Yahoo and Google Hijack/Redirect


35 replies to this topic

#1 jescabrera

Posted 29 May 2009 - 07:21 PM

I was being helped by Rigel. Information on my original request can be found here:

http://www.bleepingcomputer.com/forums/t/229600/yahoo-and-google-hijack/

Per Rigel's instructions, I have followed your procedures starting on Step 6, however, when I run dds.scr, I get a black pop-up window with an error message that says, "The System cannot find the file specified."

My problem can be described as follows:

When I perform a search on either Yahoo or Google, the search engines return responses. When I click on the responses, I get a message in a white window that says:
The document has moved here. Wait...
The address on the toolbar is as follows:

http://7-isearch.net/search.php?s=2&q=...amAA~~&pe=0

I'm currently running Windows XP. I have run Malwarebytes, McAfee, Spybot, SuperAntispy to no avail.

Edited by JSntgRvr, 29 May 2009 - 07:44 PM.



#2 JSntgRvr

Posted 29 May 2009 - 07:45 PM

Hi, jescabrera

Welcome.

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 jescabrera

Posted 29 May 2009 - 08:33 PM

Malwarebytes report:
Malwarebytes' Anti-Malware 1.37
Database version: 2190
Windows 5.1.2600 Service Pack 3

5/29/2009 8:17:32 PM
mbam-log-2009-05-29 (20-17-32).txt

Scan type: Quick Scan
Objects scanned: 87750
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix Report:

ComboFix 09-05-29.01 - Jesse Cabrera 05/29/2009 20:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.635 [GMT -5:00]
Running from: c:\documents and settings\Jesse Cabrera\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-28 22:49 . 2009-05-28 22:49 -------- d-----w c:\program files\ESET
2009-05-27 21:52 . 2009-05-27 21:52 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-05-26 23:21 . 2009-05-26 23:21 -------- d-----w c:\documents and settings\Jesse Cabrera\Local Settings\Application Data\Downloaded Installations
2009-05-24 12:22 . 2009-05-24 12:22 -------- d-----w c:\program files\CleanUp!
2009-05-23 23:07 . 2009-05-23 23:07 -------- d-----w c:\program files\Trend Micro
2009-05-23 13:59 . 2009-05-26 22:18 -------- d-----w c:\program files\Lavasoft
2009-05-23 13:59 . 2009-05-26 22:18 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-22 14:19 . 2009-05-22 14:19 -------- d-----w c:\program files\Citrix
2009-05-21 12:21 . 2009-05-21 12:21 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-21 00:25 . 2009-05-21 00:25 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-21 00:21 . 2009-03-25 16:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-05-21 00:21 . 2009-03-25 16:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-05-21 00:21 . 2009-03-25 16:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-05-21 00:21 . 2008-10-23 18:08 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-05-21 00:21 . 2009-05-21 00:21 -------- d-----w c:\program files\Common Files\McAfee
2009-05-21 00:21 . 2009-05-21 00:21 -------- d-----w c:\program files\McAfee.com
2009-05-21 00:21 . 2009-05-22 14:03 -------- d-----w c:\program files\McAfee
2009-05-21 00:18 . 2009-03-25 16:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-05-10 16:11 . 2009-05-10 16:15 -------- d-----w c:\program files\MyDSC2
2009-05-10 16:11 . 2005-03-24 22:21 38937 ----a-w c:\windows\system32\drivers\Capt905c.sys
2009-05-10 16:11 . 2004-05-07 20:31 24382 ----a-w c:\windows\system32\drivers\Camd905c.sys
2009-05-10 16:10 . 2009-05-27 00:45 -------- d-----w c:\program files\Kids Cam Show and Share Creativity Center
2009-05-06 23:40 . 2009-05-06 23:40 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-06 23:03 . 2009-05-06 23:03 -------- d-----w c:\docume~1\JESSEC~1\APPLIC~1\Malwarebytes
2009-05-06 23:03 . 2009-05-26 18:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-06 23:03 . 2009-05-26 18:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 23:03 . 2009-05-28 22:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 23:03 . 2009-05-06 23:03 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 22:24 . 2009-05-06 22:28 -------- d-----w c:\program files\DrWeb
2009-05-06 22:01 . 2009-05-06 22:25 -------- d-----w c:\documents and settings\Jesse Cabrera\DoctorWeb
2009-05-05 23:54 . 2009-05-05 23:54 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-05 23:54 . 2009-05-29 00:16 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-05 23:54 . 2009-05-29 00:15 -------- d-----w c:\docume~1\JESSEC~1\APPLIC~1\SUPERAntiSpyware.com
2009-05-03 16:51 . 2009-05-03 16:57 -------- d-----w c:\program files\Adware Professional

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 00:15 . 2008-02-05 22:09 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-21 00:24 . 2009-02-22 19:40 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-05-10 16:11 . 2007-09-03 16:00 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-29 22:16 . 2007-09-22 18:55 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-04-28 22:42 . 2009-04-28 22:42 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-28 22:42 . 2007-11-15 01:04 -------- d-----w c:\program files\iTunes
2009-04-28 22:42 . 2009-04-28 22:42 -------- d-----w c:\program files\iPod
2009-04-28 22:42 . 2007-09-30 13:25 -------- d-----w c:\program files\Common Files\Apple
2009-04-28 22:40 . 2009-04-28 22:40 -------- d-----w c:\program files\Bonjour
2009-04-28 22:36 . 2009-04-28 22:36 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-23 22:29 . 2009-04-23 22:20 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-23 22:21 . 2009-04-23 22:20 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-21 02:06 . 2007-11-10 02:51 -------- d-----w c:\docume~1\JESSEC~1\APPLIC~1\Move Networks
2009-04-10 00:46 . 2007-09-23 12:49 -------- d-----w c:\program files\Common Files\Ahead
2009-04-10 00:44 . 2009-04-09 22:28 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-04-09 22:46 . 2009-04-09 22:28 -------- d-----w c:\program files\Common Files\Nero
2009-04-09 22:46 . 2007-11-24 18:13 -------- d-----w c:\program files\Nero
2009-04-09 22:31 . 2009-04-09 22:31 -------- d-----w c:\docume~1\JESSEC~1\APPLIC~1\Nero
2009-04-01 22:24 . 2009-04-01 22:24 -------- d-----w c:\docume~1\JESSEC~1\APPLIC~1\Leadertech
2009-04-01 22:21 . 2009-04-01 22:21 -------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2009-04-01 22:15 . 2009-04-01 22:15 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-29 12:31 . 2007-09-20 00:43 45952 ----a-w c:\documents and settings\Jesse Cabrera\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 16:06 . 2009-03-25 16:06 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 09:34 . 2001-08-30 19:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2001-08-30 19:50 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2001-08-30 19:48 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2001-08-30 19:50 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2001-08-30 19:48 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2001-08-30 19:49 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2001-08-30 19:49 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2001-08-30 19:50 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2001-08-30 19:50 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2001-08-30 19:50 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2001-08-30 19:50 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 01:57 . 2007-09-01 01:19 86327 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 13:01 . 2007-10-11 01:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-10-15 07:04 . 2008-10-15 07:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2006-01-12 22:40 . 2006-01-12 22:40 155648 c:\program files\Common Files\Ahead\Lib\bak\NeroCheck.exe
2006-01-12 20:40 . 2006-01-12 20:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

2006-10-09 17:28 . 2006-10-09 17:28 139264 c:\program files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe
2006-11-17 00:04 . 2006-11-17 00:04 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

2007-11-03 00:36 . 2007-11-03 00:36 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-04-02 21:11 . 2009-04-02 21:11 342312 c:\program files\iTunes\iTunesHelper.exe

2007-10-20 02:16 . 2007-10-20 02:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-01-05 22:18 . 2009-01-05 22:18 413696 c:\program files\QuickTime\QTTask.exe

2008-02-06 00:28 . 2006-07-21 22:19 129536 c:\program files\Yahoo!\browser\bak\ybrwicon.exe

2008-02-06 00:29 . 2007-08-30 23:43 4670704 c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe

2001-08-30 19:48 . 2004-08-04 07:56 15360 c:\windows\system32\bak\ctfmon.exe
2001-08-30 19:48 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [N/A]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

c:\documents and settings\Jesse Cabrera\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/20/2009 7:23 PM 203280]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-05-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-21 15:53]

2009-05-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-21 15:53]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 20:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1940)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-30 20:25
ComboFix-quarantined-files.txt 2009-05-30 01:25

Pre-Run: 118,863,458,304 bytes free
Post-Run: 118,855,557,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

219 --- E O F --- 2009-05-13 22:17

#4 JSntgRvr

Posted 30 May 2009 - 07:42 PM

Hi, jescabrera
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

AWF::
c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
c:\program files\Common Files\Ahead\Lib\bak\NeroCheck.exe
c:\program files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\Yahoo!\browser\bak\ybrwicon.exe
c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
c:\windows\system32\bak\ctfmon.exe


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a HijackThis log.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")


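Added example, not from this thread and not part of ComboFix or Malwarebytes: a small Python triage script for the AWF section of a ComboFix report. It pairs each `bak` copy with the live executable at the same path (matching case-insensitively, since the log writes qttask.exe and QTTask.exe), flags pairs whose size differs and bak copies with no live counterpart listed, links them to the Run entries from the same report, and renders the `AWF::` block in the form used in the CFScript above. The sample lines are copied from the first ComboFix report in this thread; the names `AwfEntry`, `AwfPair`, `pair_awf` and `cfscript_awf` are the script's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the AWF section of the first ComboFix report in this
# thread (blank separator lines omitted). Layout: created . modified size path
AWF_SAMPLE = r"""
2007-11-11 13:01 . 2007-10-11 01:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-10-15 07:04 . 2008-10-15 07:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
2006-01-12 22:40 . 2006-01-12 22:40 155648 c:\program files\Common Files\Ahead\Lib\bak\NeroCheck.exe
2006-01-12 20:40 . 2006-01-12 20:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
2006-10-09 17:28 . 2006-10-09 17:28 139264 c:\program files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe
2006-11-17 00:04 . 2006-11-17 00:04 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
2007-11-03 00:36 . 2007-11-03 00:36 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-04-02 21:11 . 2009-04-02 21:11 342312 c:\program files\iTunes\iTunesHelper.exe
2007-10-20 02:16 . 2007-10-20 02:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-01-05 22:18 . 2009-01-05 22:18 413696 c:\program files\QuickTime\QTTask.exe
2008-02-06 00:28 . 2006-07-21 22:19 129536 c:\program files\Yahoo!\browser\bak\ybrwicon.exe
2008-02-06 00:29 . 2007-08-30 23:43 4670704 c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
2001-08-30 19:48 . 2004-08-04 07:56 15360 c:\windows\system32\bak\ctfmon.exe
2001-08-30 19:48 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
"""

# Constructed sample: Run entries from the same report's "Reg Loading Points"
# section; the last two use a different layout and are skipped by the parser.
RUN_SAMPLE = r"""
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [N/A]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"""

AWF_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+)$")
RUN_LINE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')


@dataclass
class AwfEntry:
    created: str
    modified: str
    size: int
    path: str

    @property
    def is_bak(self) -> bool:
        return "\\bak\\" in self.path.lower()

    @property
    def key(self) -> str:
        # Lowercased live path, so the bak copy and the live file pair up
        # even when the log spells the name differently.
        return self.path.lower().replace("\\bak\\", "\\")


@dataclass
class AwfPair:
    name: str                 # file name, lowercased
    bak: AwfEntry             # the copy under the bak folder
    live: Optional[AwfEntry]  # the file at the original path, if listed
    run_entries: List[str]    # Run value names that launch the live path

    @property
    def size_changed(self) -> Optional[bool]:
        return None if self.live is None else self.live.size != self.bak.size


def parse_awf(text: str) -> List[AwfEntry]:
    out = []
    for line in text.splitlines():
        m = AWF_LINE.match(line.strip())
        if m:
            out.append(AwfEntry(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return out


def parse_run_keys(text: str) -> Dict[str, str]:
    """Map lowercased image path -> Run value name; other layouts are skipped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            out[m.group(2).lower()] = m.group(1)
    return out


def pair_awf(entries: List[AwfEntry], run_keys: Dict[str, str]) -> List[AwfPair]:
    live = {e.key: e for e in entries if not e.is_bak}
    pairs = []
    for e in entries:
        if e.is_bak:  # one record per bak copy, in log order
            runs = [run_keys[e.key]] if e.key in run_keys else []
            pairs.append(AwfPair(e.key.rsplit("\\", 1)[-1], e, live.get(e.key), runs))
    return pairs


def cfscript_awf(pairs: List[AwfPair]) -> str:
    """Render the AWF:: block of a CFScript in the form used in this thread."""
    return "AWF::\n" + "\n".join(p.bak.path for p in pairs) + "\n"


if __name__ == "__main__":
    found = pair_awf(parse_awf(AWF_SAMPLE), parse_run_keys(RUN_SAMPLE))
    for p in found:
        state = "no live file listed" if p.live is None else f"size changed={p.size_changed}"
        print(f"{p.name}: {state}; Run entries: {p.run_entries or 'none'}")
    print(cfscript_awf(found))
```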

#5 jescabrera

Posted 30 May 2009 - 08:08 PM

For the Java update, the only one available is JRE 6 Update 14. Is that O.K.?

#6 jescabrera

Posted 30 May 2009 - 10:19 PM

Alright... I followed your instructions. Below is the ComboFix Report:

ComboFix 09-05-30.03 - Jesse Cabrera 05/30/2009 20:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.646 [GMT -5:00]
Running from: c:\documents and settings\Jesse Cabrera\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jesse Cabrera\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-29 00:35 . 2009-05-29 01:52 117760 ----a-w c:\documents and settings\Jesse Cabrera\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-28 22:49 . 2009-05-28 22:49 -------- d-----w c:\program files\ESET
2009-05-27 21:52 . 2009-05-27 21:52 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-05-26 23:21 . 2009-05-26 23:21 -------- d-----w c:\documents and settings\Jesse Cabrera\Local Settings\Application Data\Downloaded Installations
2009-05-24 12:22 . 2009-05-24 12:22 -------- d-----w c:\program files\CleanUp!
2009-05-23 23:07 . 2009-05-23 23:07 -------- d-----w c:\program files\Trend Micro
2009-05-23 13:59 . 2009-05-26 22:18 -------- d-----w c:\program files\Lavasoft
2009-05-23 13:59 . 2009-05-26 22:18 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-22 14:19 . 2009-05-22 14:19 -------- d-----w c:\program files\Citrix
2009-05-22 14:03 . 2009-05-22 14:03 49152 ----a-r c:\documents and settings\Jesse Cabrera\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-05-22 14:03 . 2009-05-22 14:03 49152 ----a-r c:\documents and settings\Jesse Cabrera\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-05-21 12:21 . 2009-05-21 12:21 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-21 00:25 . 2009-05-21 00:25 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-21 00:21 . 2009-03-25 16:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-05-21 00:21 . 2009-03-25 16:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-05-21 00:21 . 2009-03-25 16:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-05-21 00:21 . 2008-10-23 18:08 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-05-21 00:21 . 2009-05-21 00:21 -------- d-----w c:\program files\Common Files\McAfee
2009-05-21 00:21 . 2009-05-21 00:21 -------- d-----w c:\program files\McAfee.com
2009-05-21 00:21 . 2009-05-22 14:03 -------- d-----w c:\program files\McAfee
2009-05-21 00:18 . 2009-03-25 16:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-05-10 16:11 . 2009-05-10 16:15 -------- d-----w c:\program files\MyDSC2
2009-05-10 16:11 . 2005-03-24 22:21 38937 ----a-w c:\windows\system32\drivers\Capt905c.sys
2009-05-10 16:11 . 2004-05-07 20:31 24382 ----a-w c:\windows\system32\drivers\Camd905c.sys
2009-05-10 16:10 . 2009-05-27 00:45 -------- d-----w c:\program files\Kids Cam Show and Share Creativity Center
2009-05-06 23:40 . 2009-05-06 23:40 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-06 23:03 . 2009-05-06 23:03 -------- d-----w c:\documents and settings\Jesse Cabrera\Application Data\Malwarebytes
2009-05-06 23:03 . 2009-05-26 18:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-06 23:03 . 2009-05-26 18:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 23:03 . 2009-05-28 22:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 23:03 . 2009-05-06 23:03 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 22:24 . 2009-05-06 22:28 -------- d-----w c:\program files\DrWeb
2009-05-06 22:01 . 2009-05-06 22:25 -------- d-----w c:\documents and settings\Jesse Cabrera\DoctorWeb
2009-05-05 23:54 . 2009-05-05 23:54 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-05 23:54 . 2009-05-29 00:16 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-05 23:54 . 2009-05-29 00:15 -------- d-----w c:\documents and settings\Jesse Cabrera\Application Data\SUPERAntiSpyware.com
2009-05-03 16:51 . 2009-05-03 16:57 -------- d-----w c:\program files\Adware Professional

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 01:16 . 2007-11-15 01:04 -------- d-----w c:\program files\iTunes
2009-05-31 01:14 . 2007-11-15 01:01 -------- d-----w c:\program files\QuickTime
2009-05-29 00:15 . 2008-02-05 22:09 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-21 00:24 . 2009-02-22 19:40 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-05-12 21:08 . 2009-03-23 22:14 266400 ----a-r c:\documents and settings\Jesse Cabrera\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-05-10 16:11 . 2007-09-03 16:00 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-29 22:16 . 2007-09-22 18:55 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-04-28 22:42 . 2009-04-28 22:42 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-28 22:42 . 2009-04-28 22:42 -------- d-----w c:\program files\iPod
2009-04-28 22:42 . 2007-09-30 13:25 -------- d-----w c:\program files\Common Files\Apple
2009-04-28 22:40 . 2009-04-28 22:40 -------- d-----w c:\program files\Bonjour
2009-04-28 22:36 . 2009-04-28 22:36 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-23 22:29 . 2009-04-23 22:20 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-23 22:21 . 2009-04-23 22:20 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-21 02:06 . 2007-11-10 02:51 -------- d-----w c:\documents and settings\Jesse Cabrera\Application Data\Move Networks
2009-04-20 03:23 . 2009-04-20 03:22 34062 ----a-w c:\documents and settings\Jesse Cabrera\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-10 00:46 . 2007-09-23 12:49 -------- d-----w c:\program files\Common Files\Ahead
2009-04-10 00:44 . 2009-04-09 22:28 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-04-09 22:46 . 2009-04-09 22:28 -------- d-----w c:\program files\Common Files\Nero
2009-04-09 22:46 . 2007-11-24 18:13 -------- d-----w c:\program files\Nero
2009-04-09 22:31 . 2009-04-09 22:31 -------- d-----w c:\documents and settings\Jesse Cabrera\Application Data\Nero
2009-04-01 22:24 . 2009-04-01 22:24 -------- d-----w c:\documents and settings\Jesse Cabrera\Application Data\Leadertech
2009-04-01 22:21 . 2009-04-01 22:21 -------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2009-04-01 22:15 . 2009-04-01 22:15 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-29 12:31 . 2007-09-20 00:43 45952 ----a-w c:\documents and settings\Jesse Cabrera\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 16:06 . 2009-03-25 16:06 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-23 00:55 . 2009-03-23 00:55 8704 ----a-w c:\documents and settings\Jesse Cabrera\Application Data\Thinstall\WinAVI Video Converter\4000003100002i\DivXVersionChecker.exe
2009-03-22 23:17 . 2009-03-22 23:17 8704 ----a-w c:\documents and settings\Jesse Cabrera\Application Data\Thinstall\WinAVI Video Converter\1000000b00002i\rundll32.exe
2009-03-22 23:14 . 2009-03-22 23:14 8704 ----a-w c:\documents and settings\Jesse Cabrera\Application Data\Thinstall\WinAVI Video Converter\4000009c00002i\IEXPLORE.EXE
2009-03-22 23:14 . 2009-03-22 23:14 8704 ----a-w c:\documents and settings\Jesse Cabrera\Application Data\Thinstall\WinAVI Video Converter\10000001200002i\msimn.exe
2009-03-22 18:40 . 2009-03-22 18:40 8704 ----a-w c:\documents and settings\Jesse Cabrera\Application Data\Thinstall\WinAVI Video Converter\300000003400002i\dwwin.exe
2009-03-22 18:40 . 2009-03-22 18:40 8704 ----a-w c:\documents and settings\Jesse Cabrera\Application Data\Thinstall\WinAVI Video Converter\4000008200002i\divxsm.exe
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 17:29 . 2009-03-09 17:29 97144 ----a-w c:\documents and settings\Jesse Cabrera\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-03-09 17:29 . 2009-03-09 17:29 1010552 ----a-w c:\documents and settings\Jesse Cabrera\Application Data\Move Networks\ie_bin\qsp2ie071303000006.dll
2009-03-08 09:34 . 2001-08-30 19:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2001-08-30 19:50 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2001-08-30 19:48 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2001-08-30 19:50 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2001-08-30 19:48 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2001-08-30 19:49 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2001-08-30 19:49 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2001-08-30 19:50 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2001-08-30 19:50 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2001-08-30 19:50 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2001-08-30 19:50 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 01:57 . 2007-09-01 01:19 86327 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-05-30_01.24.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-30 19:48 . 2004-08-04 07:56 15360 c:\windows\system32\dllcache\ctfmon.exe
+ 2001-08-30 19:48 . 2004-08-04 07:56 15360 c:\windows\system32\ctfmon.exe
- 2001-08-30 19:48 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
- 2007-09-01 01:21 . 2009-05-29 22:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-09-01 01:21 . 2009-05-30 20:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-09-01 01:21 . 2009-05-30 20:54 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-09-01 01:21 . 2009-05-29 22:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-22 21:23 . 2009-05-30 20:54 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-03-22 21:23 . 2009-05-29 22:30 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-20 286720]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-03 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

c:\documents and settings\Jesse Cabrera\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/20/2009 7:23 PM 203280]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-05-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-21 15:53]

2009-05-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-21 15:53]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(208)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-31 20:18
ComboFix-quarantined-files.txt 2009-05-31 01:18
ComboFix2.txt 2009-05-30 01:25

Pre-Run: 119,558,713,344 bytes free
Post-Run: 119,538,769,920 bytes free

219 --- E O F --- 2009-05-13 22:17



The Kaspersky Scan did not find anything.


KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 30, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 31, 2009 03:53:07
Records in database: 2282082
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 52023
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:03:48

No malware has been detected. The scan area is clean.

The selected area was scanned.

#7 JSntgRvr (Malware Response Team)

Posted 31 May 2009 - 01:34 AM

All looks clean. How is the computer doing?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 JSntgRvr (Malware Response Team)

Posted 31 May 2009 - 01:38 AM

For the Java update, the only one available is JRE 6 Update 14. Is that O.K.?

Super.



#9 jescabrera (Topic Starter)

Posted 31 May 2009 - 06:45 AM

My machine seems to be running a lot faster. It doesn't bog down anymore...however, I'm still getting a redirect. Attached is the screen shot I get after I click on a Yahoo search link.




#10 JSntgRvr (Malware Response Team)

Posted 31 May 2009 - 01:00 PM

Hi, jescabrera

Let's take a deeper look:

Download OTS.exe by OldTimer to your Desktop.
  • Close any open browsers.
  • Double-click on OTS.exe to start the program.
  • Leave all settings as they appear as default.
  • Under Drivers, select "All".
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file.
  • Use the Reply button and attach the notepad file here (do not copy and paste it into a reply; attach it instead).



#11 jescabrera (Topic Starter)

Posted 31 May 2009 - 01:55 PM

Per your instructions, see attached. OTS ran fairly quickly so I'm not sure if it did what it's supposed to do.

I've also attached a screen shot of the OTS screen after it finished running.




#12 JSntgRvr (Malware Response Team)

Posted 31 May 2009 - 05:53 PM

Hi, jescabrera

Start OTS. Copy/Paste the information in the Quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > (7851 bytes and 267 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts
YN -> Reset Hosts ->
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{7F9DB11C-E358-4ca6-A83D-ACC663939424}" [HKLM] -> [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> Irremote.ini -> C:\WINDOWS\Irremote.ini
[Empty Temp Folders]
[Start Explorer]
[Reboot]



The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here along with a new OTS scan log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Edited by JSntgRvr, 31 May 2009 - 05:55 PM.



#13 jescabrera (Topic Starter)

Posted 31 May 2009 - 06:31 PM

I think I messed something up. I followed your instructions but forgot to turn off McAfee. I aborted the fix and tried it again, this time with McAfee turned off. I got the attached report. Hopefully it did what was intended.

The scan log was too large to attach. Website indicates I only have a single upload size of 120.92kb.

Also, in the OTS window, under Paste Fix Here, I get the following after the scan:

"MaxScriptStatements" -> Reg Error: Invalid data type.
"Use My Stylesheet" -> Reg Error: Invalid data type.


I'm still getting the same problem... a redirect from Yahoo. Let me ask you this, does it make a difference if my yahoo home page address is as follows:

http://www.yahoo.com/?fr=fp-yie8

Instead of just http://www.yahoo.com.



Edited by jescabrera, 31 May 2009 - 09:03 PM.


#14 JSntgRvr (Malware Response Team)

Posted 31 May 2009 - 10:54 PM

I'm still getting the same problem... a redirect from Yahoo. Let me ask you this, does it make a difference if my yahoo home page address is as follows:

http://www.yahoo.com/?fr=fp-yie8

Instead of just http://www.yahoo.com.

That is due to a setting in IE8.

uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab


Step 1
  • Click to open Internet Explorer.
  • Click the Tools button, and then click Internet Options.
  • Click the General tab, and then click Accessibility.
  • Clear any checked boxes.
Step 2
  • Click the Advanced tab
  • Restore Advanced Settings.
  • Apply, then OK.
  • Restart Internet Explorer and test.
Reset your Start Page:

Open IE. Select Tools from the Menu, then Internet Options. Select The General Tab. Reset your Home page to http://www.Yahoo.com/

Download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Re-scan with OTS. Leave all settings at their defaults. If the log is too large, let me know; you can always divide the file in two and upload both.

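The HostsXpert steps above restore the stock Microsoft hosts file without looking at what the existing one contains. Before wiping a 267-line hosts file like the one in the OTS scan, a defender would want to know which lines are ordinary blocklist entries (a domain pointed at a loopback or blackhole address) and which quietly point a search-engine or security-vendor domain somewhere else, the pattern behind a search redirect. The following Python script is an added example, not part of the thread and not HostsXpert's code: it parses hosts-file text and sorts each entry into that classification. The sample hosts text, the watched-domain list and the sinkhole address set are constructed for the example.

```python
"""Audit a Windows-style hosts file for search-engine hijack entries.

Added example: not code from the forum thread or from HostsXpert. The
sample hosts text below is constructed; the 198.51.100.x address in it is
documentation space, not a real redirect target.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains whose redirection is treated as a hijack indicator. Constructed
# list; extend it with whatever matters in your own environment.
WATCHED_DOMAINS = {
    "www.google.com", "google.com", "www.yahoo.com", "yahoo.com",
    "search.yahoo.com", "www.bing.com", "mcafee.com", "www.mcafee.com",
    "update.microsoft.com", "windowsupdate.microsoft.com",
}

# Addresses a blocklist-style hosts file legitimately uses as sinkholes.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# The stock Microsoft hosts file reduces to this single active mapping.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (line_no, address, hostname) tuple per active mapping.

    Comments (#...) and blank lines are skipped; a line may list several
    hostnames after one address. Lines whose first field is not an IP
    address are ignored so a malformed line cannot abort the audit.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # first field is not an address; skip the line
        for name in names:
            entries.append((line_no, addr, name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify each entry as default, blocklist, hijack or other.

    default  : the localhost mapping the stock file carries
    blocklist: any name mapped to a sinkhole address (benign ad/malware block)
    hijack   : a watched domain mapped to a non-sinkhole address
    other    : remaining custom mappings the machine's owner should recognise
    """
    report: Dict[str, List[Entry]] = {
        "default": [], "blocklist": [], "hijack": [], "other": []}
    for entry in parse_hosts(text):
        _, addr, name = entry
        if name == "localhost" and addr in SINKHOLES:
            report["default"].append(entry)
        elif addr in SINKHOLES:
            report["blocklist"].append(entry)
        elif name in WATCHED_DOMAINS:
            report["hijack"].append(entry)
        else:
            report["other"].append(entry)
    return report


# Constructed sample: a blocklist-style file with two injected redirect lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # typical blocklist entry
0.0.0.0         www.badsite.example
198.51.100.7    www.yahoo.com           # injected redirect
198.51.100.7    www.google.com search.yahoo.com
10.0.0.5        intranet.corp.example   # legitimate custom mapping
not-an-address  www.bing.com
"""

if __name__ == "__main__":
    for category, items in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{category}: {len(items)}")
        for line_no, addr, name in items:
            print(f"  line {line_no}: {addr} -> {name}")
```

On a real machine, read the file at %SystemRoot%\System32\drivers\etc\hosts into `audit_hosts`; an empty `hijack` list together with a long `blocklist` list is what a Spybot-style protective hosts file looks like, while any `hijack` entry is worth keeping as evidence before the stock file is restored.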


#15 jescabrera (Topic Starter)

Posted 01 June 2009 - 05:11 PM

I get a warning that says, "Your Hosts file is marked as a 'System File' and cannot be manipulated. Press O.K. to remove the system file attribute, cancel to quit."

Should I press O.K?

The Yahoo website re-naming thing worked...thanks!

Edited by jescabrera, 01 June 2009 - 06:44 PM.

