Google search ecata.info problem


This topic is locked
3 replies to this topic

#1 Yetiboy (Members, 6 posts)

Posted 07 January 2009 - 03:53 AM

EDIT - I ran Malwarebytes and now everything is fine. Didn't want to post a reply because it would bump the thread. Thanks!

Hi,

I basically have the same problem as this guy, i.e. when I do a Google search I can see it looking up www.ecata.info in the bottom left.

I ran ComboFix like that guy in the thread (I guess I shouldn't have done this, sorry), and I had much the same results as him (it deleted the same two files his did), but when the process was complete I ran Firefox and nothing had changed.

Thanks for your help.


Here's my log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Jon at 19:47:18.93 on Wed 01/07/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.1143 [GMT 11:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Unwired\UwSCT.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jon\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0\bin\jusched.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\unwire~1.lnk - c:\program files\unwired\UwSCT.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jon\appdata\roaming\mozilla\firefox\profiles\si9777se.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - component: c:\users\jon\appdata\roaming\mozilla\firefox\profiles\si9777se.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox2.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-7-10 15424]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2007-4-26 25088]
R4 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-3-17 77824]
R4 TeamViewer;TeamViewer 3;c:\program files\teamviewer3\TeamViewer_Host.exe [2007-12-3 90112]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-23 24652]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-7 38496]

=============== Created Last 30 ================

2009-01-07 19:23 161,792 a------- c:\windows\SWREG.exe
2009-01-07 19:23 98,816 a------- c:\windows\sed.exe
2009-01-07 19:23 <DIR> --d----- C:\ComboFix
2009-01-07 19:10 691 a------- c:\users\jon\appdata\roaming\GetValue.vbs
2009-01-07 19:10 35 a------- c:\users\jon\appdata\roaming\SetValue.bat
2009-01-07 19:03 317,068,516 a------- c:\windows\MEMORY.DMP
2009-01-07 18:28 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-01-07 18:06 <DIR> --d----- c:\users\jon\appdata\roaming\Malwarebytes
2009-01-07 18:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 18:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 18:06 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-07 18:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 18:06 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-07 15:32 90,112 a------- c:\windows\unvise32.exe
2009-01-07 15:31 <DIR> --d----- c:\program files\The Rosetta Stone
2009-01-01 16:31 <DIR> --d----- c:\program files\igowin
2008-12-30 13:49 <DIR> --d----- c:\program files\Unwired
2008-12-22 15:59 25,312 a------- c:\windows\system32\DivXVfWCodec.dll
2008-12-22 15:59 25,312 a------- c:\windows\system32\SamsungVfWCodec.dll
2008-12-22 15:59 447,200 a------- c:\windows\system32\OpenQuicktimeLib.dll
2008-12-22 15:59 332,512 a------- c:\windows\system32\3ivxVfWCodec.dll
2008-12-22 15:58 1,155,808 a------- c:\windows\system32\3ivx.dll
2008-12-22 15:52 66,272 a------- c:\windows\system32\libfaac.dll
2008-12-17 06:20 34,064 a------- c:\windows\system32\lhacm.acm
2008-12-17 06:20 <DIR> --d----- c:\program files\Teamspeak2_RC2
2008-12-12 07:17 2,048 a------- c:\windows\system32\tzres.dll
2008-12-11 21:14 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-11 21:09 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-11 21:09 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-11 13:44 2,927,104 a------- c:\windows\explorer.exe
2008-12-11 13:44 827,392 a------- c:\windows\system32\wininet.dll
2008-12-11 13:33 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-11 13:32 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-11 13:32 94,720 a------- c:\windows\system32\logagent.exe

==================== Find3M ====================

2009-01-07 18:13 12,931 a------- c:\users\jon\appdata\roaming\nvModes.dat
2008-11-09 12:54 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-01 14:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 14:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 14:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 14:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 14:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-22 14:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 16:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-17 07:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-17 07:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 18:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 17:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-10 06:56 143,360 a------- c:\windows\inf\infstrng.dat
2008-10-10 06:56 86,016 a------- c:\windows\inf\infstor.dat
2008-10-10 06:56 51,200 a------- c:\windows\inf\infpub.dat
2008-09-23 20:26 174 a--sh--- c:\program files\desktop.ini
2008-09-23 20:11 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-03 11:18 0 a------- c:\users\jon\appdata\roaming\wklnhst.dat
2007-04-26 10:53 25,088 a------- c:\windows\inf\tap0901.sys
2006-11-02 23:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 23:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 23:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 23:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 20:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 20:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 20:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 20:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:47:57.29 ===============

Edited by Yetiboy, 07 January 2009 - 04:36 AM.
#2 miekiemoes (Malware Response Team, Belgium)

Posted 07 January 2009 - 04:40 AM

Hi,

EDIT - I ran Malwarebytes and now everything is fine. Didn't want to post a reply because it would bump the thread. Thanks!

So I assume this thread can be closed as resolved?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Yetiboy (Topic Starter)

Posted 07 January 2009 - 08:19 PM

Yes, thank you.

#4 miekiemoes (Malware Response Team)

Posted 08 January 2009 - 03:35 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.