Jump to content

Had AV Virus, Malwarebytes cleaned now frequent...

Mike D.
 Share

Recommended Posts

Mike D.

Mike D.

Posted
Posted

I had the AV virus. Bought Malwarebytes which cleaned but now I get frequent blocked attempts to contact dangerous IP Addresses. GMER would crash unless I ran in SAFE mode, which I did. Logs attached as instructed. Thanks for your help!

Malwarebyte's log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4202

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/15/2010 10:58:40 PM

mbam-log-2010-06-15 (22-58-40).txt

Scan type: Full scan (C:\|)

Objects scanned: 224108

Time elapsed: 1 hour(s), 9 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{CB740C2D-5E44-4F89-A6D3-559342AF87A0}\RP2\A0002283.EXE (Rogue.AdorableCasino) -> Quarantined and deleted successfully.

DDS Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4202

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/15/2010 10:58:40 PM

mbam-log-2010-06-15 (22-58-40).txt

Scan type: Full scan (C:\|)

Objects scanned: 224108

Time elapsed: 1 hour(s), 9 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{CB740C2D-5E44-4F89-A6D3-559342AF87A0}\RP2\A0002283.EXE (Rogue.AdorableCasino) -> Quarantined and deleted successfully.Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4202

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/15/2010 10:58:40 PM

mbam-log-2010-06-15 (22-58-40).txt

Scan type: Full scan (C:\|)

Objects scanned: 224108

Time elapsed: 1 hour(s), 9 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{CB740C2D-5E44-4F89-A6D3-559342AF87A0}\RP2\A0002283.EXE (Rogue.AdorableCasino) -> Quarantined and deleted successfully.Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4202

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/15/2010 10:58:40 PM

mbam-log-2010-06-15 (22-58-40).txt

Scan type: Full scan (C:\|)

Objects scanned: 224108

Time elapsed: 1 hour(s), 9 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{CB740C2D-5E44-4F89-A6D3-559342AF87A0}\RP2\A0002283.EXE (Rogue.AdorableCasino) -> Quarantined and deleted successfully.Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4202

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/15/2010 10:58:40 PM

mbam-log-2010-06-15 (22-58-40).txt

Scan type: Full scan (C:\|)

Objects scanned: 224108

Time elapsed: 1 hour(s), 9 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{CB740C2D-5E44-4F89-A6D3-559342AF87A0}\RP2\A0002283.EXE (Rogue.AdorableCasino) -> Quarantined and deleted successfully.C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\PowerPanel\upssrv.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\PowerPanel\upsio.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE

C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Documents and Settings\Mike Davis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:1034

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [OpAgent] "OpAgent.exe" /agent

uRun: [MoneyBackgoundBanking] "c:\program files\microsoft money plus\mnycorefiles\mnybbsvc.exe"

uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [scanSoft OmniPage 16-reminde

Attach.zip

Link to post
Share on other sites
  • Replies 59
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

Let's check for remnants of malware before investigating alternate avenues.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted
Hi,

Let's check for remnants of malware before investigating alternate avenues.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Ran combofix successfully and then DDS. Attached both logscombofix.rar in an compressed file.

Thanks again for your help!

Mike

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

In the future please copy all logs directly into your reply instead of attaching them.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted
Hi,

In the future please copy all logs directly into your reply instead of attaching them.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

I've pasted in the logs from the F-Secure online scanner and from the security check file. I'm still getting blocked address notifications from Malwarebytes and IE now is opening insurance websites and giving me bogus dialog boxes. Thanks again for your help:

Online Scanner - Scanning Report - Thursday, June 17, 2010 07:15:02Scanning

Report

Thursday, June 17, 2010 06:14:40 - 07:15:02

Computer name: DIMENSION306

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\ E:\

No malware found

Statistics

Scanned:

Files: 56992

System: 3703

Not scanned: 11

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\HIBERFIL.SYS

C:\WINDOWS\TEMP\MCMSC_VST0HNGEJHAZZLA

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

C:\DOCUMENTS AND SETTINGS\MIKE DAVIS\LOCAL SETTINGS\TEMP\HSPERFDATA_MIKE

DAVIS\2268

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF

VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI

MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0

TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT

CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

Copyright

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

Please delete all copies of ComboFix that you have, grab a fresh copy, run it, and post its log.

Also, in Firefox, Click Help --> Check for Updates; install any that are available.

After that, please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

-screen317

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted
Hi,

Please delete all copies of ComboFix that you have, grab a fresh copy, run it, and post its log.

Also, in Firefox, Click Help --> Check for Updates; install any that are available.

After that, please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

-screen317

Thanks again.

I updated Firefox and got a new copy of combofix:

Here is the combofix report:

ComboFix 10-06-17.02 - Mike Davis 06/17/2010 17:25:10.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1431 [GMT -7:00]

Running from: c:\documents and settings\Mike Davis\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\win.com

.

((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))

.

