
Google search redirect in Firefox


  • This topic is locked
13 replies to this topic

#1 Catatonic

Catatonic

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 14 May 2009 - 04:41 AM

Greetings. In Firefox, when I do a search in Google and then click on one of the search results, something is redirecting it to an unrelated web site. I have had other issues, but this one is the most persistent. Other issues have included suddenly being unable to click on anything on my PC, even though the cursor was movable, and so having to restart the PC. I have also had a window pop up while doing searches on the internet, and the window looked like it was scanning for viruses on my PC. And I have had a Microsoft Security Center window pop up on my PC with a warning about Win32.Brontok. Your help in locating any and all viruses, trojans, spyware, and/or malware on my PC and removing them would be greatly appreciated.


DDS (Ver_09-05-14.01) - NTFSx86
Run by HP_Administrator at 5:15:32.81 on Thu 05/14/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1322 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\RTHDCPL.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system\hpsysdrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: XBTB08484 Class: {5018ff9c-589b-4b69-9cd5-b8d5670541f4} - c:\program files\powerratings toolbar\powerratingsv2.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\26719257-26d9-4beb-adeb-f42e267c71bf.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [DVDTray] c:\program files\ahead\odd toolkit\DVDTray.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [realteks] "c:\documents and settings\hp_administrator\application data\google\jaeio234556.exe" 2
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: EasyRead + - c:\program files\easy read\ZoomIn.js
IE: EasyRead - - c:\program files\easy read\ZoomOut.js
IE: {A0E6D3BD-A661-447D-8634-0751467857F3} - c:\program files\easy read\ZoomIn.js
IE: {AEBB571B-4C48-438D-808D-999F168CDECE} - c:\program files\easy read\ZoomOut.js
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: facebook.com\www
Trusted Zone: fool.com\caps
Trusted Zone: indiana-ins.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mhsnr.org\tsac
Trusted Zone: microsoft.com\update
Trusted Zone: storephotos.com\www
Trusted Zone: turbotax.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\dsl.sbc
Trusted Zone: yahoo.com\sbc
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://prod1.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} - hxxp://www.schaeffersresearch.com/download/CfxIEAx.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} - hxxp://host1.telechart.tv/tcinstall/setup.exe
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxp://mhsnr-svmc1.mhsnr.org/iNotes6.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4033A55E-27B3-11D3-B48A-005004868418} - hxxp://mercynetportal.mhsnr.org/coreport/controls/windowssso.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143601082656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://tsac.mhsnr.org/tsweb/msrdp.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://asp17.centra.com/SiteRoots/main/Install/CentraDownloader.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://toolbox.webex.com/client/v_mywebex-t20/event/ieatgpc.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-7 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-7 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-5-7 144704]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-10-25 100480]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-7 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-7 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-7 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-7 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S2 0191111242179427mcinstcleanup;McAfee Application Installer Cleanup (0191111242179427);c:\windows\temp\019111~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\019111~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-7 34216]

=============== Created Last 30 ================

2009-05-14 01:05 <DIR> --d----- C:\SDFix
2009-05-14 00:52 <DIR> --d----- c:\program files\SpywareBlaster
2009-05-14 00:19 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-05-14 00:11 <DIR> --d----- c:\windows\ERUNT
2009-05-14 00:02 <DIR> --d----- C:\SDFix first
2009-05-12 18:40 197 a------- c:\windows\system32\MRT.INI
2009-05-10 23:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-10 23:30 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-10 23:30 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2009-05-10 23:28 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-07 06:30 11,007 a------- c:\windows\system32\Config.MPF
2009-05-07 06:27 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-05-07 06:27 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-05-07 06:27 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-05-07 06:27 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-05-07 06:27 <DIR> --d----- c:\program files\common files\McAfee
2009-05-07 06:27 <DIR> --d----- c:\program files\McAfee.com
2009-05-07 06:27 <DIR> --d----- c:\program files\McAfee
2009-05-07 06:22 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-25 09:05 <DIR> --d----- c:\program files\iPod
2009-04-25 09:05 <DIR> --d----- c:\program files\iTunes
2009-04-25 09:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-25 09:03 <DIR> --d----- c:\program files\Bonjour
2009-04-15 15:20 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 15:20 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 15:20 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 15:20 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 15:20 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 15:20 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 15:20 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 15:20 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 15:20 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 15:19 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 15:19 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 15:19 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-05-05 09:19 1,442 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2006-02-22 05:13 28,672 a------- c:\documents and settings\hp_administrator\atwbxdet.dll
2006-02-06 03:05 22 a--sh--- c:\windows\sminst\HPCD.sys
2008-09-17 12:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 5:17:04.95 ===============
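A small triage script, added here as an example and not part of this thread or of the DDS tool, that flags the entries in the Pseudo HJT Report above that a helper reads first: the ProxyServer value pointing at 127.0.0.1 (it routes the browser's HTTP traffic through a process on the machine itself, a common cause of the search redirects described), the mRun entry that launches a random-named executable from Application Data, orphaned "No File" entries, and the UAC-prefixed system32 files that appear in the Bad Image message and ComboFix deletions later in the thread. The sample lines are copied from this thread's logs; the rule patterns and severity levels are assumptions.

```python
"""Flag suspicious lines in a DDS 'Pseudo HJT Report' section.

Added example, not code from BleepingComputer or the DDS tool.  The
detection rules are assumptions chosen to match what this thread's
logs show; they are heuristics, not a complete malware scanner.
"""
import re

# Lines copied from the logs posted in this thread (the UAC*.dll path is
# from the "Bad Image" message); everything else here is constructed.
SAMPLE_DDS = r"""
uStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uInternet Settings,ProxyOverride = *.local
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [realteks] "c:\documents and settings\hp_administrator\application data\google\jaeio234556.exe" 2
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
TB: {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - No File
Notify: AtiExtEvent - Ati2evxx.dll
c:\windows\system32\UAChkstriqyviiuvfw.dll
"""

# A proxy on the loopback address means a local process sits between the
# browser and the internet and can rewrite any page or click.
LOOPBACK = re.compile(r"\b(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(?::\d+)?", re.I)
# uRun / mRun lines: "[name] command line"
RUN_LINE = re.compile(r"^(?P<hive>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
# Autoruns launched from profile data or temp directories (user-writable).
USER_WRITABLE = re.compile(
    r"\\(?:documents and settings|docume~1|users)\\[^\\]+\\"
    r"(?:application data|applic~1|local settings|locals~1)\\", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
# Random-looking binary names such as jaeio234556.exe (letters then digits).
RANDOM_NAME = re.compile(r"^[a-z]{3,}\d{4,}\.(?:exe|dll)$", re.I)
# UAC + random letters in system32: the naming used by the files this
# thread's ComboFix run deleted.
UAC_NAME = re.compile(r"\\UAC[a-z]{8,}\.(?:dll|sys|dat|db|log)\b", re.I)

RANK = {"low": 1, "medium": 2, "high": 3}


def _exe_path(cmd):
    """Pull the executable path out of a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, maybe with args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)     # unquoted path up to .exe
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def analyze(dds_text):
    """Return one finding per suspicious line: {'line', 'severity', 'reasons'}."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if "proxyserver" in line.lower() and LOOPBACK.search(line):
            reasons.append(("high", "browser proxy points at a loopback address"))
        run = RUN_LINE.match(line)
        if run:
            path = _exe_path(run.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            if USER_WRITABLE.search(path) or TEMP_DIR.search(path):
                reasons.append(("high", "autorun launched from a user-writable data directory"))
            if RANDOM_NAME.match(base):
                reasons.append(("medium", "autorun executable has a random-looking name"))
        if UAC_NAME.search(line):
            reasons.append(("high", "UAC-prefixed system32 file (naming seen in this thread)"))
        if line.endswith("- No File"):
            reasons.append(("low", "orphaned entry: registered component is missing on disk"))
        if reasons:
            severity = max((sev for sev, _ in reasons), key=RANK.get)
            findings.append({"line": line, "severity": severity,
                             "reasons": [text for _, text in reasons]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_DDS):
        print(f"[{f['severity'].upper()}] {f['line']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```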

#2 Catatonic

Catatonic
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 14 May 2009 - 09:49 PM

Here's more information. When I ran dds.scr, my McAfee SecurityCenter protection services were enabled, but it did not seem to interfere with dds. If you think it affected the results of the scan, however, then please let me know.

Before running the dds, I had uninstalled Firefox from my PC.

Several minutes ago, while browsing the internet with AT&T Yahoo! Browser, my PC suddenly shut down on its own and attempted to restart; it stalled just before the Welcome screen was supposed to appear. I then held down the power button to make it shut down, and then I restarted it. After restarting, the following messages popped up:

Message #1:

svchost.exe Bad Image

The application or DLL globalroot\systemroot\system32\UAChkstriqyviiuvfw.dll is not a valid Windows image. Please check this against your installation diskette.

Message #2:

Security Center Alert

To help protect your computer, Windows ... some features of this program. Do you want to block this suspicious software?
Name: Win32.Brontok
Risk: High
Description: This worm spreads via the Internet ....
Windows Firewall has detected unauthorized ....

Message #3:

Windows Explorer has encountered a problem and needs to close. ....
AppName: explorer.exe
AppVer: 6.0.2900.5512
ModName: kernel32.dll
ModVer: 5.1.2600.5781
Offset: 00012afb

The following files will be included in this error report:

C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\a93d_appcompat.txt

I then tried to check my Windows Firewall settings and noticed that I had to turn something on (Security Center?) in order to view the firewall settings. After doing this, I could see that the firewall is on, but the following exceptions are being permitted:

File and Printer Sharing
Remote Assistance
svchost
Updates from HP

Another thing perhaps worth mentioning is that I've got my AT&T Yahoo! Browser set so that a Privacy Alert pops up whenever cookies attempt to be saved to my PC. But even when I'm not actively browsing, I sometimes get these Privacy Alerts. This seems abnormal.

One more thing. In AT&T Yahoo! Browser, when clicking on some search results, nothing happens (i.e., when clicking on the link, the web site doesn't open). This seems random and does not affect all search results.

I feel that I've really got a sick PC, and so I hope you can help me.

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:58 PM

Posted 15 May 2009 - 10:03 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 Catatonic

Catatonic
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 16 May 2009 - 01:39 AM

Hi, Sam. Thanks for offering to help me!

Immediately after downloading and saving ComboFix.exe to my desktop from "Link 1" in your message, my computer automatically shut down and restarted. And then the following messages appeared:

Message #1:

Svchost.exe - Bad Image

Message #2:

Security Center Alert (regarding Win32.Brontok)

Message #3:

cli.exe has encountered a problem and needs to close. (This message has an ATI logo in it.)

Message #4:

DVDTray.exe - Application Error

Upon closing the cli.exe message, the following message appeared:

Application Error

Then, just to be safe, I manually shut down and restarted my computer.

And then, I turned off the McAfee SecurityCenter protection and disabled all Spyware Blaster protection.

Next, I double-clicked on ComboFix.exe and then clicked on the Run button. An hour glass appeared for a few seconds, and then nothing else happened.

In Windows Task Manager, I could see that ComboFix.exe was one of the processes running, but with zero CPU usage. And so I ended this process.

I then turned the McAfee SecurityCenter protection back on and ran a quick scan with it. It found and quarantined four trojans named Generic FakeAlert.k. (I had run scans with McAfee several times during recent days, and each time it had found and quarantined these trojans, but with no obvious benefit.)

I then turned off my DSL router, disabled McAfee SecurityCenter, and tried running ComboFix.exe again. Still, just the hour glass, but nothing else.

Next, I manually shut down and restarted my computer and tried running ComboFix.exe again. This time, it began executing. But suddenly, my computer made a short high-pitched sound. The sound did not come from the speakers, but it came from the unit that houses the hard drives, CPU, etc. And the following message appeared:

"Caution. ComboFix.exe may be downloaded from any of the above sites .... For peace of mind, I suggest that you delete the current copy and get a fresh one."

I assumed that the message was normal, and so I allowed the process to continue.

After ComboFix.exe created the log.txt file, I enabled McAfee Security Center, turned my modem on, and then opened the AT&T Yahoo Browser.

McAfee then generated a message saying that it had blocked and removed a trojan. Evidently, it thought ComboFix.exe was a trojan, and so it deleted ComboFix.exe from my desktop. In the McAfee SecurityCenter log, the detection name for this trojan is Artemis!D5FA7D66707D. I assume that this was a normal event and that ComboFix is not a trojan.

Here is log.txt:

ComboFix 09-05-15.01 - HP_Administrator 05/16/2009 1:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1497 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\err.log
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\windows\system32\UACadbhypkmpudvvoc.dll
c:\windows\system32\UACbvovdfrbbogfsuk.log
c:\windows\system32\UACclwlqphxjhfoobs.dat
c:\windows\system32\UACfheabuempsghebi.dll
c:\windows\system32\UACgfjobsejmqflnsw.dll
c:\windows\system32\UAChkstriqyviiuvfw.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkeobpcfodkxmqtf.db
c:\windows\system32\UACudklxiamtcxmtsw.dll
c:\windows\system32\UACxesvtbjuhocqcov.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-14 05:05 . 2009-05-14 05:41 -------- d-----w C:\SDFix
2009-05-14 04:52 . 2009-05-16 05:17 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-14 04:52 . 2009-05-14 04:54 -------- d-----w c:\program files\SpywareBlaster
2009-05-14 04:19 . 2009-05-14 04:19 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-05-14 04:11 . 2009-05-14 04:11 -------- d-----w c:\windows\ERUNT
2009-05-14 04:02 . 2009-05-14 04:35 -------- d-----w C:\SDFix first
2009-05-14 03:21 . 2009-05-14 03:21 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\Mozilla
2009-05-12 06:14 . 2009-05-12 06:14 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-05-11 03:40 . 2009-05-11 03:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 03:30 . 2009-05-14 07:20 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-11 03:30 . 2009-05-11 03:30 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-05-11 03:28 . 2009-05-11 03:28 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-07 10:27 . 2009-03-25 15:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-05-07 10:27 . 2009-03-25 15:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-05-07 10:27 . 2009-03-25 15:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-05-07 10:27 . 2008-10-23 17:08 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-05-07 10:27 . 2009-05-07 10:27 -------- d-----w c:\program files\Common Files\McAfee
2009-05-07 10:27 . 2009-05-07 10:27 -------- d-----w c:\program files\McAfee.com
2009-05-07 10:27 . 2009-05-13 01:50 -------- d-----w c:\program files\McAfee
2009-05-07 10:22 . 2009-03-25 15:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-05-06 19:55 . 2009-05-16 05:10 0 ----a-w c:\windows\system32\drivers\UACohyvoxyqfmouiow.sys
2009-04-25 13:05 . 2009-04-25 13:05 -------- d-----w c:\program files\iPod
2009-04-25 13:05 . 2009-04-25 13:05 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-25 13:05 . 2009-04-25 13:05 -------- d-----w c:\program files\iTunes
2009-04-25 13:03 . 2009-04-25 13:03 -------- d-----w c:\program files\Bonjour
2009-04-25 13:02 . 2009-04-25 13:02 -------- d-----w c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 04:35 . 2007-03-30 23:06 -------- d-----w c:\program files\PowerArchiver
2009-05-10 17:17 . 2006-08-11 09:12 -------- d-----w c:\program files\IRIS Desktop Search
2009-05-10 04:56 . 2007-10-03 07:02 -------- d-----w c:\program files\IRISPen
2009-05-07 09:47 . 2008-08-06 00:06 -------- d-----w c:\program files\Webshots
2009-05-05 13:19 . 2005-12-30 11:21 1442 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-04-25 13:05 . 2007-07-08 11:31 -------- d-----w c:\program files\Common Files\Apple
2009-04-08 15:39 . 2005-10-25 13:59 -------- d-----w c:\program files\Java
2009-04-03 12:00 . 2005-10-25 14:58 -------- d-----w c:\program files\Google
2009-03-25 15:06 . 2009-03-25 15:06 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-19 20:32 . 2006-09-19 20:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 09:19 . 2008-12-18 18:13 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 05:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 05:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-10 05:00 78336 ----a-w c:\windows\system32\ieencode.dll
2006-02-06 07:05 . 2006-02-06 07:05 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\26719257-26d9-4beb-adeb-f42e267c71bf.exe" [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-06 196608]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-10-25 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/7/2009 6:29 AM 203280]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [10/25/2005 10:13 AM 100480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S2 0191111242179427mcinstcleanup;McAfee Application Installer Cleanup (0191111242179427);c:\windows\TEMP\019111~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\019111~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-26 c:\windows\Tasks\HPCeeSchedule.job
- c:\progra~1\EASYIN~1\Ceement\HPCEE.exe [2005-05-24 16:46]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-07 14:53]

2009-05-07 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-07 14:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5018FF9C-589B-4B69-9CD5-B8D5670541F4} - c:\program files\PowerRatings Toolbar\powerratingsv2.dll
HKLM-Run-realteks - c:\documents and settings\HP_Administrator\Application Data\Google\jaeio234556.exe
HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: EasyRead + - c:\program files\Easy Read\ZoomIn.js
IE: EasyRead - - c:\program files\Easy Read\ZoomOut.js
IE: {{A0E6D3BD-A661-447D-8634-0751467857F3} - c:\program files\Easy Read\ZoomIn.js
IE: {{AEBB571B-4C48-438D-808D-999F168CDECE} - c:\program files\Easy Read\ZoomOut.js
Trusted Zone: facebook.com\www
Trusted Zone: fool.com\caps
Trusted Zone: indiana-ins.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mhsnr.org\tsac
Trusted Zone: microsoft.com\update
Trusted Zone: storephotos.com\www
Trusted Zone: turbotax.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\dsl.sbc
Trusted Zone: yahoo.com\sbc
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://prod1.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {4033A55E-27B3-11D3-B48A-005004868418} - hxxp://mercynetportal.mhsnr.org/coreport/controls/windowssso.cab
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://asp17.centra.com/SiteRoots/main/Install/CentraDownloader.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 01:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(936)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system\hpsysdrv.exe
c:\program files\Common Files\InstallShield\UpdateService\issch.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-05-16 1:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 05:35

Pre-Run: 220,727,513,088 bytes free
Post-Run: 220,709,175,296 bytes free

253 --- E O F --- 2009-05-12 22:41

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:58 PM

Posted 16 May 2009 - 02:27 PM

You are correct. Combofix is not a trojan, but it's not uncommon for it to create false positives, which is why it's important to disable your antivirus while running it so it doesn't interfere.

Let's try it again with a slight twist.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 Catatonic

Catatonic
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 17 May 2009 - 05:19 AM

Okay, Sam, I did as you asked me to do, except that I named it Catatonic.exe instead of Combo-Fix.exe.

I didn't have any difficulties running it this time.

Here are the contents of ComboFix.txt:

ComboFix 09-05-16.05 - HP_Administrator 05/17/2009 5:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1502 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Catatonic.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-14 05:05 . 2009-05-14 05:41 -------- d-----w C:\SDFix
2009-05-14 04:52 . 2009-05-17 09:55 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-14 04:52 . 2009-05-14 04:54 -------- d-----w c:\program files\SpywareBlaster
2009-05-14 04:19 . 2009-05-14 04:19 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-05-14 04:11 . 2009-05-14 04:11 -------- d-----w c:\windows\ERUNT
2009-05-14 04:02 . 2009-05-14 04:35 -------- d-----w C:\SDFix first
2009-05-14 03:21 . 2009-05-14 03:21 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\Mozilla
2009-05-12 06:14 . 2009-05-12 06:14 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-05-11 03:40 . 2009-05-11 03:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 03:30 . 2009-05-14 07:20 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-11 03:30 . 2009-05-11 03:30 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-05-11 03:28 . 2009-05-11 03:28 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-07 10:27 . 2009-03-25 15:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-05-07 10:27 . 2009-03-25 15:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-05-07 10:27 . 2009-03-25 15:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-05-07 10:27 . 2008-10-23 17:08 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-05-07 10:27 . 2009-05-07 10:27 -------- d-----w c:\program files\Common Files\McAfee
2009-05-07 10:27 . 2009-05-07 10:27 -------- d-----w c:\program files\McAfee.com
2009-05-07 10:27 . 2009-05-13 01:50 -------- d-----w c:\program files\McAfee
2009-05-07 10:22 . 2009-03-25 15:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-05-06 19:55 . 2009-05-16 05:10 0 ----a-w c:\windows\system32\drivers\UACohyvoxyqfmouiow.sys
2009-04-25 13:05 . 2009-04-25 13:05 -------- d-----w c:\program files\iPod
2009-04-25 13:05 . 2009-04-25 13:05 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-25 13:05 . 2009-04-25 13:05 -------- d-----w c:\program files\iTunes
2009-04-25 13:03 . 2009-04-25 13:03 -------- d-----w c:\program files\Bonjour
2009-04-25 13:02 . 2009-04-25 13:02 -------- d-----w c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 11:38 . 2007-03-30 23:06 -------- d-----w c:\program files\PowerArchiver
2009-05-10 17:17 . 2006-08-11 09:12 -------- d-----w c:\program files\IRIS Desktop Search
2009-05-10 04:56 . 2007-10-03 07:02 -------- d-----w c:\program files\IRISPen
2009-05-07 09:47 . 2008-08-06 00:06 -------- d-----w c:\program files\Webshots
2009-05-05 13:19 . 2005-12-30 11:21 1442 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-04-25 13:05 . 2007-07-08 11:31 -------- d-----w c:\program files\Common Files\Apple
2009-04-08 15:39 . 2005-10-25 13:59 -------- d-----w c:\program files\Java
2009-04-03 12:00 . 2005-10-25 14:58 -------- d-----w c:\program files\Google
2009-03-25 15:06 . 2009-03-25 15:06 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-19 20:32 . 2006-09-19 20:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 09:19 . 2008-12-18 18:13 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 05:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 05:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-10 05:00 78336 ----a-w c:\windows\system32\ieencode.dll
2006-02-06 07:05 . 2006-02-06 07:05 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-16_05.32.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 05:30 . 2009-05-16 05:30 16384 c:\windows\Temp\Perflib_Perfdata_1f8.dat
+ 2005-01-28 02:29 . 2009-05-17 09:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-01-28 02:29 . 2009-05-16 05:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-28 02:29 . 2009-05-17 09:45 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-28 02:29 . 2009-05-16 05:06 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\26719257-26d9-4beb-adeb-f42e267c71bf.exe" [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-06 196608]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-10-25 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/7/2009 6:29 AM 203280]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [10/25/2005 10:13 AM 100480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S2 0191111242179427mcinstcleanup;McAfee Application Installer Cleanup (0191111242179427);c:\windows\TEMP\019111~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\019111~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-26 c:\windows\Tasks\HPCeeSchedule.job
- c:\progra~1\EASYIN~1\Ceement\HPCEE.exe [2005-05-24 16:46]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-07 14:53]

2009-05-07 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-07 14:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: EasyRead + - c:\program files\Easy Read\ZoomIn.js
IE: EasyRead - - c:\program files\Easy Read\ZoomOut.js
IE: {{A0E6D3BD-A661-447D-8634-0751467857F3} - c:\program files\Easy Read\ZoomIn.js
IE: {{AEBB571B-4C48-438D-808D-999F168CDECE} - c:\program files\Easy Read\ZoomOut.js
Trusted Zone: facebook.com\www
Trusted Zone: fool.com\caps
Trusted Zone: indiana-ins.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mhsnr.org\tsac
Trusted Zone: microsoft.com\update
Trusted Zone: storephotos.com\www
Trusted Zone: turbotax.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\dsl.sbc
Trusted Zone: yahoo.com\sbc
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://prod1.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {4033A55E-27B3-11D3-B48A-005004868418} - hxxp://mercynetportal.mhsnr.org/coreport/controls/windowssso.cab
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://asp17.centra.com/SiteRoots/main/Install/CentraDownloader.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 05:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3684)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-17 6:00
ComboFix-quarantined-files.txt 2009-05-17 10:00
ComboFix2.txt 2009-05-16 05:35

Pre-Run: 220,714,913,792 bytes free
Post-Run: 220,695,605,248 bytes free

205 --- E O F --- 2009-05-12 22:41

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:58 PM

Posted 17 May 2009 - 07:48 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
c:\windows\system32\drivers\UACohyvoxyqfmouiow.sys
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


================


Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

How is your computer behaving now?


========================================================
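The entry Sam targets in the CFScript above (the zero-byte, randomly named UAC driver) and the other oddities visible in the posted logs (the proxy pointing at 127.0.0.1, Security Center monitoring switched off, an orphaned Run entry living under Application Data) can be picked out of a pasted ComboFix log mechanically. The script below is an added example, not ComboFix's own logic and not anything posted in the thread; the patterns and the "random-looking driver name" heuristic are assumptions of the example, and the sample log lines are constructed from entries that appear in this thread.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

It walks a pasted log and reports entries that a malware helper would look
at first. Every rule here is a review heuristic chosen for this example,
not a verdict: a localhost proxy or a DisableMonitoring value can be set
legitimately (privacy filters, third-party AV suites), so each finding
names the exact log line so a human can judge it.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# ComboFix file entry: "<created> . <modified> <size|--------> <attrs> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Heuristic (assumption of this example): a driver whose name is a short
# prefix followed by a long run of lowercase letters looks machine-generated,
# as with the UAC-prefixed driver in this thread. Legitimate drivers with
# long lowercase names exist, so this only ranks the entry for review.
RANDOM_DRIVER_RE = re.compile(r"\\drivers\\[A-Za-z]{3}[a-z]{10,}\.sys$")
# "uInternet Settings,ProxyServer = http=127.0.0.1:6711"
PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:https?=)?(?P<host>127\.0\.0\.1|localhost):(?P<port>\d+)",
    re.I,
)
# Registry keys under Security Center\Monitoring and the value that
# suppresses its alerts.
MON_KEY_RE = re.compile(r"^\[.*\\security center\\Monitoring[^\]]*\]$", re.I)
DISABLE_RE = re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$', re.I)
# ComboFix "ORPHANS REMOVED" line whose target sits under a user profile.
ORPHAN_RUN_RE = re.compile(
    r"^HKLM-Run-(?P<name>\S+) - (?P<path>.+\\Application Data\\.+\.exe)$", re.I
)


def triage(lines):
    """Return a list of Finding for the suspicious entries in a log."""
    findings = []
    current_key = None  # last "[HKEY_...]" header seen, for value context
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = FILE_RE.match(line)
        if m:
            size, path = m.group("size"), m.group("path")
            if "\\system32\\drivers\\" in path.lower():
                # A 0-byte .sys is never a working driver; in this thread the
                # file was the one the helper queued for deletion.
                if size.isdigit() and int(size) == 0:
                    findings.append(Finding("zero-byte driver", path))
                if RANDOM_DRIVER_RE.search(path):
                    findings.append(Finding("random-looking driver name", path))
            continue
        m = PROXY_RE.search(line)
        if m:
            # Browsers honour this setting, so a local proxy can rewrite
            # search result clicks; it is one common redirect mechanism.
            findings.append(Finding("localhost proxy", f"{m.group('host')}:{m.group('port')}"))
            continue
        if line.startswith("["):
            current_key = line
            continue
        if current_key and MON_KEY_RE.match(current_key) and DISABLE_RE.match(line):
            findings.append(Finding("security center monitoring disabled", current_key))
            continue
        m = ORPHAN_RUN_RE.match(line)
        if m:
            findings.append(Finding("autorun under Application Data", m.group("path")))
    return findings


def triage_text(text):
    return triage(text.splitlines())


# Constructed sample: a handful of lines taken from the logs in this thread
# plus benign neighbours, so the rules have something to ignore.
SAMPLE_LOG = r"""
2009-05-07 10:27 . 2009-03-25 15:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-05-06 19:55 . 2009-05-16 05:10 0 ----a-w c:\windows\system32\drivers\UACohyvoxyqfmouiow.sys
2009-04-25 13:05 . 2009-04-25 13:05 -------- d-----w c:\program files\iTunes
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'
HKLM-Run-realteks - c:\documents and settings\HP_Administrator\Application Data\Google\jaeio234556.exe
HKLM-Run-PCDrProfiler - (no file)
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uInternet Settings,ProxyOverride = *.local
"""

if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"{f.rule:40} {f.detail}")
```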

#8 Catatonic

Catatonic
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 18 May 2009 - 12:48 AM

Sam,

I have followed your instructions, and so here are the contents of ComboFix.txt and the Kaspersky scan report. Kaspersky found some infected files. I haven't reinstalled Firefox yet, and so I'm not sure if it will still give me Google search redirects. Otherwise, my computer seems to be behaving better than before. What should I do about the files that Kaspersky indicated as being infected?

ComboFix 09-05-17.03 - HP_Administrator 05/17/2009 22:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1492 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
c:\windows\system32\drivers\UACohyvoxyqfmouiow.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACohyvoxyqfmouiow.sys
c:\windows\system32\mfc70.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-14 05:05 . 2009-05-14 05:41 -------- d-----w C:\SDFix
2009-05-14 04:52 . 2009-05-18 02:47 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-14 04:52 . 2009-05-14 04:54 -------- d-----w c:\program files\SpywareBlaster
2009-05-14 04:19 . 2009-05-14 04:19 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-05-14 04:11 . 2009-05-14 04:11 -------- d-----w c:\windows\ERUNT
2009-05-14 04:02 . 2009-05-14 04:35 -------- d-----w C:\SDFix first
2009-05-14 03:21 . 2009-05-14 03:21 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\Mozilla
2009-05-12 06:14 . 2009-05-12 06:14 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-05-11 03:40 . 2009-05-11 03:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 03:30 . 2009-05-14 07:20 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-11 03:30 . 2009-05-11 03:30 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-05-11 03:28 . 2009-05-11 03:28 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-07 10:27 . 2009-03-25 15:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-05-07 10:27 . 2009-03-25 15:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-05-07 10:27 . 2009-03-25 15:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-05-07 10:27 . 2008-10-23 17:08 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-05-07 10:27 . 2009-05-07 10:27 -------- d-----w c:\program files\Common Files\McAfee
2009-05-07 10:27 . 2009-05-07 10:27 -------- d-----w c:\program files\McAfee.com
2009-05-07 10:27 . 2009-05-13 01:50 -------- d-----w c:\program files\McAfee
2009-05-07 10:22 . 2009-03-25 15:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-25 13:05 . 2009-04-25 13:05 -------- d-----w c:\program files\iPod
2009-04-25 13:05 . 2009-04-25 13:05 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-25 13:05 . 2009-04-25 13:05 -------- d-----w c:\program files\iTunes
2009-04-25 13:03 . 2009-04-25 13:03 -------- d-----w c:\program files\Bonjour
2009-04-25 13:02 . 2009-04-25 13:02 -------- d-----w c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 10:08 . 2007-03-30 23:06 -------- d-----w c:\program files\PowerArchiver
2009-05-10 17:17 . 2006-08-11 09:12 -------- d-----w c:\program files\IRIS Desktop Search
2009-05-10 04:56 . 2007-10-03 07:02 -------- d-----w c:\program files\IRISPen
2009-05-07 09:47 . 2008-08-06 00:06 -------- d-----w c:\program files\Webshots
2009-05-05 13:19 . 2005-12-30 11:21 1442 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-04-25 13:05 . 2007-07-08 11:31 -------- d-----w c:\program files\Common Files\Apple
2009-04-08 15:39 . 2005-10-25 13:59 -------- d-----w c:\program files\Java
2009-04-03 12:00 . 2005-10-25 14:58 -------- d-----w c:\program files\Google
2009-03-25 15:06 . 2009-03-25 15:06 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-19 20:32 . 2006-09-19 20:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 09:19 . 2008-12-18 18:13 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 05:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 05:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-10 05:00 78336 ----a-w c:\windows\system32\ieencode.dll
2006-02-06 07:05 . 2006-02-06 07:05 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-16_05.32.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 05:30 . 2009-05-16 05:30 16384 c:\windows\Temp\Perflib_Perfdata_1f8.dat
+ 2005-01-28 02:29 . 2009-05-18 02:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-01-28 02:29 . 2009-05-16 05:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-28 02:29 . 2009-05-18 02:24 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-28 02:29 . 2009-05-16 05:06 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\26719257-26d9-4beb-adeb-f42e267c71bf.exe" [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-06 196608]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-10-25 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/7/2009 6:29 AM 203280]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [10/25/2005 10:13 AM 100480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S2 0191111242179427mcinstcleanup;McAfee Application Installer Cleanup (0191111242179427);c:\windows\TEMP\019111~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\019111~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-26 c:\windows\Tasks\HPCeeSchedule.job
- c:\progra~1\EASYIN~1\Ceement\HPCEE.exe [2005-05-24 16:46]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-07 14:53]

2009-05-07 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-07 14:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: EasyRead + - c:\program files\Easy Read\ZoomIn.js
IE: EasyRead - - c:\program files\Easy Read\ZoomOut.js
IE: {{A0E6D3BD-A661-447D-8634-0751467857F3} - c:\program files\Easy Read\ZoomIn.js
IE: {{AEBB571B-4C48-438D-808D-999F168CDECE} - c:\program files\Easy Read\ZoomOut.js
Trusted Zone: facebook.com\www
Trusted Zone: indiana-ins.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mhsnr.org\tsac
Trusted Zone: microsoft.com\update
Trusted Zone: turbotax.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\dsl.sbc
Trusted Zone: yahoo.com\sbc
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://prod1.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {4033A55E-27B3-11D3-B48A-005004868418} - hxxp://mercynetportal.mhsnr.org/coreport/controls/windowssso.cab
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://asp17.centra.com/SiteRoots/main/Install/CentraDownloader.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 22:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-05-18 22:51
ComboFix-quarantined-files.txt 2009-05-18 02:51
ComboFix2.txt 2009-05-17 10:00
ComboFix3.txt 2009-05-16 05:35

Pre-Run: 220,708,343,808 bytes free
Post-Run: 220,687,654,912 bytes free

206 --- E O F --- 2009-05-12 22:41


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 18, 2009 03:12:19
Records in database: 2189365
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 103416
Threat name: 2
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 02:05:42


File name / Threat name / Threats count
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACadbhypkmpudvvoc.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfheabuempsghebi.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgfjobsejmqflnsw.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxesvtbjuhocqcov.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1\A0000038.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1\A0000039.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1\A0000040.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1\A0000041.dll Infected: Packed.Win32.Tdss.f 1

The selected area was scanned.
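Editor's added example, not part of Catatonic's post or of ComboFix: a short Python triage pass over a ComboFix-style log. It picks out the three items in the log above that a responder would look at first: the per-user IE proxy pointing at the loopback address (`http=127.0.0.1:6711`), files under system32 whose names are a fixed prefix plus a run of random letters (the `UAC*` files that Kaspersky labelled Packed.Win32.Tdss.f follow that pattern), and Security Center monitoring switched off. The prefix list, the "eight or more random letters" threshold and the finding names are this example's own assumptions, and the sample log is constructed from lines of the post for demonstration.

```python
"""Triage pass over a ComboFix-style log (editor's example, not a ComboFix feature).

Heuristics, all assumptions for this example:
  * loopback_proxy       - IE per-user ProxyServer on 127.x.x.x or localhost
  * random_named_file    - system32[\drivers]\<UAC|TDSS><8+ letters>.<sys|dll>
  * security_center_muted- "DisableMonitoring"=1 under Security Center\Monitoring
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A per-user proxy on the loopback range means every browser request is handed to a
# process on the same machine before it leaves the box.
PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(\S+)", re.I)
LOOPBACK_RE = re.compile(r"(?:^|=)(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):\d+", re.I)

# Known prefix followed by a long run of letters, in system32 or system32\drivers.
RANDOM_NAME_RE = re.compile(
    r"\\system32\\(?:drivers\\)?((?:UAC|TDSS)[a-z]{8,}\.(?:sys|dll))\b", re.I)

# Security Center told not to warn about a product's AV/firewall state.
SC_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring(?:\\(\w+))?\]$", re.I)
SC_VALUE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)


@dataclass
class Finding:
    kind: str      # loopback_proxy | random_named_file | security_center_muted
    line_no: int   # 1-based line number in the log
    detail: str


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    sc_key: Optional[str] = None   # Security Center subkey whose values we are inside
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()

        m = PROXY_RE.search(line)
        if m and LOOPBACK_RE.search(m.group(1)):
            findings.append(Finding("loopback_proxy", n, m.group(1)))

        for m in RANDOM_NAME_RE.finditer(line):
            findings.append(Finding("random_named_file", n, m.group(1)))

        k = SC_KEY_RE.match(line)
        if k:
            sc_key = k.group(1) or "(global)"
        elif line.startswith("["):
            sc_key = None            # any other registry key ends the Security Center block
        elif sc_key and SC_VALUE_RE.match(line):
            findings.append(Finding("security_center_muted", n, sc_key))
    return findings


# Constructed sample: lines in the ComboFix log format, reduced to what the heuristics read.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\drivers\UACohyvoxyqfmouiow.sys
c:\windows\system32\UACadbhypkmpudvvoc.dll
c:\windows\system32\mfc70.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

uStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uInternet Settings,ProxyOverride = *.local
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.kind:<22} {f.detail}")
```

Run it against a real ComboFix.txt with `triage(open("ComboFix.txt").read())`; the `mfc70.dll` deletion in the same log is deliberately not flagged, since a legitimate-looking name is exactly what this heuristic cannot judge.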

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 May 2009 - 11:52 AM

Flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore is booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.


The other files that Kaspersky found are already quarantined, and there's one that's a false positive.

Go ahead and give Firefox a try and let me know how it's behaving.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 Catatonic

  • Topic Starter
  • Members
  • 7 posts

Posted 18 May 2009 - 09:27 PM

Sam,

I have followed your instructions regarding System Restore. Afterwards, I reinstalled Firefox. Google search results are no longer being redirected, and my computer no longer seems to be showing any other symptoms of infection.

Unless there's anything else you think I should do, then at this point in time I'll thank you for your help. I greatly appreciate your generosity.

#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 May 2009 - 02:08 PM

Here's some final steps and recommendations for you.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore - If you are using Windows ME or XP, you should disable and re-enable System Restore to make sure there are no infected files in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable System Restore using the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:)


========================================================
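Editor's added example, not part of Buckeye_Sam's post: the six Internet Explorer settings in the "Make your Internet Explorer more secure" steps above, written out as the registry values the Internet Options dialog edits, so they can be applied or audited without clicking through the dialog on each machine. Each setting is a DWORD under the Internet zone key (zone 3) whose name is the setting's action ID and whose value is 0 = Enable, 1 = Prompt, 3 = Disable; the action IDs below are the ones Microsoft documents for these six settings. The `REGEDIT4` header is the same one ComboFix uses in its dump above. The `audit` function and its treatment of a missing value as non-compliant are this example's own design choices.

```python
"""Emit the post's Internet-zone hardening as a .reg file and audit current values.

Editor's example. Action IDs and the 0/1/3 encoding follow Microsoft's documented
Internet Explorer zone settings; everything else here is illustrative.
"""
from typing import Dict, List, Optional, Tuple

ENABLE, PROMPT, DISABLE = 0, 1, 3
INTERNET_ZONE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# (action ID as the registry names it, setting as the IE dialog names it, value the post recommends)
HARDENING: List[Tuple[str, str, int]] = [
    ("1001", "Download signed ActiveX controls", PROMPT),
    ("1004", "Download unsigned ActiveX controls", DISABLE),
    ("1201", "Initialize and script ActiveX controls not marked as safe", DISABLE),
    ("1800", "Installation of desktop items", PROMPT),
    ("1804", "Launching programs and files in an IFRAME", PROMPT),
    ("1607", "Navigate sub-frames across different domains", PROMPT),
]


def reg_file(settings=HARDENING, key: str = INTERNET_ZONE) -> str:
    """Return REGEDIT4 text that sets every value; import it with regedit or `reg import`."""
    out = ["REGEDIT4", "", f"[{key}]"]
    for action, name, value in settings:
        out.append(f"; {name}")                     # ';' starts a comment line in .reg files
        out.append(f'"{action}"=dword:{value:08x}')
    return "\r\n".join(out) + "\r\n"


def audit(current: Dict[str, int], settings=HARDENING) -> List[Tuple[str, str, Optional[int], int]]:
    """List (action, name, current, wanted) for every setting looser than the post's advice.

    Among the values 0/1/3 a lower number is more permissive, so current < wanted is a
    downgrade. A value that is absent from `current` is reported with current=None
    rather than assumed to be at the IE default.
    """
    gaps = []
    for action, name, wanted in settings:
        cur = current.get(action)
        if cur is None or cur < wanted:
            gaps.append((action, name, cur, wanted))
    return gaps


if __name__ == "__main__":
    print(reg_file(), end="")
    # Constructed state: everything applied except signed ActiveX downloads left at Enable.
    state = {action: value for action, _, value in HARDENING}
    state["1001"] = ENABLE
    for gap in audit(state):
        print("weaker than recommended:", gap)
```

On the machine itself, `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"` lists the current DWORDs; feed those into `audit()` to see which of the six steps were not applied.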

#12 Catatonic

  • Topic Starter
  • Members
  • 7 posts

Posted 19 May 2009 - 04:50 PM

Sam,

You had asked me to remove ComboFix now that we're done with it. I had already deleted the executable file from my Desktop. When I try to remove ComboFix via the Run box, I get a message saying that Windows can't find it. Does this mean that I don't need to do anything more? I noticed that there is a folder named C:\Qoobox, and I believe that it had been created by ComboFix. Is it okay to leave that folder there, along with its contents?

#13 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 20 May 2009 - 11:18 AM

You can delete that folder. It contains some logs and any quarantined files that Combofix removed. It can just be deleted and you should be fine.


========================================================

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 May 2009 - 09:45 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



