Malwarebytes

Getting redirected - URL:Mal from svchost.exe

39 replies to this topic

#1
skatalite

    New Member

  • Members
  • 22 posts
  • Gender:Male
  • Interests:Writing, science and sci-fi.
I'm getting redirected very frequently when clicking on links (i.e. from Google's search results) to shady sites. My AV (avast!) tells me a few times (but most of the time it doesn't complain) that there is some type of URL:Mal from svchost.exe.

I've read about others having similar problems with getting redirected and it being related to svchost.exe.

Can some kind soul help me solve this annoying problem? Awaiting orders! ;)

Thanks in advance!

#2
Maniac

    Forum Deity

  • Experts
  • 17,117 posts
  • Gender:Male
  • Location:Bulgaria, EU
Hello skatalite, and welcome! My name is Maniac, and I will be glad to help you solve your malware problem.

Please note:
  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


Step 2

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


In your next post, please include:

  • TDSSKiller log
  • ComboFix log

My help is free; however, if you wish to make a small donation to show appreciation and to help me continue the fight against malware, then click here.
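As an added example that is not part of this thread: TDSSKiller's "Verify Driver Digital Signature" option checks the Authenticode signature on each loaded kernel driver, because a rootkit on 32-bit Windows of this era typically lives in a driver that is unsigned or has been patched. The PowerShell below is my own code, not TDSSKiller's or the helper's; it does the equivalent enumeration with built-in cmdlets so the result can be read before a third-party cleaner is run. It assumes Windows PowerShell 3.0 or later for Get-CimInstance; on the PowerShell 2.0 that shipped with Vista, substitute Get-WmiObject -Class Win32_SystemDriver.

```powershell
# Added example (not part of the thread): list running kernel drivers and report the
# Authenticode status of each image, which is the check TDSSKiller performs when
# "Verify Driver Digital Signature" is ticked. Run from an elevated PowerShell prompt.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance); on PowerShell 2.0 use
# Get-WmiObject -Class Win32_SystemDriver instead.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param()

    $systemRoot = $env:SystemRoot

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes in several shapes: \??\C:\...\x.sys, \SystemRoot\system32\...,
            # or a bare system32\drivers\x.sys. Normalise to an absolute path.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', ($systemRoot + '\')
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path -Path $systemRoot -ChildPath $path
            }

            if (Test-Path -LiteralPath $path) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $path
                $status = $sig.Status.ToString()
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
            else {
                # A running driver whose image is not on disk is worth a look on its own.
                $status = 'FileNotFound'
                $signer = ''
            }

            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $status
                Signer = $signer
            }
        }
}

$report = Get-DriverSignatureReport
$report | Sort-Object -Property Status, Name | Format-Table -AutoSize

''
'Drivers to look at more closely (status other than Valid):'
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -Property Name, Path, Status -AutoSize
```

Two caveats when reading the output. Older Windows PowerShell versions check only embedded signatures, so in-box Microsoft drivers that are signed through catalog (.cat) files show up as NotSigned; confirm those with signtool verify /a /v <file> from the Windows SDK before treating the result as tampering. And a clean report does not clear the machine: a rootkit that hides its own service from the Service Control Manager is also absent from Win32_SystemDriver, which is why TDSSKiller looks for hidden objects and the TDLFS file system as separate checks.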

#3
skatalite

Hi, and thanks for helping me!
I am a non-paying customer, so I will stick to your instructions here.

I have downloaded TDSSKiller.exe from the given link and saved the file to my desktop. When I double-click it, a window pops up asking for my permission to run (normal stuff), then nothing happens... What to do? :(

#4
Maniac

Please proceed with the next step.

#5
skatalite

Followed instructions, downloaded, installed, and so on for step 2, but ComboFix froze at the part where it scans for infected files and it says that it will take about 10 minutes. I had it running for an hour before I took the decision to power-nuke my computer.

#6
Maniac

Depending on how badly your system is infected, ComboFix may take longer to complete its routine than it normally does. However, there are circumstances ComboFix will hang or stall at various stages due to malware interference. Did you disable your AV protection?

#7
skatalite

Yes, I did. I use avast!, and did also disable Ad-aware, just in case.

#8
skatalite

By some miracle, my computer gave birth! Here is one of the logs...

ComboFix 12-02-22.01 - Uffe 2012-02-23 17:43:25.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.46.1053.18.2047.1297 [GMT 1:00]
Running from: c:\users\Uffe\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\WQacN7FjcE9xAt
C:\readme.txt
c:\windows\system32\SET15B4.tmp
c:\windows\system32\SET231F.tmp
L:\Autorun.inf
.
.
(((((((((((((((((((((((( Files Created from 2012-01-23 to 2012-02-23 ))))))))))))))))))))))))))))))
.
.
2012-02-23 17:18 . 2012-02-23 17:20 -------- d-----w- c:\users\Uffe\AppData\Local\temp
2012-02-23 17:18 . 2012-02-23 17:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-23 13:36 . 2012-02-23 13:36 -------- d-sh--w- c:\programdata\DSS
2012-02-23 10:14 . 2012-02-23 10:14 -------- d-----w- c:\programdata\Electronic Arts
2012-02-23 10:14 . 2012-02-23 10:14 -------- d-----w- c:\programdata\EA Core
2012-02-21 17:19 . 2012-02-21 17:19 388096 ----a-r- c:\users\Uffe\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-21 17:19 . 2012-02-21 17:19 -------- d-----w- c:\program files\Trend Micro
2012-02-21 17:10 . 2012-02-21 17:10 -------- d-----w- c:\users\Uffe\AppData\Roaming\Malwarebytes
2012-02-21 17:09 . 2012-02-21 17:09 -------- d-----w- c:\programdata\Malwarebytes
2012-02-21 16:52 . 2012-02-21 16:52 378640 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-02-21 10:44 . 2011-12-14 02:56 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-21 10:04 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C1E29046-358F-4925-A894-0E259A0F039A}\mpengine.dll
2012-02-18 16:50 . 2012-02-18 16:50 -------- d-----w- c:\program files\GOG.com
2012-02-16 20:15 . 2012-02-16 20:15 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-16 20:09 . 2012-02-16 20:10 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-02-16 17:37 . 2012-02-23 16:31 -------- d-----w- c:\programdata\Lavasoft
2012-02-16 17:03 . 2012-02-16 20:10 -------- d-----w- C:\sh4ldr
2012-02-16 17:03 . 2012-02-16 17:03 -------- d-----w- c:\program files\Enigma Software Group
2012-02-16 17:02 . 2012-02-16 17:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-02-15 17:56 . 2012-02-15 17:57 -------- d-----w- C:\DOTT.CD
2012-02-15 14:55 . 2012-02-23 16:34 -------- d-----w- c:\programdata\AVAST Software
2012-02-15 14:55 . 2012-02-15 14:55 -------- d-----w- c:\program files\AVAST Software
2012-02-15 14:52 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 14:52 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 14:51 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-02-15 14:29 . 2012-02-15 14:29 -------- d-----w- c:\program files\CCleaner
2012-02-14 20:18 . 2012-02-14 20:20 -------- d-----w- c:\users\Uffe\AppData\Local\DOSBox
2012-02-14 19:50 . 2012-02-14 19:50 -------- d-----w- c:\program files\DOSBox-0.74
2012-02-14 19:46 . 2012-02-14 19:47 -------- d-----w- C:\DFInstall
2012-01-26 08:00 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-26 08:00 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-26 08:00 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-26 08:00 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-26 08:00 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-26 08:00 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-29 04:10 . 2009-10-03 15:26 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-31 23:31 . 2011-12-31 23:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 18:03 . 2011-05-08 12:07 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{807ca0aa-7cb3-4f03-bd61-076f618cc82d}]
2009-11-08 08:55 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-11-23 319488]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-19 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-19 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-19 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 09:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 21:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-02-16 10:38 136176 ----atw- c:\users\Uffe\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder:
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 02:48]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 02:48]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2214144576-2560372886-1436887819-1000Core.job
- c:\users\Uffe\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-16 10:38]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2214144576-2560372886-1436887819-1000UA.job
- c:\users\Uffe\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-16 10:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://sv.intl.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: Download with FLV Blaster - c:\program files\FLV Blaster\Addons\Internet Explorer\script.htm
IE: Download with FLV Blaster\Contexts - 1 (0x1)
IE: Download with FLV Blaster\Flags - 1 (0x1)
TCP: DhcpNameServer = 80.251.201.177 80.251.201.178
FF - ProfilePath - c:\users\Uffe\AppData\Roaming\Mozilla\Firefox\Profiles\w13x1pvi.default\
.
- - - - ORPHANED ENTRIES REMOVED - - - -
.
HKLM-Run-Acer Tour - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-23 18:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AgentService]
"ImagePath"="c:\program files\AgentService/AgentService.exe"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-23 18:37:24
ComboFix-quarantined-files.txt 2012-02-23 17:37
.
Pre-Run: 80 370 962 432 bytes free
Post-Run: 79 007 432 704 bytes free
.
- - End Of File - - BB2C4C3FE0E9E4A6DFF1B9AE2D764E9B

#9
Maniac

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\Freecorder\prxtbFre0.dll

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-

[-HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-

[-HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"=-

[-HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

Save this as CFScript.txt, in the same location as ComboFix.exe

Drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
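As an added example that is not part of this thread: the CFScript above removes one CLSID from four Internet Explorer load points (URLSearchHooks, Browser Helper Objects, the machine-wide Toolbar list and the per-user WebBrowser toolbar list) and deletes the DLL that CLSID resolves to. The PowerShell below is my own code, not ComboFix's or the helper's; it enumerates those same load points, resolves each CLSID through its InprocServer32 key to the DLL, reports the DLL's Authenticode status, and prints the CFScript block for one chosen CLSID so it can be reviewed before it is handed to ComboFix. It modifies nothing. Assumptions: Windows PowerShell 3.0 or later; the CLSID in the usage call is the Freecorder one from the posted ComboFix log; and the `~` shorthand in the generated HKEY_LOCAL_MACHINE line is reproduced from the helper's script rather than being a real registry path.

```powershell
# Added example (not part of the thread): enumerate the IE load points ComboFix listed,
# resolve each CLSID to its InprocServer32 DLL, check the DLL's signature, and print the
# CFScript removal block for one CLSID. Read-only; nothing is deleted.
# Assumes Windows PowerShell 3.0+. The target CLSID below is Freecorder's, from the posted log.

function Get-IeLoadPoint {
    [CmdletBinding()]
    param()

    # Where IE reads CLSIDs from, and whether they appear as value names
    # (URLSearchHooks, Toolbar lists) or as subkeys (Browser Helper Objects).
    $locations = @(
        @{ Kind = 'URLSearchHook'; Path = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks';                       AsValueName = $true  }
        @{ Kind = 'BHO';           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; AsValueName = $false }
        @{ Kind = 'Toolbar';       Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar';                              AsValueName = $true  }
        @{ Kind = 'UserToolbar';   Path = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser';                   AsValueName = $true  }
    )
    $clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    foreach ($loc in $locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }

        if ($loc.AsValueName) {
            $clsids = (Get-Item -LiteralPath $loc.Path).GetValueNames() | Where-Object { $_ -match $clsidPattern }
        }
        else {
            $clsids = (Get-ChildItem -LiteralPath $loc.Path).PSChildName | Where-Object { $_ -match $clsidPattern }
        }

        foreach ($clsid in $clsids) {
            # COM consults HKCU\Software\Classes before HKLM; mirror that order.
            $dll = $null
            foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
                $inproc = "$root\CLSID\$clsid\InprocServer32"
                if (Test-Path -LiteralPath $inproc) {
                    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                    break
                }
            }
            $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }

            $status = 'NoInprocServer32'
            if ($dllPath) {
                $status = if (Test-Path -LiteralPath $dllPath) {
                              (Get-AuthenticodeSignature -LiteralPath $dllPath).Status.ToString()
                          } else { 'DllMissing' }
            }

            [pscustomobject]@{
                Kind   = $loc.Kind
                Clsid  = $clsid
                Dll    = $dllPath
                Status = $status
            }
        }
    }
}

function New-CfScriptRemovalText {
    # Builds the same CFScript block the helper posted, for one CLSID and its DLL.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [string]$DllPath
    )
    $lines = @()
    if ($DllPath) { $lines += 'File::', $DllPath, '' }
    $lines += 'Registry::'
    $lines += '[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]', "`"$Clsid`"=-", ''
    $lines += "[-HKEY_CLASSES_ROOT\clsid\$Clsid]", ''
    $lines += "[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\$Clsid]", ''
    $lines += '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]', "`"$Clsid`"=-", ''
    $lines += '[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]', "`"$Clsid`"=-"
    $lines -join "`r`n"
}

$points = Get-IeLoadPoint
$points | Format-Table -AutoSize

$target = '{1392b8d2-5c05-419f-a8f6-b9f15a596612}'
$hit = $points | Where-Object { $_.Clsid -eq $target } | Select-Object -First 1
if ($hit) {
    "`nCFScript that would remove $target (review it, then save as CFScript.txt next to ComboFix.exe):`n"
    New-CfScriptRemovalText -Clsid $target -DllPath $hit.Dll
}
else {
    "`n$target is not registered as an IE load point on this machine."
}
```

A NotSigned or DllMissing result is not by itself proof of malware (plenty of legitimate toolbars ship unsigned), but it marks the entry to compare against the ComboFix log. The CLSID-to-DLL resolution is also worth doing by hand: an InprocServer32 that points outside Program Files, into a user profile, a temp directory or a randomly named folder is the pattern a redirecting BHO usually shows, and the same keys are where the next fix should be checked after ComboFix reboots.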

#10
skatalite

ComboFix 12-02-22.01 - Uffe 2012-02-24 11:49:23.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.46.1053.18.2047.1298 [GMT 1:00]
Running from: c:\users\Uffe\Desktop\ComboFix.exe
Command switches used :: c:\users\Uffe\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\Freecorder\prxtbFre0.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Freecorder\prxtbFre0.dll
.
.
(((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 ))))))))))))))))))))))))))))))
.
.
2012-02-24 11:22 . 2012-02-24 11:24 -------- d-----w- c:\users\Uffe\AppData\Local\temp
2012-02-24 11:22 . 2012-02-24 11:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-24 08:31 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{105E7765-67BB-42B1-ACB6-221DD3865473}\mpengine.dll
2012-02-23 13:36 . 2012-02-23 13:36 -------- d-sh--w- c:\programdata\DSS
2012-02-23 10:14 . 2012-02-23 10:14 -------- d-----w- c:\programdata\Electronic Arts
2012-02-23 10:14 . 2012-02-23 10:14 -------- d-----w- c:\programdata\EA Core
2012-02-21 17:19 . 2012-02-21 17:19 388096 ----a-r- c:\users\Uffe\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-21 17:19 . 2012-02-21 17:19 -------- d-----w- c:\program files\Trend Micro
2012-02-21 17:10 . 2012-02-21 17:10 -------- d-----w- c:\users\Uffe\AppData\Roaming\Malwarebytes
2012-02-21 17:09 . 2012-02-21 17:09 -------- d-----w- c:\programdata\Malwarebytes
2012-02-21 16:52 . 2012-02-21 16:52 378640 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-02-21 10:44 . 2011-12-14 02:56 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-18 16:50 . 2012-02-18 16:50 -------- d-----w- c:\program files\GOG.com
2012-02-16 20:15 . 2012-02-16 20:15 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-16 20:09 . 2012-02-16 20:10 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-02-16 17:37 . 2012-02-23 16:31 -------- d-----w- c:\programdata\Lavasoft
2012-02-16 17:03 . 2012-02-16 20:10 -------- d-----w- C:\sh4ldr
2012-02-16 17:03 . 2012-02-16 17:03 -------- d-----w- c:\program files\Enigma Software Group
2012-02-16 17:02 . 2012-02-16 17:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-02-15 17:56 . 2012-02-15 17:57 -------- d-----w- C:\DOTT.CD
2012-02-15 14:55 . 2012-02-23 16:34 -------- d-----w- c:\programdata\AVAST Software
2012-02-15 14:55 . 2012-02-15 14:55 -------- d-----w- c:\program files\AVAST Software
2012-02-15 14:52 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 14:52 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 14:51 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-02-15 14:29 . 2012-02-15 14:29 -------- d-----w- c:\program files\CCleaner
2012-02-14 20:18 . 2012-02-14 20:20 -------- d-----w- c:\users\Uffe\AppData\Local\DOSBox
2012-02-14 19:50 . 2012-02-14 19:50 -------- d-----w- c:\program files\DOSBox-0.74
2012-02-14 19:46 . 2012-02-14 19:47 -------- d-----w- C:\DFInstall
2012-01-26 08:00 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-26 08:00 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-26 08:00 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-26 08:00 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-26 08:00 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-26 08:00 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-29 04:10 . 2009-10-03 15:26 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-31 23:31 . 2011-12-31 23:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-24 08:17 . 2011-05-08 12:07 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-23_17.20.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-28 00:17 . 2012-02-23 16:19 67008 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-12-28 00:17 . 2012-02-24 08:12 67008 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2012-02-24 08:12 81646 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-01-17 16:12 . 2012-02-23 16:20 17438 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2214144576-2560372886-1436887819-1000_UserData.bin
+ 2008-01-17 16:12 . 2012-02-24 08:12 17438 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2214144576-2560372886-1436887819-1000_UserData.bin
+ 2006-12-28 00:38 . 2012-02-24 08:45 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-12-28 00:38 . 2012-02-23 16:17 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-12-28 00:38 . 2012-02-23 16:17 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-12-28 00:38 . 2012-02-24 08:45 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-12-28 00:38 . 2012-02-23 16:17 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-12-28 00:38 . 2012-02-24 08:45 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-02-23 16:17 . 2012-02-23 16:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-24 08:10 . 2012-02-24 08:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-23 16:17 . 2012-02-23 16:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-24 08:10 . 2012-02-24 08:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-19 13:52 . 2012-02-23 21:18 544372 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2010-10-20 18:24 . 2012-02-23 16:16 247364 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-10-20 18:24 . 2012-02-23 23:14 247364 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2006-11-02 10:22 . 2012-02-23 23:15 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2012-02-23 16:31 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2010-10-20 18:24 . 2012-02-23 16:16 1070956 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2214144576-2560372886-1436887819-1000-8192.dat
+ 2010-10-20 18:24 . 2012-02-23 23:14 1070956 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2214144576-2560372886-1436887819-1000-8192.dat
+ 2011-03-05 00:49 . 2012-02-23 23:15 2315836 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2214144576-2560372886-1436887819-1000-12288.dat
.
(((((((((((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{807ca0aa-7cb3-4f03-bd61-076f618cc82d}]
2009-11-08 08:55 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-11-23 319488]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-19 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-19 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-19 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 09:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 21:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-02-16 10:38 136176 ----atw- c:\users\Uffe\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder:
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 02:48]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 02:48]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2214144576-2560372886-1436887819-1000Core.job
- c:\users\Uffe\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-16 10:38]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2214144576-2560372886-1436887819-1000UA.job
- c:\users\Uffe\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-16 10:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://sv.intl.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: Download with FLV Blaster - c:\program files\FLV Blaster\Addons\Internet Explorer\script.htm
IE: Download with FLV Blaster\Contexts - 1 (0x1)
IE: Download with FLV Blaster\Flags - 1 (0x1)
TCP: DhcpNameServer = 80.251.201.177 80.251.201.178
FF - ProfilePath - c:\users\Uffe\AppData\Roaming\Mozilla\Firefox\Profiles\w13x1pvi.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-24 12:23
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AgentService]
"ImagePath"="c:\program files\AgentService/AgentService.exe"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-24 12:39:06
ComboFix-quarantined-files.txt 2012-02-24 11:38
ComboFix2.txt 2012-02-23 17:37
.
Pre-Run: 76 546 187 264 bytes free
Post-Run: 76 505 190 400 bytes free
.
- - End Of File - - B62BE362718A3F02D15B202F4E843046

#11
skatalite

"Monster," I shrieked, "be thou juggler, enchanter, dream, or devil, no more will I endure thy mockeries. Either thou or I must perish."
- Edwin A. Abbott, Flatland, 1884


That's how I feel about viruses and malware whilst waiting on ComboFix to do its magic...

#12
Maniac

:)

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 2

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


In your next post, please include:

  • Malwarebytes' Anti-Malware log
  • ESET Online Scanner log

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#13
skatalite

I had MBAM installed in English, but it turned out to be a Swede after all... sorry... just tell me if you need anything translated.


Step 1, MBAM log:


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.24.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Uffe :: GLORIAS [administrator]

Protection: Disabled

2012-02-24 14:38:48
mbam-log-2012-02-24 (14-38-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181529
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Step 2, ESET log:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=cccd0b67aa851040bca60f60ba474826
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-02-24 03:13:52
# local_time=2012-02-24 04:13:52 (+0100, W. Europe Standard Time)
# country="Sweden"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 250440 250440 0 0
# compatibility_mode=5892 16776573 100 100 22919 167624319 0 0
# compatibility_mode=8192 67108863 100 0 3849 3849 0 0
# scanned=202272
# found=1
# cleaned=1
# scan_time=4841
C:\Users\Uffe\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\143b51c7-44228c29 a variant of Java/TrojanDownloader.OpenStream.NCC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#14
Maniac

Everything is fine, don't worry! :)

How are things running now?

#15
skatalite

Still getting redirected. :(

#16
Maniac

Try to run TDSSKiller now.

#17
skatalite

Nothing happens... :(

#18
Maniac

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right

Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan.

Allow AVP to delete all infections found
Once it has finished, select the Report tab (last tab).
Select Detected threats report from the left and press the Save button.
Save it to your desktop and post it in your next reply.

#19
skatalite

That program takes an eternity to complete its scan. I've tried to run it twice; it has detected four infections or so, but it has shut down both times because of some shenanigans with my computer while I've left it running. I'll try to run it again now, and when that is done, I'll write again...

#20
skatalite

After 7 hours of labour, the program gave birth to the following final results:


Status: Disinfected (events: 1)
2012-02-27 16:14:03 Disinfected Trojan program Rootkit.Boot.SST.b \Device\Harddisk0\DR0 High
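The AVPTool result above names a boot-sector rootkit on \Device\Harddisk0\DR0, that is, in the Master Boot Record of the first disk, which is why the earlier file- and registry-level scans came back clean while the redirects continued. As an added example (not part of this thread, and not the method any of the tools above use), the Python script below parses a 512-byte MBR, verifies the 0x55AA boot signature, compares the 440 bytes of boot code against a known-good SHA-256 baseline, sanity-checks the four partition entries and reports the unallocated gap before the first partition, a common place for bootkits to keep their components. The sample MBRs, the baseline hash and all function names are my own constructions; `read_mbr()` assumes the Windows raw device path `\\.\PhysicalDrive0` and Administrator rights.

```python
"""MBR integrity check (added example; not from the forum thread or its tools).

Parses one 512-byte Master Boot Record, verifies the 0x55AA boot signature,
compares the 440 bytes of boot code against a known-good SHA-256 baseline,
sanity-checks the four partition entries and reports the unallocated gap
before the first partition. The sample MBRs below are constructed test data;
on a live Windows host, run read_mbr() as Administrator instead.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: code; 440..443: NT disk signature; 444..445: reserved
PART_TABLE_OFF = 446     # four 16-byte partition entries, bytes 446..509
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk (assumed Windows device path; needs Administrator)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def parse_partitions(mbr):
    """Return the four primary partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def unallocated_before_first_partition(mbr):
    """Starting LBA of the first partition; sectors 1..n-1 are unallocated and
    worth dumping, since bootkits commonly keep their components there."""
    used = [p["lba_start"] for p in parse_partitions(mbr) if p["type"] != 0]
    return min(used) if used else 0


def check_mbr(mbr, known_good_code_sha256=None):
    """Return a list of findings (an empty list means nothing suspicious)."""
    findings = []
    if len(mbr) != SECTOR:
        return [f"unexpected sector length {len(mbr)}"]
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if known_good_code_sha256 and code_hash != known_good_code_sha256:
        findings.append("boot code differs from known-good baseline")
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["lba_start"] == 0:
            findings.append(f"partition {p['index']} starts at LBA 0 (overlaps the MBR)")
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code bytes and (status, type, lba, sectors)
    tuples. Used only to construct the test data below."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = b"\x12\x34\x56\x78"   # arbitrary NT disk signature
    table = b"".join(struct.pack("<B3sB3sII", s, b"\x00" * 3, t, b"\x00" * 3, lba, n)
                     for s, t, lba, n in partitions).ljust(64, b"\x00")
    return code + disk_signature + b"\x00\x00" + table + BOOT_SIG


# Constructed samples: a "clean" MBR with one bootable NTFS partition at LBA 2048,
# and a copy whose first two boot-code bytes were patched, the kind of change a
# bootkit makes when it redirects the boot path to its own loader.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 1_000_000)])
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = b"\xeb\x58" + CLEAN_MBR[2:]


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sample, BASELINE_SHA256) or "no findings")
    print("unallocated sectors before first partition:",
          unallocated_before_first_partition(CLEAN_MBR) - 1)
```

On a real machine the call is `check_mbr(read_mbr(), baseline)` from an elevated prompt, with `baseline` taken from a known-clean install of the same Windows version; without a baseline the script still validates the signature and partition table. The check is only as good as the sector the OS hands back: a rootkit that hooks disk I/O, as TDSSKiller's driver-signature and TDLFS options are there to catch, can return a clean copy of sector 0, so a reading taken from a rescue disk or a second system is the one to trust.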