2010-06-17 13:14 . 2010-06-17 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2010-06-16 13:28 . 2010-06-16 13:28 -------- d-----w- c:\program files\CCleaner

2010-06-08 22:49 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-08 22:49 . 2010-06-08 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-08 22:49 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-08 17:53 . 2010-06-08 17:53 -------- d-----w- c:\documents and settings\Mike Davis\Application Data\Malwarebytes

2010-06-08 17:53 . 2010-06-08 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-08 15:13 . 2010-06-08 19:53 -------- d-----w- c:\documents and settings\Mike Davis\Local Settings\Application Data\uxeikc

2010-06-04 22:32 . 2010-06-04 22:32 -------- d-----w- c:\program files\MagicDisc

2010-06-04 22:32 . 2009-02-25 01:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys

2010-05-26 00:44 . 2010-05-26 00:44 503808 ----a-w- c:\documents and settings\Mike Davis\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-240b8f84-n\msvcp71.dll

2010-05-26 00:44 . 2010-05-26 00:44 499712 ----a-w- c:\documents and settings\Mike Davis\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-240b8f84-n\jmc.dll

2010-05-26 00:44 . 2010-05-26 00:44 348160 ----a-w- c:\documents and settings\Mike Davis\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-240b8f84-n\msvcr71.dll

2010-05-26 00:44 . 2010-05-26 00:44 61440 ----a-w- c:\documents and settings\Mike Davis\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1a40c032-n\decora-sse.dll

2010-05-26 00:44 . 2010-05-26 00:44 12800 ----a-w- c:\documents and settings\Mike Davis\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1a40c032-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-16 05:23 . 2009-11-26 00:58 -------- d-----w- c:\documents and settings\Mike Davis\Application Data\vlc

2010-06-16 04:27 . 2010-02-04 14:02 -------- d-----w- c:\program files\McAfee

2010-06-15 14:24 . 2009-01-27 06:28 -------- d-----w- c:\program files\Eudora

2010-06-09 00:03 . 2009-05-18 13:17 -------- d-----w- c:\program files\Everest Casino

2010-06-08 22:31 . 2010-06-16 13:26 170968 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat

2010-06-08 22:00 . 2009-02-06 00:27 -------- d-----w- c:\program files\Norton SystemWorks Basic Edition

2010-06-03 23:19 . 2009-02-08 15:58 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-03 23:19 . 2009-01-28 14:36 -------- d-----w- c:\program files\Savings Bond Wizard

2010-05-12 23:22 . 2009-01-27 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-04 00:24 . 2010-05-04 00:24 -------- d-----w- c:\documents and settings\Mike Davis\Application Data\j2 Global

2010-05-04 00:24 . 2010-05-04 00:23 -------- d-----w- c:\program files\eFax Messenger 4.4

2010-05-04 00:24 . 2010-05-04 00:24 -------- d-----w- c:\documents and settings\Mike Davis\Application Data\eFax Messenger

2010-05-04 00:23 . 2010-05-04 00:23 4710 ----a-r- c:\documents and settings\Mike Davis\Application Data\Microsoft\Installer\{DF6DA606-904D-4C18-823F-A4CFC3035E53}\ext.exe

2010-05-04 00:23 . 2010-05-04 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\eFax Messenger 4.4 Output

2010-04-29 12:21 . 2010-04-29 12:21 -------- d-----w- c:\program files\Common Files\Java

2010-04-29 12:20 . 2010-04-29 12:20 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-23 03:47 . 2010-04-23 03:47 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys

2010-04-23 03:47 . 2010-04-23 03:47 -------- d-----w- c:\program files\dvd43

2010-04-06 01:40 . 2010-04-06 01:40 409600 ----a-w- c:\windows\system32\wrap_oal.dll

2010-04-06 01:40 . 2003-03-28 03:24 114688 ----a-w- c:\windows\system32\OpenAL32.dll

2010-04-06 01:27 . 2010-04-06 01:25 58102430 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative Sound Blaster Audigy SE and Audigy Value Driver 01.04.0061 and Creative Basic Aud__\SBA_PCDRV_LB_1_04_0061.exe

2010-04-06 01:25 . 2010-04-06 01:24 66473440 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative Sound Blaster Audigy Value_SE_LS and Sound Blaster Live! 24-bit XP and Windows Vi__\SB24_VTDRV_LB_1_04_0077.exe

2010-03-22 05:37 . 2010-03-22 05:37 10995608 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative CD Burner Plugin 5.01.44 for Creative MediaSource 5 Player_Organizer__\CMS5_BRNR_PCAPP_LB_5_01_44.exe

2010-03-22 05:24 . 2009-01-26 23:54 70096 ----a-w- c:\documents and settings\Mike Davis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-22 04:52 . 2010-03-22 04:51 12907880 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative WaveStudio 7.12.00__\WAVESTD_PCAPP_LB_7_12_00.exe

2010-03-22 04:51 . 2010-03-22 04:51 37634288 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative MediaSource 5 Player_Organizer 5.26.02__\CMS5_PCAPP_LB_5_26_02.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-06-17_06.40.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-18 00:01 . 2010-06-18 00:01 16384 c:\windows\Temp\Perflib_Perfdata_808.dat

+ 2010-06-18 00:01 . 2010-06-18 00:01 16384 c:\windows\Temp\Perflib_Perfdata_384.dat

+ 2009-01-26 23:09 . 2010-06-18 00:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-01-26 23:09 . 2010-06-17 05:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-26 23:09 . 2010-06-18 00:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-01-26 23:09 . 2010-06-17 05:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-06-17 13:09 . 2010-06-18 00:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-09-30 18:40 1182088 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-28 39408]

"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]

"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 328992]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-17 57393]

"P17Helper"="P17.dll" [2005-05-04 64512]

"NswUiTray"="c:\program files\Norton SystemWorks Basic Edition\NswUiTray.exe" [2008-09-25 85360]

"NSWosCheck"="c:\program files\Norton SystemWorks Basic Edition\osCheck.exe" [2008-09-25 160112]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-17 40960]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]

"DellNSCST"="c:\program files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe" [2006-02-20 278528]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Davis^Start Menu^Programs^Startup^eFax 4.4.lnk]

path=c:\documents and settings\Mike Davis\Start Menu\Programs\Startup\eFax 4.4.lnk

backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Davis^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Mike Davis\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Davis^Start Menu^Programs^Startup^radio SHARK Scheduler.lnk]

path=c:\documents and settings\Mike Davis\Start Menu\Programs\Startup\radio SHARK Scheduler.lnk

backup=c:\windows\pss\radio SHARK Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeTaskScheduler]

