Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log, please help me - -search redirect prob


  • This topic is locked This topic is locked
16 replies to this topic

#1 Capt_Dad

Capt_Dad

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 13 November 2009 - 01:17 AM

Hello, I've searched everywhere and tried everything except gooredfix, as I have most all admin rights but for some reason I can't get this program to run without some other special password.. I've run Malwarebytes, superantispyware, windows defender, javara, and a few others alleged fixes for this search redirect issue. I also backed up all my data and made a new restore point, then ran combofix and that just made things worse, after I ran that firefox windows would open by the dozen with dozens of tabs.... so I restored and well here I am begging for assistance from you, the Gods of malware and security. I humbly acknowledge that this malware has me by the throat and I am tapping out and pleading for you vast knowledge and experience to help me. So I'm back to the point where the only true "symptom" is that search engines are redirecting to bs sites... here's my HJT log and yes I acknowledge that this is all my fault and I will learn form this immensely and yes I use a bit torrent share but I thought I was using it safely. Not sure if that's where I got this problem though I wish I could blame my wife but ultimately it's my responsibility .... please help.. and many thanks in advance. Oh and a couple of note, my laptop also will not allow me to run n safe mode, this may be a dufferent problem assosciated wi th my PGP encrytpion but it couold also be related to this malware, but FYI no safe mode darn it :-(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:58:13, on 11/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TFTPServer\TFTPServerSP.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winwarepro.com
O1 - Hosts: 91.212.127.227 www.winwarepro.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [\\mcunning-ES\EPSON Stylus Photo R380 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE /FU "C:\DOCUME~1\mcunning\LOCALS~1\Temp\E_S62.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x092e -f video -m logitech -d 11.5.0.1145 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x092e -f video -m logitech -d 11.5.0.1145 (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.164.57.158.15
O15 - Trusted Zone: http://*.170.14.179.78/callcenter_enu
O15 - Trusted Zone: http://*.atg.com
O15 - Trusted Zone: http://*.componentone.com
O15 - Trusted Zone: http://*.envisioninc.com
O15 - Trusted Zone: http://sdol.jpmorgan.com
O15 - Trusted Zone: http://sdolstage.jpmorgan.com
O15 - Trusted Zone: http://sdol.jpmorganchase.com
O15 - Trusted Zone: http://sdol.mastercard.com
O15 - Trusted Zone: http://sdolstage.mastercard.com
O15 - Trusted Zone: http://*.onyx.com
O15 - Trusted Zone: http://*.proworks.com
O15 - Trusted Zone: http://*.ria.thomson.com
O15 - Trusted Zone: http://*.sdol.jpmorgan.com
O15 - Trusted Zone: http://*.sdol.jpmorganchase.com
O15 - Trusted Zone: http://*.sdol.mastercard.com
O15 - Trusted Zone: http://*.sdolstage.jpmorgan.com
O15 - Trusted Zone: http://*.sdolstage.mastercard.com
O15 - Trusted Zone: http://*.164.57.158.15 (HKLM)
O15 - Trusted Zone: http://*.170.14.179.78/callcenter_enu (HKLM)
O15 - Trusted Zone: http://*.atg.com (HKLM)
O15 - Trusted Zone: http://*.componentone.com (HKLM)
O15 - Trusted Zone: http://*.envisioninc.com (HKLM)
O15 - Trusted Zone: http://sdol.jpmorgan.com (HKLM)
O15 - Trusted Zone: http://sdolstage.jpmorgan.com (HKLM)
O15 - Trusted Zone: http://sdol.jpmorganchase.com (HKLM)
O15 - Trusted Zone: http://sdol.mastercard.com (HKLM)
O15 - Trusted Zone: http://sdolstage.mastercard.com (HKLM)
O15 - Trusted Zone: http://*.onyx.com (HKLM)
O15 - Trusted Zone: http://*.proworks.com (HKLM)
O15 - Trusted Zone: http://*.ria.thomson.com (HKLM)
O15 - Trusted Zone: http://*.sdol.jpmorgan.com (HKLM)
O15 - Trusted Zone: http://*.sdol.jpmorganchase.com (HKLM)
O15 - Trusted Zone: http://*.sdol.mastercard.com (HKLM)
O15 - Trusted Zone: http://*.sdolstage.jpmorgan.com (HKLM)
O15 - Trusted Zone: http://*.sdolstage.mastercard.com (HKLM)
O16 - DPF: iLO 2 Remote Console Applet - https://10.4.120.241/dvc.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1234502513968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1234502503140
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.aquire.com/codebase75/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4B2076-F098-451A-8B18-39C4BDFCEC89}: NameServer = 10.1.9.25
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TFTP Single Port Server (TFTPServer) - Unknown owner - C:\Program Files\TFTPServer\TFTPServerSP.exe

