Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TinyProxy.exe/MyWebSearch infections


  • This topic is locked This topic is locked
3 replies to this topic

#1 jcbuzz1970

jcbuzz1970

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK N/E
  • Local time:06:07 PM

Posted 28 December 2008 - 03:19 PM

Howdy all and thankyou for taking a look.
PC Specs:
Microsoft Windows XP
Media Center Edition
Version 2002
SP3

Fujitsu
Pentium 2.80GHZ
1.0 GB RAM

It's my sisters PC and not currently connected to the internet or any home networks.
Windows starts and seems to boot properly and quite fast but when finished lots of CMD/DOS boxes(about 50) open evry fast.
Some are blank,some have text in them but they open and close again too fast to read.
I have glimpsed the contents of 1 box and "MyWebSearch" was the only part i could read.
It takes about 10 seconds for this to happen then they stop,we get a McAfee error saying "virus scanning is disabled" then the PC restarts and goes through this loop again.
The PC starts in Safemode ok but until this morn wasn't able to access the internet.(i know it's a bad idea is safemode).
Did a bit of reading and found something called "TinyProxy.exe" on the PC and think that had changed settings in:-Internet Explorer-Tools-Internet Options-Connections-LAN Settings-Proxy Server."Use a proxy server for you LAN" was ticked.I unticked that and the net was available.
When using IE and doing a search using google all is fine until you click any of the results google found.I am taken to many different types of web sites but not the link i clicked ie windows update link takes me to MSN, ESET link takes me to Blinx video hosting site, etc, etc.

I have run a couple of scans (Mcafee,Trend online) and the have found many,many infections but PC is no better.
Anyway, if anyone can help, my sis and i would greatly appreciate it..



DDS (Version 1.1.0) - NTFSx86 MINIMAL
Run by Harry at 19:38:37.89 on 28/12/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.794 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Harry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.co.uk/
uWindow Title = Microsoft Internet Explorer provided by Orange UK
uSearch Bar = hxxp://search.bearshare.com/sidebar.html?src=ssb
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - No File
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [xgsvwuyos] c:\windows\system32\xgsvwuyos.exe xgsvwuyos
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Search - ?p=ZUfox000
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/229?335e535d5c2a4cf18ccbd2db875b7386
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/230?335e535d5c2a4cf18ccbd2db875b7386
IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\yujukumi.dll c:\windows\system32\jogejase.dll c:\windows\system32\mizukobe.dll c:\windows\system32\laraletu.dll,c:\windows\system32\nuhugofe.dll
LSA: Notification Packages = scecli c:\windows\system32\nuhugofe.dll

============= SERVICES / DRIVERS ===============

S1 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-12 201288]
S2 Logical Disk Manager (dmserver) ;Logical Disk Manager (dmserver) ;c:\program files\tintinyproxyy\tinyproxy.exe [2008-12-28 8960]
S2 Machine Debug Manager (MDM) ;Machine Debug Manager (MDM) ;c:\program files\tintinyproxyy\tinyproxy.exe [2008-12-28 8960]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\McSACore.exe" []
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-12 359248]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-12 144704]
S2 Windows Audio (AudioSrv) ;Windows Audio (AudioSrv) ;c:\program files\tintinyproxyy\tinyproxy.exe [2008-12-28 8960]
S3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service []
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-12 695624]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-12 79304]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-12 35240]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2008-10-12 33800]
S3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2008-10-12 40488]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2008-12-27 517632]

