Hello.
This is a continuation of a previous thread located here
http://www.malwareby...showtopic=11604
I flaked out for a while and the thread was closed. My fault: your previous proficiency in eliminating the major problems, and personal frustration with Kaspersky, delayed my response.
I haven't installed/uninstalled any software since last post. No symptoms have appeared/disappeared. I can post a fresh HJT log if you wish.
The Kaspersky prompts didn't coordinate perfectly with your instructions, but I think I worked it out and ran the scan as you asked. It's possible that I am just crummy at interpreting your instructions (my bad).
Here are the results; it seems that something was found. Long scan time! Again, sorry for the flakiness. You have been very successful and proficient at disinfecting my machine so far. I'd be bummed to lose your help now.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, March 04, 2009 01:14:06
Records in database: 1866833
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
I:\
Scan statistics:
Files scanned: 89601
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:08:17
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\998.exe.vir Infected: Trojan.Win32.Monder.bdnr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Dropper.Win32.Agent.ahob 1
The selected area was scanned.
#1
Posted 04 March 2009 - 04:51 AM
#2
Posted 04 March 2009 - 10:52 PM
Hi again.
Sorry about the instructions. They probably very well do need updating; it's been a while since I've looked over them.
Can you please delete the c:\qoobox folder.
Then let's get a new copy of ComboFix and we can see what's going on from there.
Download ComboFix from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
#3
Posted 05 March 2009 - 02:00 AM
Tigger-
Thanks for responding despite the hiatus. Deleted the qoobox folder and downloaded a new ComboFix file. Ran the scan.
Your help is appreciated.
ComboFix 09-03-03.01 - Marcus 2009-03-04 17:48:48.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1806 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.
2009-02-24 15:20 . 2009-02-24 15:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 23:19 --------- d-----w c:\program files\Common Files\Adobe
2009-02-24 07:36 --------- d-----w c:\program files\HP
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ENTDRV51
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 17:51:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\MrvGINA.dll
- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-03-04 17:53:07
ComboFix-quarantined-files.txt 2009-03-05 01:53:04
ComboFix2.txt 2009-02-24 20:34:34
Pre-Run: 17,573,416,960 bytes free
Post-Run: 17,623,048,192 bytes free
128 --- E O F --- 2009-02-24 22:53:47
#4
Posted 05 March 2009 - 02:46 AM
Really stumped. Kaspersky and ComboFix, as before, are showing clean.
Download GMER from here:
- Unzip it to the desktop.
- Open the program and click on the Rootkit tab.
- Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
- Click on Scan.
- When the scan has run click Copy and paste the results (if any) into this thread.
#5
Posted 05 March 2009 - 06:42 AM
GMER found some stuff.
The System Volume Information / System Restore thing sounds familiar... I think that McAfee reported a System Volume Information infection around a month ago. Possibly infected restore points?
Thanks for the prompt responses.
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-04 22:39:34
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT sptd.sys ZwCreateKey [0xB9ED9AC8]
SSDT sptd.sys ZwEnumerateKey [0xB9ED9C22]
SSDT sptd.sys ZwEnumerateValueKey [0xB9ED9F9A]
SSDT sptd.sys ZwOpenKey [0xB9ED998E]
SSDT sptd.sys ZwQueryKey [0xB9EDA064]
SSDT sptd.sys ZwQueryValueKey [0xB9ED9EFC]
SSDT sptd.sys ZwSetValueKey [0xB9EDA0EC]
---- Kernel code sections - GMER 1.0.14 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD8701.SYS The process cannot access the file because it is being used by another process.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B8FA54F0 16 Bytes [ FA, B2, 91, 10, AD, 3B, 4F, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 B8FA5501 31 Bytes [ 40, FA, B8, C6, 8C, 8F, B5, ... ]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9ED5AD2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9ED5C0E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9ED5B96] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9ED676C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9ED6642] sptd.sys
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 8AC0EBF8
Device \FileSystem\Udfs \UdfsCdRom 8A9AF8E8
Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk 8A9AF8E8
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Driver\NetBT \Device\NetBT_Tcpip_{585841F7-1DD4-4AC7-A6D6-364A1534A3BF} 89D47748
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ABC1410
Device \Driver\dmio \Device\DmControl\DmConfig 8ABC1410
Device \Driver\dmio \Device\DmControl\DmPnP 8ABC1410
Device \Driver\dmio \Device\DmControl\DmInfo 8ABC1410
Device \Driver\00000073 \Device\00000053 sptd.sys
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
Device \Driver\prodrv06 \Device\ProDrv06 E1EC23F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8ABC16C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8ABC16C8
Device \Driver\Cdrom \Device\CdRom0 8A9E6830
Device \FileSystem\Rdbss \Device\FsWrap 89D333C0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Ftdisk \Device\HarddiskVolume3 8ABC16C8
Device \Driver\prohlp02 \Device\ProHlp02 E189D338
Device \Driver\NetBT \Device\NetBt_Wins_Export 89D47748
Device \Driver\NetBT \Device\NetbiosSmb 89D47748
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
Device \Driver\Disk \Device\Harddisk0\DR0 8AC0EE30
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{45DA8E86-FDFA-4A7D-B4F1-16F25E484B3B} 89D47748
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89D31548
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89D31548
Device \FileSystem\Npfs \Device\NamedPipe 8A52E258
Device \Driver\Ftdisk \Device\FtControl 8ABC16C8
Device \FileSystem\Msfs \Device\Mailslot 89D989F8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 8A8D09F8
Device \FileSystem\Fastfat \Fat 89D3E840
Device \FileSystem\Fastfat \Fat AC54D297
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 1353520082
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1871465379
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1571322080
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...
---- Files - GMER 1.0.14 ----
ADS C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP46\A0004733.exe:mian.nest.9.10 18944 bytes executable
---- EOF - GMER 1.0.14 ----
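The GMER output above mixes three kinds of findings that a reviewer reads differently: SSDT hooks and IAT hooks, which are attributed to the kernel module that installed them, and an alternate data stream (ADS) on a file inside a restore point. The following triage script is an added example for this thread, not code from GMER, ComboFix or any other tool mentioned here. It parses the SSDT, IAT and ADS line shapes GMER prints, groups the hooks by owning module, and reports anything that needs a human look. The sample log is constructed in the same format as the post above, and the set of "expected" hooking modules is an assumption for the example: sptd.sys is the SCSI pass-through driver that ships with DAEMON Tools, which the ComboFix log in this thread lists as installed.

```python
"""Triage helper for GMER rootkit-scan text output (added example).

Parses SSDT, IAT and ADS lines from a GMER log, groups hooks by the
module that owns them, and lists items that need manual review.
Device and Reg lines are deliberately ignored here.
"""
import re
from collections import defaultdict

# Constructed sample in the same shape as the GMER output posted above.
SAMPLE_LOG = """\
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-04 22:39:34
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT sptd.sys ZwCreateKey [0xB9ED9AC8]
SSDT sptd.sys ZwOpenKey [0xB9ED998E]
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9ED5AD2] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9ED6642] sptd.sys
---- Files - GMER 1.0.14 ----
ADS C:\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP46\\A0004733.exe:mian.nest.9.10 18944 bytes executable
---- EOF - GMER 1.0.14 ----
"""

# "SSDT <module> <ZwFunction> [0xADDR]"
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]")
# "IAT <victim>[<dll>!<function>] [ADDR] <module>"
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[(\S+?)!(\w+)\]\s+\[([0-9A-Fa-f]+)\]\s+(\S+)")
# "ADS <path>:<stream> <size> bytes [executable]" (the size/bytes tail)
ADS_TAIL_RE = re.compile(r"\s+(\d+)\s+bytes(?:\s+(\w+))?\s*$")

# Assumption for this example: modules whose kernel hooks are expected on
# this machine. sptd.sys belongs to the installed DAEMON Tools.
EXPECTED_HOOKERS = {"sptd.sys"}


def parse_ads(line):
    """Split an ADS line into path, stream name, size and type note."""
    body = line[len("ADS "):]
    m = ADS_TAIL_RE.search(body)
    if not m:
        return None
    # The path itself contains a drive colon, so split on the LAST colon.
    path, _, stream = body[:m.start()].rpartition(":")
    return {"path": path, "stream": stream,
            "size": int(m.group(1)), "note": m.group(2)}


def parse_gmer(text):
    """Return SSDT hooks, IAT hooks and ADS entries found in a GMER log."""
    findings = {"ssdt": [], "iat": [], "ads": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            findings["ssdt"].append({"module": m.group(1),
                                     "function": m.group(2),
                                     "address": int(m.group(3), 16)})
        elif m := IAT_RE.match(line):
            findings["iat"].append({"victim": m.group(1),
                                    "import_from": m.group(2),
                                    "function": m.group(3),
                                    "address": int(m.group(4), 16),
                                    "module": m.group(5)})
        elif line.startswith("ADS "):
            ads = parse_ads(line)
            if ads:
                findings["ads"].append(ads)
    return findings


def triage(findings, expected=EXPECTED_HOOKERS):
    """Group hooks by owning module; list what a reviewer should look at."""
    by_module = defaultdict(lambda: {"ssdt": 0, "iat": 0})
    for h in findings["ssdt"]:
        by_module[h["module"]]["ssdt"] += 1
    for h in findings["iat"]:
        by_module[h["module"]]["iat"] += 1
    review = []
    for module, counts in by_module.items():
        if module.lower() not in expected:
            review.append(f"hooks by unexpected module {module}: {counts}")
    for a in findings["ads"]:
        # An executable stream on a file under System Volume Information
        # means a restore point carries it; always worth a look.
        review.append(f"ADS {a['path']}:{a['stream']} "
                      f"({a['size']} bytes, {a['note'] or 'unknown type'})")
    return dict(by_module), review


if __name__ == "__main__":
    modules, items = triage(parse_gmer(SAMPLE_LOG))
    for mod, counts in modules.items():
        print(f"{mod}: {counts['ssdt']} SSDT hooks, {counts['iat']} IAT hooks")
    for item in items:
        print("REVIEW:", item)
```

Run against the constructed sample, the script attributes all four hooks to sptd.sys and leaves only the ADS entry for review; passing `expected=set()` to `triage` makes it report the sptd.sys hooks as well, which is the behaviour you want when the machine is not known to have DAEMON Tools installed.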
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...
---- Files - GMER 1.0.14 ----
ADS C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP46\A0004733.exe:mian.nest.9.10 18944 bytes executable
---- EOF - GMER 1.0.14 ----
#6
Posted 05 March 2009 - 11:36 PM
Clean again. I really don't think you are infected with anything. Can you point out what McAfee is detecting, if anything?
You can clear out system restore, won't help any other than removing the alert from McAfee.
#7
Posted 07 March 2009 - 08:51 PM
I guess my main question at this point then is... how do I go about dealing with the re-route issue with Firefox web searches? Should I just try reinstalling Firefox? Might deleting the old system restore points help with this Firefox redirect issue?
Thanks again
#8
Posted 08 March 2009 - 03:15 AM
Do you have a router by chance?
#9
Posted 08 March 2009 - 11:59 PM
Yes, I am behind a cable router.
#10
Posted 09 March 2009 - 12:10 AM
Well, never mind then. If you had a wireless router, I was going to suggest resetting it. You may be able to do the same here, however I don't know if that would change anything.
Let's try this. You say you get them in Firefox but not in IE?
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
Double-click GooredFix.exe on your Desktop to run it.
- Select "2. Fix Goored" by typing 2 and pressing Enter.
- Make sure all instances of Firefox are closed at this point.
- Type y at the prompt and press Enter again.
- A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
#11
Posted 12 March 2009 - 03:21 AM
Hello- sorry I've been a couple of days without replying.
Finally had some free time to deal with it- the GooredFix seems to have worked- the Firefox redirect problem is gone. Excellent!
Log is below. I imagine that it already took care of everything but I thought I'd check if there is anything further that should be done...
Thanks again for all your help- you have been very cooperative and effective. If I ever need any future help, I'll be sure to come here. Gracias, and may you continue to be victorious in all your future malware battles.
GooredFix v1.92 by jpshortstuff
Log created at 20:11 on 11/03/2009 running Option #2 (Marcus)
Firefox version 3.0.7 (en-US)
=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{DC850E77-604F-498A-BF47-A171D66E9AA1}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"