2006-11-17 09:42 53341 ------w- c:\program files\Creative\Shared Files\CTSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]

2009-10-24 02:34 827904 ----a-w- c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 08:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\DELL\\Dell Laser MFP 1600n\\NetworkScan\\DNSCST.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/8/2010 3:49 PM 304464]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2/4/2010 7:04 AM 93320]

R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~3\NORTON~1\NPROTECT.EXE [9/25/2008 3:53 PM 95600]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/8/2010 3:49 PM 20952]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 9:13 AM 135664]

S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [11/30/2007 10:18 PM 651712]

S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys --> c:\windows\system32\drivers\tbcspud.sys [?]

S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys --> c:\windows\system32\drivers\tbcwdm.sys [?]

S3 vtdg46xx;vtdg46xx;\??\c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys --> c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 16:13]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 16:13]

2010-02-04 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-04 20:22]

2010-02-04 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-04 20:22]

2010-03-08 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks Basic Edition\OBC.exe [2008-09-25 22:52]

2010-06-17 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-09-30 18:40]

2010-06-17 c:\windows\Tasks\User_Feed_Synchronization-{A56B90A4-2D38-4B38-97F6-13B0202E9469}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:1034

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

TCP: {5783E86C-EE8D-47FC-9C8A-C7C9CDE6BCCB} = 208.67.222.222,208.67.220.220

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Mike Davis\Application Data\Mozilla\Firefox\Profiles\b4pgmchu.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-17 17:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(844)

c:\windows\system32\WININET.dll

.

Completion time: 2010-06-17 17:44:28

ComboFix-quarantined-files.txt 2010-06-18 00:44

ComboFix2.txt 2010-06-17 06:47

Pre-Run: 642,683,473,920 bytes free

Post-Run: 643,652,096,000 bytes free

- - End Of File - - 78694A8B2DFB9ABFE769FE0F99C0CBBE

I tried to run GMER but it crashed. I can run it in safe mode but it will take all night. Any suggestions on how to stop it from crashing?

Should I just burn this thing down?

Thanks,

Mike

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

Run this instead:

Download RootRepeal from one of the following locations and save it to your desktop:

Link 1 Link 2 Link 3

  • Double click rr_DesktopIcon.png to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the rr_Scan.png button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT

    [*]Click the OK button

    [*]In the next dialog, select all drives showing

    [*]Click OK to start the scan

    Note: The scan can take some time.
    DO NOT
    run any other programs while the scan is running

    [*]When the scan is complete, click the rr_SaveReport.png button and save the report to your Desktop as RootRepeal.txt

    [*]Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead. To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted
Hi,

Run this instead:

Download RootRepeal from one of the following locations and save it to your desktop:

Link 1 Link 2 Link 3

  • Double click rr_DesktopIcon.png to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the rr_Scan.png button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT

    [*]Click the OK button

    [*]In the next dialog, select all drives showing

    [*]Click OK to start the scan

    Note: The scan can take some time.
    DO NOT
    run any other programs while the scan is running

    [*]When the scan is complete, click the rr_SaveReport.png button and save the report to your Desktop as RootRepeal.txt

    [*]Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead. To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

Rootrepeal reported it was "initializing" for 90 minutes. I shut down and rebooted in safe mode and it, once again, hung.

I'll run GMER in safe mode and upload the results in the morning. This is all I will be able to do until Monday p.m. my time. If you'd rather I do something else, let me know. I'll monitor email (on another, uninfected computer) for another hour or so.

Once again, thanks for all your efforts.

Mike

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted
Rootrepeal reported it was "initializing" for 90 minutes. I shut down and rebooted in safe mode and it, once again, hung.

I'll run GMER in safe mode and upload the results in the morning. This is all I will be able to do until Monday p.m. my time. If you'd rather I do something else, let me know. I'll monitor email (on another, uninfected computer) for another hour or so.

Once again, thanks for all your efforts.

Mike

GMER took about 10 hours to run in safe mode. It finished a few minutes ago. Here is the ark.txt file it produced:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-18 08:26:11

Windows 5.1.2600 Service Pack 3

Running: 737x7l02.exe; Driver: C:\DOCUME~1\MIKEDA~1\LOCALS~1\Temp\pxtdqkob.sys

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A

.text C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A

.text C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

.text C:\WINDOWS\system32\svchost.exe[568] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A

.text C:\WINDOWS\system32\svchost.exe[568] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 013C000A

.text C:\WINDOWS\Explorer.EXE[936] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[936] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A

.text C:\WINDOWS\Explorer.EXE[936] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

---- EOF - GMER 1.0.15 ----

As I mentioned, while I won't be able to do anything to the machine until Monday night, I will monitor this thread in the meantime.

Thanks again for your help. My browser is still misbehaving (opening advertising windows) as I post this.

Mike

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is Installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • It makes confusing changes to user's browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here

To remove it:

Click Start-->Control Panel-->Programs and Features

Click on the program name AskBarDis to highlight it

From the menu at the top, select Uninstall or Remove.

Also uninstall Adobe Acrobat 7.0

Restart your computer.

Get the latest version of Adobe from here.

After that, please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Dirlook::

c:\documents and settings\Mike Davis\Local Settings\Application Data\uxeikc

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply, along with a fresh DDS log.

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted

Hi,

I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is Installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • It makes confusing changes to user's browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here

This is my 3rd attempt at replying. IE crashes whenever I try to attach the DDS attach file. Thanks for your help. 3 separate replies.

