02 21:34 . 2010-08-29 02:16 63488 ----a-w- c:\documents and settings\Mommy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-02 21:34 . 2010-08-27 23:19 117760 ----a-w- c:\documents and settings\Mommy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-02 20:58 . 2010-02-11 18:11 -------- d-----w- c:\program files\Coupons
2010-09-02 13:21 . 2010-02-09 01:33 70768 ----a-w- c:\documents and settings\Mommy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-01 14:02 . 2010-02-09 02:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-30 08:49 . 2010-02-22 22:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-29 17:42 . 2010-08-29 17:42 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-08-28 19:08 . 2010-02-13 04:27 -------- d-----w- c:\documents and settings\Mommy\Application Data\BitComet
2010-08-28 18:44 . 2010-08-28 18:44 1244648 ----a-w- c:\documents and settings\Mommy\Application Data\MSNInstaller\msnauins.exe
2010-08-27 23:19 . 2010-08-27 23:19 52224 ----a-w- c:\documents and settings\Mommy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-27 23:11 . 2010-02-09 01:34 -------- d-----w- c:\program files\ClamWin
2010-08-27 17:23 . 2010-03-19 03:57 -------- d-----w- c:\program files\Microsoft Reader
2010-08-27 17:16 . 2010-05-23 20:12 -------- d-----w- c:\program files\FLAC
2010-08-27 16:50 . 2010-02-13 04:27 -------- d-----w- c:\program files\BitComet
2010-08-27 16:50 . 2010-03-03 02:37 -------- d-----w- c:\program files\Audio Workstation
2010-08-26 03:31 . 2010-08-25 22:06 35 ----a-w- c:\windows\system32\drivers\auth.txt
2010-08-25 22:06 . 2010-08-25 22:06 16896 ----a-w- c:\windows\system32\drivers\up.exe.old
2010-08-25 00:58 . 2010-07-31 20:24 22 ----a-w- c:\windows\popcinfot.dat
2010-08-24 02:11 . 2010-08-25 22:06 19456 ----a-w- c:\windows\system32\drivers\surfguard.exe.old
2010-08-24 02:11 . 2010-06-25 22:15 210944 ----a-w- c:\windows\system32\drivers\safesurf.old
2010-08-12 12:16 . 2010-08-28 19:14 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-05 03:15 . 2010-08-05 03:15 -------- d-----w- c:\documents and settings\Mommy\Application Data\runic games
2010-08-05 03:08 . 2010-08-05 03:08 -------- d-----w- c:\program files\Runic Games
2010-07-31 20:24 . 2010-07-31 20:24 0 ----a-w- c:\windows\popcreg.dat
2010-07-22 20:37 . 2010-07-22 20:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-20 08:04 . 2010-03-08 00:43 256 -c--a-w- c:\windows\system32\pool.bin
2010-07-20 07:49 . 2010-05-08 00:45 -------- d-----w- c:\documents and settings\Mommy\Application Data\calibre
2010-07-20 07:45 . 2010-02-13 04:37 -------- d-----w- c:\program files\ABC Amber LIT Converter
2010-06-30 12:31 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2008-04-14 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-14 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-20 06:09 . 2010-06-20 06:09 10134 ----a-r- c:\documents and settings\Mommy\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-06-17 14:03 . 2008-04-14 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2010-02-09 00:53 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-27 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-08-20 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-02 7933952]
"nwiz"="nwiz.exe" [2007-02-02 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-02 81920]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-02-08 1634304]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"Updater Service"= c:\windows\system32\drivers\safesurf.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8831:TCP"= 8831:TCP:BitComet 8831 TCP
"8831:UDP"= 8831:UDP:BitComet 8831 UDP
"9322:TCP"= 9322:TCP:EKDiscovery
"4000:TCP"= 4000:TCP:192.168.0.10/255.255.255.255,192.168.0.13/255.255.255.255:Enabled:diablo
"4000:UDP"= 4000:UDP:diablo

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/28/2010 3:39 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/16/2009 4:26 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 67656]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2/11/2010 3:36 PM 300400]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 AM 1355928]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/10/2010 10:46 PM 1691480]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 8:15 AM 15008]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 8:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 12872]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/1/2010 12:07 AM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 20:15]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Mommy\Application Data\Mozilla\Firefox\Profiles\r258s0lq.default\
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\NOS\bin\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Zeus - c:\impressions games\Zeus\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-05 00:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2324)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2010-09-05 00:12:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-05 04:12

Pre-Run: 12,438,188,032 bytes free
Post-Run: 12,319,436,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 76973E2A4040AD09AACD338364CCD645

#8
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,047 posts
Hello The Mommy

Moving along now.

You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no longer have Malwarebytes, please download it from Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3.

Go to the Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • MBAM log
  • Kaspersky scan results
  • and tell me how your computer is performing now


#9
The Mommy
    New Member
  • Topic Starter
  • Member
  • Pip
  • 9 posts
The machine is doing much better now! I'm not using it too much because I'm not sure it's "fixed" but the redirect thing seems to be completely stopped at the moment. It's got a much faster load time, and no broken image links! You so rock!


MBAM Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4546

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/5/2010 2:07:17 AM
mbam-log-2010-09-05 (02-07-17).txt

Scan type: Quick scan
Objects scanned: 139105
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Kaspersky Log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, September 5, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 05, 2010 04:11:53
Records in database: 4192264
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 122007
Threats found: 8
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 04:28:31


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\msconfig32.exe.vir Infected: Trojan.Win32.Buzus.byre 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{AD116179-C4B2-4447-846F-F91DC9A52B31}\RP250\A0110511.sys Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{AD116179-C4B2-4447-846F-F91DC9A52B31}\RP250\A0110566.exe Infected: Trojan-Dropper.Win32.Agent.cybd 1
C:\System Volume Information\_restore{AD116179-C4B2-4447-846F-F91DC9A52B31}\RP250\A0110568.exe Infected: Trojan.Win32.Buzus.byre 1
C:\WINDOWS\system32\system333\svchost.exe Infected: Trojan-Downloader.Win32.Pher.gdd 1
C:\WINDOWS\system32\weber\Updater.exe Infected: Trojan-Downloader.Win32.Pher.gdd 1
C:\_OTL\MovedFiles\09042010_212134\C_WINDOWS\system32\yoxgsvpc.dll Infected: Trojan.Win32.Agent2.cvll 1
C:\_OTL\MovedFiles\09042010_214708\C_WINDOWS\System32\drivers\ikymzs.sys Infected: Rootkit.Win32.Bubnix.adl 1
D:\Program Files\EA GAMES\The Sims 2 Pets\eauninstall.exe Infected: Trojan-Clicker.Win32.Agent.odw 1
G:\XCRACK\xKCARC\autorunme.exe Infected: Trojan.Win32.Buzus.cwav 1

Selected area has been scanned.

#10
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,047 posts
Hello The Mommy,

Most of those found by Kaspersky are in quarantine in the tools that we have been using or in System Restore. Those will be removed at the same time we clean away the tools, which will happen, all going well, at the next post.

Meantime we still have one or two to get rid of.

Now

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\system333\svchost.exe
C:\WINDOWS\system32\weber\Updater.exe
D:\Program Files\EA GAMES\The Sims 2 Pets\eauninstall.exe
G:\XCRACK\xKCARC\autorunme.exe

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.
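The triage emeraldnzl does in the post above, written out as an added example that is not part of the thread or of any tool it mentions: parse the result lines of the Kaspersky Online Scanner 7 report posted in #9, separate hits that sit in tool quarantines or System Restore points (gone once the tools are uninstalled and old restore points are flushed) from hits on live paths, and draft the File:: section of a CFScript for the live ones. The function names and the list of quarantine path prefixes are assumptions of mine; the sample report lines are copied from the log in #9.

```python
import re
from collections import defaultdict

# One Kaspersky Online Scanner 7 result line reads "<path> Infected: <threat> <count>".
# The path may contain spaces, so match it lazily up to the verdict keyword.
RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Assumed list of locations that hold copies already taken out of play (compared
# lower-case). ComboFix and OTL quarantines vanish when the tools are uninstalled,
# and System Restore copies go when the old restore points are flushed, so none
# of these need a CFScript entry.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",   # ComboFix quarantine
    "c:\\_otl\\movedfiles\\",      # OTL "MovedFiles" quarantine
)
RESTORE_MARKER = "\\system volume information\\_restore{"

# Constructed sample: the result block from the Kaspersky log posted in #9.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\msconfig32.exe.vir Infected: Trojan.Win32.Buzus.byre 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{AD116179-C4B2-4447-846F-F91DC9A52B31}\RP250\A0110511.sys Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{AD116179-C4B2-4447-846F-F91DC9A52B31}\RP250\A0110566.exe Infected: Trojan-Dropper.Win32.Agent.cybd 1
C:\System Volume Information\_restore{AD116179-C4B2-4447-846F-F91DC9A52B31}\RP250\A0110568.exe Infected: Trojan.Win32.Buzus.byre 1
C:\WINDOWS\system32\system333\svchost.exe Infected: Trojan-Downloader.Win32.Pher.gdd 1
C:\WINDOWS\system32\weber\Updater.exe Infected: Trojan-Downloader.Win32.Pher.gdd 1
C:\_OTL\MovedFiles\09042010_212134\C_WINDOWS\system32\yoxgsvpc.dll Infected: Trojan.Win32.Agent2.cvll 1
C:\_OTL\MovedFiles\09042010_214708\C_WINDOWS\System32\drivers\ikymzs.sys Infected: Rootkit.Win32.Bubnix.adl 1
D:\Program Files\EA GAMES\The Sims 2 Pets\eauninstall.exe Infected: Trojan-Clicker.Win32.Agent.odw 1
G:\XCRACK\xKCARC\autorunme.exe Infected: Trojan.Win32.Buzus.cwav 1

Selected area has been scanned.
"""


def parse_report(text):
    """Return (path, threat, count) tuples for every result line in the report.

    Header, blank and footer lines do not match RESULT_RE and are skipped.
    """
    hits = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def classify(path):
    """Return 'quarantine', 'restore_point' or 'live' for one detected path."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore_point"
    return "live"


def triage(text):
    """Group detections by where they sit; only the 'live' group still needs action."""
    groups = defaultdict(list)
    for path, threat, _count in parse_report(text):
        groups[classify(path)].append((path, threat))
    return dict(groups)


def draft_cfscript(live_paths):
    """Draft a CFScript in the shape the helper used in #10 (KillAll:: / File:: / Reboot::).

    The draft lists the live paths for the helper to review before it is run.
    """
    lines = ["KillAll::", "", "File::"]
    lines.extend(live_paths)
    lines.extend(["", "Reboot::", ""])
    return "\n".join(lines)


if __name__ == "__main__":
    groups = triage(SAMPLE_REPORT)
    for where in ("quarantine", "restore_point", "live"):
        print(f"{where}: {len(groups.get(where, []))} hit(s)")
    print(draft_cfscript([path for path, _ in groups.get("live", [])]))
```

On the sample report the four live paths are exactly the four the helper put under File:: in #10.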

#11
The Mommy
    New Member
  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks! I ran the scan and the log follows.

ComboFix 10-09-04.06 - Mommy 09/05/2010 16:14:34.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.487 [GMT -4:00]
Running from: c:\documents and settings\Mommy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mommy\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FILE ::
"c:\windows\system32\system333\svchost.exe"
"c:\windows\system32\weber\Updater.exe"
"d:\program files\EA GAMES\The Sims 2 Pets\eauninstall.exe"
"g:\xcrack\xKCARC\autorunme.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\system333
c:\windows\system32\system333\svchost.exe
c:\windows\system32\weber\Updater.exe
d:\program files\EA GAMES\The Sims 2 Pets\eauninstall.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
.

2010-09-05 01:21 . 2010-09-05 01:21 -------- dc----w- C:\_OTL
2010-09-04 15:47 . 2010-09-04 15:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-09-01 14:57 . 2010-09-01 15:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-29 23:46 . 2010-08-29 23:46 -------- d-----w- c:\windows\system32\msmq
2010-08-29 23:46 . 2010-08-29 23:47 -------- dc----w- C:\Inetpub
2010-08-29 22:33 . 2010-08-29 22:33 -------- d-----w- c:\documents and settings\Mommy\Local Settings\Application Data\Mozilla
2010-08-29 18:48 . 2010-08-29 18:57 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-29 17:42 . 2010-08-29 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-29 17:42 . 2010-08-29 17:42 -------- d-----w- c:\program files\NOS
2010-08-28 22:57 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-28 19:39 . 2010-08-12 12:15 64288 -c--a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-28 19:39 . 2010-08-28 19:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-28 19:16 . 2010-08-28 19:16 -------- d-----w- c:\documents and settings\Mommy\Local Settings\Application Data\Sunbelt Software
2010-08-28 19:14 . 2010-08-28 19:14 -------- d-----w- c:\program files\Google
2010-08-28 19:12 . 2010-08-28 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-28 19:12 . 2010-08-28 19:12 -------- d-----w- c:\program files\Lavasoft
2010-08-28 18:44 . 2010-08-28 18:44 -------- d-----w- c:\documents and settings\Mommy\Application Data\MSNInstaller
2010-08-28 17:54 . 2010-08-29 01:30 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-28 03:36 . 2010-08-28 03:36 -------- d-----w- c:\documents and settings\Mommy\Application Data\Malwarebytes
2010-08-28 03:35 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-28 03:35 . 2010-08-28 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-28 03:35 . 2010-08-28 03:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-28 03:35 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-27 23:19 . 2010-08-27 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-27 23:17 . 2010-08-27 23:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-27 23:17 . 2010-08-27 23:17 -------- d-----w- c:\documents and settings\Mommy\Application Data\SUPERAntiSpyware.com
2010-08-27 22:56 . 2008-04-14 09:39 6656 -c--a-w- c:\windows\system32\dllcache\fxsres.dll
2010-08-27 22:55 . 2008-04-14 09:42 142848 -c--a-w- c:\windows\system32\dllcache\fxsclnt.exe
2010-08-27 22:40 . 2010-08-27 22:40 -------- d-----w- c:\program files\WhoCrashed
2010-08-27 01:40 . 2010-08-27 01:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2010-08-27 01:13 . 2010-08-27 15:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2010-08-27 00:32 . 2010-08-27 00:32 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-27 00:27 . 2010-08-27 00:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-26 04:29 . 2010-08-28 19:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-25 22:14 . 2010-08-25 22:15 -------- d-----w- c:\documents and settings\Administrator
2010-08-25 22:11 . 2010-08-28 15:20 -------- d-----w- c:\documents and settings\Mommy\Local Settings\Application Data\lgbvddeqj
2010-08-25 22:11 . 2010-08-28 15:20 -------- d-----w- c:\documents and settings\Mommy\Local Settings\Application Data\osgvdmqyu
2010-08-25 22:11 . 2010-08-27 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-25 22:06 . 2009-09-08 21:54 158720 ----a-w- c:\windows\system32\drivers\skybound.gecko.dll
2010-08-25 22:06 . 2010-08-26 21:41 -------- d-----w- c:\windows\system32\drivers\f
2010-08-25 22:06 . 2010-08-25 22:06 69992 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-25 22:05 . 2010-09-05 20:19 -------- d-----w- c:\windows\system32\weber
2010-08-23 00:29 . 2010-08-23 00:29 -------- d-----w- c:\documents and settings\Mommy\Application Data\Vast Studios
2010-08-23 00:18 . 2010-08-23 00:18 -------- d-----w- c:\windows\Nightfall Mysteries - The Asylum Conspiracy
2010-08-15 03:31 . 2010-08-15 03:31 -------- d-----w- c:\documents and settings\Mommy\Application Data\Silverback Productions
2010-08-15 01:23 . 2010-08-15 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Exorcist DS 7
2010-08-10 22:28 . 2010-08-10 22:28 -------- d-----w- c:\documents and settings\Mommy\Application Data\ERS Game Studios
2010-08-10 22:25 . 2010-08-10 22:25 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 18:56 . 2010-02-09 01:33 70768 ----a-w- c:\documents and settings\Mommy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-02 22:36 . 2010-02-19 18:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-02 21:34 . 2010-08-29 02:16 63488 ----a-w- c:\documents and settings\Mommy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-02 21:34 . 2010-08-27 23:19 117760 ----a-w- c:\documents and settings\Mommy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-02 20:58 . 2010-02-11 18:11 -------- d-----w- c:\program files\Coupons
2010-09-01 14:02 . 2010-02-09 02:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-30 08:49 . 2010-02-22 22:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-29 17:42 . 2010-08-29 17:42 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-08-28 19:08 . 2010-02-13 04:27 -------- d-----w- c:\documents and settings\Mommy\Application Data\BitComet
2010-08-28 18:44 . 2010-08-28 18:44 1244648 ----a-w- c:\documents and settings\Mommy\Application Data\MSNInstaller\msnauins.exe
2010-08-27 23:19 . 2010-08-27 23:19 52224 ----a-w- c:\documents and settings\Mommy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-27 23:11 . 2010-02-09 01:34 -------- d-----w- c:\program files\ClamWin
2010-08-27 17:23 . 2010-03-19 03:57 -------- d-----w- c:\program files\Microsoft Reader
2010-08-27 17:16 . 2010-05-23 20:12 -------- d-----w- c:\program files\FLAC
2010-08-27 16:50 . 2010-02-13 04:27 -------- d-----w- c:\program files\BitComet
2010-08-27 16:50 . 2010-03-03 02:37 -------- d-----w- c:\program files\Audio Workstation
2010-08-26 03:31 . 2010-08-25 22:06 35 ----a-w- c:\windows\system32\drivers\auth.txt
2010-08-25 22:06 . 2010-08-25 22:06 16896 ----a-w- c:\windows\system32\drivers\up.exe.old
2010-08-25 00:58 . 2010-07-31 20:24 22 ----a-w- c:\windows\popcinfot.dat
2010-08-24 02:11 . 2010-08-25 22:06 19456 ----a-w- c:\windows\system32\drivers\surfguard.exe.old
2010-08-24 02:11 . 2010-06-25 22:15 210944 ----a-w- c:\windows\system32\drivers\safesurf.old
2010-08-12 12:16 . 2010-08-28 19:14 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-05 03:15 . 2010-08-05 03:15 -------- d-----w- c:\documents and settings\Mommy\Application Data\runic games
2010-08-05 03:08 . 2010-08-05 03:08 -------- d-----w- c:\program files\Runic Games
2010-07-31 20:24 . 2010-07-31 20:24 0 ----a-w- c:\windows\popcreg.dat
2010-07-22 20:37 . 2010-07-22 20:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-20 08:04 . 2010-03-08 00:43 256 -c--a-w- c:\windows\system32\pool.bin
2010-07-20 07:49 . 2010-05-08 00:45 -------- d-----w- c:\documents and settings\Mommy\Application Data\calibre
2010-07-20 07:45 . 2010-02-13 04:37 -------- d-----w- c:\program files\ABC Amber LIT Converter
2010-06-30 12:31 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2008-04-14 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-14 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-20 06:09 . 2010-06-20 06:09 10134 ----a-r- c:\documents and settings\Mommy\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-06-17 14:03 . 2008-04-14 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41 . 2008-04-14 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-27 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-08-20 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-02 7933952]
"nwiz"="nwiz.exe" [2007-02-02 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-02 81920]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-02-08 1634304]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"Updater Service"= c:\windows\system32\drivers\safesurf.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8831:TCP"= 8831:TCP:BitComet 8831 TCP
"8831:UDP"= 8831:UDP:BitComet 8831 UDP
"9322:TCP"= 9322:TCP:EKDiscovery
"4000:TCP"= 4000:TCP:192.168.0.10/255.255.255.255,192.168.0.13/255.255.255.255:Enabled:diablo
"4000:UDP"= 4000:UDP:diablo

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/28/2010 3:39 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/16/2009 4:26 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 67656]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 AM 1355928]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2/11/2010 3:36 PM 300400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/10/2010 10:46 PM 1691480]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 8:15 AM 15008]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 8:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 12872]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/1/2010 12:07 AM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 20:15]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Mommy\Application Data\Mozilla\Firefox\Profiles\r258s0lq.default\
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\NOS\bin\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{4817189D-1785-4627-A33C-39FD90919300} - d:\program files\EA GAMES\The Sims 2 Pets\EAUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-05 16:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-09-05 16:32:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-05 20:32
ComboFix2.txt 2010-09-05 04:12

Pre-Run: 12,071,931,904 bytes free
Post-Run: 12,197,199,872 bytes free

- - End Of File - - 41E27EB0A7C2DDC4BD8F05313794D242
#12 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,047 posts)
Hello The Mommy,

I think your machine is clean now. :)

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.
  • Click START then RUN
  • Now type Combofix /Uninstall in the Run box and click OK. Note the space between the X and the U, it needs to be there.

Step 2
  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep.

-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that your machine is clean here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Regularly check that your Java is up to date. Older versions are vulnerable to malicious attack.
  • Download from here Java Runtime Environment (JDK) Update
  • Scroll to where it says "Windows XP/Vista/2000/2003/2008 online" and download and follow the instructions to install.

    Reboot your computer.
    You also need to uninstall older versions of Java.
  • Click Start > Control Panel > Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.
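The Add or Remove Programs list above is built from the registry's Uninstall keys, so the same check can be scripted. This is an added example, not something from the thread or from emeraldnzl; it assumes PowerShell 2.0 or later, lists every Java entry, marks the newest as the one to keep and prints the uninstall command for the rest without running anything.

```powershell
# Added example (not from the thread): enumerate Java entries in Add/Remove Programs.
# Assumes PowerShell 2.0+. The Wow6432Node path only exists on 64-bit Windows; it is
# silently skipped elsewhere.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

$java = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayName -match '^Java' -and
                   $_.DisplayName -notmatch 'Auto Updater' } |
    ForEach-Object {
        # DisplayVersion looks like "6.0.210" for Java(TM) 6 Update 21; anything
        # unparsable sorts to the bottom instead of aborting the listing.
        try   { $v = [Version]$_.DisplayVersion }
        catch { $v = [Version]'0.0' }
        New-Object PSObject -Property @{
            Name      = $_.DisplayName
            Version   = $v
            Uninstall = $_.UninstallString
        }
    } | Sort-Object Version -Descending)

if ($java.Count -eq 0) {
    'No Java runtime found in Add/Remove Programs.'
    return
}

# Index 0 is the newest after the descending sort; everything else is a candidate for removal.
for ($i = 0; $i -lt $java.Count; $i++) {
    $action = if ($i -eq 0) { 'KEEP (newest)' } else { 'REMOVE' }
    '{0,-14} {1,-40} {2}' -f $action, $java[$i].Name, $java[$i].Version
    if ($i -gt 0) { '    uninstall command: ' + $java[$i].Uninstall }
}
```

Review the printed list before running any of the uninstall commands; a JDK entry also matches and may be one you want to keep.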
--------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week.

For ease of use, you might consider the following free program:

--------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
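The three ActiveX settings above are stored as DWORD values under the Internet zone key, so they can be audited after the fact. This is an added example, not part of the thread; it assumes PowerShell 2.0 or later and the documented URL-action value names (1001, 1004, 1201) and data (0 = Enable, 1 = Prompt, 3 = Disable), reports each setting against what the post recommends, and only writes the recommended value when run with -Apply.

```powershell
# Added example (not from the thread): audit the Internet zone ActiveX settings described above.
# Zone 3 = Internet zone. Value names: 1001 = Download signed ActiveX controls,
# 1004 = Download unsigned ActiveX controls, 1201 = Initialize and script ActiveX
# controls not marked as safe. Data: 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Apply)

$zoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$expected = @{ '1001' = 1; '1004' = 1; '1201' = 3 }
$labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Caveat: when Security_HKLM_only is set, the machine-wide zone settings win and the
# per-user values checked below are not what Internet Explorer actually enforces.
$policy = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($policy -and $policy.Security_HKLM_only -eq 1) {
    Write-Warning 'Security_HKLM_only is set; HKLM zone settings override these HKCU values.'
}

$current = Get-ItemProperty -Path $zoneKey
foreach ($name in '1001', '1004', '1201') {
    $have = $current.$name
    $want = $expected[$name]
    if ($null -eq $have) { $haveLabel = 'not set (zone default)' }
    elseif ($labels.ContainsKey([int]$have)) { $haveLabel = $labels[[int]$have] }
    else { $haveLabel = "unknown ($have)" }
    $ok = ($have -eq $want)

    New-Object PSObject -Property @{
        Setting  = $name
        Current  = $haveLabel
        Expected = $labels[$want]
        OK       = $ok
    }

    # Only change anything when explicitly asked, and only where the value is off.
    if ($Apply -and -not $ok) {
        Set-ItemProperty -Path $zoneKey -Name $name -Value $want -Type DWord
    }
}
```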

* Consider using an alternate browser.

Opera may be downloaded from here. It is one of the least targeted of all browsers.

Avant may be downloaded from here. Another one that is less well known.

Firefox may be downloaded from Here. I use Firefox because I like it. Used to be one of the safest but now targeted probably as much as IE.

Adblock Plus is a good Add-on for Firefox that helps prevent those annoying pop ups.
-----------------------------------------------------------------------------------------------------------------------

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

  • It is recommended that you do set Windows to check, download and install your updates automatically.

    * Click Start > Control Panel > Automatic Updates
    * Set the day and time for the update check. Set this to a time when your computer will normally be on and connected to the internet.
    * Click Apply then OK.

    And to keep your system clean consider choosing from these free for home use malware scanners and updating and running weekly.
  • Malwarebytes
  • SuperAntiSpyWare
Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

Have a safe and happy computing day!
#13 The Mommy (Topic Starter, New Member, 9 posts)
I can research my paper now! :) Thanks so much for your help, and especially for your time. I've now put a stronger password on my machine so nobody can get on without me knowing. You've been a great help and I'll be eternally grateful! :)
#14 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,047 posts)

Thanks so much for your help


You're very welcome. :)

I will keep this topic open for a day or two in case any issues arise.