Infected with something, please see logs
Wait for user AlienRik to look at the ComboFix log.
Are you still seeing the weird redirects?
Ex forum ambassador
Long term forum member
» Wait for user AlienRik to look at the ComboFix log. Are you still seeing the weird redirects?
Just rebooted and no redirects so far. However, another scan of SUPERAntiSpyware is running and it's found "Rogue.Agent/Gen-Nullo[DLL]"; whether this is a false positive or genuine I don't know. Not sure what happened to it "fixing" it before the reboot either!
May I make a suggestion... empty all your temp files before continuing (CCleaner and/or Windows Disk Cleanup; both would be better), turn off System Restore, then re-run ComboFix.
If it was a rootkit I'd expect CF to at least detect it, even if it couldn't clear it. Dr Web may also be a good bet where other things haven't picked up anything...
Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
» Dr Web may also be a good bet where other things haven't picked up anything...
Which product? http://download.drweb.com/?lng=en
Deleted_User wrote: »Just rebooted and no redirects so far. However, another scan of SUPERAntiSpyware is running and it's found "Rogue.Agent/Gen-Nullo[DLL]"; whether this is a false positive or genuine I don't know. Not sure what happened to it "fixing" it before the reboot either!
Reran, "cleaned", rebooted, found the issue again. I'll give up on SAS then.
» May I make a suggestion... empty all your temp files before continuing (CCleaner and/or Windows Disk Cleanup; both would be better), turn off System Restore, then re-run ComboFix.
I'll give this a go if aliEnRIK doesn't come online today / tomorrow.
Looks fine to me.
I suspect the file that SAS found wasn't actually in use.
I'd follow Jack's advice (Dr Web too).
» May I make a suggestion... empty all your temp files before continuing (CCleaner and/or Windows Disk Cleanup; both would be better), turn off System Restore, then re-run ComboFix.
Done. Looks like it's removed at least one file. I'll rerun it again though and repost in a bit.
ComboFix 11-04-26.05 - Dave 27/04/2011 16:41:08.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.569 [GMT 1:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\14545215641.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
.
.
2011-04-27 15:33 . 2011-04-27 15:33 d-----w- c:\program files\CCleaner
2011-04-27 12:33 . 2011-04-27 12:33 d-----w- c:\program files\Common Files\Java
2011-04-27 10:59 . 2011-04-27 10:59 d-----w- c:\program files\Sophos
2011-04-27 10:51 . 2011-04-27 10:51 d-----w- c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com
2011-04-27 10:50 . 2011-04-27 10:50 d-----w- c:\program files\SUPERAntiSpyware
2011-04-27 10:46 . 2011-04-27 10:46 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-27 10:45 . 2011-04-27 10:45 d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-25 21:26 . 2011-04-25 21:27 d-----w- c:\program files\Common Files\Data
2011-04-25 21:24 . 2011-04-25 21:24 197632 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll
2011-04-23 15:39 . 2011-04-23 15:39 d-----w- c:\documents and settings\Dave\Application Data\Convivea
2011-04-23 15:39 . 2011-04-23 15:39 d-----w- c:\program files\Bit Che
2011-04-17 20:32 . 2011-04-17 20:32 d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-19 17:33 . 2010-08-22 03:55 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-07 05:33 . 2004-09-14 12:03 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 1979-12-31 23:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 1979-12-31 23:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 1979-12-31 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 1979-12-31 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 1979-12-31 23:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:42 . 1979-12-31 23:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 1979-12-31 23:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 1979-12-31 23:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-08-21 20:39 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 1979-12-31 23:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 12:53 . 1979-12-31 23:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 12:53 . 1979-12-31 23:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 1979-12-31 23:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 1979-12-31 23:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 20:40 . 2010-08-24 09:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 18:19 . 2010-12-27 19:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 06:58 . 2004-09-14 12:01 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dave\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dave\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dave\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Online Files]
@="{B82655E9-B81D-4A97-8154-0D84A4C048E4}"
[HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}]
2011-04-25 21:24 197632 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-20 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2004-04-20 40960]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 339968]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-03-30 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-05-19 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2004-10-11 245760]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-04-18 81920]
"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-11-11 129648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Dave\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\SteamApps\\origdav\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22/08/2010 04:55 136360]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [11/11/2010 13:48 70768]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [11/11/2010 12:31 539248]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [01/01/1980 200192]
R3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [22/08/2010 04:38 2343]
S1 mailKmd;mailKmd; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/12/2010 15:24 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\18.tmp --> c:\windows\system32\18.tmp [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [01/01/1980 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 14:24]
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 14:24]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\r2nc36eo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-27 16:44
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\18.tmp"
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'winlogon.exe'(984)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-04-27 16:46:05
ComboFix-quarantined-files.txt 2011-04-27 15:46
ComboFix2.txt 2011-04-27 11:24
.
Pre-Run: 2,063,269,888 bytes free
Post-Run: 2,062,843,904 bytes free
.
- - End Of File - - 0D8A123637ADE34427E416301CD71A8F
Deleted_User wrote: »Which product?
Download and run the FREE version of Dr Web:
http://www.freedrweb.com/download+cureit/?nc=t&lng=en
» 2011-04-23 15:39 . 2011-04-23 15:39 d-----w- c:\program files\Bit Che
Could it have come from a dodgy torrent?
Move along, nothing to see.