I couldn't find the ASK toolbar to uninstall it. Turns out it was labeled "Nero" but had the ASK logo in front of it. So, it was uninstalled after the combofix and DDS reports were run. If I need to run them again...let me know. I'm still seeing Malwarebytes blocking websites (not often) and the browser is opening survey pages...including for malwarebytes.org.

Combofix log

ComboFix 10-06-21.01 - Mike Davis 06/21/2010 14:45:18.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1484 [GMT -7:00]

Running from: c:\documents and settings\Mike Davis\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Mike Davis\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))

.

2010-06-17 13:14 . 2010-06-17 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2010-06-16 13:28 . 2010-06-16 13:28 -------- d-----w- c:\program files\CCleaner

2010-06-08 22:49 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-08 22:49 . 2010-06-08 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-08 22:49 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-08 17:53 . 2010-06-08 17:53 -------- d-----w- c:\documents and settings\Mike Davis\Application Data\Malwarebytes

2010-06-08 17:53 . 2010-06-08 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-08 15:13 . 2010-06-08 19:53 -------- d-----w- c:\documents and settings\Mike Davis\Local Settings\Application Data\uxeikc

2010-06-04 22:32 . 2010-06-04 22:32 -------- d-----w- c:\program files\MagicDisc

2010-06-04 22:32 . 2009-02-25 01:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys

2010-05-26 00:44 . 2010-05-26 00:44 503808 ----a-w- c:\documents and settings\Mike Davis\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-240b8f84-n\msvcp71.dll

2010-05-26 00:44 . 2010-05-26 00:44 499712 ----a-w- c:\documents and settings\Mike Davis\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-240b8f84-n\jmc.dll

2010-05-26 00:44 . 2010-05-26 00:44 348160 ----a-w- c:\documents and settings\Mike Davis\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-240b8f84-n\msvcr71.dll

2010-05-26 00:44 . 2010-05-26 00:44 61440 ----a-w- c:\documents and settings\Mike Davis\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1a40c032-n\decora-sse.dll

2010-05-26 00:44 . 2010-05-26 00:44 12800 ----a-w- c:\documents and settings\Mike Davis\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1a40c032-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-16 05:23 . 2009-11-26 00:58 -------- d-----w- c:\documents and settings\Mike Davis\Application Data\vlc

2010-06-16 04:27 . 2010-02-04 14:02 -------- d-----w- c:\program files\McAfee

2010-06-15 14:24 . 2009-01-27 06:28 -------- d-----w- c:\program files\Eudora

2010-06-09 00:03 . 2009-05-18 13:17 -------- d-----w- c:\program files\Everest Casino

2010-06-08 22:31 . 2010-06-16 13:26 170968 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat

2010-06-08 22:00 . 2009-02-06 00:27 -------- d-----w- c:\program files\Norton SystemWorks Basic Edition

2010-06-03 23:19 . 2009-02-08 15:58 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-03 23:19 . 2009-01-28 14:36 -------- d-----w- c:\program files\Savings Bond Wizard

2010-05-12 23:22 . 2009-01-27 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-04 00:24 . 2010-05-04 00:24 -------- d-----w- c:\documents and settings\Mike Davis\Application Data\j2 Global

2010-05-04 00:24 . 2010-05-04 00:23 -------- d-----w- c:\program files\eFax Messenger 4.4

2010-05-04 00:24 . 2010-05-04 00:24 -------- d-----w- c:\documents and settings\Mike Davis\Application Data\eFax Messenger

2010-05-04 00:23 . 2010-05-04 00:23 4710 ----a-r- c:\documents and settings\Mike Davis\Application Data\Microsoft\Installer\{DF6DA606-904D-4C18-823F-A4CFC3035E53}\ext.exe

2010-05-04 00:23 . 2010-05-04 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\eFax Messenger 4.4 Output

2010-04-29 12:21 . 2010-04-29 12:21 -------- d-----w- c:\program files\Common Files\Java

2010-04-29 12:20 . 2010-04-29 12:20 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-23 03:47 . 2010-04-23 03:47 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys

2010-04-23 03:47 . 2010-04-23 03:47 -------- d-----w- c:\program files\dvd43

2010-04-06 01:40 . 2010-04-06 01:40 409600 ----a-w- c:\windows\system32\wrap_oal.dll

2010-04-06 01:40 . 2003-03-28 03:24 114688 ----a-w- c:\windows\system32\OpenAL32.dll

2010-04-06 01:27 . 2010-04-06 01:25 58102430 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative Sound Blaster Audigy SE and Audigy Value Driver 01.04.0061 and Creative Basic Aud__\SBA_PCDRV_LB_1_04_0061.exe

2010-04-06 01:25 . 2010-04-06 01:24 66473440 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative Sound Blaster Audigy Value_SE_LS and Sound Blaster Live! 24-bit XP and Windows Vi__\SB24_VTDRV_LB_1_04_0077.exe

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\Mike Davis\Local Settings\Application Data\uxeikc ----

((((((((((((((((((((((((((((( SnapShot@2010-06-17_06.40.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-21 21:16 . 2010-06-21 21:16 16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat

+ 2010-06-21 21:16 . 2010-06-21 21:16 16384 c:\windows\Temp\Perflib_Perfdata_1b8.dat

+ 2009-01-26 23:09 . 2010-06-18 15:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-01-26 23:09 . 2010-06-17 05:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-26 23:09 . 2010-06-18 15:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-01-26 23:09 . 2010-06-17 05:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-06-18 15:34 . 2010-06-18 15:34 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-01-26 23:09 . 2010-06-17 05:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-01-26 14:50 . 2010-06-21 21:16 268600 c:\windows\system32\FNTCACHE.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-09-30 18:40 1182088 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-28 39408]