=============== Created Last 30 ================

2008-12-28 12:24 <DIR> --d----- c:\program files\tintinyproxyy
2008-12-28 04:31 <DIR> --d----- c:\program files\EsetOnlineScanner
2008-12-28 01:24 <DIR> --d----- c:\docume~1\harry\applic~1\Malwarebytes
2008-12-28 01:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-28 01:24 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 01:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-28 01:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 22:49 <DIR> --d----- c:\windows\pss
2008-12-27 22:38 <DIR> --d----- c:\docume~1\harry\applic~1\McAfee
2008-12-27 22:30 517,632 a----r-- c:\windows\system32\drivers\rt2870.sys
2008-12-27 15:46 <DIR> --d----- c:\windows\ERUNT
2008-12-27 15:44 <DIR> --d----- C:\SDFix
2008-12-24 17:39 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2008-12-24 16:42 <DIR> --d----- c:\documents and settings\harry\.housecall6.6
2008-12-24 15:42 120 ---sh--- c:\windows\system32\irozemem.ini
2008-12-23 12:08 26,112 a------- c:\windows\system32\stu2.exe
2008-12-22 13:10 120 ---sh--- c:\windows\system32\ukapoyur.ini
2008-12-21 12:48 120 ---sh--- c:\windows\system32\awawetod.ini
2008-12-20 21:37 120 ---sh--- c:\windows\system32\apobehew.ini
2008-12-20 08:01 120 ---sh--- c:\windows\system32\udeduges.ini
2008-12-19 11:15 120 ---sh--- c:\windows\system32\ahemegus.ini
2008-12-18 15:35 120 ---sh--- c:\windows\system32\imahivez.ini
2008-12-18 03:13 120 ---sh--- c:\windows\system32\ijasisaj.ini
2008-12-17 15:13 120 ---sh--- c:\windows\system32\urijetik.ini
2008-12-16 19:55 120 ---sh--- c:\windows\system32\itefajav.ini
2008-12-15 15:56 120 ---sh--- c:\windows\system32\imezarev.ini
2008-12-14 12:22 120 ---sh--- c:\windows\system32\ahozireg.ini
2008-12-12 15:09 120 ---sh--- c:\windows\system32\aleyahet.ini
2008-12-12 02:15 120 ---sh--- c:\windows\system32\imujezaj.ini
2008-12-10 03:49 120 ---sh--- c:\windows\system32\igoyinib.ini
2008-12-08 19:03 4,124 a------- c:\windows\wininit.ini
2008-11-28 22:20 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-28 22:20 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2008-12-24 15:42 97,919 a--sh--- c:\windows\system32\visujowo.dll
2008-12-23 14:59 63,041 a--sh--- c:\windows\system32\dutememo.dll
2008-12-23 12:08 8,704 a------- c:\windows\system32\userinit.exe
2008-12-23 01:10 95,870 a--sh--- c:\windows\system32\yowujeje.dll
2008-12-22 13:10 96,835 a--sh--- c:\windows\system32\talogevi.dll
2008-12-21 12:47 96,041 a--sh--- c:\windows\system32\kivigoru.dll
2008-12-20 21:36 97,916 a--sh--- c:\windows\system32\jutizowi.dll
2008-12-20 08:01 96,970 a--sh--- c:\windows\system32\jasamohu.dll
2008-12-18 15:35 98,054 a--sh--- c:\windows\system32\wuholove.dll
2008-12-16 19:55 68,206 a--sh--- c:\windows\system32\gazeyuha.dll
2008-12-14 12:22 90,268 a--sh--- c:\windows\system32\fanudugu.dll
2008-12-14 00:22 90,215 a--sh--- c:\windows\system32\zezosivi.dll
2008-12-14 00:22 85,717 a--sh--- c:\windows\system32\jelayube.dll
2008-12-12 02:14 90,233 a--sh--- c:\windows\system32\farakive.dll
2008-12-11 14:15 61,023 a--sh--- c:\windows\system32\wadavuro.dll
2008-12-11 14:15 92,272 a--sh--- c:\windows\system32\raganapo.dll
2008-12-10 17:03 94,843 a--sh--- c:\windows\system32\reboyuti.dll
2008-12-10 03:48 94,354 a--sh--- c:\windows\system32\takisupe.dll
2008-12-09 15:48 93,426 a--sh--- c:\windows\system32\pidezabi.dll
2008-12-08 15:35 64,788 a--sh--- c:\windows\system32\diyobela.dll
2008-12-07 16:35 95,919 a--sh--- c:\windows\system32\nugebini.dll
2008-12-07 16:35 87,262 -------- c:\windows\system32\gavulowe.dll
2008-12-06 15:07 91,818 a--sh--- c:\windows\system32\wamejawe.dll
2008-12-06 00:33 94,364 a--sh--- c:\windows\system32\mivojova.dll
2008-12-06 00:33 85,665 a--sh--- c:\windows\system32\muhofola.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 11:24 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2007-03-04 14:18 278,528 a------- c:\program files\common files\FDEUnInstaller.exe

============= FINISH: 19:39:15.81 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:02:07 AM

Posted 05 January 2009 - 06:38 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 jcbuzz1970

jcbuzz1970
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK N/E
  • Local time:06:07 PM

Posted 05 January 2009 - 09:25 AM

Thankyou for your response fenzodahl512 but after reading topics with similar problems to ours, we decided over the holidays to format and start again.
Anyway, my sis is a big "facebook" fan so i,m sure we'll be back soon with more nasties to sort out.
Could you recomend some free protection for her to maybe stop getting infected next time.

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:02:07 AM

Posted 05 January 2009 - 09:47 AM

Thank you for notify us.. I would recommend you to read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


For free antivirus.. I would recommend Avira AntiVir Personal

For free firewall, I would recommend PC Tools Firewall Plus

And for free antimalware I would recommend Malwarebytes' Anti-Malware


While we can have loads of security programs inside the computer, the best way is to stay safe on the internet.. Stay away from all porn sites, warez, illegal software, cracks, keygens.. Don't click on any suspicious pop-ups that may appears on your browser..


I will now close this topic.. Please pm any Moderator or HijackThis Team should you need to re-open this topic..


Stay safe on the net :thumbsup:


Regards
fenzodahl512

Edited by fenzodahl512, 05 January 2009 - 09:49 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users