Post #1, Jun 17 2009, 06:37 AM
New Member. Group: Members; Posts: 2; Joined: 17-June 09; Member No.: 342,721
I am running Vista Premium Service Pack 1 as two will not load. IE7 and McAfee Security Centre. My browser keeps getting transferred to sites that I have not clicked on. I did a OneCare safety scan and it said I was infected with OBFUSCATOR.ET and ER. I tried to load MalwareBytes but it wouldn't load. I eventually managed to get a scan log via a Ssr link on one of the help pages (thanks). Copy of scan log below; can anyone please help me with this problem?

DDS (Ver_09-05-14.01) - NTFSx86
Run by oakeyone at 12:30:36.90 on 17/06/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3071.2153 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\oakeyone\Program Files\DNA\btdna.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\oakeyone\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VW12PI8G\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BitTorrent DNA] "c:\users\oakeyone\program files\dna\btdna.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [Skytel] Skytel.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\ASETRES.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\www
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: NameServer = 85.255.112.215,85.255.112.94
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\oakeyone\appdata\roaming\mozilla\firefox\profiles\tcyp9i9m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\users\oakeyone\appdata\roaming\mozilla\firefox\profiles\tcyp9i9m.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\users\oakeyone\program files\dna\plugins\npbtdna.dll

============= SERVICES / DRIVERS ===============

R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-8-26 133152]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2009-6-16 269448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-8 210216]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-3-16 30752]

=============== Created Last 30 ================

2009-06-17 10:44 <DIR> --d----- c:\programdata\NOS
2009-06-17 10:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-17 09:22 98,304 a------- c:\windows\RTKAUDIOSERVICE.EXE
2009-06-17 09:18 <DIR> --d----- c:\windows\system32\EventProviders
2009-06-17 09:17 27,648 a------- c:\windows\system32\drivers\usbser.sys
2009-06-17 09:10 4,838 a------- c:\windows\system32\PerfStringBackup.TMP
2009-06-17 09:02 20,793 a------- c:\windows\system32\Config.MPF
2009-06-17 08:59 156,160 a------- c:\windows\system32\msls31.dll
2009-06-16 16:25 <DIR> --d----- c:\programdata\Yahoo!
2009-06-16 11:38 158,249 a------- c:\windows\system32\Downlnvw.exe
2009-06-16 07:35 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-16 07:35 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-16 07:35 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-16 07:35 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-16 07:35 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-11 17:28 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-11 17:28 636,928 a------- c:\windows\system32\localspl.dll
2009-06-11 17:28 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-05-29 10:31 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-05-29 10:31 <DIR> --d----- c:\program files\DivX
2009-05-29 10:31 <DIR> --d----- c:\program files\common files\DivX Shared
2009-05-26 18:40 56 a---h--- c:\programdata\ezsidmv.dat
2009-05-26 18:40 56 a---h--- c:\progra~2\ezsidmv.dat
2009-05-26 18:39 <DIR> --d--r-- c:\program files\Skype
2009-05-26 18:39 <DIR> --d----- c:\programdata\Skype

==================== Find3M ====================

2009-06-17 09:33 51,200 a------- c:\windows\inf\infpub.dat
2009-06-17 09:33 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-17 09:33 86,016 a------- c:\windows\inf\infstor.dat
2009-06-17 09:24 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-09 06:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 06:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 22:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 22:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 22:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 22:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-15 21:24 90,112 a------- c:\windows\system32\dpl100.dll
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:31:14.96 ===============

Look forward to hearing from anyone
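The DDS log in the post above is what a helper reads through by hand. As an added example (not code from the thread, from DDS, or from the helper), this Python parser splits a DDS log into its sections and pulls the Pseudo HJT Report entries so the DNS resolvers and other items can be listed for review; the sample input is a constructed excerpt of that log, and the "resolver outside private address space" check is an assumed review rule, not a verdict on any entry.

```python
import re
from ipaddress import ip_address

# Constructed input: a few entries of the DDS log posted above, put back one
# entry per line the way DDS writes them (the forum ran them together).
SAMPLE = """\
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.bbc.co.uk/
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\\progra~1\\mcafee\\sitead~1\\mcieplg.dll
uRun: [BitTorrent DNA] "c:\\users\\oakeyone\\program files\\dna\\btdna.exe"
mRun: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
TCP: NameServer = 85.255.112.215,85.255.112.94
================= FIREFOX ===================
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
"""

HEADER = re.compile(r"^=+\s*(.+?)\s*=+$")   # "===== Section name ====="
ENTRY = re.compile(r"^([\w -]+?): (.*)$")   # "BHO: ...", "TCP: ...", "uRun: ..."

def split_sections(log):
    """Map each DDS section header to the non-blank lines beneath it."""
    sections, current = {}, None
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections

def hjt_entries(log):
    """(kind, detail) pairs from the Pseudo HJT Report; 'uStart Page = ...' lines
    have no 'kind:' prefix, so they are split on ' = ' instead."""
    out = []
    for line in split_sections(log).get("Pseudo HJT Report", []):
        m = ENTRY.match(line)
        out.append(m.groups() if m else tuple(line.partition(" = ")[::2]))
    return out

def name_servers(log):
    """DNS resolvers DDS read from the TCP/IP settings, in order."""
    for kind, detail in hjt_entries(log):
        if kind == "TCP" and detail.startswith("NameServer ="):
            return [s.strip() for s in detail.split("=", 1)[1].split(",")]
    return []

def resolvers_to_verify(log):
    """Resolvers outside private LAN space (a home router would be inside it); confirm these against the ISP's published DNS servers."""
    return [s for s in name_servers(log) if not ip_address(s).is_private]
```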
Post #2, Jun 18 2009, 04:13 PM
malware expert. Group: HJT Team; Posts: 14,729; Joined: 8-January 05; From: Vancouver (not BC) WA (Not DC) USA; Member No.: 9,026
Hello oakeyone,
Download Security Check by screen317 from here or here. Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt. Please post the contents of that document.

QUOTE: I tried to load MalwareBytes but it wouldn't load.

If MBAM will not install, please rename the installer mbam-setup.exe. Example: newtool.exe. Proceed installing the renamed installer of MBAM. If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\) then rename mbam.exe to newtool.exe, double click newtool.exe to proceed in running a quick scan.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Post #3, Jun 25 2009, 11:54 PM
malware expert. Group: HJT Team; Posts: 14,729; Joined: 8-January 05; From: Vancouver (not BC) WA (Not DC) USA; Member No.: 9,026
This thread will now be closed due to lack of feedback.