--
End of file - 12723 bytes

Edited by Capt_Dad, 13 November 2009 - 01:27 AM.


BC AdBot (Login to Remove)

 


#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:29 PM

Posted 13 November 2009 - 03:05 AM

Hello :(

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.
Posted Image

#3 Capt_Dad

Capt_Dad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 13 November 2009 - 10:16 AM

I already ran combo fix and had to restore after it ran as after the last reboot firefox windows opened all over the place with 12 tabs per window.. you sure I should run it again??

#4 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:29 PM

Posted 13 November 2009 - 10:44 AM

Do you have combofix log? C:\Combofix.txt
Posted Image

#5 Capt_Dad

Capt_Dad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 13 November 2009 - 10:50 AM

I do , sorry should have attached that last time, I really appreciate your help. Though I can't seem to get recovery console to load and comobofix errored out when trying to get it as well.

Combofix log attached

Attached Files


Edited by Capt_Dad, 13 November 2009 - 10:50 AM.


#6 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:29 PM

Posted 14 November 2009 - 03:50 AM

Hello

It's important have RC installed so let's install it first. Please remove your Combofix.exe. We want to be sure it's newest one so we have to download it again.

Download ComboFix from one of these locations:

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Posted Image

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    Posted Image


  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

:(
Posted Image

#7 Capt_Dad

Capt_Dad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 14 November 2009 - 10:39 PM

thanks Baabiouz, I've accomplished the tasks you advised me to, and have attached the log file for your review.

Let me know what's next.

Thanks, Mike

Attached Files



#8 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:29 PM

Posted 15 November 2009 - 05:40 AM

Hello :(

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the the following file path into the window

c:\documents and settings\mcunning\g2mdlhlpx.exe

Click Submit/Send File
Please post back, to let me know the results.

If Jotti is too busy please try Virustotal



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    iaStor*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware
  • Choose Update -tab and click Check for updates.
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Please post Jotti results, Systemlook results and Mbam results back here :(

Edited by Baabiouz, 15 November 2009 - 05:41 AM.

Posted Image

#9 Capt_Dad

Capt_Dad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 15 November 2009 - 02:11 PM

Hi, Hope you're having a good day :-) Here are the results of the tools:


Jotti results:
Filename: g2mdlhlpx.exe
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 31 Aug 2009 08:51:42 (CET) Permalink


System look log:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 07:52 on 15/11/2009 by mcunning (Limited User)

========== filefind ==========

Searching for "iaStor*"
C:\Drivers\SATA\iastor.cat --a--- 8180 bytes [19:54 26/07/2006] [10:13 19/10/2005] 1218101163ED69D44FAC44FFDE1C59B0
C:\Drivers\SATA\iastor.inf --a--- 3846 bytes [19:54 26/07/2006] [19:01 12/10/2005] 356A15A494C2AE6855C8D1480E0E1A3D
C:\Drivers\SATA\iastor.PNF --a--- 9388 bytes [02:14 27/07/2006] [02:14 27/07/2006] F8346E3D68F23DB996C19AE56AF932CF
C:\Drivers\SATA\iastor.sys --a--- 874240 bytes [19:54 26/07/2006] [19:07 12/10/2005] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\system32\drivers\iaStor.sys ------ 874240 bytes [19:54 26/07/2006] [19:07 12/10/2005] 3E7790CE76535D96B4893078A8A5ACA4