"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]

"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 328992]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-17 57393]

"P17Helper"="P17.dll" [2005-05-04 64512]

"NswUiTray"="c:\program files\Norton SystemWorks Basic Edition\NswUiTray.exe" [2008-09-25 85360]

"NSWosCheck"="c:\program files\Norton SystemWorks Basic Edition\osCheck.exe" [2008-09-25 160112]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-17 40960]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]

"DellNSCST"="c:\program files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe" [2006-02-20 278528]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Davis^Start Menu^Programs^Startup^eFax 4.4.lnk]

path=c:\documents and settings\Mike Davis\Start Menu\Programs\Startup\eFax 4.4.lnk

backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Davis^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Mike Davis\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Davis^Start Menu^Programs^Startup^radio SHARK Scheduler.lnk]

path=c:\documents and settings\Mike Davis\Start Menu\Programs\Startup\radio SHARK Scheduler.lnk

backup=c:\windows\pss\radio SHARK Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeTaskScheduler]

2006-11-17 09:42 53341 ------w- c:\program files\Creative\Shared Files\CTSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]

2009-10-24 02:34 827904 ----a-w- c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 08:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\DELL\\Dell Laser MFP 1600n\\NetworkScan\\DNSCST.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/8/2010 3:49 PM 304464]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2/4/2010 7:04 AM 93320]

R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~3\NORTON~1\NPROTECT.EXE [9/25/2008 3:53 PM 95600]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/8/2010 3:49 PM 20952]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 9:13 AM 135664]

S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [11/30/2007 10:18 PM 651712]

S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys --> c:\windows\system32\drivers\tbcspud.sys [?]

S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys --> c:\windows\system32\drivers\tbcwdm.sys [?]

S3 vtdg46xx;vtdg46xx;\??\c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys --> c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 16:13]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 16:13]

2010-02-04 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-04 20:22]

2010-02-04 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-04 20:22]

2010-03-08 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks Basic Edition\OBC.exe [2008-09-25 22:52]

2010-06-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-09-30 18:40]

2010-06-21 c:\windows\Tasks\User_Feed_Synchronization-{A56B90A4-2D38-4B38-97F6-13B0202E9469}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:1034

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

TCP: {5783E86C-EE8D-47FC-9C8A-C7C9CDE6BCCB} = 208.67.222.222,208.67.220.220

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Mike Davis\Application Data\Mozilla\Firefox\Profiles\b4pgmchu.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-21 14:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(880)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3728)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\hnetcfg.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-21 15:04:14

ComboFix-quarantined-files.txt 2010-06-21 22:04

ComboFix2.txt 2010-06-18 00:44

ComboFix3.txt 2010-06-17 06:47

Pre-Run: 643,960,496,128 bytes free

Post-Run: 643,965,673,472 bytes free

- - End Of File - - 08BC7EE29792FE5D3FF10C3939D74F9D

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted
Hi,

Please delete this folder:

c:\documents and settings\Mike Davis\Local Settings\Application Data\uxeikc

I would like to know what IPs are being blocked. Open MBAM, click the Logs tab, and find the relevant protection module log for me to look at. Post it here.

Hello Chris...

1) Folder deleted.

2)

Today's protection log:

