Infected with unknown trojan


  • This topic is locked
2 replies to this topic

#1 Lumpy

Lumpy

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:03 AM

Posted 24 February 2009 - 10:48 AM

Hi.

I got infected from a website last week (18-Feb-2009). I used the Malwarebytes' Anti-Malware program to remove most of the bad stuff:

Files Infected:
C:\Documents and Settings\Matthew Farr\Local Settings\Temp\winvsnet.tmp (Rogue.Installer)
C:\WINDOWS\system32\Drivers\mmfsvbwb.sys (Rootkit.Agent)
C:\WINDOWS\system32\senekaxrjvtebo.dat (Trojan.Agent)
C:\WINDOWS\system32\senekaongdhcmc.dat (Trojan.Agent)
C:\Documents and Settings\Matthew Farr\Local Settings\Temp\winsinstall.exe (Trojan.Downloader)
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader)
C:\Documents and Settings\Matthew Farr\Local Settings\Temp\prun.tmp (Trojan.Downloader)
C:\WINDOWS\system32\senekajushlplg.dll (Trojan.TDSS)
C:\WINDOWS\system32\senekaglwyuvor.dll (Trojan.TDSS)
C:\WINDOWS\system32\senekakughppej.dll (Trojan.TDSS)
C:\WINDOWS\system32\drivers\senekalfwebyck.sys (Trojan.TDSS)
C:\WINDOWS\system32\mlJcyYqp.dll (Trojan.Vundo)
C:\WINDOWS\system32\urqPgdaX.dll (Trojan.Vundo)
C:\WINDOWS\system32\wvUKDwvV.dll (Trojan.Vundo)
C:\WINDOWS\system32\kcjrjnri.dll (Trojan.Vundo.H)
C:\WINDOWS\system32\akbvid.dll (Trojan.Vundo.H)
C:\WINDOWS\system32\cJQBdMoq.ini (Trojan.Vundo.H)
C:\WINDOWS\system32\cJQBdMoq.ini2 (Trojan.Vundo.H)
C:\WINDOWS\system32\pwxkcwub.dll (Trojan.Vundo.H)
C:\WINDOWS\system32\buwckxwp.ini (Trojan.Vundo.H)
C:\WINDOWS\system32\qoMdBQJc.dll (Trojan.Vundo.H)
C:\WINDOWS\system32\qoMdBQJc.dllbox (Trojan.Vundo.H)
C:\WINDOWS\system32\c:\windows\system32\qomdbqjc.dll (Trojan.Vundo.H)

I had to run it twice and restart twice to get clean. I then installed F-Secure antivirus/antispyware (listed as WildBlue Security Center 8.01 below).

- - - - - - - - - - - - - -

Apparently, I didn't get everything. I noticed a few days ago that my Google searches are being redirected by "clickfraudmanager.com." It takes me to various advertisement sites, such as:
  • http://www.ave99.com/search.php?q=canon%2B40d%2Bvs%2B50d
  • http://www.dexknows.com/search.ds?newSearch=true&siteid=CD42&what=Cameras&where=denver+co&pid=bresults&from=CD42&metro=checked&qCD=
  • http://biassickness.info/search.php?aid=11774&said=2788-3&keyword=canon%2040d%20vs%2050d&ipr=&rej=1

- - - - - - - - - - - - - -

I tried running SDFix, but it didn't solve the problem. Here is the SDFix report:


SDFix: Version 1.240
Run by Administrator on Tue 02/24/2009 at 01:01 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 01:22:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex]
"pkm:catalog:LastCatalogCrawlId"=dword:00000012
"pkm:catalog:LastCatalogCrawlModified"=dword:000000a9
"pkm:catalog:LastCatalogCrawlErrors"=dword:00000000
"pkm:catalog:LastCatalogCrawlKBytes"=dword:00000066
"pkm:catalog:LastCatalogCrawlRetries"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex]
"CheckPointNumber"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\19]
"CrawlType"=dword:00000005
"InProgress"=dword:00000001
"DoneAddingCrawlSeeds"=dword:00000001
"LogName"="C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Crwl19.gthr"
"CheckPoint"=hex:e0,9a,00,00,00,00,00,00
"IsCatalogLevel"=dword:00000000
"LogStartAddId"=dword:00000002
"SuccessfulTransactions"=dword:00000001
"ErrorTransactions"=dword:00000000
"WarningTransactions"=dword:00000000
"ExcludedTransactions"=dword:00000000
"RetryTransactions"=dword:00000000
"KilobytesCrawled"=dword:00000000
"Modified"=dword:000000a8
"UnvisitedItems"=dword:00000004
"ForcedFullCrawl"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2]
"CrawlNumberInProgress"=dword:00000013

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"="C:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe:*:Enabled:Adobe Dreamweaver CS3"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Tue 13 Jan 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!




I did delete "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" but it didn't seem to fix anything.




- - - - - - - - - - - - - -

HERE IS MY DDS.TXT LOG FILE CONTENTS:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Matthew Farr at 8:14:52.70 on Tue 02/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1283 [GMT -7:00]

AV: WildBlue Security Center 8.01 *On-access scanning enabled* (Updated)
FW: WildBlue Security Center 8.01 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Program Files\F-Secure\FSAUA\program\fsus.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Matthew Farr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Flashget] c:\program files\flashget\FlashGet.exe /min
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
StartupFolder: c:\docume~1\matthe~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\f-secure\fsps\program\FSLSP.DLL
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
TCP: {22A86038-21D0-4EF5-9AE2-8AD3F4DCB954} = 205.171.3.65,205.171.2.65
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: akbvid.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMdBQJc

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matthe~1\applic~1\mozilla\firefox\profiles\xo2fgfna.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-2-19 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-2-19 79872]
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2002-3-11 9216]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure\hips\drivers\fshs.sys [2009-2-19 67808]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure\anti-virus\fsgk32st.exe [2009-2-19 215648]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2009-2-19 84096]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure\orsp client\fsorsp.exe [2009-2-19 55904]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2009-1-12 71961]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 SessionLauncher;SessionLauncher;c:\docume~1\matthe~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\matthe~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2009-2-19 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\fsrec.sys [2009-2-19 25184]

=============== Created Last 30 ================

2009-02-24 00:56 <DIR> --d----- c:\windows\ERUNT
2009-02-24 00:55 <DIR> --d----- C:\SDFix
2009-02-22 14:38 <DIR> --d----- c:\docume~1\matthe~1\applic~1\F-Secure
2009-02-19 23:56 33,408 a------- c:\windows\system32\drivers\fsbts.sys
2009-02-19 23:55 79,872 a------- c:\windows\system32\drivers\fsdfw.sys
2009-02-19 23:54 <DIR> --d----- c:\program files\F-Secure
2009-02-19 23:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg
2009-02-19 23:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\f-secure
2009-02-18 00:04 <DIR> --d----- c:\docume~1\matthe~1\applic~1\Malwarebytes
2009-02-18 00:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-18 00:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-18 00:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 00:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-18 00:03 <DIR> --d----- C:\fsaua.data
2009-02-17 23:23 1,104 a------- c:\windows\bmmcgvof
2009-02-06 04:26 0 a------- c:\windows\tosOBEX.INI
2009-02-06 00:43 <DIR> --d-h--- c:\windows\PIF
2009-02-06 00:38 41,344 a------- c:\windows\system32\drivers\tosrfusb.sys
2009-02-06 00:38 113,920 a------- c:\windows\system32\drivers\tosrfbd.sys
2009-02-06 00:38 73,728 a------- c:\windows\system32\drivers\Tosrfhid.sys
2009-02-06 00:38 36,480 a------- c:\windows\system32\drivers\tosrfbnp.sys
2009-02-06 00:38 3,712 a------- c:\windows\system32\drivers\Toshidpt.sys
2009-02-06 00:38 64,896 a------- c:\windows\system32\drivers\tosrfcom.sys
2009-02-06 00:38 53,376 a------- c:\windows\system32\drivers\TosRfSnd.sys
2009-02-06 00:38 41,600 a------- c:\windows\system32\drivers\tosporte.sys
2009-02-06 00:38 18,612 a------- c:\windows\system32\drivers\tosrfnds.sys
2009-02-06 00:38 <DIR> --d----- c:\program files\Toshiba
2009-02-05 23:13 <DIR> --d----- C:\v51006T_20070314
2009-01-25 22:57 <DIR> --d----- c:\docume~1\matthe~1\applic~1\Intuit
2009-01-25 22:57 <DIR> --d----- c:\program files\common files\supportsoft
2009-01-25 22:47 1,933,312 a------- c:\windows\system32\cdintf251.dll
2009-01-25 22:45 <DIR> --d----- c:\program files\common files\AnswerWorks 4.0
2009-01-25 22:45 <DIR> --d----- c:\program files\common files\Intuit
2009-01-25 22:45 <DIR> --d----- c:\program files\Intuit
2009-01-25 22:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2009-01-25 22:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\COMMON FILES

==================== Find3M ====================

2009-01-14 02:10 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-13 01:00 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-01-13 00:17 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 8:15:31.82 ===============




I have attached the "Attach.txt" file as a zip file as well.


- - - - - - - - - - - - - -

Thanks in advance for any help! I'm at a loss for what I should do at this point. :thumbup2:

Attached Files
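Two details in the logs above are worth lining up against each other: the DDS "Pseudo HJT Report" still shows `AppInit_DLLs: akbvid.dll` and `LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMdBQJc`, and both `akbvid.dll` and `qoMdBQJc.dll` appear in the Malwarebytes "Files Infected" list. Registry load points that still name a deleted file are a common reason a machine keeps misbehaving after a file-level cleanup. The Python script below is an added example, not code from the thread or from any of the tools mentioned in it; it parses the scanner's removal list, then scans the DDS load-point lines (AppInit_DLLs, LSA Authentication Packages, Notify, SSODL) for references to those file names and for values that are empty or single-default on a clean Windows XP install. The sample input is a constructed subset of the lines posted above, and the prefix list and "clean XP default" assumptions are mine.

```python
"""Cross-check a Malwarebytes removal list against DDS load-point entries.

Added example: the two report snippets are constructed from lines posted in
the thread; the load-point list and XP defaults are assumptions of this script.
"""
import re

# Constructed sample: file names copied from the 'Files Infected' list above.
MBAM_REPORT = """\
C:\\WINDOWS\\system32\\prunnet.exe (Trojan.Downloader)
C:\\WINDOWS\\system32\\akbvid.dll (Trojan.Vundo.H)
C:\\WINDOWS\\system32\\qoMdBQJc.dll (Trojan.Vundo.H)
C:\\WINDOWS\\system32\\qoMdBQJc.dllbox (Trojan.Vundo.H)
"""

# Constructed sample: a subset of the DDS 'Pseudo HJT Report' lines above.
DDS_REPORT = """\
mRun: [F-Secure Manager] "c:\\program files\\f-secure\\common\\FSM32.EXE" /splash
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: akbvid.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\qoMdBQJc
"""

# Assumption: load points that are empty or hold one Microsoft default on a
# clean XP install, so anything extra there deserves a second look.
PERSISTENCE_PREFIXES = ("AppInit_DLLs:", "LSA: Authentication Packages", "Notify:", "SSODL:")
DEFAULT_LSA_PACKAGES = {"msv1_0"}


def removed_stems(report):
    """Base names (lowercase, extension dropped) of files the scanner reported removing."""
    stems = set()
    for line in report.splitlines():
        m = re.match(r"(.+?)\s+\([^()]+\)$", line.strip())
        if not m:
            continue
        base = m.group(1).rsplit("\\", 1)[-1]          # strip the directory part
        stems.add(base.lower().split(".", 1)[0])       # 'qoMdBQJc.dllbox' -> 'qomdbqjc'
    return stems


def _stems_in(line):
    """Stems of every path-like token on a DDS line ('c:\\dir\\name' or 'name.dll')."""
    tokens = re.split(r"[\s\\\"]+", line.lower())
    return {t.split(".", 1)[0] for t in tokens if t}


def flag_entries(dds, stems):
    """Return [(line, [reasons])] for load-point lines that still reference a
    removed file or carry a non-default value."""
    findings = []
    for raw in dds.splitlines():
        line = raw.strip()
        if not line.startswith(PERSISTENCE_PREFIXES):
            continue
        reasons = []
        hit = _stems_in(line) & stems
        if hit:
            reasons.append("references removed file(s): " + ", ".join(sorted(hit)))
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is populated (empty on a clean XP install)")
        if line.startswith("LSA: Authentication Packages"):
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:
                reasons.append("non-default LSA authentication package(s): " + " ".join(extra))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in flag_entries(DDS_REPORT, removed_stems(MBAM_REPORT)):
        print(entry)
        for r in why:
            print("    ->", r)
```

Run against the constructed input, the script flags exactly the `AppInit_DLLs` and `LSA` lines and leaves the `Notify` and `SSODL` entries alone, which is the triage a helper on this kind of thread does by eye: a file-level removal that leaves the registry reference behind still needs the load-point value cleared.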

#2 Lumpy

Lumpy
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:03 AM

Posted 24 February 2009 - 12:04 PM

I think I have fixed this problem. I did some searching using IE for "clickfraudmanager" and found this Geeks to Go thread. Someone else had the same problem. I used the GooredFix program that he mentions in post #22. He says the problem was "the new variant of the XUL Cache infection."

Looks like my redirect problem is solved.

Thanks!

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:09:03 AM

Posted 24 February 2009 - 12:41 PM

Thanks for informing us what you have done.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