-=End Of File=-


and MWB results:

Malwarebytes' Anti-Malware 1.41
Database version: 3175
Windows 5.1.2600 Service Pack 3

11/15/2009 11:10:30 AM
mbam-log-2009-11-15 (11-10-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 248001
Time elapsed: 3 hour(s), 2 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\mcunning\My Documents\PC FIX TOOLS\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EE649880-A3E7-4157-B684-6F145CDBF99F}\RP759\A0154821.rbf (Rogue.SpyCleaner) -> Quarantined and deleted successfully.

rebooted and the problem still exists :-( Next?

Edited by Capt_Dad, 15 November 2009 - 02:22 PM.


#10 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:29 PM

Posted 16 November 2009 - 12:31 AM

Hello :(

Please click Start -> Run. Type in (copy & paste):

cmd /c copy /y C:\Drivers\SATA\iastor.sys c:\ >log.txt&log.txt

and click Ok.

log.txt will open, save the log to your desktop.


  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    c:\iastor.sys | c:\windows\system32\drivers\iastor.sys
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.

Please run Combofix and post Combofix log, Avenger log and log.txt (on desktop) back here :(
Posted Image

#11 Capt_Dad

Capt_Dad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 16 November 2009 - 10:32 AM

so I followed the steps above, but when it rebooted an error appeared stating that it could not fine the cleanup.exe file. Tried the steps a few more times with the same result so it doesn't seem like Avenger did it's thing, any thoughts? I did run combofix anyway just in case and here is the output from that:

ComboFix 09-11-15.01 - mcunning 11/16/2009 8:08.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3455.2579 [GMT -8:00]
Running from: c:\documents and settings\mcunning\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://SEAMS275.starbucks.net:80
.
((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.