14:08:42 Mike Davis MESSAGE Protection started successfully

14:08:55 Mike Davis MESSAGE IP Protection started successfully

14:17:56 Mike Davis MESSAGE Protection started successfully

14:18:02 Mike Davis MESSAGE IP Protection started successfully

15:36:52 Mike Davis MESSAGE Protection started successfully

15:37:02 Mike Davis MESSAGE IP Protection started successfully

15:39:22 Mike Davis IP-BLOCK 91.212.226.67

15:39:25 Mike Davis IP-BLOCK 91.212.226.67

15:39:31 Mike Davis IP-BLOCK 91.212.226.67

15:46:22 Mike Davis IP-BLOCK 94.228.209.200

15:46:25 Mike Davis IP-BLOCK 94.228.209.200

15:46:31 Mike Davis IP-BLOCK 94.228.209.200

15:47:21 Mike Davis IP-BLOCK 94.228.209.200

15:47:24 Mike Davis IP-BLOCK 94.228.209.200

15:47:30 Mike Davis IP-BLOCK 94.228.209.200

15:49:43 Mike Davis IP-BLOCK 91.212.226.59

15:49:46 Mike Davis IP-BLOCK 91.212.226.59

15:49:53 Mike Davis IP-BLOCK 91.212.226.59

16:01:48 Mike Davis MESSAGE IP Protection stopped

16:02:05 Mike Davis MESSAGE Database updated successfully

16:02:10 Mike Davis MESSAGE IP Protection started successfully

16:18:43 Mike Davis IP-BLOCK 94.228.209.200

16:18:45 Mike Davis IP-BLOCK 94.228.209.200

16:18:52 Mike Davis IP-BLOCK 94.228.209.200

16:25:04 Mike Davis IP-BLOCK 94.228.209.200

16:25:06 Mike Davis IP-BLOCK 94.228.209.200

16:25:13 Mike Davis IP-BLOCK 94.228.209.200

16:48:25 Mike Davis IP-BLOCK 94.228.209.200

16:48:28 Mike Davis IP-BLOCK 94.228.209.200

16:48:34 Mike Davis IP-BLOCK 94.228.209.200

17:18:46 Mike Davis IP-BLOCK 94.228.209.200

17:18:49 Mike Davis IP-BLOCK 94.228.209.200

17:18:55 Mike Davis IP-BLOCK 94.228.209.200

17:39:54 Mike Davis IP-BLOCK 91.212.226.67

17:39:57 Mike Davis IP-BLOCK 91.212.226.67

17:40:03 Mike Davis IP-BLOCK 91.212.226.67

17:49:07 Mike Davis IP-BLOCK 94.228.209.200

17:49:10 Mike Davis IP-BLOCK 94.228.209.200

17:49:17 Mike Davis IP-BLOCK 94.228.209.200

17:50:15 Mike Davis IP-BLOCK 91.212.226.59

17:50:18 Mike Davis IP-BLOCK 91.212.226.59

17:50:24 Mike Davis IP-BLOCK 91.212.226.59

18:00:37 Mike Davis IP-BLOCK 195.170.178.55

18:00:40 Mike Davis IP-BLOCK 195.170.178.55

18:00:46 Mike Davis IP-BLOCK 195.170.178.55

18:10:58 Mike Davis IP-BLOCK 91.212.226.59

18:11:01 Mike Davis IP-BLOCK 91.212.226.59

18:11:07 Mike Davis IP-BLOCK 91.212.226.59

18:19:29 Mike Davis IP-BLOCK 94.228.209.200

18:19:32 Mike Davis IP-BLOCK 94.228.209.200

18:19:38 Mike Davis IP-BLOCK 94.228.209.200

18:46:50 Mike Davis IP-BLOCK 94.228.209.200

18:46:53 Mike Davis IP-BLOCK 94.228.209.200

18:46:59 Mike Davis IP-BLOCK 94.228.209.200

Protection log from 6-17

06:04:08 (null) MESSAGE Protection started successfully

06:04:56 Mike Davis MESSAGE IP Protection started successfully

06:06:45 Mike Davis IP-BLOCK 91.212.226.67

06:06:48 Mike Davis IP-BLOCK 91.212.226.67

06:06:54 Mike Davis IP-BLOCK 91.212.226.67

06:13:45 Mike Davis IP-BLOCK 94.228.209.200

06:13:48 Mike Davis IP-BLOCK 94.228.209.200

06:13:54 Mike Davis IP-BLOCK 94.228.209.200

06:14:45 Mike Davis IP-BLOCK 94.228.209.200

06:14:48 Mike Davis IP-BLOCK 94.228.209.200

06:14:54 Mike Davis IP-BLOCK 94.228.209.200

06:17:07 Mike Davis IP-BLOCK 91.212.226.59

06:17:10 Mike Davis IP-BLOCK 91.212.226.59

06:17:16 Mike Davis IP-BLOCK 91.212.226.59

06:26:06 Mike Davis IP-BLOCK 94.228.209.200

06:26:09 Mike Davis IP-BLOCK 94.228.209.200

06:26:15 Mike Davis IP-BLOCK 94.228.209.200

06:27:28 Mike Davis IP-BLOCK 195.170.178.55

06:27:31 Mike Davis IP-BLOCK 195.170.178.55

06:27:37 Mike Davis IP-BLOCK 195.170.178.55

06:37:50 Mike Davis IP-BLOCK 91.212.226.59

06:37:53 Mike Davis IP-BLOCK 91.212.226.59

06:37:59 Mike Davis IP-BLOCK 91.212.226.59

07:16:23 Mike Davis IP-BLOCK 94.228.209.200

07:16:26 Mike Davis IP-BLOCK 94.228.209.200

07:16:32 Mike Davis IP-BLOCK 94.228.209.200

07:42:44 Mike Davis IP-BLOCK 94.228.209.200

07:42:47 Mike Davis IP-BLOCK 94.228.209.200

07:42:53 Mike Davis IP-BLOCK 94.228.209.200

07:54:05 Mike Davis IP-BLOCK 94.228.209.200

07:54:08 Mike Davis IP-BLOCK 94.228.209.200

07:54:14 Mike Davis IP-BLOCK 94.228.209.200

08:02:26 Mike Davis IP-BLOCK 94.228.209.200

08:02:29 Mike Davis IP-BLOCK 94.228.209.200

08:02:35 Mike Davis IP-BLOCK 94.228.209.200

08:06:58 Mike Davis IP-BLOCK 91.212.226.67

08:07:01 Mike Davis IP-BLOCK 91.212.226.67

08:07:07 Mike Davis IP-BLOCK 91.212.226.67

08:12:47 Mike Davis IP-BLOCK 94.228.209.200

08:12:50 Mike Davis IP-BLOCK 94.228.209.200

08:12:56 Mike Davis IP-BLOCK 94.228.209.200

08:27:52 Mike Davis IP-BLOCK 195.170.178.55

08:27:55 Mike Davis IP-BLOCK 195.170.178.55

