
Please help with possible jump virus

Discussion in 'Virus & Other Malware Removal' started by BradZ28, Jan 8, 2011.

Thread Status:
Not open for further replies.
  1. BradZ28

    BradZ28 Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    3
    Hello,
    While searching for websites (usually on Google) my browser will redirect me to an advertisement. Also IE opens on its own stating I have registry errors. I have tried MBAM, SuperAntiSpyware, AdAware, IObit, and AVG with no luck. I won't do additional scans or change anything until directed. I had to include the HijackThis file as an attachment because I kept getting an IE error when copying it into the post. Thanks!

    Brad
     

    Attached Files:

  2. BradZ28

    BradZ28 Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    3
    Also here are the DDS, Attach, & GMER files needed. Again I couldn't copy them into the post, but included them as attachments. Thanks!

    Brad
     

    Attached Files:

  3. BradZ28

    BradZ28 Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    3
    Well I ran ComboFix (which I have since deleted) because HitmanPro found the Atapi.sys trojan but wouldn't delete it. I then ran updated MBAM, SuperAntiSpyware, AdAware, IObit, and AVG scans to finish the job. The redirecting and advertising pop-ups are gone and this thing is faster than it was when I got it (used). Here is the log:

    BTW I believe a FrostWire download was the culprit. I used the program once and deleted it, I suppose I deserved it...



    ComboFix 11-01-08.05 - play 01/09/2011 13:26:59.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.245 [GMT -5:00]
    Running from: c:\documents and settings\play\Desktop\username123.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    The following files were disabled during the run:
    c:\program files\IObit\IObit Security 360\IS360mon.dll

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\play\Application Data\inst.exe
    Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))
    .
    2011-01-09 15:45 . 2011-01-09 17:51 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-01-09 15:45 . 2011-01-09 15:45 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-01-09 15:44 . 2011-01-09 15:44 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-01-08 19:22 . 2011-01-08 19:22 388096 ----a-r- c:\documents and settings\play\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-08 19:22 . 2011-01-08 19:22 -------- d-----w- c:\program files\Trend Micro
    2011-01-08 15:56 . 2011-01-08 15:56 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-12-31 02:43 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-31 02:43 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-31 02:43 . 2011-01-08 15:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-24 20:18 . 2010-12-24 20:18 -------- d-----w- c:\documents and settings\play\Application Data\SUPERAntiSpyware.com
    2010-12-24 20:17 . 2011-01-08 15:56 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-12-24 19:42 . 2011-01-08 15:56 -------- d-----w- c:\documents and settings\play\Application Data\IObit
    2010-12-22 03:23 . 2010-12-22 03:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
    2010-12-22 03:19 . 2011-01-08 15:40 -------- dc----w- c:\documents and settings\All Users\Application Data\IObit
    2010-12-22 03:16 . 2010-12-24 18:19 -------- d-----w- c:\program files\IObit
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-09 18:09 . 2003-03-31 19:00 26112 ----a-w- c:\windows\system32\userinit.exe
    2010-12-31 23:21 . 2010-11-28 03:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-11-27 19:50 . 2010-11-27 19:50 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 2402512]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
    "IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2003-05-04 11:16 88267 ----a-r- c:\windows\AGRSMMSG.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
    2001-09-03 03:24 28672 ----a-w- c:\windows\system32\Ati2mdxx.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2004-01-20 19:10 335872 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
    2004-03-01 11:05 200766 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2006-10-27 04:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-01 12:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-08-10 09:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2005-02-02 18:11 692316 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    2005-02-02 18:12 102492 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-18 23:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/27/2010 2:50 PM 64288]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
    R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/21/2010 10:18 PM 312152]
    R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [3/4/2008 10:35 AM 27008]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/10/2010 11:24 AM 135664]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 2:46 AM 1389400]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder
    2011-01-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 23:21]
    2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
    2011-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 16:24]
    2011-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 16:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    Trusted Zone: getoffutt.com\www
    Trusted Zone: hernandomls.com\www
    DPF: {0D9633EB-D799-4626-B34E-FCC17AFA2BCF} - hxxp://www.hernandomls.com/her/valid/osi_valid9j.ocx
    .
    - - - - ORPHANS REMOVED - - - -
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
    MSConfigStartUp-EzPrint - c:\program files\Lexmark 4300 Series\ezprint.exe
    MSConfigStartUp-FaxCenterServer - c:\program files\Lexmark Fax Solutions\fm3032.exe
    MSConfigStartUp-lxcemon - c:\program files\Lexmark 4300 Series\lxcemon.exe
    MSConfigStartUp-Media Codec Update Service - c:\program files\Essentials Codec Pack\update.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-09 13:44
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_USERS\S-1-5-21-1482476501-2111687655-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(896)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-01-09 13:48:06
    ComboFix-quarantined-files.txt 2011-01-09 18:47
    Pre-Run: 58,418,409,472 bytes free
    Post-Run: 59,131,314,176 bytes free
    - - End Of File - - D18C5E54447CA92C9E1474FF3FBF8AD5
     
Short URL to this thread: https://techguy.org/973514