Trojan.JS.Redirector.xa


Re: Trojan.JS.Redirector.xa
ComboFix 13-01-14.01 - Sandi 14.01.2013 19:25:46.2.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2812.1549 [GMT 1:00]
Running from: c:\users\Sandi\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-14 to 2013-01-14 )))))))))))))))))))))))))))))))
.
.
2013-01-14 18:44 . 2013-01-14 18:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-14 18:44 . 2013-01-14 18:44 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2013-01-14 06:40 . 2013-01-14 06:40 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-01-14 06:37 . 2013-01-14 06:36 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-01-14 06:36 . 2013-01-14 06:36 -------- d-----w- c:\program files (x86)\Java
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2013-01-13 15:30 . 2013-01-13 15:31 -------- d-----w- c:\program files (x86)\QuickTime
2013-01-12 21:24 . 2013-01-12 21:24 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-01-12 07:18 . 2013-01-12 07:18 -------- d-----w- c:\users\Sandi\AppData\Local\Mozilla
2013-01-12 03:50 . 2013-01-12 03:50 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3D66D4FC-6916-4805-B11D-B3F5CBC7C8A0}\offreg.dll
2013-01-11 18:56 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3D66D4FC-6916-4805-B11D-B3F5CBC7C8A0}\mpengine.dll
2013-01-10 07:27 . 2013-01-10 07:27 -------- d-----w- c:\program files (x86)\ESET
2013-01-09 04:10 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll
2013-01-09 04:10 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-01-09 04:08 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll
2013-01-09 04:07 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe
2013-01-09 04:07 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys
2012-12-22 02:01 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-22 02:01 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-22 02:01 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-22 02:01 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 16:17 . 2012-12-16 16:17 -------- d-----w- c:\users\Sandi\AppData\Local\Adobe_Systems_Incorporate
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-14 06:36 . 2010-09-25 20:05 780192 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-01-13 20:16 . 2012-04-01 16:56 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-13 20:16 . 2011-05-14 18:33 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-13 15:16 . 2012-09-01 09:48 859072 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-01-10 02:37 . 2009-10-23 13:47 67599240 ----a-w- c:\windows\system32\MRT.exe
2012-11-30 04:45 . 2013-01-09 04:08 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-11-14 07:06 . 2012-12-13 02:07 17811968 ----a-w- c:\windows\system32\mshtml.dll
2012-11-14 06:32 . 2012-12-13 02:07 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-11-14 06:11 . 2012-12-13 02:07 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 06:04 . 2012-12-13 02:07 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-11-14 06:04 . 2012-12-13 02:07 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 06:02 . 2012-12-13 02:07 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 06:02 . 2012-12-13 02:07 237056 ----a-w- c:\windows\system32\url.dll
2012-11-14 05:59 . 2012-12-13 02:07 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-11-14 05:58 . 2012-12-13 02:07 816640 ----a-w- c:\windows\system32\jscript.dll
2012-11-14 05:57 . 2012-12-13 02:07 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 05:57 . 2012-12-13 02:07 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 05:55 . 2012-12-13 02:07 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-11-14 05:55 . 2012-12-13 02:07 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-11-14 05:53 . 2012-12-13 02:07 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-11-14 05:52 . 2012-12-13 02:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-14 05:46 . 2012-12-13 02:07 248320 ----a-w- c:\windows\system32\ieui.dll
2012-11-14 02:09 . 2012-12-13 02:07 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-11-14 01:58 . 2012-12-13 02:07 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:57 . 2012-12-13 02:07 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-11-14 01:49 . 2012-12-13 02:07 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:48 . 2012-12-13 02:07 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-11-14 01:44 . 2012-12-13 02:07 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-11-13 20:29 . 2012-11-13 20:29 354216 ----a-w- c:\windows\SysWow64\DivXControlPanelApplet.cpl
2012-11-09 05:45 . 2012-12-13 00:10 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-09 04:42 . 2012-12-13 00:10 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-02 05:59 . 2012-12-13 00:09 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 05:11 . 2012-12-13 00:09 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-10-29 10:50 . 2011-04-20 13:50 637272 ----a-w- c:\windows\system32\drivers\klif.sys
2012-10-25 02:12 . 2012-10-25 02:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 02:12 . 2012-10-25 02:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-06-16 03:07 . 2011-06-16 03:07 16896 ----a-w- c:\program files\wmdmhelper.dll
2011-06-16 03:07 . 2011-06-16 03:07 139264 ----a-w- c:\program files\dunzip32.dll
2011-06-16 03:07 . 2011-06-16 03:07 641024 ----a-w- c:\program files\rjbres.dll
2011-06-16 03:07 . 2011-06-16 03:07 360960 ----a-w- c:\program files\rjdlg.dll
2011-06-16 03:07 . 2011-06-16 03:07 34304 ----a-w- c:\program files\rjprog.dll
2011-06-16 03:07 . 2011-06-16 03:07 9216 ----a-w- c:\program files\fixrjb.exe
2011-06-16 03:07 . 2011-06-16 03:07 45056 ----a-w- c:\program files\ierjplug.dll
2011-06-16 03:07 . 2011-06-16 03:07 1115376 ----a-w- c:\program files\cddbmusicid.dll
2011-06-16 03:07 . 2011-06-16 03:07 943344 ----a-w- c:\program files\cddblink.dll
2011-06-16 03:07 . 2011-06-16 03:07 23552 ----a-w- c:\program files\tnetdtct.dll
2011-06-16 03:07 . 2011-06-16 03:07 2041072 ----a-w- c:\program files\cddbcontrol.dll
2011-06-16 03:07 . 2011-06-16 03:07 74240 ----a-w- c:\program files\tsasdk.dll
2011-06-16 03:07 . 2011-06-16 03:07 48640 ----a-w- c:\program files\tpasdk.dll
2011-06-16 03:07 . 2011-06-16 03:07 45056 ----a-w- c:\program files\mmcdda32.dll
2011-06-16 03:07 . 2011-06-16 03:07 67072 ----a-w- c:\program files\rpwa3260.dll
2011-06-16 03:07 . 2011-06-16 03:07 16296 ----a-w- c:\program files\realtfon.fon
2011-06-16 03:07 . 2011-06-16 03:07 45744 ----a-w- c:\program files\rpshellsearch.dll
2011-06-16 03:06 . 2011-06-16 03:06 368776 ----a-w- c:\program files\realconverter.exe
2011-06-16 03:06 . 2011-06-16 03:06 344712 ----a-w- c:\program files\convert.exe
2011-06-16 03:06 . 2011-06-16 03:06 390384 ----a-w- c:\program files\mc_enc_mp4v.dll
2011-06-16 03:06 . 2011-06-16 03:06 372864 ----a-w- c:\program files\realtrimmer.exe
2011-06-16 03:06 . 2011-06-16 03:06 120960 ----a-w- c:\program files\realshare.exe
2011-06-16 03:06 . 2011-06-16 03:06 719360 ----a-w- c:\program files\dbghelp.dll
2011-06-16 03:06 . 2011-06-16 03:06 72192 ----a-w- c:\program files\rjwmapln.dll
2011-06-16 03:06 . 2011-06-16 03:06 46592 ----a-w- c:\program files\rpau3260.dll
2011-06-16 03:05 . 2011-06-16 03:05 26768 ----a-w- c:\program files\rndevicedbbuilder.exe
2011-06-16 03:05 . 2011-06-16 03:05 88064 ----a-w- c:\program files\hxaudiodevicehook.dll
2011-06-16 03:05 . 2011-06-16 03:05 116392 ----a-w- c:\program files\rdsf3260.dll
2011-06-16 03:05 . 2011-06-16 03:05 86528 ----a-w- c:\program files\rpplugprot.dll
2011-06-16 03:05 . 2011-06-16 03:05 64672 ----a-w- c:\program files\rpshell.dll
2011-06-16 03:05 . 2011-06-16 03:05 9728 ----a-w- c:\program files\realjbox.exe
2011-06-16 03:05 . 2011-06-16 03:05 17064 ----a-w- c:\program files\rphelperapp.exe
2011-06-16 03:05 . 2011-06-16 03:05 490112 ----a-w- c:\program files\realplay.exe
2011-06-16 03:05 . 2011-06-16 03:05 415416 ----a-w- c:\program files\recordingmanager.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 11:58 333192 ----a-w- c:\program files (x86)\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files (x86)\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Eraser"="c:\program files (x86)\Eraser\Eraser.exe" [2007-12-22 916240]
"SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2010-01-07 3676952]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-12-13 969104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"TkBellExe"="c:\program files\Update\realsched.exe" [2011-06-16 273544]
"avp"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2012-10-29 206448]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Sandi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\DRIVERS\DKRtWrt.sys [2011-02-14 44624]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1255736]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 10752]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-11 834544]
S1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\HWiNFO64\HWiNFO64A.SYS [2011-05-22 28032]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2011-03-04 11864]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-03-10 29488]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-03-02 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-02 203264]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2010-11-09 21992]
S2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2008-07-10 214040]
S2 PanService;PandoraService;c:\program files (x86)\PANDORA.TV\PanService\PandoraService.exe [2012-06-22 625816]
S2 PDFSFilter;PDFSFilter;c:\windows\system32\DRIVERS\PDFsFilter.sys [2011-06-06 79888]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2009-03-30 2075480]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2010-08-19 386344]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 22544]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2008-07-10 34840]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-06-26 46176]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-23 215040]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-03-09 36408]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-14 09:20 1606760 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-09 16:04]
.
2013-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-09 16:04]
.
2013-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2974327514-3669766198-1081035601-1000Core.job
- c:\users\Sandi\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-25 04:15]
.
2013-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2974327514-3669766198-1081035601-1000UA.job
- c:\users\Sandi\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-25 04:15]
.
2012-12-30 c:\windows\Tasks\HPCeeScheduleForSandi.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-08-17 21:38]
.
2013-01-13 c:\windows\Tasks\ReclaimerUpdateFiles_Sandi.job
- c:\users\Sandi\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-19 21:08]
.
2013-01-14 c:\windows\Tasks\ReclaimerUpdateXML_Sandi.job
- c:\users\Sandi\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-19 21:08]
.
2013-01-10 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Sandi.job
- c:\users\Sandi\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-19 21:08]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"IntelliType Pro"="c:\program files\Microsoft Device Center\itype.exe" [2012-06-26 1464928]
"IntelliPoint"="c:\program files\Microsoft Device Center\ipoint.exe" [2012-06-26 2004584]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Presario&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Save Page As PDF ... - file://c:\program files (x86)\Nitro PDF\PDF Download\nitroweb.htm
IE: {{E3CB497B-E230-4445-8B34-13476822F867} - c:\program files\Tidy Favorites\OpenTFV.js
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {70BEC6D2-977B-43CB-9A50-424099BA3897} -
TCP: DhcpNameServer = 77.77.192.10 77.78.192.10 94.140.66.194
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\
FF - prefs.js: browser.startup.homepage - hxxps://addons.mozilla.org/en-US/firefox/collections/Santa/s/?page=3|about:newaddon?id={23fcfd51-4958-4f00-80a3-ae97e717ed8b}|https://www.google.ba/search?num=30&hl=bs&client=firefox-a&tbo=d&rls=org.mozilla:en-US:official&spell=1&q=Plugin+for+Firefox&sa=X&ei=8ODyUMrGG4WItQbQhICQBw&ved=0CCoQBSgA&biw=1360&bih=651|https://www.google.ba/search?num=30&hl=bs&client=firefox-a&tbo=d&rls=org.mozilla:en-US:official&q=flash+plugin+for+firefox&revid=1325548727&sa=X&ei=8-DyUJu3GonVtAb2q4DoCg&ved=0CIECENUCKAM&biw=1360&bih=651|https://www.mozilla.org/en-US/plugincheck/|http://www.interoperabilitybridges.com/|https://www.google.ba/search?q=Arsenal&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=rcs|https://plus.google.com/u/0/|https://www.google.com/webhp?hl=en&tab=Xw
FF - ExtSQL: 2013-01-12 23:24; {EF522540-89F5-46b9-B6FE-1829E2B572C6}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}.xpi
FF - ExtSQL: 2013-01-12 23:24; {5546F97E-11A5-46b0-9082-32AD74AAA920}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{5546F97E-11A5-46b0-9082-32AD74AAA920}.xpi
FF - ExtSQL: 2013-01-12 23:24; googledictionary@toptip.ca; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\googledictionary@toptip.ca.xpi
FF - ExtSQL: 2013-01-12 23:24; ehtip@robertkatic; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\ehtip@robertkatic
FF - ExtSQL: 2013-01-12 23:24; abhere2@moztw.org; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\abhere2@moztw.org.xpi
FF - ExtSQL: 2013-01-12 23:57; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF - ExtSQL: 2013-01-12 23:57; tabutils@ithinc.cn; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\tabutils@ithinc.cn.xpi
FF - ExtSQL: 2013-01-12 23:57; tabscope@xuldev.org; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\tabscope@xuldev.org.xpi
FF - ExtSQL: 2013-01-12 23:57; pavel.sherbakov@gmail.com; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\pavel.sherbakov@gmail.com
FF - ExtSQL: 2013-01-13 00:55; {4BBDD651-70CF-4821-84F8-2B918CF89CA3}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - ExtSQL: 2013-01-13 00:55; zoompage@DW-dev; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\zoompage@DW-dev.xpi
FF - ExtSQL: 2013-01-13 00:55; en-US@dictionaries.addons.mozilla.org; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\en-US@dictionaries.addons.mozilla.org
FF - ExtSQL: 2013-01-13 06:28; {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
FF - ExtSQL: 2013-01-13 06:28; {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi
FF - ExtSQL: 2013-01-13 06:28; status4evar@caligonstudios.com; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\status4evar@caligonstudios.com.xpi
FF - ExtSQL: 2013-01-13 16:38; firefox-managefolders@googlecode.com; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\firefox-managefolders@googlecode.com.xpi
FF - ExtSQL: 2013-01-13 17:14; {23fcfd51-4958-4f00-80a3-ae97e717ed8b}; c:\program files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
.
.
"ImagePath"="\"c:\program files\CyberLink\Shared files\RichVideo64.exe\"\00Z
[\]^_™\00\00™\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~™\00\00™\00\00\00\00™\00\00\00\00\00\00\00\00‘’“"
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-14 19:50:52
ComboFix-quarantined-files.txt 2013-01-14 18:50
ComboFix2.txt 2013-01-09 04:28
.
Pre-Run: 77.426.671.616 bytes free
Post-Run: 77.447.884.800 bytes free
.
- - End Of File - - 269EABBB879FB438C0AD200764E15B9A

Re: Trojan.JS.Redirector.xa
I suspect these add-ons/extensions, or rather the data/information/URLs these add-ons preserve:

- Scrapbook
- Session Manager (with Session Manager Export Tool)
- Textarea Cache
- Lazarus: Form Recovery
- Resurrect Pages
- ScreenshotPimp

Re: Trojan.JS.Redirector.xa
ComboFix Script


  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::

    Registry::
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    DDS::
    IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {70BEC6D2-977B-43CB-9A50-424099BA3897} -
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

  • Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.



Norman Malware Cleaner

Please download Norman Malware Cleaner and save to your desktop.
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (e.g. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
Note: To scan USB flash drives and/or other removable drives, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.

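The CFScript above was written by hand from the "Reg Loading Points" section of the log: the Ask toolbar DLL (askBar.dll) is loaded from two places, a Browser Helper Object key and an Internet Explorer Toolbar value, and the script deletes the key with `[-KEY]`, the value with `"name"=-`, and the matching CLSID registration under HKEY_CLASSES_ROOT. The following Python script is an added example for this thread, not ComboFix code and not part of the helper's post. It parses the lines of that section (the excerpt embedded below is copied verbatim from the log above) into load points, finds every one that references a given DLL, and emits the same `Registry::` stanza in the syntax the helper used. It reproduces the first four lines of the helper's Registry:: section; the TypeLib key is the one thing it cannot derive, because nothing in the log ties the TypeLib GUID to the DLL, so that line still has to be copied from the log by hand as the helper did. ComboFix's `~` abbreviation in the BHO key path is kept as printed, since the helper's script uses the same form.

```python
"""Turn the 'Reg Loading Points' section of a ComboFix log into the CFScript
'Registry::' stanza that removes every load point referencing a given DLL.
Added example for this thread, not part of ComboFix or the helper's post."""
import re
from dataclasses import dataclass
from typing import Optional

# Verbatim lines excerpted from the ComboFix log posted above (Reg Loading Points).
LOG_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 11:58 333192 ----a-w- c:\program files (x86)\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files (x86)\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-12-13 969104]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "<date> <time> <size> <attrs> <path>": the file behind a key-only load point (BHO style).
KEYFILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(\d+)\s+\S+\s+(.+)$")
# "<name>"= "<path>" [<date> <size>]: a named value under a key (Run and Toolbar style).
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]*)"\s*\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class LoadPoint:
    key: str                    # registry key as ComboFix prints it (its '~' abbreviation kept)
    value: Optional[str]        # value name, or None when the key itself is the load point
    path: Optional[str]         # file that gets loaded; None for bare class registrations
    date: Optional[str] = None
    size: Optional[int] = None


def parse_loading_points(text: str) -> list[LoadPoint]:
    """A '[KEY]' line opens a context; the lines under it are a file line (BHO),
    named values (Run, Toolbar) or nothing at all (bare CLSID/TypeLib keys,
    which ComboFix lists without a file).  '.' lines are separators."""
    points: list[LoadPoint] = []
    current: Optional[LoadPoint] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := KEY_RE.match(line):
            current = LoadPoint(key=m.group(1), value=None, path=None)
            points.append(current)
        elif current is not None and (m := KEYFILE_RE.match(line)):
            current.date, current.size, current.path = m.group(1), int(m.group(2)), m.group(3)
        elif current is not None and (m := VALUE_RE.match(line)):
            points.append(LoadPoint(key=current.key, value=m.group(1), path=m.group(2),
                                    date=m.group(3), size=int(m.group(4))))
    # A key that only served as the parent of named values is not a load point itself.
    parents = {p.key for p in points if p.value is not None}
    return [p for p in points if not (p.value is None and p.path is None and p.key in parents)]


def load_points_for(points: list[LoadPoint], dll_substring: str) -> list[LoadPoint]:
    """Every load point whose file path contains dll_substring (case-insensitive)."""
    needle = dll_substring.lower()
    return [p for p in points if p.path and needle in p.path.lower()]


def cfscript_registry_stanza(points: list[LoadPoint], dll_substring: str) -> str:
    """CFScript lines that delete the matched load points, in the syntax the
    helper's script uses: '[-KEY]' deletes a key, '"name"=-' deletes a value.
    Bare HKEY_CLASSES_ROOT keys whose CLSID also names a deleted key or value
    are deleted too.  A TypeLib GUID cannot be tied to the DLL from the log,
    so that key (present in the helper's script) still has to be added by hand."""
    lines = ["Registry::"]
    clsids: set[str] = set()
    for p in load_points_for(points, dll_substring):
        if p.value is None:
            lines.append(f"[-{p.key}]")
        else:
            lines.append(f"[{p.key}]")
            lines.append(f'"{p.value}"=-')
        clsids.update(c.lower() for c in CLSID_RE.findall(p.key + (p.value or "")))
    for p in points:
        if p.path is None and p.value is None and p.key.upper().startswith("HKEY_CLASSES_ROOT\\"):
            if any(c.lower() in clsids for c in CLSID_RE.findall(p.key)):
                lines.append(f"[-{p.key}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(cfscript_registry_stanza(parse_loading_points(LOG_EXCERPT), "askBar.dll"))
```

Run it as-is and it prints the four Registry:: lines for askBar.dll; point it at a full log by replacing LOG_EXCERPT with the section between "Reg Loading Points" and "Contents of the 'Scheduled Tasks' folder". Review what it emits before dropping it onto ComboFix: the generator deletes whatever references the DLL you name, and a substring like "java" would match legitimate Sun/Oracle load points in this log as readily as a toolbar.
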
Re: Trojan.JS.Redirector.xa
I am sorry for the delay; I hope you are still willing to finish this with me. Here's the ComboFix log file....

Re: Trojan.JS.Redirector.xa
then visit our site->
