Being redirected to ads when clicking Google results


This topic is locked
22 replies to this topic

#1 elf.i.am (Members, 37 posts)

Posted 24 August 2009 - 09:24 PM

Hi,

When I'm searching on Google (in Firefox 3), and I click on the results, one of the following happens:
a] I am simply redirected to some ad site
b] I am redirected to a page (with url something like 'http://IP ADDRESS REDACTED/rs/v?phpses=c4afe9d304191fd7b11a35752000723fd3c09de25560676ae6d4a4f903985c72f32800a5516b8c5632bd6a76d0e2d64c') that says 'Found the document has moved here' with "here" being a link to an ad.
c] I see a popup message saying "This web page is being redirected to a new location. Would you like to resend the form data you have typed to the new location?" then I am redirected to an ad.

I have observed that the above happens most of the time (but not all of the time, a few times I don't see the problem) and that going back to the Google results page and clicking the results again takes me to the real result.

I have received help at the "Am I Infected?" forum (http://www.bleepingcomputer.com/forums/t/250950/being-redirected-to-ads-when-clicking-google-results/) where I was referred to this forum since my RootRepeal scan shows a rootkit.

I am running XP SP2.
I have Avira AntiVir Personal, COMODO Firewall, and ThreatFire currently active.
I also have SuperAntiSpyware, RootRepeal, Malwarebytes' Anti-Malware, and HijackThis (HJT downloaded when dealing with a previous problem - I have not run it with regards to the current problem).


RootRepeal log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/08/24 19:53
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED150000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\ESQULkglsenmdxjxtxpymkdhbyoitniqynhkg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ESQULpqmvcwnfnujyrknqxhprcwgtyikkyxxp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ESQULzxspectrum
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\ESQULvxfaorobopupqcklvjjbdexyenldimyv.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\chikisaw\Local Settings\Apps\2.0\YO2H9XKA.E3A\0OXPMY5D.9QR\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\chikisaw\Local Settings\Apps\2.0\YO2H9XKA.E3A\0OXPMY5D.9QR\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xee4ecf42

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULkglsenmdxjxtxpymkdhbyoitniqynhkg.dll]
Process: svchost.exe (PID: 984)	Address: 0x00770000	Size: 32768

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULvxfaorobopupqcklvjjbdexyenldimyv.sys

Shadow SSDT
-------------------
#: 465	Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xee4f0258

==EOF==

And DDS log:
DDS (Ver_09-07-30.01) - NTFSx86  
Run by chikisaw at 21:58:46.84 on Mon 08/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.510.152 [GMT -4:00]

AV: ThreatFire *On-access scanning enabled* (Updated)   {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: AntiVir Desktop *On-access scanning enabled* (Updated)   {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled*   {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Documents and Settings\chikisaw\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - 
EB: {2BC9C452-BB57-4896-A9A2-64611E06C9AA} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\chikisaw\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ask and Record FLV Service] "c:\program files\ask & record toolbar\FLVSrvc.exe" /run
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chikisaw\applic~1\mozilla\firefox\profiles\9qc8vaju.default\
FF - plugin: c:\documents and settings\chikisaw\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32(2).dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota",	  5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",	 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",	true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",	 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",	   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",	true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history",				 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata",				true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords",			   false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads",			   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies",				 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache",				   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions",				true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",			 false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",			false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",	false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-6-17 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-6-17 46864]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-31 11608]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-6-17 132640]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-6-17 24096]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2008-8-22 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-31 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-31 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-31 55656]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-6-17 692496]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-6-17 33552]
R3 VirtDiskBus;Virtual disk Enumerator;c:\windows\system32\drivers\VirtDiskBus.sys [2008-11-2 56320]
S2 gupdate1c98e38a42ac58c;Google Update Service (gupdate1c98e38a42ac58c);c:\program files\google\update\GoogleUpdate.exe [2009-2-13 133104]
S3 BazisVirtualCD;Virtual CD driver;c:\windows\system32\drivers\BazisVirtualCD.sys [2008-11-2 62464]
S3 CrystalSysInfo;CrystalSysInfo;d:\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2008-8-22 17792]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-13 7408]

=============== Created Last 30 ================

2009-08-24 08:27	<DIR>	--d-----	c:\windows\system32\XPSViewer
2009-08-23 23:01	<DIR>	--d-----	c:\program files\common files\Wise Installation Wizard
2009-08-23 02:30	<DIR>	--d-----	c:\windows\ServicePackFiles
2009-08-23 01:13	<DIR>	--d-----	c:\program files\Rocker
2009-08-23 00:26	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\3DVIA
2009-08-23 00:26	<DIR>	--d-----	c:\program files\Virtools
2009-08-22 22:42	128,512	--------	c:\windows\system32\dllcache\dhtmled.ocx
2009-08-22 22:35	655,872	--------	c:\windows\system32\dllcache\mstscax.dll
2009-08-22 14:02	<DIR>	--d-----	c:\docume~1\chikisaw\applic~1\Malwarebytes
2009-08-21 20:12	38,160	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 20:12	19,096	a-------	c:\windows\system32\drivers\mbam.sys
2009-08-21 20:12	<DIR>	--d-----	c:\program files\Malwarebytes' Anti-Malware
2009-08-21 20:12	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-19 13:48	<DIR>	--d-----	c:\program files\verizon
2009-08-05 05:11	204,800	--------	c:\windows\system32\dllcache\mswebdvd.dll
2009-07-26 00:23	<DIR>	--d-----	c:\program files\LimeWire

==================== Find3M  ====================

2009-08-05 09:13	55,656	a-------	c:\windows\system32\drivers\avgntflt.sys
2009-08-05 05:11	204,800	a-------	c:\windows\system32\mswebdvd.dll
2009-07-19 09:33	3,597,824	a-------	c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32	6,067,200	a-------	c:\windows\system32\dllcache\ieframe.dll
2009-07-17 14:55	58,880	a-------	c:\windows\system32\atl.dll
2009-07-17 14:55	58,880	--------	c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43	10,841,088	a-------	c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43	286,208	a-------	c:\windows\system32\wmpdxm.dll
2009-07-13 23:43	286,208	a-------	c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:42	1,315,328	--------	c:\windows\system32\dllcache\msoe.dll
2009-06-29 07:07	13,824	a-------	c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07	70,656	a-------	c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35	634,632	a-------	c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33	2,452,872	--------	c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33	161,792	a-------	c:\windows\system32\dllcache\ieakui.dll
2009-06-16 10:55	119,808	a-------	c:\windows\system32\t2embed.dll
2009-06-16 10:55	82,432	a-------	c:\windows\system32\fontsub.dll
2009-06-16 10:55	119,808	--------	c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:55	82,432	--------	c:\windows\system32\dllcache\fontsub.dll
2009-06-12 07:50	76,288	a-------	c:\windows\system32\telnet.exe
2009-06-12 07:50	76,288	--------	c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:21	84,992	a-------	c:\windows\system32\avifil32.dll
2009-06-10 10:21	84,992	--------	c:\windows\system32\dllcache\avifil32.dll
2009-06-10 02:32	132,096	a-------	c:\windows\system32\wkssvc.dll
2009-06-10 02:32	132,096	--------	c:\windows\system32\dllcache\wkssvc.dll
2009-06-08 15:33	8,676,883	a-------	c:\windows\system32\mp3Media2.dll
2009-06-05 03:42	655,872	a-------	c:\windows\system32\mstscax.dll
2009-06-03 15:27	1,290,752	a-------	c:\windows\system32\quartz.dll
2009-06-03 15:27	1,290,752	--------	c:\windows\system32\dllcache\quartz.dll
2009-03-21 01:29	87,608	a-------	c:\docume~1\chikisaw\applic~1\inst.exe
2009-03-21 01:29	47,360	a-------	c:\docume~1\chikisaw\applic~1\pcouffin.sys
2007-12-04 06:03	454,656	a-------	c:\program files\putty.exe
2007-11-03 10:47	17,128,234	a-------	c:\program files\klmcodec353.exe
2007-10-26 05:52	520,192	a-------	c:\program files\WinDjView-0.5.exe
2006-09-26 15:18	2,625,265	ac------	c:\program files\openofficeorg4.cab
2006-09-26 15:17	56,053,978	ac------	c:\program files\openofficeorg3.cab
2006-09-26 15:11	15,305,884	a-------	c:\program files\openofficeorg2.cab
2006-09-26 15:11	17,831,342	ac------	c:\program files\openofficeorg1.cab
2002-03-11 04:06	1,822,520	a-------	c:\program files\instmsiw.exe
2002-03-11 03:45	1,708,856	a-------	c:\program files\instmsia.exe
2007-09-03 07:50	56	---shr--	c:\windows\system32\76DB98AB77.sys
2007-05-22 17:08	88	---shr--	c:\windows\system32\77AB98DB76.sys
2007-09-03 07:50	5,122	a--sh---	c:\windows\system32\KGyGaAvL.sys

============= FINISH: 21:59:44.42 ===============


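The RootRepeal log in the post above mixes three very different findings: an MBR verdict, files that are invisible to the Windows API, and files that are merely locked (hiberfil.sys and the ClickOnce manifests, which are expected to show that way). The parser below is an added example, not code from the post, from RootRepeal or from BleepingComputer. It reads the report format shown above (sections underlined with dashes, `Key: value` entries, several fields per line separated by tabs) and sorts the hidden-file, hidden-service and hidden-module entries from the benign locked ones, then correlates the hidden service's image path with the hidden-file list and extracts the name stem the randomly named files share. `SAMPLE_LOG` is constructed for this example and modelled on the posted log; its file names are illustrative, not evidence.

```python
"""Triage a RootRepeal report: separate findings that need action from expected noise.

Added example, not code from the post or from RootRepeal. SAMPLE_LOG is constructed
for this example and modelled on the posted log; its file names are illustrative.
"""
import os
import re
from collections import defaultdict

SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009

Hidden/Locked Files
-------------------
Path: Volume C:\\
Status: MBR Rootkit Detected!

Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\ESQULabcdefghijklmnop.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\ESQULqrstuvwxyzabcdef.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\ESQULghijklmnopqrstuv.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULabcdefghijklmnop.dll]
Process: svchost.exe (PID: 984)\tAddress: 0x00770000\tSize: 32768

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\ESQULghijklmnopqrstuv.sys
==EOF==
"""

SECTION_UNDERLINE = re.compile(r"^-{5,}$")
MODULE_NAME = re.compile(r"\[Name: (.+?)\]")


def parse_rootrepeal(text):
    """Return {section: [entry, ...]}; each entry maps 'Key' -> 'value'."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    sections, section, entry = defaultdict(list), None, {}

    def flush():
        nonlocal entry
        if entry and section is not None:
            sections[section].append(entry)
        entry = {}

    for idx, line in enumerate(lines):
        if SECTION_UNDERLINE.match(line):
            continue  # the underline itself carries no data
        if idx + 1 < len(lines) and SECTION_UNDERLINE.match(lines[idx + 1]):
            flush()
            section = line.strip()  # a line followed by dashes names a section
            continue
        if not line or line.startswith("=="):
            flush()  # a blank line ends an entry; ==EOF== ends the report
            continue
        if section is None:
            continue  # scan header before the first section
        for field in line.split("\t"):  # e.g. "Process: x\tAddress: y\tSize: z"
            key, sep, value = field.strip().partition(": ")
            if sep:
                entry[key] = value.strip()
    flush()
    return dict(sections)


def triage(sections):
    """Sort the findings a responder acts on from the ones that are expected."""
    r = {"mbr": [], "hidden_files": [], "locked_files": [], "hidden_modules": [],
         "services_on_hidden_files": [], "name_prefix": ""}
    for e in sections.get("Hidden/Locked Files", []):
        status, path = e.get("Status", ""), e.get("Path", "")
        if status == "MBR Rootkit Detected!":
            r["mbr"].append(path)
        elif status == "Invisible to the Windows API!":
            r["hidden_files"].append(path)  # on disk but filtered from listings: act on these
        elif status == "Locked to the Windows API!":
            r["locked_files"].append(path)  # visible but held open (hiberfil.sys, pagefile): context only
    for e in sections.get("Stealth Objects", []):
        m = MODULE_NAME.search(e.get("Object", ""))
        r["hidden_modules"].append((m.group(1) if m else e.get("Object", ""), e.get("Process", "")))
    hidden_paths = {p.lower() for p in r["hidden_files"]}
    for e in sections.get("Hidden Services", []):
        svc = (e.get("Service Name", ""), e.get("Image Path", ""))
        if svc[1].lower() in hidden_paths:  # hidden service whose driver is itself a hidden file
            r["services_on_hidden_files"].append(svc)
    names = [p.replace("\\", "/").rsplit("/", 1)[-1] for p in r["hidden_files"]]
    prefix = os.path.commonprefix(names) if len(names) > 1 else ""
    r["name_prefix"] = prefix if len(prefix) >= 3 else ""  # shared stem of the random names
    return r


if __name__ == "__main__":
    for key, value in triage(parse_rootrepeal(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against a real report, the `services_on_hidden_files` entry is the one to chase first: a service that the service control manager does not list, whose driver file is itself filtered from directory listings, is kernel-mode persistence and explains why user-mode scanners see nothing. The `name_prefix` is only a heuristic for grouping files that belong together; a prefix shorter than three characters is discarded because it would match unrelated files.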

#2 thcbytes (Malware Response Team, 14,790 posts)

Posted 07 September 2009 - 06:14 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 elf.i.am (Topic Starter, Members, 37 posts)

Posted 07 September 2009 - 10:49 PM

The problem has not changed since I last posted in this thread.


Here is the new DDS log ("Attach" is also attached)
DDS (Ver_09-07-30.01) - NTFSx86  
Run by chikisaw at 23:43:12.92 on Mon 09/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.510.293 [GMT -4:00]

AV: ThreatFire *On-access scanning disabled* (Updated)   {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: AntiVir Desktop *On-access scanning disabled* (Updated)   {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *disabled*   {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\chikisaw\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - 
EB: {2BC9C452-BB57-4896-A9A2-64611E06C9AA} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\chikisaw\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ask and Record FLV Service] "c:\program files\ask & record toolbar\FLVSrvc.exe" /run
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chikisaw\applic~1\mozilla\firefox\profiles\9qc8vaju.default\
FF - plugin: c:\documents and settings\chikisaw\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32(2).dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota",	  5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",	 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",	true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",	 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",	   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",	true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history",				 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata",				true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords",			   false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads",			   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies",				 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache",				   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions",				true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",			 false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",			false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",	false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-6-17 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-6-17 46864]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-31 11608]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-6-17 132640]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-6-17 24096]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2008-8-22 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-31 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-31 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-31 55656]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-6-17 692496]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-6-17 33552]
R3 VirtDiskBus;Virtual disk Enumerator;c:\windows\system32\drivers\VirtDiskBus.sys [2008-11-2 56320]
S2 gupdate1c98e38a42ac58c;Google Update Service (gupdate1c98e38a42ac58c);c:\program files\google\update\GoogleUpdate.exe [2009-2-13 133104]
S3 BazisVirtualCD;Virtual CD driver;c:\windows\system32\drivers\BazisVirtualCD.sys [2008-11-2 62464]
S3 CrystalSysInfo;CrystalSysInfo;d:\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2008-8-22 17792]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-13 7408]

=============== Created Last 30 ================

2009-09-07 00:26	<DIR>	--d-----	c:\program files\common files\Merge Modules
2009-08-30 20:23	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-30 20:21	<DIR>	--d-----	c:\program files\Bonjour
2009-08-30 20:16	2,060,288	a-------	c:\windows\system32\usbaaplrc.dll
2009-08-24 16:43	1,089,601	--------	c:\windows\system32\dllcache\ntprint.cat
2009-08-24 08:27	<DIR>	--d-----	c:\windows\system32\XPSViewer
2009-08-23 23:01	<DIR>	--d-----	c:\program files\common files\Wise Installation Wizard
2009-08-23 02:30	<DIR>	--d-----	c:\windows\ServicePackFiles
2009-08-23 01:13	<DIR>	--d-----	c:\program files\Rocker
2009-08-23 00:26	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\3DVIA
2009-08-23 00:26	<DIR>	--d-----	c:\program files\Virtools
2009-08-22 22:42	128,512	--------	c:\windows\system32\dllcache\dhtmled.ocx
2009-08-22 22:35	655,872	--------	c:\windows\system32\dllcache\mstscax.dll
2009-08-22 14:02	<DIR>	--d-----	c:\docume~1\chikisaw\applic~1\Malwarebytes
2009-08-21 20:12	38,160	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 20:12	19,096	a-------	c:\windows\system32\drivers\mbam.sys
2009-08-21 20:12	<DIR>	--d-----	c:\program files\Malwarebytes' Anti-Malware
2009-08-21 20:12	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-19 13:48	<DIR>	--d-----	c:\program files\verizon

==================== Find3M  ====================

2009-08-05 09:13	55,656	a-------	c:\windows\system32\drivers\avgntflt.sys
2009-08-05 05:11	204,800	a-------	c:\windows\system32\mswebdvd.dll
2009-08-05 05:11	204,800	--------	c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 09:33	3,597,824	a-------	c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32	6,067,200	a-------	c:\windows\system32\dllcache\ieframe.dll
2009-07-17 14:55	58,880	a-------	c:\windows\system32\atl.dll
2009-07-17 14:55	58,880	--------	c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43	10,841,088	a-------	c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43	286,208	a-------	c:\windows\system32\wmpdxm.dll
2009-07-13 23:43	286,208	a-------	c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:42	1,315,328	--------	c:\windows\system32\dllcache\msoe.dll
2009-06-29 07:07	13,824	a-------	c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07	70,656	a-------	c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35	634,632	a-------	c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33	2,452,872	--------	c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33	161,792	a-------	c:\windows\system32\dllcache\ieakui.dll
2009-06-16 10:55	119,808	a-------	c:\windows\system32\t2embed.dll
2009-06-16 10:55	82,432	a-------	c:\windows\system32\fontsub.dll
2009-06-16 10:55	119,808	--------	c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:55	82,432	--------	c:\windows\system32\dllcache\fontsub.dll
2009-06-12 07:50	76,288	a-------	c:\windows\system32\telnet.exe
2009-06-12 07:50	76,288	--------	c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:21	84,992	a-------	c:\windows\system32\avifil32.dll
2009-06-10 10:21	84,992	--------	c:\windows\system32\dllcache\avifil32.dll
2009-06-10 02:32	132,096	a-------	c:\windows\system32\wkssvc.dll
2009-06-10 02:32	132,096	--------	c:\windows\system32\dllcache\wkssvc.dll
2009-03-21 01:29	87,608	a-------	c:\docume~1\chikisaw\applic~1\inst.exe
2009-03-21 01:29	47,360	a-------	c:\docume~1\chikisaw\applic~1\pcouffin.sys
2007-12-04 06:03	454,656	a-------	c:\program files\putty.exe
2007-11-03 10:47	17,128,234	a-------	c:\program files\klmcodec353.exe
2007-10-26 05:52	520,192	a-------	c:\program files\WinDjView-0.5.exe
2006-09-26 15:18	2,625,265	ac------	c:\program files\openofficeorg4.cab
2006-09-26 15:17	56,053,978	ac------	c:\program files\openofficeorg3.cab
2006-09-26 15:11	15,305,884	a-------	c:\program files\openofficeorg2.cab
2006-09-26 15:11	17,831,342	ac------	c:\program files\openofficeorg1.cab
2002-03-11 04:06	1,822,520	a-------	c:\program files\instmsiw.exe
2002-03-11 03:45	1,708,856	a-------	c:\program files\instmsia.exe
2007-09-03 07:50	56	---shr--	c:\windows\system32\76DB98AB77.sys
2007-05-22 17:08	88	---shr--	c:\windows\system32\77AB98DB76.sys
2007-09-03 07:50	5,122	a--sh---	c:\windows\system32\KGyGaAvL.sys

============= FINISH: 23:44:29.04 ===============

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:06:36 AM

Posted 10 September 2009 - 05:53 PM

Hello.

Sorry for the delay.

Run RootRepeal and Malwarebytes for me please and let's see what may still be left. Then take a new DDS run and post back with both the DDS.txt and Attach.txt logs as well.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now press the Scan button.
  • A box will pop up; check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours, please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to donate.
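
The RootRepeal step above produces a RepealScan text report, and the first job on receiving one is to separate what needs follow-up (an MBR-level hit, files the Windows API says do not exist, a hidden service) from noise a healthy XP box shows anyway (the hibernation file locked, the security suite's own kernel hooks). The script below is an added example for this thread, not RootRepeal's code and not from any poster here. It parses a report in the layout RootRepeal saves (section names followed by a row of dashes, blank-line-separated records of `Key: value` pairs, several pairs per line separated by tabs) and buckets the findings. The embedded sample report, the placeholder object names (`ABCD…`), the `EXPECTED_LOCKED` patterns and the `KNOWN_HOOKERS` set are assumptions of the example; the hooker set in particular must be filled in from what is actually installed on the machine being examined.

```python
import re

# Constructed sample in the layout RootRepeal writes when you click Save Report
# (compare the RepealScan log later in this thread); object names are placeholders.
SAMPLE_REPORT = """Hidden/Locked Files
-------------------
Path: Volume C:\\
Status: MBR Rootkit Detected!

Path: Volume C:\\, Sector 62
Status: Sector mismatch

Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\ABCDhiddenmodule.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\ABCDhiddendriver.sys
Status: Invisible to the Windows API!

Hidden Services
-------------------
Service Name: ABCDserv.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\ABCDhiddendriver.sys

Shadow SSDT
-------------------
#: 013\tFunction Name: NtGdiBitBlt
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xeecce258

#: 549\tFunction Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\unknownhook.sys" at address 0xeecce9da

==EOF==
"""

# Assumptions of this example: locks a healthy XP box shows anyway (hibernation
# file, pagefile, ClickOnce manifests) and the security drivers whose kernel hooks
# are legitimate here. cmdguard.sys is COMODO's driver, the one hooking in this
# thread; add the box's other HIPS/AV drivers before trusting the output.
EXPECTED_LOCKED = (r"^c:\\(hiberfil|pagefile)\.sys$", r"\\apps\\2\.0\\.*\\manifests\\")
KNOWN_HOOKERS = {"cmdguard.sys"}
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-f]+)', re.I)


def parse_report(text):
    """Return {section: [record, ...]}: a section name is the line right before a
    row of dashes, a record is one blank-line-delimited block of 'Key: value' pairs."""
    sections, section, record = {}, None, {}
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if not line:                      # blank line closes the current record
            if record and section:
                sections.setdefault(section, []).append(record)
            record = {}
        elif re.fullmatch(r"-{3,}", nxt):  # this line names the next section
            section = line
        elif section and not re.fullmatch(r"[-=]{3,}|==EOF==", line):
            for field in raw.split("\t"):  # several pairs may share one line
                if ": " in field:
                    key, val = field.split(": ", 1)
                    record[key.strip()] = val.strip()
    if record and section:
        sections.setdefault(section, []).append(record)
    return sections


def classify(sections):
    """Bucket findings: critical = boot-sector tampering, high = objects the Windows
    API denies exist, medium = locks/hooks nobody can account for, info = noise."""
    out = {"critical": [], "high": [], "medium": [], "info": []}
    for rec in sections.get("Hidden/Locked Files", []):
        path, status = rec.get("Path", ""), rec.get("Status", "")
        if status.startswith("MBR Rootkit") or status == "Sector mismatch":
            out["critical"].append(f"{path}: {status}")
        elif status.startswith("Invisible"):
            out["high"].append(f"hidden file {path}")
        elif status.startswith("Locked") and any(re.search(p, path.lower()) for p in EXPECTED_LOCKED):
            out["info"].append(f"expected lock {path}")
        else:
            out["medium"].append(f"{path}: {status}")
    for rec in sections.get("Hidden Services", []):
        out["high"].append(f"hidden service {rec.get('Service Name')} -> {rec.get('Image Path')}")
    for sec in ("SSDT", "Shadow SSDT"):
        for rec in sections.get(sec, []):
            m = HOOK_RE.search(rec.get("Status", ""))
            if m:
                hooker = m.group(1).rsplit("\\", 1)[-1].lower()
                bucket = "info" if hooker in KNOWN_HOOKERS else "medium"
                out[bucket].append(f"{sec} {rec.get('Function Name')} hooked by {hooker}")
    return out


if __name__ == "__main__":
    for level, items in classify(parse_report(SAMPLE_REPORT)).items():
        print(level.upper(), *items, sep="\n  ")
```

Run stand-alone it triages the embedded sample; to use it on a real report, read the saved RepealScan text file and pass it to `parse_report`. A `critical` or `high` bucket that is not empty after the scanners have run is the signal that an ordinary rescan will not settle things, which is what the hidden-object and MBR findings in the log later in this thread show.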

#5 elf.i.am

elf.i.am
  • Topic Starter

  • Members
  • 37 posts
  • Local time:06:36 AM

Posted 11 September 2009 - 11:37 PM

Hi, sorry for the late reply.
I have performed the three scans and the logs are included.
After doing all the scans, it looks like my search results are not being redirected anymore. I have to wait and see to be sure though.

For the record, I had to start Malwarebytes' Anti-Malware by changing its name to winlogon like in the first thread for this problem.

The RootRepeal log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/09/11 21:00
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED771000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\ESQULkglsenmdxjxtxpymkdhbyoitniqynhkg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ESQULpqmvcwnfnujyrknqxhprcwgtyikkyxxp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ESQULzxspectrum
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\ESQULvxfaorobopupqcklvjjbdexyenldimyv.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\chikisaw\Local Settings\Apps\2.0\YO2H9XKA.E3A\0OXPMY5D.9QR\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\chikisaw\Local Settings\Apps\2.0\YO2H9XKA.E3A\0OXPMY5D.9QR\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 10
Status: Sector mismatch

Path: Volume D:\, Sector 32
Status: Sector mismatch

Path: Volume D:\, Sector 57
Status: Sector mismatch

Path: Volume D:\, Sector 62
Status: Sector mismatch

SSDT
-------------------
#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccaf42

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULkglsenmdxjxtxpymkdhbyoitniqynhkg.dll]
Process: svchost.exe (PID: 984)	Address: 0x00770000	Size: 32768

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULvxfaorobopupqcklvjjbdexyenldimyv.sys

Shadow SSDT
-------------------
#: 013	Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeecce258

#: 122	Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeecce97c

#: 227	Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeecce38c

#: 233	Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeecce83c

#: 237	Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeecce4cc

#: 292	Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeecce600

#: 310	Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeecce0d8

#: 319	Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccd32a

#: 383	Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccdda8

#: 389	Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeecce73a

#: 414	Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccdb16

#: 416	Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccdc58

#: 460	Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccd7fa

#: 465	Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccd062

#: 475	Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccd4ac

#: 476	Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccd658

#: 491	Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccdef8

#: 502	Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccd9bc

#: 509	Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccdfee

#: 529	Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccd1d2

#: 549	Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeecce9da

#: 552	Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeeccec0e

==EOF==


MBAM log:
Malwarebytes' Anti-Malware 1.41
Database version: 2780
Windows 5.1.2600 Service Pack 2

9/11/2009 23:22:08
mbam-log-2009-09-11 (23-22-08).txt

Scan type: Quick Scan
Objects scanned: 130106
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ESQULserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS log:
DDS (Ver_09-07-30.01) - NTFSx86  
Run by chikisaw at  0:19:52.84 on Sat 09/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.510.179 [GMT -4:00]

AV: ThreatFire *On-access scanning disabled* (Updated)   {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: AntiVir Desktop *On-access scanning disabled* (Updated)   {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *disabled*   {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\chikisaw\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - 
EB: {2BC9C452-BB57-4896-A9A2-64611E06C9AA} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\chikisaw\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ask and Record FLV Service] "c:\program files\ask & record toolbar\FLVSrvc.exe" /run
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\winlogon.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chikisaw\applic~1\mozilla\firefox\profiles\9qc8vaju.default\
FF - plugin: c:\documents and settings\chikisaw\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32(2).dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota",	  5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",	 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",	true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",	 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",	   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",	true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history",				 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata",				true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords",			   false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads",			   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies",				 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache",				   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions",				true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",			 false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",			false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",	false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-6-17 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-6-17 46864]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-31 11608]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-6-17 132640]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-6-17 24096]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2008-8-22 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-31 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-31 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-31 55656]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-6-17 692496]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-6-17 33552]
R3 VirtDiskBus;Virtual disk Enumerator;c:\windows\system32\drivers\VirtDiskBus.sys [2008-11-2 56320]
S2 gupdate1c98e38a42ac58c;Google Update Service (gupdate1c98e38a42ac58c);c:\program files\google\update\GoogleUpdate.exe [2009-2-13 133104]
S3 BazisVirtualCD;Virtual CD driver;c:\windows\system32\drivers\BazisVirtualCD.sys [2008-11-2 62464]
S3 CrystalSysInfo;CrystalSysInfo;d:\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2008-8-22 17792]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-13 7408]

=============== Created Last 30 ================

2009-09-11 22:27	38,224	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-11 22:27	19,160	a-------	c:\windows\system32\drivers\mbam.sys
2009-09-11 22:27	<DIR>	--d-----	c:\program files\Malwarebytes' Anti-Malware
2009-09-08 16:46	153,088	--------	c:\windows\system32\dllcache\triedit.dll
2009-09-07 00:26	<DIR>	--d-----	c:\program files\common files\Merge Modules
2009-08-30 20:23	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-30 20:21	<DIR>	--d-----	c:\program files\Bonjour
2009-08-30 20:16	2,060,288	a-------	c:\windows\system32\usbaaplrc.dll
2009-08-24 16:43	1,089,601	--------	c:\windows\system32\dllcache\ntprint.cat
2009-08-24 08:27	<DIR>	--d-----	c:\windows\system32\XPSViewer
2009-08-23 23:01	<DIR>	--d-----	c:\program files\common files\Wise Installation Wizard
2009-08-23 02:30	<DIR>	--d-----	c:\windows\ServicePackFiles
2009-08-23 01:13	<DIR>	--d-----	c:\program files\Rocker
2009-08-23 00:26	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\3DVIA
2009-08-23 00:26	<DIR>	--d-----	c:\program files\Virtools
2009-08-22 22:42	128,512	--------	c:\windows\system32\dllcache\dhtmled.ocx
2009-08-22 22:35	655,872	--------	c:\windows\system32\dllcache\mstscax.dll
2009-08-22 14:02	<DIR>	--d-----	c:\docume~1\chikisaw\applic~1\Malwarebytes
2009-08-21 20:12	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-19 13:48	<DIR>	--d-----	c:\program files\verizon

==================== Find3M  ====================

2009-08-13 11:16	512,000	a-------	c:\windows\system32\dllcache\jscript.dll
2009-08-05 09:13	55,656	a-------	c:\windows\system32\drivers\avgntflt.sys
2009-08-05 05:11	204,800	a-------	c:\windows\system32\mswebdvd.dll
2009-08-05 05:11	204,800	--------	c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 21:23	10,240	a-------	c:\windows\system32\ESQULkglsenmdxjxtxpymkdhbyoitniqynhkg.dll
2009-08-04 21:23	72,192	a-------	c:\windows\system32\drivers\ESQULvxfaorobopupqcklvjjbdexyenldimyv.sys
2009-07-19 09:33	3,597,824	a-------	c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32	6,067,200	a-------	c:\windows\system32\dllcache\ieframe.dll
2009-07-17 14:55	58,880	a-------	c:\windows\system32\atl.dll
2009-07-17 14:55	58,880	--------	c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43	10,841,088	a-------	c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43	286,208	a-------	c:\windows\system32\wmpdxm.dll
2009-07-13 23:43	286,208	a-------	c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:42	1,315,328	--------	c:\windows\system32\dllcache\msoe.dll
2009-06-29 07:07	13,824	a-------	c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07	70,656	a-------	c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35	634,632	a-------	c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33	2,452,872	--------	c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33	161,792	a-------	c:\windows\system32\dllcache\ieakui.dll
2009-06-16 10:55	119,808	a-------	c:\windows\system32\t2embed.dll
2009-06-16 10:55	82,432	a-------	c:\windows\system32\fontsub.dll
2009-06-16 10:55	119,808	--------	c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:55	82,432	--------	c:\windows\system32\dllcache\fontsub.dll
2009-03-21 01:29	87,608	a-------	c:\docume~1\chikisaw\applic~1\inst.exe
2009-03-21 01:29	47,360	a-------	c:\docume~1\chikisaw\applic~1\pcouffin.sys
2007-12-04 06:03	454,656	a-------	c:\program files\putty.exe
2007-11-03 10:47	17,128,234	a-------	c:\program files\klmcodec353.exe
2007-10-26 05:52	520,192	a-------	c:\program files\WinDjView-0.5.exe
2006-09-26 15:18	2,625,265	ac------	c:\program files\openofficeorg4.cab
2006-09-26 15:17	56,053,978	ac------	c:\program files\openofficeorg3.cab
2006-09-26 15:11	15,305,884	a-------	c:\program files\openofficeorg2.cab
2006-09-26 15:11	17,831,342	ac------	c:\program files\openofficeorg1.cab
2002-03-11 04:06	1,822,520	a-------	c:\program files\instmsiw.exe
2002-03-11 03:45	1,708,856	a-------	c:\program files\instmsia.exe
2007-09-03 07:50	56	---shr--	c:\windows\system32\76DB98AB77.sys
2007-05-22 17:08	88	---shr--	c:\windows\system32\77AB98DB76.sys
2007-09-03 07:50	5,122	a--sh---	c:\windows\system32\KGyGaAvL.sys

============= FINISH:  0:20:57.43 ===============

Attached Files



#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 AM

Posted 12 September 2009 - 11:14 AM

Hello.

Unfortunately, you have a rootkit infection. One of them is a Master Boot Record infection and another one is related to one of the TDSSserv rootkits.

Regarding rootkits...

Rootkit Threat

Unfortunately, one or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

If you wish to continue, please follow the instructions below please...

We can remove the MBR rootkit using different tools including RootRepeal itself.

We are going to start with Combofix...

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Then, please run a scan with GMER followed by MBR.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.
    Posted Image
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Registry
    • Files
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

Download and Run MBR Rootkit Scan

Unfortunately, you have a Master Boot Record rootkit.
  • Please download MBR Rootkit Detector and save it on your C:\ directory.
  • Double click on mbr.exe to run it.
  • Select Run when you receive a Security Warning.
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe.
  • Copy and paste the contents of mbr.log on your next reply.
Let me know if there were any problems.

Post back with those logs in your next reply.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
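As an added example (not part of this thread, and not code from DDS, ComboFix or the BleepingComputer team): a small Python triage script that parses DDS-style "Created Last 30" / "Find3M" lines like the ones in the log above and applies two defender-side heuristics. It flags random-looking file names under system32, the pattern of the two ESQUL* entries in the DDS log that ComboFix later lists under "Other Deletions", and it marks hidden+system files under system32 for manual review only, since such entries are often legitimate copy-protection or licensing data and, as the note above says, rootkit-related output is prone to false positives. The sample input is six lines copied from the DDS log in this thread plus one constructed control line; the length and consonant-run thresholds are assumptions chosen for illustration, not a signature.

```python
"""Triage helper for DDS-style "Created Last 30" / "Find3M" log lines.

Added example: not part of this thread and not code from DDS or ComboFix.
Each DDS file entry is one tab-separated line:
    date time <TAB> size <TAB> attribute flags <TAB> path
The attribute field is a fixed-width string of flag letters as seen in the
log (a=archive, c=compressed, d=directory, s=system, h=hidden, r=read-only);
a '-' means that flag is off.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: six lines copied from the DDS log posted in this thread plus
# one constructed control line (GoogleDesktopMozilla.dll placed in system32)
# whose name is long but legitimate-looking, so the heuristic should not fire.
SAMPLE_LOG = (
    "2009-09-11 22:27\t38,224\ta-------\tc:\\windows\\system32\\drivers\\mbamswissarmy.sys\n"
    "2009-09-11 22:27\t<DIR>\t--d-----\tc:\\program files\\Malwarebytes' Anti-Malware\n"
    "2009-08-04 21:23\t10,240\ta-------\tc:\\windows\\system32\\ESQULkglsenmdxjxtxpymkdhbyoitniqynhkg.dll\n"
    "2009-08-04 21:23\t72,192\ta-------\tc:\\windows\\system32\\drivers\\ESQULvxfaorobopupqcklvjjbdexyenldimyv.sys\n"
    "2007-09-03 07:50\t56\t---shr--\tc:\\windows\\system32\\76DB98AB77.sys\n"
    "2007-09-03 07:50\t5,122\ta--sh---\tc:\\windows\\system32\\KGyGaAvL.sys\n"
    "2008-08-21 00:56\t122,880\ta-------\tc:\\windows\\system32\\GoogleDesktopMozilla.dll\n"  # constructed
)


@dataclass
class Entry:
    timestamp: str
    size: Optional[int]  # None for <DIR> entries
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_dds_lines(text: str) -> List[Entry]:
    """Return the file entries found in DDS log text; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # section banner, blank line, or something else
        timestamp, size, attrs, path = parts
        size_val = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append(Entry(timestamp, size_val, attrs, path))
    return entries


VOWELS = set("aeiou")


def longest_consonant_run(stem: str) -> int:
    """Length of the longest run of consonant letters (y counts as a consonant)."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name: str, min_len: int = 20, min_run: int = 6) -> bool:
    """Heuristic with assumed thresholds: a long, letters-only stem containing
    an unpronounceable consonant run, like ESQULkglsenmdxjxtxpymkdhbyoitniqynhkg."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= min_len and stem.isalpha() and longest_consonant_run(stem) >= min_run


def in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries that deserve a closer look."""
    findings = []
    for e in entries:
        if "d" in e.attrs or not in_system32(e.path):
            continue  # directories and files outside system32 are out of scope here
        if looks_random(e.name):
            findings.append((e.path, "random-looking name under system32"))
        elif "s" in e.attrs and "h" in e.attrs:
            # Hidden+system files here are often licensing/copy-protection
            # data, so this is a review item, not a verdict.
            findings.append((e.path, "hidden+system file under system32 (review manually)"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_dds_lines(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

Run against the sample, the script reports the two ESQUL* files as random-looking names and the two hidden+system .sys files as review items, while mbamswissarmy.sys and the control line pass. The point of keeping the two reasons separate is the one extremeboy makes above: scanner output in this area needs a human decision per entry, and a heuristic match is a reason to look, not a reason to delete.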

#7 elf.i.am

elf.i.am
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:06:36 AM

Posted 12 September 2009 - 03:39 PM

Although I realize that rootkits have been found, I don't think it's absolutely necessary to wipe the drive clean, reformat and reinstall the OS.
I have done the three new scans. (The GMER log is over 1MB in size - I have uploaded it to Rapidshare - http://rapidshare.com/files/279208107/GMER_log_sep-12.log )

Update: The ad redirection is not occurring anymore and I was able to launch MBAM without renaming it 'winlogon.exe'

Is it ok if I remove ComboFix, GMER and MBR now?

ComboFix log:
ComboFix 09-09-11.05 - chikisaw 09/12/2009 15:22.2.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.510.236 [GMT -4:00]
Running from: c:\documents and settings\chikisaw\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ThreatFire *On-access scanning disabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\chikisaw\Application Data\inst.exe
c:\documents and settings\chikisaw\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware Free Edition.lnk
c:\windows\Installer\188086.msp
c:\windows\Installer\188087.msp
c:\windows\Installer\188088.msp
c:\windows\Installer\188089.msp
c:\windows\Installer\18808a.msp
c:\windows\Installer\18808b.msp
c:\windows\Installer\18808c.msp
c:\windows\Installer\18808d.msp
c:\windows\Installer\18808e.msp
c:\windows\Installer\3fcec3.msp
c:\windows\Installer\3fcec4.msp
c:\windows\Installer\3fcec5.msp
c:\windows\Installer\3fcec6.msp
c:\windows\Installer\3fcec7.msp
c:\windows\Installer\3fcec8.msp
c:\windows\Installer\3fcec9.msp
c:\windows\Installer\3fceca.msp
c:\windows\Installer\3fcecb.msp
c:\windows\Installer\3fcecc.msp
c:\windows\Installer\5db799.msi
c:\windows\Installer\71fcb9.msi
c:\windows\Installer\91f78.msi
c:\windows\ShellNew
c:\windows\ShellNew\Template.ahk
c:\windows\system32\drivers\ESQULvxfaorobopupqcklvjjbdexyenldimyv.sys
c:\windows\system32\ESQULkglsenmdxjxtxpymkdhbyoitniqynhkg.dll

.
(((((((((((((((((((((((((   Files Created from 2009-08-12 to 2009-09-12  )))))))))))))))))))))))))))))))
.

2009-09-12 02:27 . 2009-09-10 18:54	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-12 02:27 . 2009-09-12 18:55	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-09-12 02:27 . 2009-09-10 18:53	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-09-08 20:46 . 2009-06-21 22:04	153088	------w-	c:\windows\system32\dllcache\triedit.dll
2009-09-07 04:31 . 2009-09-07 04:31	--------	d-----w-	c:\documents and settings\chikisaw\Local Settings\Application Data\Microsoft Help
2009-09-07 04:27 . 2009-09-07 04:27	--------	d-----w-	c:\program files\Microsoft.NET
2009-09-07 04:26 . 2009-09-07 04:30	--------	d-----w-	c:\program files\Microsoft Visual Studio 9.0
2009-09-07 04:26 . 2009-09-07 04:28	--------	d-----w-	c:\program files\Common Files\Merge Modules
2009-09-07 04:26 . 2009-09-07 04:33	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-07 04:24 . 2009-09-07 04:24	--------	d-----w-	c:\program files\Microsoft SDKs
2009-08-31 00:23 . 2009-08-31 00:23	--------	d-----w-	c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-31 00:21 . 2009-08-31 00:21	--------	d-----w-	c:\program files\Bonjour
2009-08-31 00:20 . 2009-08-31 00:21	--------	d-----w-	c:\program files\QuickTime
2009-08-31 00:16 . 2009-07-09 16:16	2060288	----a-w-	c:\windows\system32\usbaaplrc.dll
2009-08-24 12:27 . 2009-08-24 12:27	--------	d-----w-	c:\windows\system32\XPSViewer
2009-08-24 12:27 . 2009-08-24 12:27	--------	d-----w-	c:\program files\MSBuild
2009-08-24 12:27 . 2009-08-24 12:27	--------	d-----w-	c:\program files\Reference Assemblies
2009-08-24 03:01 . 2009-08-24 03:01	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-08-23 06:30 . 2009-08-23 06:30	--------	d-----w-	c:\windows\ServicePackFiles
2009-08-23 05:13 . 2009-08-23 05:17	--------	d-----w-	c:\program files\Rocker
2009-08-23 04:26 . 2009-08-23 04:26	--------	d-----w-	c:\documents and settings\All Users\Application Data\3DVIA
2009-08-23 04:26 . 2009-08-23 04:26	--------	d-----w-	c:\program files\Virtools
2009-08-23 02:35 . 2009-06-05 07:42	655872	------w-	c:\windows\system32\dllcache\mstscax.dll
2009-08-22 18:02 . 2009-08-22 18:02	--------	d-----w-	c:\documents and settings\chikisaw\Application Data\Malwarebytes
2009-08-22 00:12 . 2009-08-22 00:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-19 17:48 . 2009-08-19 17:48	--------	d-----w-	c:\program files\verizon
2009-08-16 21:21 . 2009-08-16 21:21	--------	d-----w-	c:\documents and settings\EUL\Local Settings\Application Data\Temp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 19:01 . 2009-06-11 22:08	--------	d-----w-	c:\program files\Mozilla Firefox 3.5 Beta 4
2009-09-12 18:52 . 2006-12-29 05:28	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2009-09-12 00:53 . 2009-07-10 03:01	--------	d-----w-	c:\documents and settings\chikisaw\Application Data\vlc
2009-09-11 22:59 . 2008-10-06 01:48	--------	d-----w-	c:\program files\Mozilla Thunderbird
2009-09-11 01:30 . 2008-07-01 19:07	--------	d-----w-	c:\program files\Notepad++
2009-09-07 04:37 . 2006-09-24 20:19	29520	----a-w-	c:\documents and settings\chikisaw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-07 04:34 . 2007-09-18 20:45	--------	d-----w-	c:\program files\Microsoft SQL Server
2009-09-07 04:20 . 2008-08-09 22:49	--------	d-----w-	c:\documents and settings\chikisaw\Application Data\codeblocks
2009-09-06 19:25 . 2006-10-20 17:24	29520	-c--a-w-	c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-03 23:24 . 2007-04-21 21:45	664	----a-w-	c:\windows\system32\d3d9caps.dat
2009-08-31 04:25 . 2008-05-23 22:28	--------	d-----w-	c:\documents and settings\chikisaw\Application Data\Q-Dir
2009-08-31 00:23 . 2007-03-25 19:57	--------	d-----w-	c:\program files\iTunes
2009-08-31 00:23 . 2008-07-18 02:11	--------	d-----w-	c:\program files\iPod
2009-08-31 00:23 . 2007-07-01 19:59	--------	d-----w-	c:\program files\Common Files\Apple
2009-08-29 20:22 . 2007-05-02 00:16	--------	d-----w-	c:\documents and settings\chikisaw\Application Data\PLT Scheme
2009-08-25 00:50 . 2008-05-23 22:28	--------	d-----w-	c:\program files\Q-Dir
2009-08-24 12:12 . 2008-05-27 23:41	--------	d-----w-	c:\program files\SUPERAntiSpyware
2009-08-24 03:02 . 2008-05-28 21:52	--------	d-----w-	c:\documents and settings\chikisaw\Application Data\SUPERAntiSpyware.com
2009-08-12 19:39 . 2008-06-17 12:45	--------	d-----w-	c:\program files\ThreatFire
2009-08-05 13:13 . 2009-04-01 03:10	55656	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:11 . 2004-08-10 17:51	204800	----a-w-	c:\windows\system32\mswebdvd.dll
2009-08-04 11:44 . 2006-08-18 02:47	--------	d-----w-	c:\program files\Google
2009-08-01 03:16 . 2009-07-14 04:25	--------	d-----w-	c:\documents and settings\chikisaw\Application Data\XBMC
2009-07-29 21:53 . 2006-08-18 02:32	--------	d--h--w-	c:\program files\InstallShield Installation Information
2009-07-26 04:25 . 2009-07-26 04:23	--------	d-----w-	c:\program files\LimeWire
2009-07-24 20:54 . 2007-11-06 00:52	--------	d-----w-	c:\program files\Videora iPod classic Converter 3
2009-07-24 20:51 . 2009-07-24 20:51	--------	d-----w-	c:\documents and settings\All Users\Application Data\Amazon
2009-07-18 23:32 . 2008-06-16 21:44	--------	d-----w-	c:\documents and settings\chikisaw\Application Data\uTorrent
2009-07-17 18:55 . 2004-08-10 17:50	58880	----a-w-	c:\windows\system32\atl.dll
2009-07-15 02:37 . 2009-07-15 02:37	--------	d-----w-	c:\documents and settings\chikisaw\Application Data\Subversion
2009-07-14 03:43 . 2004-08-10 17:51	286208	----a-w-	c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2008-10-09 19:18	39424	----a-w-	c:\windows\system32\drivers\usbaapl.sys
2009-06-29 16:12 . 2004-08-10 17:51	827392	----a-w-	c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 17:51	78336	----a-w-	c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 17:50	17408	----a-w-	c:\windows\system32\corpol.dll
2009-06-19 20:37 . 2008-06-17 12:45	46864	----a-w-	c:\windows\system32\drivers\TfSysMon.sys
2009-06-19 20:37 . 2008-06-17 12:45	33552	----a-w-	c:\windows\system32\drivers\TfNetMon.sys
2009-06-19 20:37 . 2008-06-17 12:45	51984	----a-w-	c:\windows\system32\drivers\TfFsMon.sys
2009-06-16 14:55 . 2004-08-10 17:51	119808	----a-w-	c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51	82432	----a-w-	c:\windows\system32\fontsub.dll
2007-12-04 10:03 . 2007-12-04 10:03	454656	----a-w-	c:\program files\putty.exe
2007-11-03 14:47 . 2007-11-03 14:47	17128234	----a-w-	c:\program files\klmcodec353.exe
2007-10-26 09:52 . 2007-10-26 09:52	520192	----a-w-	c:\program files\WinDjView-0.5.exe
2006-09-26 19:18 . 2006-09-26 19:18	2625265	-c--a-w-	c:\program files\openofficeorg4.cab
2006-09-26 19:17 . 2006-09-26 19:17	56053978	-c--a-w-	c:\program files\openofficeorg3.cab
2006-09-26 19:11 . 2006-09-26 19:11	15305884	----a-w-	c:\program files\openofficeorg2.cab
2006-09-26 19:11 . 2006-09-26 19:11	17831342	-c--a-w-	c:\program files\openofficeorg1.cab
2002-03-11 08:06 . 2002-03-11 08:06	1822520	----a-w-	c:\program files\instmsiw.exe
2002-03-11 07:45 . 2002-03-11 07:45	1708856	----a-w-	c:\program files\instmsia.exe
2008-08-21 00:56 . 2007-06-06 04:20	122880	----a-w-	c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-04-07 06:59 . 2008-05-30 23:28	67696	----a-w-	c:\program files\mozilla firefox\components\jar50(2).dll
2008-04-07 06:59 . 2008-05-30 23:28	54376	----a-w-	c:\program files\mozilla firefox\components\jsd3250(2).dll
2008-04-07 06:59 . 2008-05-30 23:28	34952	----a-w-	c:\program files\mozilla firefox\components\myspell(2).dll
2008-04-07 06:59 . 2008-05-30 23:28	46720	----a-w-	c:\program files\mozilla firefox\components\spellchk(2).dll
2008-04-07 06:59 . 2008-05-30 23:28	172144	----a-w-	c:\program files\mozilla firefox\components\xpinstal(2).dll
2007-09-03 11:50 . 2006-10-15 01:27	56	--sh--r-	c:\windows\system32\76DB98AB77.sys
2007-05-22 21:08 . 2006-09-11 03:01	88	--sh--r-	c:\windows\system32\77AB98DB76.sys
2007-09-03 11:50 . 2006-09-11 03:01	5122	--sha-w-	c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"Google Update"="c:\documents and settings\chikisaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-06-19 259344]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-05-16 1794320]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-05-16 1794320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-17 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05	356352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^chikisaw^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\chikisaw\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kgsystray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealJukeboxSystray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XdriveTrayIcon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"McShield"=2 (0x2)
"MpfService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\chikisaw\\My Documents\\My Downloads\\Eclipse\\eclipse\\eclipse.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"d:\\chikisaw\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [6/17/2008 8:45 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [6/17/2008 8:45 46864]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [6/17/2008 9:34 132640]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/17/2008 9:34 24096]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [8/22/2008 22:44 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 16:06 74480]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [6/17/2008 8:45 33552]
R3 VirtDiskBus;Virtual disk Enumerator;c:\windows\system32\drivers\VirtDiskBus.sys [11/2/2008 9:11 56320]
S3 BazisVirtualCD;Virtual CD driver;c:\windows\system32\drivers\BazisVirtualCD.sys [11/2/2008 9:12 62464]
S3 CrystalSysInfo;CrystalSysInfo;d:\mediacoder\SysInfo.sys [9/25/2007 10:59 15152]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 15:55 39424]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [8/22/2008 22:44 17792]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 16:22 34064]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/13/2008 12:44 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 00:10]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 00:10]

2009-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3406903019-1477532870-3062942510-1007Core.job
- c:\documents and settings\chikisaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-15 07:43]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3406903019-1477532870-3062942510-1007UA.job
- c:\documents and settings\chikisaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-15 07:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
FF - ProfilePath - c:\documents and settings\chikisaw\Application Data\Mozilla\Firefox\Profiles\9qc8vaju.default\
FF - plugin: c:\documents and settings\chikisaw\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32(2).dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\winlogon.exe
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-12 15:44
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  


c:\documents and settings\chikisaw\Application Data\Mozilla\Firefox\Profiles\9qc8vaju.default\pluginreg.dat.bak 16993 bytes
c:\documents and settings\chikisaw\Application Data\Mozilla\Firefox\Profiles\9qc8vaju.default\prefs.js.BAK 51910 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll

- - - - - - - > 'lsass.exe'(816)
c:\windows\system32\guard32.dll
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2009-09-12 15:52
ComboFix-quarantined-files.txt  2009-09-12 19:51

Pre-Run: 1,945,313,280 bytes free
Post-Run: 2,074,497,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

300	--- E O F ---	2009-09-09 01:53

And the MBR log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


#8 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 12 September 2009 - 04:49 PM

Hello.

Is it ok if I remove ComboFix, GMER and MBR now?

No. Don't remove it unless I tell you to please...

Do the following please...

Fix MBR with RootRepeal

* Scan with RootRepeal again with the same settings like last time.
* Once the scan is complete, click the File tab.
* In the File tab, you should see an entry marked with "Volume C:\ MBR Rootkit Detected!"
* Right-Click on that entry and select Restore and Reboot Immediately
* RootRepeal shall now fix it and reboot your computer. This will all be done automatically.
* Let it reboot your computer back to normal mode.
* Repeat the steps again and this time right-click and select Restore and Reboot Immediately on the "Volume D:\ MBR Rootkit Detected!"


Therefore, in total your computer should have rebooted twice.

Run New Scan with RootRepeal
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Posted Image tab at the bottom.
  • Now press the Posted Image button.
  • A box will pop up, check the boxes beside All Seven options/scan area
    Posted Image
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button. Posted Image
  • Save it as RepealScan2 and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Run New scan with GMER
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Please click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply.

For your next reply I would like to see:
-RepealScan2 log
-GMER log
-Malwarebytes log
-DDS logs


Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 elf.i.am
  • Topic Starter
  • Members
  • 37 posts

Posted 12 September 2009 - 10:33 PM

I did not see any entries for MBR Rootkit in the 'Files' tab in RootRepeal. There were only five entries that were 'locked to the Windows API'.

RootRepeal log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/09/12 23:13
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP2
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\chikisaw\LOCALS~1\Temp\aujasnkj.sys
Address: 0xED63F000	Size: 84352	File Visible: No	Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\chikisaw\LOCALS~1\Temp\mbr.sys
Address: 0xEDB54000	Size: 11776	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDB80000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Program Files\Zune\ZuneLauncher.exe
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\ZuneBusEnum.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\chikisaw\Local Settings\Apps\2.0\YO2H9XKA.E3A\0OXPMY5D.9QR\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\chikisaw\Local Settings\Apps\2.0\YO2H9XKA.E3A\0OXPMY5D.9QR\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead2f42

Shadow SSDT
-------------------
#: 013	Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead6258

#: 122	Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead697c

#: 227	Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead638c

#: 233	Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead683c

#: 237	Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead64cc

#: 292	Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead6600

#: 310	Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead60d8

#: 319	Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead532a

#: 383	Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead5da8

#: 389	Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead673a

#: 414	Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead5b16

#: 416	Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead5c58

#: 460	Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead57fa

#: 465	Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead5062

#: 475	Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead54ac

#: 476	Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead5658

#: 491	Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead5ef8

#: 502	Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead59bc

#: 509	Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead5fee

#: 529	Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead51d2

#: 549	Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead69da

#: 552	Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xeead6c0e

==EOF==


#10 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 13 September 2009 - 08:37 AM

Hello.

Please continue with GMER and the running of Malwarebytes.

Post the logs once they are done.

Thanks.

~Extremeboy

#11 elf.i.am
  • Topic Starter
  • Members
  • 37 posts

Posted 14 September 2009 - 05:02 AM

Hi, here are the other two logs.

GMER log:
GMER 1.0.15.15077 [ct2g03qx.exe] - http://www.gmer.net
Rootkit scan 2009-09-13 18:12:37
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwAdjustPrivilegesToken [0xEEC7AF42]
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwConnectPort [0xEEC7A464]
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwCreateFile [0xEEC7AAFE]
SSDT			F8EB83BE																					ZwCreateKey
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwCreatePort [0xEEC7A142]
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwCreateSection [0xEEC7C1CA]
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwCreateSymbolicLinkObject [0xEEC7C4A2]
SSDT			F8EB83B4																					ZwCreateThread
SSDT			F8EB83C3																					ZwDeleteKey
SSDT			F8EB83CD																					ZwDeleteValueKey
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwDuplicateObject [0xEEC79A6A]
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwLoadDriver [0xEEC7BE4C]
SSDT			F8EB83D2																					ZwLoadKey
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwMakeTemporaryObject [0xEEC7A6E8]
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwOpenFile [0xEEC7AD36]
SSDT			TfSysMon.sys (ThreatFire System Monitor/PC Tools)										   ZwOpenKey [0xF880BF68]
SSDT			F8EB83A0																					ZwOpenProcess
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwOpenSection [0xEEC7A978]
SSDT			F8EB83A5																					ZwOpenThread
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwRenameKey [0xEEC7B884]
SSDT			F8EB83DC																					ZwReplaceKey
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwRequestWaitReplyPort [0xEEC7A260]
SSDT			F8EB83D7																					ZwRestoreKey
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwSecureConnectPort [0xEEC7BBE8]
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwSetSystemInformation [0xEEC7BFFA]
SSDT			F8EB83C8																					ZwSetValueKey
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwShutdownSystem [0xEEC7A682]
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwSystemDebugControl [0xEEC7A86C]
SSDT			F8EB83AF																					ZwTerminateProcess
SSDT			\SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)  ZwTerminateThread [0xEEC79EDA]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs																	  TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice  \Driver\Tcpip \Device\Ip																	cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice  \Driver\Tcpip \Device\Tcp																   cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice  \Driver\Tcpip \Device\Udp																   cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice  \Driver\Tcpip \Device\RawIp																 cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device		  A																						   mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device		  A																						   ED7F0C8A
Device		  A																						   ED80038A

AttachedDevice  A																						   fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  A																						   TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

---- EOF - GMER 1.0.15 ----

MBAM log:
Malwarebytes' Anti-Malware 1.41
Database version: 2794
Windows 5.1.2600 Service Pack 2

9/14/2009 4:16:47
mbam-log-2009-09-14 (04-16-47).txt

Scan type: Quick Scan
Objects scanned: 120588
Time elapsed: 21 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
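Added example, not code from the thread or from GMER: a small Python triage helper for the SSDT section of a GMER log like the one posted above. It separates hooks GMER attributes to a named driver (module, description and vendor in parentheses) from hooks where only a bare address is printed because GMER could not map it to a loaded module, and lists the hooks not explained by a set of vendors the analyst already knows are installed. The embedded log snippet is constructed from lines of the posted log; the `trusted_vendors` list is an assumption supplied by the analyst.

```python
"""Triage the SSDT section of a GMER log (added example; not GMER's code).

GMER prints one line per hooked System Service Descriptor Table entry.  When it
can map the hook address to a loaded driver the line carries the module path,
its description and vendor in parentheses; when it cannot, only the raw hook
address is printed in the owner column.  Both shapes appear in the posted log.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Owner column is everything up to the first run of two or more whitespace
# characters that is followed by the hooked function name.
SSDT_LINE = re.compile(
    r"^SSDT\s+(?P<owner>\S.*?)\s{2,}(?P<func>Zw\w+)"
    r"(?:\s+\[0x(?P<addr>[0-9A-Fa-f]+)\])?\s*$"
)
# "module (description/vendor)" as printed for a resolved hook.
ATTRIBUTED = re.compile(r"^(?P<module>.+?) \((?P<inner>[^)]*)\)$")
# A bare 32-bit hex address: GMER could not resolve the hook to a module.
BARE_ADDRESS = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed sample: a few lines copied from the posted GMER log, plus the
# surrounding section headers the parser must skip.
SAMPLE_GMER_LOG = (
    "---- System - GMER 1.0.15 ----\n"
    "\n"
    "SSDT\t\t\t\\SystemRoot\\System32\\DRIVERS\\cmdguard.sys "
    "(COMODO Internet Security Sandbox Driver/COMODO)  "
    "ZwAdjustPrivilegesToken [0xEEC7AF42]\n"
    "SSDT\t\t\tF8EB83BE\t\t\t\t\t\t\tZwCreateKey\n"
    "SSDT\t\t\tTfSysMon.sys (ThreatFire System Monitor/PC Tools)"
    "\t\t\t   ZwOpenKey [0xF880BF68]\n"
    "SSDT\t\t\tF8EB83A0\t\t\t\t\t\t\tZwOpenProcess\n"
    "SSDT\t\t\t\\SystemRoot\\System32\\DRIVERS\\cmdguard.sys "
    "(COMODO Internet Security Sandbox Driver/COMODO)  "
    "ZwLoadDriver [0xEEC7BE4C]\n"
    "\n"
    "---- Devices - GMER 1.0.15 ----\n"
)


@dataclass
class SsdtHook:
    function: str            # e.g. "ZwCreateKey"
    module: Optional[str]    # driver path/name, None when unresolved
    vendor: Optional[str]    # text after the last "/" in the parentheses
    address: Optional[int]   # hook address, from [0x...] or the bare owner
    raw_owner: str


def parse_ssdt_hooks(log_text: str) -> List[SsdtHook]:
    """Return the SSDT hook lines of a GMER log in file order."""
    hooks: List[SsdtHook] = []
    for line in log_text.splitlines():
        m = SSDT_LINE.match(line)
        if not m:
            continue  # headers, blank lines, Devices section, etc.
        owner = m.group("owner").strip()
        addr = int(m.group("addr"), 16) if m.group("addr") else None
        module = vendor = None
        att = ATTRIBUTED.match(owner)
        if att:
            module = att.group("module")
            # description and vendor are separated by the last "/"
            vendor = att.group("inner").rpartition("/")[2].strip()
        elif BARE_ADDRESS.match(owner):
            addr = int(owner, 16)
        hooks.append(SsdtHook(m.group("func"), module, vendor, addr, owner))
    return hooks


def triage(hooks: List[SsdtHook], trusted_vendors: List[str]) -> Dict[str, object]:
    """Group hooks by vendor and list those a defender still has to explain.

    A hook is "explained" when GMER attributes it to a driver from a vendor
    the analyst already knows is installed (the firewall and HIPS seen in the
    other logs).  Unresolved hooks are reported, not condemned: as the thread
    notes, rootkit scans produce false positives.
    """
    by_vendor: Dict[str, List[str]] = {}
    unexplained: List[str] = []
    for h in hooks:
        if h.vendor is None:
            unexplained.append(h.function)
            continue
        by_vendor.setdefault(h.vendor, []).append(h.function)
        if h.vendor not in trusted_vendors:
            unexplained.append(h.function)
    return {"by_vendor": by_vendor, "unexplained": unexplained}


if __name__ == "__main__":
    # Assumed trusted vendors: the products installed on the machine in the thread.
    result = triage(parse_ssdt_hooks(SAMPLE_GMER_LOG), ["COMODO", "PC Tools"])
    print("hooks by vendor:", result["by_vendor"])
    print("still to explain:", result["unexplained"])
```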


#12 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 September 2009 - 08:11 PM

Hello.

Run a scan with ESET...

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#13 elf.i.am
  • Topic Starter
  • Members
  • 37 posts

Posted 15 September 2009 - 11:25 PM

Hi,

When I run the ESET Online scan, the computer forces a shutdown at around 31%. It shows a blue screen saying "Windows has encountered a problem and needs to shut down to prevent damage".


The computer is actually running very well. I have not seen a single redirection or any other symptoms after the ComboFix scan.

Here is a new DDS log:
DDS (Ver_09-07-30.01) - NTFSx86  
Run by chikisaw at  0:15:55.76 on Wed 09/16/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.510.36 [GMT -4:00]

AV: ThreatFire *On-access scanning disabled* (Updated)   {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: AntiVir Desktop *On-access scanning disabled* (Updated)   {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *disabled*   {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe
C:\Documents and Settings\chikisaw\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - 
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\chikisaw\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chikisaw\applic~1\mozilla\firefox\profiles\9qc8vaju.default\
FF - plugin: c:\documents and settings\chikisaw\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\NPTURNMED.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota",	  5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",	 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",	true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",	 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",	   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",	true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history",				 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata",				true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords",			   false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads",			   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies",				 true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache",				   true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions",				true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",			 false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",			false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",	false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-6-17 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-6-17 46864]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-31 11608]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-6-17 132640]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-6-17 24096]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2008-8-22 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-31 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-31 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-31 55656]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-6-17 692496]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-6-17 33552]
R3 VirtDiskBus;Virtual disk Enumerator;c:\windows\system32\drivers\VirtDiskBus.sys [2008-11-2 56320]
S2 gupdate1c98e38a42ac58c;Google Update Service (gupdate1c98e38a42ac58c);c:\program files\google\update\GoogleUpdate.exe [2009-2-13 133104]
S3 BazisVirtualCD;Virtual CD driver;c:\windows\system32\drivers\BazisVirtualCD.sys [2008-11-2 62464]
S3 CrystalSysInfo;CrystalSysInfo;d:\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2008-8-22 17792]
S3 mbr;mbr;\??\c:\docume~1\chikisaw\locals~1\temp\mbr.sys --> c:\docume~1\chikisaw\locals~1\temp\mbr.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-13 7408]

=============== Created Last 30 ================

2009-09-14 22:28	<DIR>	--d-----	c:\program files\ESET
2009-09-12 15:19	<DIR>	a-dshr--	C:\cmdcons
2009-09-12 15:17	230,912	a-------	c:\windows\PEV.exe
2009-09-11 22:27	38,224	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-11 22:27	19,160	a-------	c:\windows\system32\drivers\mbam.sys
2009-09-11 22:27	<DIR>	--d-----	c:\program files\Malwarebytes' Anti-Malware
2009-09-08 16:46	153,088	--------	c:\windows\system32\dllcache\triedit.dll
2009-09-07 00:26	<DIR>	--d-----	c:\program files\common files\Merge Modules
2009-08-30 20:23	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-30 20:21	<DIR>	--d-----	c:\program files\Bonjour
2009-08-30 20:16	2,060,288	a-------	c:\windows\system32\usbaaplrc.dll
2009-08-24 16:43	1,089,601	--------	c:\windows\system32\dllcache\ntprint.cat
2009-08-24 08:27	<DIR>	--d-----	c:\windows\system32\XPSViewer
2009-08-23 23:01	<DIR>	--d-----	c:\program files\common files\Wise Installation Wizard
2009-08-23 02:30	<DIR>	--d-----	c:\windows\ServicePackFiles
2009-08-23 01:13	<DIR>	--d-----	c:\program files\Rocker
2009-08-23 00:26	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\3DVIA
2009-08-23 00:26	<DIR>	--d-----	c:\program files\Virtools
2009-08-22 22:42	128,512	--------	c:\windows\system32\dllcache\dhtmled.ocx
2009-08-22 22:35	655,872	--------	c:\windows\system32\dllcache\mstscax.dll
2009-08-22 14:02	<DIR>	--d-----	c:\docume~1\chikisaw\applic~1\Malwarebytes
2009-08-21 20:12	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-19 13:48	<DIR>	--d-----	c:\program files\verizon

==================== Find3M  ====================

2009-08-13 11:16	512,000	a-------	c:\windows\system32\dllcache\jscript.dll
2009-08-05 09:13	55,656	a-------	c:\windows\system32\drivers\avgntflt.sys
2009-08-05 05:11	204,800	a-------	c:\windows\system32\mswebdvd.dll
2009-08-05 05:11	204,800	--------	c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 09:33	3,597,824	a-------	c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32	6,067,200	a-------	c:\windows\system32\dllcache\ieframe.dll
2009-07-17 14:55	58,880	a-------	c:\windows\system32\atl.dll
2009-07-17 14:55	58,880	--------	c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43	10,841,088	a-------	c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43	286,208	a-------	c:\windows\system32\wmpdxm.dll
2009-07-13 23:43	286,208	a-------	c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:42	1,315,328	--------	c:\windows\system32\dllcache\msoe.dll
2009-06-29 07:07	13,824	a-------	c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07	70,656	a-------	c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35	634,632	a-------	c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33	2,452,872	--------	c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33	161,792	a-------	c:\windows\system32\dllcache\ieakui.dll
2009-03-21 01:29	47,360	a-------	c:\docume~1\chikisaw\applic~1\pcouffin.sys
2007-12-04 06:03	454,656	a-------	c:\program files\putty.exe
2007-11-03 10:47	17,128,234	a-------	c:\program files\klmcodec353.exe
2007-10-26 05:52	520,192	a-------	c:\program files\WinDjView-0.5.exe
2006-09-26 15:18	2,625,265	ac------	c:\program files\openofficeorg4.cab
2006-09-26 15:17	56,053,978	ac------	c:\program files\openofficeorg3.cab
2006-09-26 15:11	15,305,884	a-------	c:\program files\openofficeorg2.cab
2006-09-26 15:11	17,831,342	ac------	c:\program files\openofficeorg1.cab
2002-03-11 04:06	1,822,520	a-------	c:\program files\instmsiw.exe
2002-03-11 03:45	1,708,856	a-------	c:\program files\instmsia.exe
2007-09-03 07:50	56	---shr--	c:\windows\system32\76DB98AB77.sys
2007-05-22 17:08	88	---shr--	c:\windows\system32\77AB98DB76.sys
2007-09-03 07:50	5,122	a--sh---	c:\windows\system32\KGyGaAvL.sys

============= FINISH:  0:17:29.54 ===============

~elf.i.am


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 16 September 2009 - 03:17 PM

Hello.

Update your Java and also update your Windows.

Update Java to Version 6 Update 16

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Update Windows Installation

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.

Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Were there any problems while doing any of the updates? If there were any updates, please specify in your next reply.

The main update you need to install here is Service Pack 3.


Then try the ESET scan again. Make sure you disable your other anti-virus software BEFORE running it. Refer to this page if you are not sure how. Also, DON'T do anything while it's scanning. Let it be and once it's done let me know.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#15 elf.i.am

elf.i.am
  • Topic Starter

  • Members
  • 37 posts

Posted 17 September 2009 - 04:40 PM

Ok, but I will have to wait till the weekend to do that.

~elf.i.am