2009-11-16 15:05 . 2009-11-16 15:22 574 ----a-w- C:\cleanup.bat
2009-11-16 15:05 . 2009-11-16 15:22 135168 ----a-w- C:\zip.exe
2009-11-16 15:05 . 2009-11-16 15:05 19286 ----a-w- C:\cleanup.exe.vir
2009-11-13 05:48 . 2009-11-13 05:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-11 22:37 . 2009-11-11 22:37 -------- d-----w- c:\program files\Trend Micro
2009-11-11 18:00 . 2009-11-11 18:00 117760 ------w- c:\documents and settings\mcunning\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-11 17:59 . 2009-11-11 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-11 17:57 . 2009-11-12 21:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-11 17:57 . 2009-11-11 17:57 -------- d-----w- c:\documents and settings\mcunning\Application Data\SUPERAntiSpyware.com
2009-11-11 17:39 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-11 17:35 . 2009-11-11 17:35 -------- d-----w- c:\program files\Windows Defender
2009-11-11 03:55 . 2009-11-11 03:55 -------- d-----w- c:\documents and settings\mcunning\Application Data\Malwarebytes
2009-11-11 03:55 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-11 03:55 . 2009-11-11 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-11 03:55 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-11 03:55 . 2009-11-11 03:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 19:56 . 2009-11-07 19:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-04 00:52 . 2009-11-04 00:52 152576 ------w- c:\documents and settings\mcunning\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-26 04:02 . 2009-10-26 04:02 126970 ------w- c:\documents and settings\mcunning\Application Data\Move Networks\uninstall.exe
2009-10-25 04:13 . 2009-10-25 04:13 185232 ------w- c:\documents and settings\mcunning\Application Data\Mozilla\plugins\atgpcext.dll
2009-10-25 04:13 . 2009-10-25 04:13 28488 ------w- c:\documents and settings\mcunning\Application Data\Mozilla\plugins\atgpcdec.dll
2009-10-25 04:13 . 2009-10-25 04:13 61840 ------w- c:\documents and settings\mcunning\Application Data\Mozilla\plugins\npatgpc.dll
2009-10-25 03:56 . 2009-09-25 16:42 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-10-25 03:56 . 2009-09-25 16:42 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-10-25 03:55 . 2009-10-25 03:55 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-19 17:40 . 2008-12-02 21:22 1507328 ----a-w- c:\windows\system32\editplus.exe
2009-10-18 02:24 . 2009-10-18 02:24 45 ------w- c:\documents and settings\mcunning\jagex_runescape_preferences2.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 21:59 . 2009-01-02 21:01 -------- d-----w- c:\documents and settings\mcunning\Application Data\EditPlus 3
2009-11-11 17:57 . 2008-02-21 22:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 17:23 . 2007-09-06 16:58 -------- d-----w- c:\program files\Java
2009-11-11 15:11 . 2009-01-02 21:01 -------- d-----w- c:\program files\EditPlus 3
2009-10-28 14:21 . 2009-03-27 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-27 14:24 . 2009-09-21 23:51 -------- d-----w- c:\documents and settings\mcunning\Application Data\Azureus
2009-10-26 17:51 . 2009-07-04 20:39 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-26 05:28 . 2009-01-28 02:05 -------- d-----w- c:\documents and settings\mcunning\Application Data\Move Networks
2009-10-26 04:02 . 2009-08-03 21:48 4187512 ------w- c:\documents and settings\mcunning\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-25 06:47 . 2008-08-29 16:23 -------- d-----w- c:\documents and settings\mcunning\Application Data\webex
2009-10-25 03:56 . 2007-09-26 19:40 -------- d-----w- c:\program files\DivX
2009-10-22 19:20 . 2009-09-21 23:50 -------- d-----w- c:\program files\Vuze
2009-10-20 22:12 . 2008-03-07 20:06 3140 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-18 03:04 . 2008-07-02 00:22 38 ------w- c:\documents and settings\mcunning\jagex_runescape_preferences.dat
2009-10-15 19:46 . 2009-10-15 19:46 593920 ------w- c:\documents and settings\mcunning\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910150-0-main.dll
2009-10-15 19:46 . 2009-10-15 19:46 319488 ------w- c:\documents and settings\mcunning\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-10-11 12:17 . 2009-01-12 22:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 14:31 . 2008-04-02 19:38 73728 -c----w- c:\documents and settings\mcunning\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x0\specialhook.dll
