Geographer

Browser Hijacker - Again


Thanks in advance, you guys helped me back in 2008, and now I have a similar problem with a browser hijacker.

Briefly, I had the 'XP Security Center' malware appear a few days ago along with a browser hijacker that would redirect to findsutff.com, and I was able to remove them with Malwarebytes and Avira. I still have a browser hijacker that redirects searches to icityfind.com, but it doesn't do it every time I perform a search. In any case I appreciate any help you can offer:

This is my latest mbam log

Malwarebytes' Anti-Malware 1.44

Database version: 3730

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

6/13/2010 12:35:35 AM

mbam-log-2010-06-13 (00-35-35).txt

Scan type: Full Scan (C:\|)

Objects scanned: 271054

Time elapsed: 2 hour(s), 50 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And these are the results of DDS

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Dennis at 13:19:59.89 on Sat 05/14/2011

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1220 [GMT -4:00]

.

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\WINDOWS\system32\LxrJD31s.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Dennis\Application Data\Dropbox\bin\Dropbox.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\dllhost.exe

c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Dennis\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110512215306.dll

BHO: {A095A6F6-B7E8-40E2-9A80-A235566C0FE6} - No File

BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: CAdBlocker Object: {e24ad748-155e-4254-b674-4edf86e7e1df} - c:\progra~1\acronis\privac~1\Blocker.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

StartupFolder: c:\docume~1\dennis\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\dennis\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - c:\progra~1\acronis\privac~1\Blocker.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\dennis\applic~1\mozilla\firefox\profiles\f0hdd127.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\windows\system32\superadblocker.com\npsabffx.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu

FF - Ext: Wired-Marker: {e36db930-f18d-4449-b45f-e286cfb9e03a} - %profile%\extensions\{e36db930-f18d-4449-b45f-e286cfb9e03a}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: XULRunner: {D7427597-ECD1-485E-ACCE-2A58EC457E82} - c:\documents and settings\suzi2\local settings\application data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}

FF - Ext: XULRunner: {68088CAC-141C-40D2-9A7A-F8B10F9B656E} - c:\documents and settings\dennis\local settings\application data\{68088CAC-141C-40D2-9A7A-F8B10F9B656E}

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-2 387480]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-13 11608]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-1 84200]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-13 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-13 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-12 61960]

R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2010-12-15 1085440]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-12 363344]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-11-14 88176]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-1 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-1 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-1 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-1 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-1 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-1 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-1 56064]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-12 20952]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-2 153280]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-2 52320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-1 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-1 88736]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-30 133104]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-12-26 18560]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-9-30 133104]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-1 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-1 84488]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-2 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-2 40552]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-05-13 05:39:40 -------- d-----w- c:\docume~1\dennis\applic~1\Avira

2011-05-13 05:31:16 -------- dc----w- c:\docume~1\alluse~1\applic~1\Avira

2011-05-13 05:31:16 -------- d-----w- c:\program files\Avira

2011-05-06 01:03:28 -------- d-----w- c:\windows\system32\LogFiles

2011-05-05 23:41:05 -------- d-----w- c:\program files\Cisco Systems

2011-05-05 23:15:25 -------- dc----w- c:\docume~1\alluse~1\applic~1\Cisco Systems

2011-05-03 07:05:14 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2011-05-02 13:34:03 215920 ----a-w- c:\windows\system32\muweb.dll

2011-05-02 13:34:03 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2011-05-02 13:34:02 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-05-02 01:23:22 -------- d-----w- c:\program files\Microsoft Synchronization Services

2011-05-02 01:21:46 -------- dc----w- c:\documents and settings\all users\Microsoft

2011-05-02 01:21:46 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2011-05-02 01:06:32 -------- d-----w- c:\program files\Microsoft Analysis Services

2011-04-23 22:04:22 -------- d-----w- c:\docume~1\dennis\locals~1\applic~1\{68088CAC-141C-40D2-9A7A-F8B10F9B656E}

2011-04-23 21:37:13 0 ----a-w- c:\windows\Griku.bin

2011-04-20 01:41:12 98304 ----a-w- c:\windows\system32\hpzjsn01.dll

2011-04-20 01:41:11 606208 ----a-w- c:\windows\system32\hpotscl.dll

2011-04-20 01:41:11 258122 ----a-w- c:\windows\system32\hpovst08.dll

2011-04-20 01:40:18 180315 ----a-w- c:\windows\system32\hpzsnt12.dll

2011-04-18 17:29:27 -------- dc----w- C:\spoolerlogs

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 13:51:57 81920 ------w- c:\windows\system32\ieencode.dll

2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-02-17 12:37:38 369664 ------w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2001-05-24 16:59:30 162304 ----a-w- c:\program files\UNWISE.EXE

.

============= FINISH: 13:22:47.92 ===============


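As an added example (not part of this thread, and not code from the DDS or Malwarebytes tools), the script below runs a defender's triage over the browser-related lines of the DDS output in the opening post: it refangs the hxxp:// URLs, flags search/start-page settings that point at a host outside an assumed allowlist of search engines, flags Firefox extensions registered from a user-writable AppData path outside the profile, lists orphaned BHO/toolbar registrations, and notes hosts-file entries that sinkhole a domain. The allowlist and severity labels are assumptions for the demo; the sample lines are excerpted from the log above.

```python
"""Triage the browser-related lines of a DDS log for search-hijack indicators."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "severity item reason")

# Constructed sample: lines excerpted from the DDS output in the post above,
# keeping only the entries relevant to a search/homepage hijack.
SAMPLE_DDS = r"""
uStart Page = about:blank
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {A095A6F6-B7E8-40E2-9A80-A235566C0FE6} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: XULRunner: {D7427597-ECD1-485E-ACCE-2A58EC457E82} - c:\documents and settings\suzi2\local settings\application data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}
"""

# Assumed allowlist: search hosts the user could plausibly have chosen themselves.
KNOWN_SEARCH_HOSTS = {"www.google.com", "google.com", "search.yahoo.com", "www.bing.com"}
# DDS keys whose value is a URL that a hijacker typically rewrites.
URL_SETTINGS = {"uStart Page", "uSearchURL,(Default)", "browser.search.defaulturl",
                "browser.startup.homepage", "keyword.URL"}

PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>[\w.]+) - (?P<val>.*)$")
EXT_RE = re.compile(r"^FF - Ext: (?P<name>.*?): (?P<id>\S+) - (?P<path>.*)$")
IE_RE = re.compile(r"^(?P<key>uStart Page|uSearchURL,\(Default\)) = (?P<val>.*)$")
OBJ_RE = re.compile(r"^(?P<kind>BHO|TB|EB): (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def refang(url):
    """DDS writes hxxp:// so the log is not clickable; restore the scheme for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_of(url):
    """Hostname of a (possibly defanged) URL, or None if it has none."""
    return urlparse(refang(url)).hostname


def check_url_setting(key, val):
    if val == "about:blank":          # a blank start page is a legitimate choice
        return None
    host = host_of(val)
    if not host:
        return Finding("medium", key, f"empty or malformed URL {val!r}")
    if host.lower() not in KNOWN_SEARCH_HOSTS:
        return Finding("high", key, f"search/start page points at unexpected host {host}")
    return None


def check_extension(name, ext_id, path):
    p = path.lower()
    if p.startswith("%profile%") or p.startswith("c:\\program files"):
        return None                   # inside the profile or a normal install location
    if "\\application data\\" in p:
        return Finding("high", ext_id,
                       f"extension '{name}' loads from user-writable AppData outside the profile: {path}")
    return Finding("medium", ext_id, f"extension '{name}' loads from unusual path: {path}")


def triage_dds(text):
    """Return a list of Finding for every suspicious browser-related DDS line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PREF_RE.match(line) or IE_RE.match(line)
        if m:
            if m["key"] in URL_SETTINGS:
                f = check_url_setting(m["key"], m["val"])
                if f:
                    findings.append(f)
            continue
        m = EXT_RE.match(line)
        if m:
            f = check_extension(m["name"], m["id"], m["path"])
            if f:
                findings.append(f)
            continue
        m = OBJ_RE.match(line)
        if m and m["body"].endswith("No File"):
            g = GUID_RE.search(m["body"])
            findings.append(Finding("low", g.group(0) if g else m["body"],
                                    f"orphaned {m['kind']} registration (No File); cleanup candidate"))
            continue
        m = HOSTS_RE.match(line)
        if m and m["ip"] in {"127.0.0.1", "0.0.0.0"} and m["host"] != "localhost":
            findings.append(Finding("medium", m["host"],
                                    f"hosts file sinkholes {m['host']} to {m['ip']}"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
```

On the sample it surfaces the fastbrowsersearch.com default-search URL and the XULRunner extension under Local Settings\Application Data as the two high findings, which matches what ComboFix later deleted in this thread.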

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Thanks for your help,

This is the updated MBAM log file:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6612

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/18/2011 7:11:11 PM

mbam-log-2011-05-18 (19-11-11).txt

Scan type: Quick scan

Objects scanned: 191864

Time elapsed: 15 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

This is the ComboFix log:

ComboFix 11-05-17.03 - Suzi2 05/18/2011 19:19:36.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1418 [GMT -4:00]

Running from: c:\documents and settings\Suzi2\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Suzi2\Application Data\Adobe\plugs

c:\documents and settings\Suzi2\Application Data\Adobe\shed

c:\documents and settings\Suzi2\Local Settings\Application Data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}

c:\documents and settings\Suzi2\Local Settings\Application Data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}\chrome.manifest

c:\documents and settings\Suzi2\Local Settings\Application Data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}\chrome\content\_cfg.js

c:\documents and settings\Suzi2\Local Settings\Application Data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}\chrome\content\overlay.xul

c:\documents and settings\Suzi2\Local Settings\Application Data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}\install.rdf

c:\windows\system32\regobj.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))

.

.

2011-05-18 02:15 . 2011-05-18 02:15 -------- dc----w- c:\documents and settings\Suzi2\Application Data\SUPERAntiSpyware.com

2011-05-18 02:11 . 2011-05-18 02:11 -------- dc----w- c:\documents and settings\Suzi2\Application Data\Avira

2011-05-13 05:31 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-05-13 05:31 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-05-13 05:31 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-05-13 05:31 . 2011-05-13 05:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Avira

2011-05-13 05:31 . 2011-05-13 05:31 -------- d-----w- c:\program files\Avira

2011-05-06 01:03 . 2011-05-06 01:03 -------- d-----w- c:\windows\system32\LogFiles

2011-05-05 23:41 . 2011-05-06 22:03 -------- d-----w- c:\program files\Cisco Systems

2011-05-05 23:15 . 2011-05-05 23:15 -------- dc----w- c:\documents and settings\All Users\Application Data\Cisco Systems

2011-05-03 07:05 . 2011-05-03 07:05 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2011-05-02 13:34 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll

2011-05-02 13:34 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-05-02 01:23 . 2011-05-02 01:23 -------- d-----w- c:\program files\Microsoft Synchronization Services

2011-05-02 01:21 . 2011-05-02 01:21 -------- dc----w- c:\documents and settings\All Users\Microsoft

2011-05-02 01:21 . 2011-05-02 01:21 -------- d-----w- c:\program files\Microsoft Sync Framework

2011-05-02 01:21 . 2011-05-02 01:21 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2011-05-02 01:06 . 2011-05-02 01:06 -------- d-----w- c:\program files\Microsoft Analysis Services

2011-04-23 21:37 . 2011-05-13 04:57 0 ----a-w- c:\windows\Griku.bin

2011-04-20 01:41 . 2011-04-20 01:41 -------- dc----w- c:\documents and settings\Suzi2\Application Data\HP

2011-04-20 01:41 . 2005-02-05 02:58 98304 ----a-w- c:\windows\system32\hpzjsn01.dll

2011-04-20 01:41 . 2005-04-08 15:51 258122 ----a-w- c:\windows\system32\hpovst08.dll

2011-04-20 01:41 . 2005-04-08 15:51 606208 ----a-w- c:\windows\system32\hpotscl.dll

2011-04-20 01:40 . 2005-03-18 18:32 180315 ----a-w- c:\windows\system32\hpzsnt12.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-14 18:01 . 2010-08-01 15:09 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-14 18:01 . 2010-08-01 15:09 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-04-14 18:01 . 2010-08-01 15:09 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-14 18:01 . 2010-08-01 15:09 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-14 18:01 . 2010-08-01 15:09 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-04-14 18:01 . 2010-08-01 15:09 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-04-14 18:01 . 2010-08-01 15:09 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-14 18:01 . 2007-02-03 00:17 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-14 18:01 . 2007-02-03 00:17 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-04-14 18:01 . 2007-02-03 00:17 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-04-01 21:07 . 2010-02-12 20:39 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-03-07 05:33 . 2007-02-02 18:13 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2003-07-16 20:49 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2003-07-16 20:51 1857920 ----a-w- c:\windows\system32\win32k.sys

2001-05-24 16:59 . 2008-05-26 02:53 162304 ----a-w- c:\program files\UNWISE.EXE

2011-04-14 18:01 . 2010-08-01 15:09 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-03 65536]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-02-12 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-02-12 05:43 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=

"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=

"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=

"c:\\WINDOWS\\system32\\vssvc.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\FinalMediaPlayer\\FMPCheckForUpdates.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"24726:TCP"= 24726:TCP:FlipShareServer

"24727:TCP"= 24727:TCP:FlipShareServer

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/1/2010 11:09 AM 84200]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/13/2011 1:31 AM 136360]

R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 2:22 PM 1085440]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/12/2010 4:14 AM 363344]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/14/2008 9:41 PM 88176]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/1/2010 11:09 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/1/2010 11:09 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/1/2010 11:09 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/1/2010 11:09 AM 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/1/2010 11:09 AM 56064]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/12/2010 4:14 AM 20952]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/1/2010 11:09 AM 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/1/2010 11:09 AM 88736]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2009 2:17 PM 133104]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/26/2010 11:54 PM 18560]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2009 2:17 PM 133104]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/1/2010 11:09 AM 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/1/2010 11:09 AM 84488]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 12872]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

.

2003-09-19 c:\windows\Tasks\Final Media Player Update Checker.job

- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2011-02-05 21:35]

.

2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-30 18:17]

.

2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-30 18:17]

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: internet

Trusted Zone: mcafee.com

FF - ProfilePath - c:\documents and settings\Suzi2\Application Data\Mozilla\Firefox\Profiles\3t77m5o6.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{A095A6F6-B7E8-40E2-9A80-A235566C0FE6} - (no file)

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)

HKCU-Run-Mgekewori - c:\windows\lsonet.dll

AddRemove-HijackThis - c:\documents and settings\Dennis\My Documents\HiJackThis\HijackThis.exe

AddRemove-Shockwave - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE

AddRemove-{E6358333-B89B-4243-8477-647C9360B5D9}_is1 - c:\documents and settings\Dennis\Local Settings\Application Data\Batchwork\Ppt-2-Ppt\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-18 19:29

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1008)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

Completion time: 2011-05-18 19:32:51

ComboFix-quarantined-files.txt 2011-05-18 23:32

ComboFix2.txt 2010-02-18 03:43

.

Pre-Run: 22,931,062,784 bytes free

Post-Run: 23,875,989,504 bytes free

.

- - End Of File - - C2327102AC15334966ABD365DC16749D

And the two DDS logs:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 2/2/2007 1:20:29 PM

System Uptime: 9/19/2003 1:33:07 AM (67171 hours ago)

.

Motherboard: Dell Computer Corp. | | 0K0057

Processor: Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2660/533mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 75 GiB total, 22.251 GiB free.

D: is CDROM ()

F: is FIXED (NTFS) - 297 GiB total, 243.901 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP428: 4/28/2011 3:49:36 AM - System Checkpoint

RP429: 4/29/2011 4:49:35 AM - System Checkpoint

RP430: 4/30/2011 5:49:34 AM - System Checkpoint

RP431: 4/30/2011 10:28:10 AM - Software Distribution Service 3.0

RP432: 5/1/2011 11:02:07 AM - System Checkpoint

RP433: 5/1/2011 8:57:11 PM - Installed Microsoft Office Professional Plus 2010

RP434: 5/1/2011 9:01:49 PM - Installed Microsoft Office Professional Plus 2010

RP435: 5/1/2011 9:33:22 PM - Printer Driver Send To Microsoft OneNote 2010 Driver Installed

RP436: 5/2/2011 10:21:31 AM - Software Distribution Service 3.0

RP437: 5/3/2011 3:00:50 AM - Software Distribution Service 3.0

RP438: 5/4/2011 3:00:25 AM - Software Distribution Service 3.0

RP439: 5/5/2011 3:16:06 AM - System Checkpoint

RP440: 5/6/2011 4:08:39 AM - System Checkpoint

RP441: 5/7/2011 3:00:42 PM - System Checkpoint

RP442: 5/8/2011 3:28:41 PM - System Checkpoint

RP443: 5/9/2011 3:49:27 PM - System Checkpoint

RP444: 5/10/2011 4:49:27 PM - System Checkpoint

RP445: 5/11/2011 5:49:27 PM - System Checkpoint

RP446: 5/12/2011 3:00:20 AM - Software Distribution Service 3.0

RP447: 5/15/2011 1:42:36 AM - System Checkpoint

RP448: 5/16/2011 2:30:54 AM - System Checkpoint

RP449: 5/17/2011 3:31:10 AM - System Checkpoint

RP450: 5/17/2011 9:54:22 PM - Restore Operation

RP451: 5/17/2011 10:02:59 PM - Restore Operation

.

==== Installed Programs ======================

.

.

1400

1400_Help

1400Trb

Acronis


More information:

This time, I had to run Combofix, MBAM, and DDS from my wife's user account. Previously I was able to run everything from my user account. Now, I can't get anything to work from my user account (where I first noticed all the problems). If I attempt to open MBAM or Firefox or anything from my user account, the file association dialog opens (the Open With box) and no matter what I select, nothing happens.

Also, Carbonite lost connection with the internet on all user accounts about 11 days ago. And finally the system clock went back to 2003. I was able to reset the clock from my wife's user account, but the MBAM program still says it is 2798 days out of date.


Hi,

I notice that you are using more than one antivirus program (Antivir and McAfee). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Antivir is now uninstalled, and these are the results from the ESET and the Security Check:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)

# OnlineScanner.ocx=1.0.0.6522

# api_version=3.0.2

# EOSSerial=befee2d67ddaab4bb18ba2449d5a388f

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-05-21 04:59:28

# local_time=2011-05-21 12:59:28 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1797 16774142 0 1 0 0 0 0

# compatibility_mode=5121 16777173 100 75 0 35099796 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=126462

# found=1

# cleaned=1

# scan_time=8295

C:\System Volume Information\_restore{9EE8FFE7-A98B-401B-96FD-32A41CC0A7CC}\RP451\A0090237.ini Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Results of screen317's Security Check version 0.99.11

Windows XP Service Pack 3

Internet Explorer 6 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

McAfee AntiVirus Plus

McAfee Virtual Technician

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 21

Java SE Runtime Environment 6 Update 1

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player 10.1.85.3

Adobe Reader X (10.0.1)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

``````````End of Log````````````

And these are the main issues I am still having:

If I attempt to open a program from my old user profile, I get the file association dialog:

[screenshot attachment: post-32854-0-51320300-1305994694.png]

Or if I am in my old user profile and I attempt to open a utility in the Control Panel, I get a different error:

[screenshot attachment: post-32854-0-08330700-1305994713.png]

And finally, I have reinstalled it and made sure my firewall isn't blocking it, but Carbonite can't access the internet from any user profile.

[screenshot attachment: post-32854-0-35086400-1305994723.png]

Thanks so very much for spending time to help me with this.


The browser hijack is still happening in my old profile as well, google searches are redirected to coupon sites etc.


I was able to fix the Carbonite issue, now the only problems I have are restricted to the old user account.


Looking at your other replies to users who have the same issue as me, if I try to even download exehelper, I get this:

[screenshot attachment: post-32854-0-17513500-1306196544.jpg]


Hi,

My apologies for the delay.

Every time you reply, your post gets pushed to the bottom of my list to reply to.

Ignore the McAfee warning and let it run. It's safe...

Alternatively, backup any useful files on the affected profile, then delete it and create a new profile. Then transfer your backed up files over.


Thanks, I believe I understand now about replying correctly, all at once and then don't add anything until I hear back from you.

I deleted all the old Java and installed the most current. I never use Internet Explorer, so I haven't updated it yet.

I was able to download and run exehelper and now the file associations on the old profile work correctly, so I don't think I need to delete the old profile just yet.

This is the exehelper log

exeHelper by Raktor

Build 20100414

Run at 19:12:19 on 05/25/11

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

I have re-run complete MBAM and McAfee scans and they both come back clean.

This is the latest MBAM log

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6644

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/25/2011 10:29:52 PM

mbam-log-2011-05-25 (22-29-52).txt

Scan type: Full scan (C:\|)

Objects scanned: 304366

Time elapsed: 1 hour(s), 42 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I am still having occasional hijacks when I do google searches (most are blocked by MBAM Pro), so I know I'm not clean yet. I don't feel comfortable repeating any of the other cleaning efforts without your guidance, so I'll wait to hear from you.

Thanks again. You guys who do this for us are literally unsung heroes.

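The "Resetting filetype association for .exe" line in the exeHelper log is what cured the "Open With" prompt: the .exe handler had been pointed at something other than the stock command. Windows resolves a .exe through the ProgID named by the default value of HKCR\.exe and then the command under HKCR\<ProgID>\shell\open\command; HKCR is a merged view in which HKEY_CURRENT_USER\Software\Classes overrides HKEY_LOCAL_MACHINE\SOFTWARE\Classes, which is why a hijack can affect one profile and leave the other working. The script below is an added example, not part of this thread and not exeHelper's code: it parses a regedit export and reports any hive whose .exe handler deviates from the stock `"%1" %*`. The sample export is constructed; `secfile` and `hijack.exe` are placeholder names, not identifiers from the poster's logs.

```python
import re

# Stock Windows XP open command for the exefile ProgID.
EXPECTED_COMMAND = '"%1" %*'

SECTION_RE = re.compile(r'^\[([^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def reg_unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path_lower: {value_name: data}}. Only REG_SZ ("...") data is decoded;
    dword:/hex: data is kept verbatim. The default value is stored under ""."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else reg_unescape(m.group(2))
            data = m.group(3).strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = reg_unescape(data[1:-1])
            keys[current][name] = data
    return keys


def resolve_exe_handler(keys, hive):
    """Return (progid, open_command) for .exe as defined under one hive, or (None, None)."""
    base = (hive + r"\Software\Classes").lower()
    progid = keys.get(base + r"\.exe", {}).get("")
    if not progid:
        return None, None
    cmd_key = base + "\\" + progid.lower() + r"\shell\open\command"
    return progid, keys.get(cmd_key, {}).get("")


def effective_exe_handler(keys):
    """Mimic the HKCR merge: the per-user mapping wins over the machine-wide one."""
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        progid, command = resolve_exe_handler(keys, hive)
        if progid:
            return hive, progid, command
    return None, None, None


def check_exe_association(keys):
    """Report every hive whose .exe handler deviates from the stock command."""
    findings = []
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        progid, command = resolve_exe_handler(keys, hive)
        if progid is None:
            continue
        if command is None:
            findings.append((hive, progid, command, "ProgID has no shell\\open\\command"))
        elif command.strip() != EXPECTED_COMMAND:
            findings.append((hive, progid, command, "open command has been replaced"))
    return findings


# Constructed sample export (not taken from the poster's machine): the machine-wide
# mapping is intact, but the user hive redirects .exe through a hypothetical loader.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\hijack.exe\" /START \"%1\" %*"
'''

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("effective .exe handler:", effective_exe_handler(reg))
    for hive, progid, command, reason in check_exe_association(reg):
        print("%s: .exe -> %s: %s (%r)" % (hive, progid, reason, command))
```

On XP the export to feed in comes from `reg export HKCU\Software\Classes hkcu-classes.reg` and `reg export HKLM\SOFTWARE\Classes hklm-classes.reg` (run from the unaffected account, since the affected one cannot launch reg.exe while the association is broken). Checking the per-user hive first matters: a clean HKLM entry says nothing about a profile whose HKCU\Software\Classes\.exe has been re-pointed.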

Hi,

Could you give an example of the hijack? Go ahead and update IE. See if the behavior persists there.


IE is updated, and I ran the ESET online again. It found this:

C:\Documents and Settings\Suzi2\Application Data\Sun\Java\Deployment\cache\6.0\39\58ec35a7-404be173 a variant of Java/Exploit.CVE-2010-4452.A trojan cleaned by deleting - quarantined

here are some examples of the hijacks

If I do a Google search (using Firefox) for 'XP Security malware', the first site that appears in the search is an eHow URL:

How to Get Rid of XP Security Center Malware | eHow.com

How to Get Rid of XP Security Center Malware. XP Security Center is a rogue antispyware program despite its creators advertising it as a legitimate security ...

www.ehow.com


Hi,

Please download ATF Cleaner by Atribune from here, and save it to your Desktop.

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the whole lot, check Select All.

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

Please download the HostsXpert.

  • Extract the HostsXpert.zip by doing the following:
    • Right-click HostsXpert.zip and select Extract All


I'm still getting the redirects. Here's an example

hxxp://www.pcsecurityshield.com/lp/shield-deluxe-43.aspx?aid=wps766&Subid=5malware

and to clarify, I only get the redirects when I use Firefox. I don't get them with IE.


Uninstall Firefox completely.

Reboot and ensure that the C:\Program Files\Mozilla folder is deleted.

Grab the latest version of Firefox and see if the redirects persist.

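Redirects that happen only in Firefox and not in Internet Explorer point at the Firefox profile rather than the network or the hosts file: a user.js that re-applies settings at every start, a rewritten keyword.URL (the address-bar search destination in Firefox of this era), a changed homepage or search engine, a proxy or PAC setting, or an extension. Reading those files before reinstalling tells you which. The script below is an added example, not from this thread or from Mozilla: it parses `user_pref("name", value);` lines from prefs.js and user.js and flags hijack-prone preferences that point off an allow-list. The allow-list and the sample profile text are constructed for the example, and search.example.net is a placeholder, not a host from the poster's logs.

```python
import re
from urllib.parse import urlparse

# Preferences that search/redirect hijackers commonly rewrite in a Firefox 3.x/4.x profile.
WATCHED_PREFS = {
    "keyword.URL",                        # destination of address-bar searches
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
    "network.proxy.type",                 # 0 = none, 5 = system; others are manual/PAC
    "network.proxy.http",
    "network.proxy.autoconfig_url",
}

# Assumed allow-list for this example: hosts the owner knows these prefs should use.
TRUSTED_HOSTS = {"www.google.com", "en-us.start3.mozilla.com"}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref("name", value); line.
    String values lose their surrounding quotes; numbers and booleans stay as text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            prefs[m.group(1)] = value
    return prefs


def host_of(value):
    """Lower-cased hostname of a URL-valued preference, or None if it is not a URL."""
    if "://" not in value:
        return None
    return (urlparse(value).hostname or "").lower() or None


def find_hijacks(prefs, trusted_hosts=TRUSTED_HOSTS):
    """Return [(pref, value, reason)] for watched prefs that look tampered with."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for name, value in prefs.items():
        if name not in WATCHED_PREFS:
            continue
        if name == "network.proxy.type":
            if value not in ("0", "5"):
                findings.append((name, value, "manual or PAC proxy configured"))
            continue
        host = host_of(value)
        if host is not None and host not in trusted:
            findings.append((name, value, "points at untrusted host " + host))
        elif name == "network.proxy.http":
            findings.append((name, value, "HTTP proxy host set"))
    return findings


def audit_profile(prefs_js_text, user_js_text=""):
    """Merge prefs.js with user.js (user.js wins and is re-applied at every start,
    so a hijack there survives changes made through the Firefox UI) and audit it."""
    merged = parse_prefs(prefs_js_text)
    merged.update(parse_prefs(user_js_text))
    return find_hijacks(merged)


# Constructed sample profile (not the poster's files): prefs.js looks clean, while
# user.js re-applies a rogue search URL on every start-up.
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official");
user_pref("browser.search.defaultenginename", "Google");
user_pref("network.proxy.type", 0);
user_pref("extensions.lastAppVersion", "3.6.17");
'''

SAMPLE_USER_JS = '''\
user_pref("keyword.URL", "http://search.example.net/redirect?q=");
'''

if __name__ == "__main__":
    for pref, value, reason in audit_profile(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print("%s = %r: %s" % (pref, value, reason))
```

The profile path to read is the one DDS printed under `FF - ProfilePath` (here `...\Application Data\Mozilla\Firefox\Profiles\3t77m5o6.default\`); prefs.js is always present, user.js only if something created it, and on a stock install its mere existence is worth a look. Extensions are not covered by this check: compare the `extensions` folder against the `FF - Ext:` lines in the DDS log.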

Post a fresh DDS.txt log please. Also grab a fresh copy of ComboFix, run it, and post its log.


Thanks I'll do that, but I won't have access to the damaged computer for a few weeks, so it will be late June before I can post the information.


Any chance this could be a virus in my router?


Sure, it's possible that it is malware on your router. Are the other computers on the network affected?


I actually don't have another computer on the network, just a Roku.


Hi,

1. Very important: First disconnect your computers from the Internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into the small hole labeled Reset located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds).

3. Reset the IP/DNS settings of your Internet connection on each computer connected:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    • Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".

  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

4. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:
    ipconfig /flushdns


  • Then hit enter.
  • Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

Also update MBAM, run a Quick Scan, and post its log.

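Steps 2 to 4 above undo a DNS-changer style hijack, but they do not show whether one was present. The following Python script is an added example, not part of this thread: it reads the text of `ipconfig /all` and of the hosts file and reports resolvers that are neither on the LAN (RFC 1918 ranges) nor on an assumed trusted list, statically configured DNS with DHCP switched off, and hosts-file entries that redirect a name rather than block it. The ipconfig output and hosts file below are constructed; the 203.0.113.x addresses are documentation addresses standing in for a rogue resolver, and the trusted-resolver set is an assumption for the example.

```python
import ipaddress

# RFC 1918 ranges plus loopback: a home PC's resolver is normally the router here.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Resolvers the owner would accept outside the LAN (assumption for this example).
TRUSTED_DNS = {"8.8.8.8", "8.8.4.4"}


def parse_ipconfig(text):
    """Parse Windows XP 'ipconfig /all' output into {adapter: {setting: [values]}}.
    Handles 'Key . . . : value' lines plus the indented continuation lines that hold
    extra DNS servers. Assumes the XP format, where values never contain ':'."""
    cfg, adapter, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # "Ethernet adapter Local Area Connection:"
            adapter = line.strip().rstrip(":")
            cfg[adapter] = {}
            last_key = None
        elif adapter is None:
            continue
        elif ":" in line:
            left, right = line.split(":", 1)
            key = left.strip().rstrip(" .")   # drop the dot leaders
            value = right.strip()
            cfg[adapter][key] = [value] if value else []
            last_key = key
        elif last_key is not None:           # continuation line: another DNS server
            cfg[adapter][last_key].append(line.strip())
    return cfg


def on_lan(ip):
    return any(ip in net for net in LAN_NETWORKS)


def find_dns_issues(cfg, trusted_dns=TRUSTED_DNS):
    """Return [(adapter, description)] for resolvers that are neither on the LAN nor
    trusted, and for statically configured DNS (what a DNS changer leaves behind)."""
    issues = []
    for adapter, settings in cfg.items():
        servers = settings.get("DNS Servers", [])
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                issues.append((adapter, "unparseable DNS server entry %r" % server))
                continue
            if on_lan(ip) or server in trusted_dns:
                continue
            issues.append((adapter, "DNS server %s is outside the LAN and not trusted" % server))
        dhcp = (settings.get("Dhcp Enabled") or [""])[0].lower()
        if dhcp == "no" and servers:
            issues.append((adapter, "DNS servers set statically (DHCP disabled); confirm you set them"))
    return issues


def parse_hosts(text):
    """Return [(address, hostname)] for every mapping in a hosts file."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            entries.append((fields[0], name))
    return entries


def find_hosts_redirects(entries):
    """Return [(hostname, address)] for names sent anywhere except loopback/0.0.0.0.
    Loopback and 0.0.0.0 entries merely block a name; any other address redirects it."""
    redirects = []
    for address, name in entries:
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            redirects.append((name, address))
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            redirects.append((name, address))
    return redirects


# Constructed sample (not from the poster's machine): DHCP switched off and the
# resolvers pointed at TEST-NET addresses instead of the 192.168.1.1 gateway.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : dell-xp
        Primary Dns Suffix  . . . . . . . :
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
"""

# Constructed sample hosts file: two search sites redirected, one ad host blocked.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.80    www.google.com
203.0.113.80    search.yahoo.com
0.0.0.0         ads.example.net
"""

if __name__ == "__main__":
    for adapter, problem in find_dns_issues(parse_ipconfig(SAMPLE_IPCONFIG)):
        print("%s: %s" % (adapter, problem))
    for name, address in find_hosts_redirects(parse_hosts(SAMPLE_HOSTS)):
        print("hosts file redirects %s to %s" % (name, address))
```

Capture the input with `ipconfig /all > ipconfig.txt` from a command prompt and read `C:\WINDOWS\system32\drivers\etc\hosts`. One caveat for the router question raised above: if the PC is a DHCP client and the router acts as the DNS forwarder, ipconfig shows only 192.168.1.1 and a hijack of the router's upstream resolvers is invisible here; that has to be checked in the router's own WAN/DNS settings, which is why the reset in step 2 is done regardless of what this check reports.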

Awesome,

I will be able to do everything on Thursday, June 23.

Share this post


Link to post
Share on other sites
This topic is now closed to further replies.