08:28:01 Mike Davis IP-BLOCK 195.170.178.55

08:38:13 Mike Davis IP-BLOCK 91.212.226.59

08:38:17 Mike Davis IP-BLOCK 91.212.226.59

08:38:23 Mike Davis IP-BLOCK 91.212.226.59

08:39:09 Mike Davis IP-BLOCK 94.228.209.200

08:39:12 Mike Davis IP-BLOCK 94.228.209.200

08:39:18 Mike Davis IP-BLOCK 94.228.209.200

17:02:16 Mike Davis MESSAGE Protection started successfully

17:02:31 Mike Davis MESSAGE IP Protection started successfully

17:04:47 Mike Davis IP-BLOCK 91.212.226.67

17:04:50 Mike Davis IP-BLOCK 91.212.226.67

17:04:56 Mike Davis IP-BLOCK 91.212.226.67

17:08:57 Mike Davis IP-BLOCK 85.12.46.158

17:09:00 Mike Davis IP-BLOCK 85.12.46.158

17:09:06 Mike Davis IP-BLOCK 85.12.46.158

17:09:18 Mike Davis IP-BLOCK 85.12.46.158

17:09:21 Mike Davis IP-BLOCK 85.12.46.158

17:09:27 Mike Davis IP-BLOCK 85.12.46.158

17:09:39 Mike Davis IP-BLOCK 85.12.46.157

17:09:42 Mike Davis IP-BLOCK 85.12.46.157

17:09:48 Mike Davis IP-BLOCK 85.12.46.157

17:10:00 Mike Davis IP-BLOCK 85.12.46.157

17:10:03 Mike Davis IP-BLOCK 85.12.46.157

17:10:09 Mike Davis IP-BLOCK 85.12.46.157

17:10:22 Mike Davis IP-BLOCK 85.12.46.155

17:10:25 Mike Davis IP-BLOCK 85.12.46.155

17:10:31 Mike Davis IP-BLOCK 85.12.46.155

17:10:43 Mike Davis IP-BLOCK 85.12.46.155

17:10:46 Mike Davis IP-BLOCK 85.12.46.155

17:10:52 Mike Davis IP-BLOCK 85.12.46.155

17:11:04 Mike Davis IP-BLOCK 85.12.46.155

17:11:07 Mike Davis IP-BLOCK 85.12.46.155

17:11:14 Mike Davis IP-BLOCK 85.12.46.155

17:11:26 Mike Davis IP-BLOCK 85.12.46.155

17:11:29 Mike Davis IP-BLOCK 85.12.46.155

17:11:35 Mike Davis IP-BLOCK 85.12.46.155

17:11:47 Mike Davis IP-BLOCK 85.12.46.158

17:11:48 Mike Davis IP-BLOCK 94.228.209.200

17:11:50 Mike Davis IP-BLOCK 85.12.46.158

17:11:51 Mike Davis IP-BLOCK 94.228.209.200

17:11:56 Mike Davis IP-BLOCK 85.12.46.158

17:11:57 Mike Davis IP-BLOCK 94.228.209.200

17:12:08 Mike Davis IP-BLOCK 85.12.46.158

17:12:11 Mike Davis IP-BLOCK 85.12.46.158

17:12:17 Mike Davis IP-BLOCK 85.12.46.158

17:12:30 Mike Davis IP-BLOCK 91.212.226.130

17:12:33 Mike Davis IP-BLOCK 91.212.226.130

17:12:39 Mike Davis IP-BLOCK 91.212.226.130

17:12:47 Mike Davis IP-BLOCK 94.228.209.200

17:12:50 Mike Davis IP-BLOCK 94.228.209.200

17:12:51 Mike Davis IP-BLOCK 91.212.226.130

17:12:54 Mike Davis IP-BLOCK 91.212.226.130

17:12:56 Mike Davis IP-BLOCK 94.228.209.200

17:13:00 Mike Davis IP-BLOCK 91.212.226.130

17:13:13 Mike Davis IP-BLOCK 91.212.226.178

17:13:16 Mike Davis IP-BLOCK 91.212.226.178

17:13:22 Mike Davis IP-BLOCK 91.212.226.178

17:13:34 Mike Davis IP-BLOCK 91.212.226.178

18:22:33 Mike Davis MESSAGE Protection started successfully

18:23:10 Mike Davis MESSAGE IP Protection started successfully

19:20:43 (null) MESSAGE Protection started successfully

19:21:34 Mike Davis MESSAGE IP Protection started successfully

19:23:23 Mike Davis IP-BLOCK 91.212.226.67

19:23:26 Mike Davis IP-BLOCK 91.212.226.67

19:23:32 Mike Davis IP-BLOCK 91.212.226.67

19:30:24 Mike Davis IP-BLOCK 94.228.209.200

19:30:26 Mike Davis IP-BLOCK 94.228.209.200

19:30:33 Mike Davis IP-BLOCK 94.228.209.200

19:31:22 Mike Davis IP-BLOCK 94.228.209.200

19:31:25 Mike Davis IP-BLOCK 94.228.209.200

19:31:31 Mike Davis IP-BLOCK 94.228.209.200

19:45:00 Mike Davis MESSAGE Protection started successfully

19:45:13 Mike Davis MESSAGE IP Protection started successfully

21:52:03 Mike Davis MESSAGE Protection started successfully

21:52:39 Mike Davis MESSAGE IP Protection started successfully

Thanks,

Mike

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted

After I blocked the ones above, these new ones triggered the blocked IP message...

(end of log)

22:14:34 Mike Davis IP-BLOCK 91.212.226.130

22:14:37 Mike Davis IP-BLOCK 91.212.226.130

22:14:43 Mike Davis IP-BLOCK 91.212.226.130

22:14:56 Mike Davis IP-BLOCK 91.212.226.178

22:14:59 Mike Davis IP-BLOCK 91.212.226.178

22:15:05 Mike Davis IP-BLOCK 91.212.226.178

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted
After I blocked the ones above, these new ones triggered the blocked IP message...

(end of log)

22:14:34 Mike Davis IP-BLOCK 91.212.226.130

22:14:37 Mike Davis IP-BLOCK 91.212.226.130

22:14:43 Mike Davis IP-BLOCK 91.212.226.130

22:14:56 Mike Davis IP-BLOCK 91.212.226.178

22:14:59 Mike Davis IP-BLOCK 91.212.226.178

22:15:05 Mike Davis IP-BLOCK 91.212.226.178

I made sure those were now added too...my bad!

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted
Okay. Use your computer normally for a while and let me know if you're getting any additional IP block notifications.

Hello Chris...