2009-10-09 14:31 . 2008-04-02 19:38 158720 -c----w- c:\documents and settings\mcunning\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x0\audiofunc.dll
2009-10-05 17:21 . 2009-10-05 17:09 -------- d-----w- c:\program files\SelfTest
2009-10-05 14:39 . 2009-10-05 14:39 -------- d-----w- c:\program files\Microsoft
2009-09-25 16:42 . 2008-04-11 18:03 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-24 21:32 . 2009-09-24 21:32 -------- d-----w- c:\program files\DNSControl
2009-09-24 21:32 . 2009-09-24 21:32 249856 ------w- c:\windows\Setup1.exe
2009-09-24 21:31 . 2009-09-24 21:31 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-09-24 18:07 . 2008-04-21 21:36 70984 ------w- c:\documents and settings\mcunning\g2mdlhlpx.exe
2009-09-22 15:44 . 2009-09-22 15:44 10686001 ------w- c:\documents and settings\mcunning\Application Data\Azureus\plugins\azump\mplayer.exe
2009-09-21 23:51 . 2009-09-21 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-09-04 21:03 . 2003-07-02 17:45 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2005-06-18 06:49 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-07-02 17:48 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 08:30 . 2009-10-09 23:28 13312 ------w- c:\documents and settings\mcunning\Application Data\Mozilla\Firefox\Profiles\80kzjh32.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
2009-01-23 22:19 . 2008-09-26 16:18 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-01-23 22:19 . 2008-09-26 16:18 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-11-05 18:06 . 2008-11-05 18:07 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-09-26 16:18 . 2008-09-26 16:19 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-10-08 19:52 . 2007-10-08 18:19 80 --sh--r- c:\windows\system32\504148E495.dll
2008-04-10 00:38 . 2008-03-07 20:06 88 --sh--r- c:\windows\system32\88E913FFE9.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-11-15_03.26.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-16 15:26 . 2009-11-16 15:26 16384 c:\windows\Temp\Perflib_Perfdata_53c.dat
+ 2009-11-16 15:25 . 2009-11-16 15:25 16384 c:\windows\Temp\Perflib_Perfdata_22c.dat
- 2003-07-14 19:43 . 2009-11-15 03:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-07-14 19:43 . 2009-11-16 15:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-07-14 19:43 . 2009-11-16 15:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-07-14 19:43 . 2009-11-15 03:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-07 19:56 . 2009-11-16 15:15 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-11-07 19:56 . 2009-11-15 03:05 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2003-07-14 19:43 . 2009-11-16 15:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2003-07-14 19:43 . 2009-11-15 03:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-12-11 01:34 311352 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"\\mcunning-ES\EPSON Stylus Photo R380 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" [2006-05-29 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-27 7561216]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-01-30 88203]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-07-04 16250880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-10-12 439568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-27 581693]
PGPtray.exe.lnk - c:\windows\Installer\{53EED491-9B3D-4A00-A64D-55C03B7F9DD3}\Icon6560581611.exe [2009-4-28 55296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 23:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-706763690-313548223-9522986-160079\Scripts\Logon\0\0]
"Script"=\\starbucks.net\SysVol\starbucks.net\scripts\ScreenSaverCheck3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-706763690-313548223-9522986-160079\Scripts\Logon\1\0]
"Script"=\\starbucks.net\sysvol\starbucks.net\scripts\TNSFileCopy.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firewall Client Connectivity Monitor.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firewall Client Connectivity Monitor.LNK
backup=c:\windows\pss\Firewall Client Connectivity Monitor.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"freeFTPdService"=2 (0x2)
"iPod Service"=3 (0x3)
"FileZilla Server"=2 (0x2)
"AspectUniphiAdapterSvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\communicatork9.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\AudioTuningWizard.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\TFTPServer\\TFTPServerSP.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [12/10/2008 5:34 PM 134712]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [1/18/2005 2:16 PM 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [3/6/2009 11:34 AM 35691]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [7/26/2006 7:12 PM 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/26/2006 11:53 AM 36352]
S2 TFTPServer;TFTP Single Port Server;c:\program files\TFTPServer\TFTPServerSP.exe [1/29/2009 9:43 AM 214363]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 12:22 PM 34064]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S4 AspectUniphiAdapterSvc;Aspect Uniphi Connect Adapter Service;c:\program files\Aspect Software\Uniphi Connect\UniphiAdapterSvc.exe [3/14/2006 10:14 PM 20480]
S4 freeFTPdService;freeFTPdService;c:\program files\freeFTPd\FreeFTPDService.exe [9/25/2008 2:42 PM 1028096]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wmactedp.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=proxy.starbucks.net:8080;https=proxy.starbucks.net:8080;ftp=proxy.starbucks.net:8080;gopher=proxy.starbucks.net:8080;socks=proxy.starbucks.net:8080
uInternet Settings,ProxyOverride = 10.*;*.starbucks.net;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: 164.57.158.15
Trusted Zone: 170.14.179.78/callcenter_enu
Trusted Zone: atg.com
Trusted Zone: authoria.com
Trusted Zone: authoria.com/AIMNetEdition
Trusted Zone: authoria.com/AIMNetEdition/Start.asp
Trusted Zone: componentone.com
Trusted Zone: envisioninc.com
Trusted Zone: jpmorgan.com\sdol
Trusted Zone: jpmorgan.com\sdolstage
Trusted Zone: jpmorganchase.com\sdol
Trusted Zone: mastercard.com\sdol
Trusted Zone: mastercard.com\sdolstage
Trusted Zone: onyx.com
Trusted Zone: proworks.com
Trusted Zone: ria.thomson.com
Trusted Zone: sbux.com
Trusted Zone: sdol.jpmorgan.com
Trusted Zone: sdol.jpmorganchase.com
Trusted Zone: sdol.mastercard.com
Trusted Zone: sdolstage.jpmorgan.com
Trusted Zone: sdolstage.mastercard.com
Trusted Zone: starbucks.net
Trusted Zone: 164.57.158.15
Trusted Zone: 170.14.179.78/callcenter_enu
Trusted Zone: atg.com
Trusted Zone: authoria.com
Trusted Zone: authoria.com/AIMNetEdition
Trusted Zone: authoria.com/AIMNetEdition/Start.asp
Trusted Zone: componentone.com
Trusted Zone: envisioninc.com
Trusted Zone: jpmorgan.com\sdol
Trusted Zone: jpmorgan.com\sdolstage
Trusted Zone: jpmorganchase.com\sdol
Trusted Zone: mastercard.com\sdol
Trusted Zone: mastercard.com\sdolstage
Trusted Zone: onyx.com
Trusted Zone: proworks.com
Trusted Zone: ria.thomson.com
Trusted Zone: sbux.com
Trusted Zone: sdol.jpmorgan.com
Trusted Zone: sdol.jpmorganchase.com
Trusted Zone: sdol.mastercard.com
Trusted Zone: sdolstage.jpmorgan.com
Trusted Zone: sdolstage.mastercard.com
Trusted Zone: starbucks.net
TCP: {6E4B2076-F098-451A-8B18-39C4BDFCEC89} = 10.1.9.25
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: iLO 2 Remote Console Applet - hxxps://10.4.120.241/dvc.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase75/OrgPubX.cab
FF - ProfilePath - c:\documents and settings\mcunning\Application Data\Mozilla\Firefox\Profiles\80kzjh32.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\mcunning\Application Data\Mozilla\Firefox\Profiles\80kzjh32.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\mcunning\Application Data\Mozilla\Firefox\Profiles\80kzjh32.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\mcunning\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\mcunning\Application Data\Mozilla\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-16 08:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1588)
c:\windows\system32\PGPlsp.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1644)
c:\windows\system32\PGPlsp.dll
c:\windows\system32\EntApi.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(5344)
c:\windows\system32\WININET.dll
c:\windows\system32\EntApi.dll
c:\windows\system32\PGPhk.dll
c:\windows\system32\PGPfsshl.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-16 08:21
ComboFix-quarantined-files.txt 2009-11-16 16:21
ComboFix2.txt 2009-11-15 03:32
ComboFix3.txt 2009-11-12 21:05