I fired back up about an hour ago. Using both IE and Firefox. Here is today's log (I also logged on early this morning):

05:21:24 Mike Davis MESSAGE Protection started successfully

05:21:33 Mike Davis MESSAGE IP Protection started successfully

05:34:48 Mike Davis IP-BLOCK 208.87.33.151

05:34:51 Mike Davis IP-BLOCK 208.87.33.151

05:34:57 Mike Davis IP-BLOCK 208.87.33.151

16:16:02 (null) MESSAGE Protection started successfully

16:16:01 Mike Davis MESSAGE IP Protection started successfully

16:25:32 Mike Davis IP-BLOCK 67.228.186.114

16:25:35 Mike Davis IP-BLOCK 67.228.186.114

16:25:41 Mike Davis IP-BLOCK 67.228.186.114

I also had one case where IE opened a new window (and couldn't connect). The URL was this:

"http://www.directrdr.com/v3.php?pid=245&cid=15160&crid=13914&t=6(53293)1(594903)&cc=840&said=0&params=61a559f5e8142670347f3566bd42bc82c840e051-33.FU.wUS.sw%09f.fwffff%097cKqLvIaL%09ws44sk3wwF%09pTc&pc=0-15160&vurl=http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fn884.tribalfusion1%2Fb4165755.4%3Bsz%3D120x600%3Bclick%3Dhttp%3A%2F%2Fa.tribalfusion.com%2Fh.click%2Fawmmbk2fqxmd6t0a6y2hbgqcva4pyjmdipthb60bq7xrqfxazaqpryfurqsvtqtmfzbprujrxe3m5q

bc5ayroebixfu6utjxmpfjmvjqmhba5ebf5taq56bzbnfbza0s7wygr4xvjnpafu3bqqwfvzbwpjtrhv

g

nwmjef%2F%3Bord%3D1071727975%3F&mm=53"

For the last hour, the system has appeared normal. Prior to today, often the browser(s) would lose their connections and ad/survey sites would pop up. That hasn't happened since I fired back up this afternoon.

Thanks for your help!

Mike

Link to post
Share on other sites
Mike D.

Mike D.

Posted
  • Author
Posted
Hello Chris...

I fired back up about an hour ago. Using both IE and Firefox. Here is today's log (I also logged on early this morning):

05:21:24 Mike Davis MESSAGE Protection started successfully

05:21:33 Mike Davis MESSAGE IP Protection started successfully

05:34:48 Mike Davis IP-BLOCK 208.87.33.151

05:34:51 Mike Davis IP-BLOCK 208.87.33.151

05:34:57 Mike Davis IP-BLOCK 208.87.33.151

16:16:02 (null) MESSAGE Protection started successfully

16:16:01 Mike Davis MESSAGE IP Protection started successfully

16:25:32 Mike Davis IP-BLOCK 67.228.186.114

16:25:35 Mike Davis IP-BLOCK 67.228.186.114

16:25:41 Mike Davis IP-BLOCK 67.228.186.114

I also had one case where IE opened a new window (and couldn't connect). The URL was this:

"http://www.directrdr.com/v3.php?pid=245&cid=15160&crid=13914&t=6(53293)1(594903)&cc=840&said=0&params=61a559f5e8142670347f3566bd42bc82c840e051-33.FU.wUS.sw%09f.fwffff%097cKqLvIaL%09ws44sk3wwF%09pTc&pc=0-15160&vurl=http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fn884.tribalfusion1%2Fb4165755.4%3Bsz%3D120x600%3Bclick%3Dhttp%3A%2F%2Fa.tribalfusion.com%2Fh.click%2Fawmmbk2fqxmd6t0a6y2hbgqcva4pyjmdipthb60bq7xrqfxazaqpryfurqsvtqtmfzbprujrxe3m5q

bc5ayroebixfu6utjxmpfjmvjqmhba5ebf5taq56bzbnfbza0s7wygr4xvjnpafu3bqqwfvzbwpjtrhv

g

nwmjef%2F%3Bord%3D1071727975%3F&mm=53"

For the last hour, the system has appeared normal. Prior to today, often the browser(s) would lose their connections and ad/survey sites would pop up. That hasn't happened since I fired back up this afternoon.

Thanks for your help!

Mike

I'll add that I did have to restart my router...another lost connection and when trying to add this info (and the new log), my browser got pointed to the last site and couldn't connect...Sigh.

05:21:24 Mike Davis MESSAGE Protection started successfully

05:21:33 Mike Davis MESSAGE IP Protection started successfully

05:34:48 Mike Davis IP-BLOCK 208.87.33.151

05:34:51 Mike Davis IP-BLOCK 208.87.33.151

05:34:57 Mike Davis IP-BLOCK 208.87.33.151

16:16:02 (null) MESSAGE Protection started successfully

16:16:01 Mike Davis MESSAGE IP Protection started successfully

16:25:32 Mike Davis IP-BLOCK 67.228.186.114

16:25:35 Mike Davis IP-BLOCK 67.228.186.114

16:25:41 Mike Davis IP-BLOCK 67.228.186.114

17:25:45 Mike Davis IP-BLOCK 208.87.33.151

17:25:48 Mike Davis IP-BLOCK 208.87.33.151

18:46:23 Mike Davis IP-BLOCK 208.94.233.34

18:46:26 Mike Davis IP-BLOCK 208.94.233.34

18:46:32 Mike Davis IP-BLOCK 208.94.233.34

18:46:45 Mike Davis IP-BLOCK 208.94.233.34

18:46:48 Mike Davis IP-BLOCK 208.94.233.34

18:46:54 Mike Davis IP-BLOCK 208.94.233.34

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.