Pre-Run: 36,653,228,032 bytes free
Post-Run: 36,602,355,712 bytes free

- - End Of File - - 3EBE7245A2DF0087143064DDB32A2C68

oh and the 1st item created a log that just said 1 file copied FYI.
I've run some tests of the problem as well and I do not seem to be getting redirected any longer..
Let me know thanks. Hope you had a great day so far.
Mike

Edited by Capt_Dad, 16 November 2009 - 11:24 AM.


#12 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:29 PM

Posted 16 November 2009 - 12:05 PM

Hello

Yes I think Avenger worked well because Combofix didn't notice bad iastor.sys and you are no longer redirected :(

Have you set all these trusted zones by yourself?

Trusted Zone: 164.57.158.15
Trusted Zone: 170.14.179.78/callcenter_enu
Trusted Zone: atg.com
Trusted Zone: authoria.com
Trusted Zone: authoria.com/AIMNetEdition
Trusted Zone: authoria.com/AIMNetEdition/Start.asp
Trusted Zone: componentone.com
Trusted Zone: envisioninc.com
Trusted Zone: jpmorgan.com\sdol
Trusted Zone: jpmorgan.com\sdolstage
Trusted Zone: jpmorganchase.com\sdol
Trusted Zone: mastercard.com\sdol
Trusted Zone: mastercard.com\sdolstage
Trusted Zone: onyx.com
Trusted Zone: proworks.com
Trusted Zone: ria.thomson.com
Trusted Zone: sbux.com
Trusted Zone: sdol.jpmorgan.com
Trusted Zone: sdol.jpmorganchase.com
Trusted Zone: sdol.mastercard.com
Trusted Zone: sdolstage.jpmorgan.com
Trusted Zone: sdolstage.mastercard.com
Trusted Zone: starbucks.net
Trusted Zone: 164.57.158.15
Trusted Zone: 170.14.179.78/callcenter_enu
Trusted Zone: atg.com
Trusted Zone: authoria.com
Trusted Zone: authoria.com/AIMNetEdition
Trusted Zone: authoria.com/AIMNetEdition/Start.asp
Trusted Zone: componentone.com
Trusted Zone: envisioninc.com
Trusted Zone: jpmorgan.com\sdol
Trusted Zone: jpmorgan.com\sdolstage
Trusted Zone: jpmorganchase.com\sdol
Trusted Zone: mastercard.com\sdol
Trusted Zone: mastercard.com\sdolstage
Trusted Zone: onyx.com
Trusted Zone: proworks.com
Trusted Zone: ria.thomson.com
Trusted Zone: sbux.com
Trusted Zone: sdol.jpmorgan.com
Trusted Zone: sdol.jpmorganchase.com
Trusted Zone: sdol.mastercard.com
Trusted Zone: sdolstage.jpmorgan.com
Trusted Zone: sdolstage.mastercard.com
Trusted Zone: starbucks.net

Posted Image

#13 Capt_Dad

Capt_Dad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 16 November 2009 - 12:13 PM

Yes I set those long ago I don't think I need them any longer though.

So are we all completed? You are wonderful and I greatly appreciate all the exceptional assistance!

#14 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:29 PM

Posted 16 November 2009 - 12:18 PM

Hello

Yes we are completed :(

Looks clean, great job! :(

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Hide system files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Do not show hidden files and folders.
  • Check (tick) Hide extensions of known file types.
  • Check (tick) Hide protected operating system files (Recommended).
  • Click OK.
  • Close My Computer.
Create a new, clean System Restore point
  • Click on Start > All Programs > Accessories > System Tools > System Restore.
  • On the Welcome Page, select Create a restore point. Click Next.
  • Give this restore point a descriptive name and click Create.
  • When done, click Close.
Warning: Do not clear infected System Restore points before creating a new System Restore point first!

Please read the above to create a new System Restore point first, then clear out the infected System Restore points.


Clear infected System Restore points
  • Click on Start > All Programs > Accessories > System Tools > Disk Cleanup.
  • Select C drive and click OK.
  • Select the More Options tab.
  • Under System Restore, click on Clean up....
  • You will be prompted. Click Yes.
  • When done, click OK.
  • You will be prompted again. Press Yes to confirm.
  • When done, Disk Cleanup will close automatically.
Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:
  • Go to Start > Control Panel > Automatic Updates
  • Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  • Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  • Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.
Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.
  • Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  • Never open emails from unknown senders.
  • Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  • Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.
Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, please refer to this website to learn how to secure Internet Explorer 6.

To secure Internet Explorer 7, please read this article.


Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection
  • Spyware Blaster
    SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

    You can download SpywareBlaster from Javacool.

    If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.

  • Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  • Malwarebytes RogueNET Bleeping Computer
    Before downloading any anti-spyware programs, always check it. This will save you from a lot of trouble. If in doubt, don't ever download it.
Here are some more things to read about:

Securing Skype
Greater email safety
Phishing - what is it?
80 Super Security Tips

Happy surfing and stay clean!
Posted Image

#15 Capt_Dad

Capt_Dad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 16 November 2009 - 12:28 PM

Great stuff and I will definately be safer, I very much appreciate your assistance! Do you have a way to accept donations?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users