Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirecting Malware?


  • This topic is locked This topic is locked
7 replies to this topic

#1 WOMB

WOMB

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:08:42 AM

Posted 12 December 2009 - 12:45 PM

I was on myspace and a strange new tab opened all by itself. It said my computer was infected; now I get redirected to sites I don't want to go to and at times am actually forced to quit firefox. I have run ad-aware and SAS and Malwarebytes.


DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 12:40:38.92 on Sat 12/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1162 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\HP_Administrator\Desktop\RootRepeal.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Aim6]
uRun: [\\JOHNSON\EPSON Stylus CX9400Fax Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticfa.exe /fu "c:\docume~1\hp_adm~1\locals~1\temp\E_S19.tmp"

/EF "HKCU"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150600.exe -Update -1150600

-"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.0.14)_Gecko/2009082707_Firefox/3.0.14_(.NET_CLR_3.5.30729)"

-"http://games.adultswim.com/candy-mountain-massacre-action-online-game.html"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [PCDrProfiler] "c:\program files\pc-doctor 5 for windows\RunProfiler.exe" -r
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DMAScheduler] c:\program files\sonic\digitalmedia plus\digitalmedia archive\DMAScheduler.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ga311s~1.lnk - c:\program files\netgear ga311 adapter\GA311.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxp://connect.comcast.com/dl/Comcast%20Activation%20Controls.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\2ohjyzwc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071502000008.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows

presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-11 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2003-9-17 8440]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-21 24652]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2003-8-15 11237]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 o1394bul;o1394bul;\??\c:\docume~1\hp_adm~1\locals~1\temp\o1394bul.sys --> c:\docume~1\hp_adm~1\locals~1\temp\o1394bul.sys [?]
S3 PCD5SRVC{085326CB-51A3560A-05010003};PCD5SRVC{085326CB-51A3560A-05010003} - PCDR Kernel Mode Service Helper Driver;\??\c:\progra~1\pc-doc~1\pcd5srvc.pkms

--> c:\progra~1\pc-doc~1\PCD5SRVC.pkms [?]
S3 usbkey;USB Dongle;c:\windows\system32\drivers\USBkey.sys [2006-2-10 28848]

=============== Created Last 30 ================

2009-12-12 15:22:19 4958588 ----a-w- c:\windows\{00000003-00000000-00000009-00001102-00000008-10211102}.BAK
2009-12-12 02:33:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 02:33:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 02:33:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 05:23:33 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

==================== Find3M ====================

2009-12-11 20:52:23 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-11 20:52:23 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-09 05:24:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-12 02:23:24 46432 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-28 14:36:11 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-10 16:00:52 56216 ----a-w- c:\docume~1\hp_adm~1\applic~1\GDIPFONTCACHEV1.DAT
2008-01-08 15:57:58 737960 ----a-w- c:\program files\Repair.exe
2005-05-13 21:12:00 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 15:13:58 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 01:27:00 422400 --sha-r- c:\windows\x2.64.exe
2005-10-07 23:14:52 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 16:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 04:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 14:24:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 17:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 04:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

============= FINISH: 12:41:45.09 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:42 AM

Posted 15 December 2009 - 10:58 PM

Hello WOMB,


If you still require assistance, download ComboFix and save it to your desktop.

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#3 WOMB

WOMB
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:08:42 AM

Posted 16 December 2009 - 07:01 PM

Hey thanks for the help. I ran that and attached the log. C:\ComboFix.txt


ComboFix 09-12-16.01 - HP_Administrator 12/16/2009 18:31:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1559 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\KittyFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\Fonts\RandFont.dll
c:\windows\kb913800.exe
c:\windows\system32\ps2.bat
D:\Autorun.inf
K:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-16 to 2009-12-16 )))))))))))))))))))))))))))))))
.

2009-12-15 03:58 . 2009-12-15 03:58 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-12-12 05:25 . 2009-12-12 05:25 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-12 02:33 . 2009-12-12 02:34 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-12 02:33 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 02:33 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 02:33 . 2009-12-12 02:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 05:24 . 2009-12-09 05:24 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-09 05:23 . 2009-12-09 05:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-09 05:23 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-14 23:20 . 2008-12-10 21:22 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-12-13 01:59 . 2008-12-11 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-12-12 05:24 . 2009-05-16 20:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-12 05:24 . 2009-05-16 20:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-12-12 05:23 . 2008-02-09 22:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-11 20:52 . 2004-08-09 21:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-12 02:23 . 2009-11-12 02:23 46432 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 07:46 . 2004-08-09 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-09 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-28 23:08 . 2009-09-26 02:35 127872 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\uninstall.exe
2009-10-28 23:08 . 2009-09-26 02:35 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-10-28 23:08 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-10-28 23:08 . 2009-10-28 23:08 1685856 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\MoveMediaPlayerWinSilent_071503000010.exe
2009-10-23 12:21 . 2009-10-23 12:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Viewpoint
2009-10-21 05:38 . 2004-08-09 21:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-09 21:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-09 21:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-09 21:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-09 21:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-09 21:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-26 02:35 . 2009-05-27 23:29 4183416 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071502000008.dll
2009-09-24 04:01 . 2009-09-24 04:01 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-09-24 04:01 . 2009-03-12 04:01 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-09-24 04:01 . 2009-03-12 04:01 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-09-24 04:01 . 2009-06-18 04:01 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-23 12:55 . 2009-03-12 04:01 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 00:33 . 2009-09-22 00:33 17204720 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup\rp\.exe
2009-09-22 00:33 . 2009-09-22 00:33 8406648 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-22 00:33 . 2009-09-22 00:33 10309448 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-22 00:33 . 2009-09-22 00:33 81920 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-22 00:33 . 2009-09-22 00:33 64000 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-09-22 00:33 . 2009-09-22 00:33 52288 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-09-22 00:33 . 2009-09-22 00:33 50688 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-09-22 00:33 . 2009-09-22 00:33 488968 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup\setup.exe
2009-09-21 21:09 . 2009-09-21 21:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2008-01-08 15:57 . 2008-01-08 15:57 737960 ----a-w- c:\program files\Repair.exe
2005-05-13 21:12 . 2005-05-13 21:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 15:13 . 2005-10-24 15:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 01:27 . 2005-10-14 01:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-07 23:14 . 2005-10-07 23:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 14:24 . 2006-04-27 14:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-10-23 2363392]
"\\JOHNSON\EPSON Stylus CX9400Fax Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE" [2007-03-23 182272]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]
"nwiz"="nwiz.exe" [2009-03-28 1657376]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-19 364544]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-12-09 788880]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 15969280]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]
"CTHelper"="CTHELPER.EXE" [2005-12-08 16384]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-10 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\l:\0autocheck autochk *\0lsdelete

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Installers\\WoW-BurningCrusade-enUS-Installer-downloader.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Repair.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/11/2009 11:01 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 2:57 PM 8440]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/21/2009 3:13 PM 24652]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 1:55 AM 11237]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 o1394bul;o1394bul;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\o1394bul.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\o1394bul.sys [?]
S3 PCD5SRVC{085326CB-51A3560A-05010003};PCD5SRVC{085326CB-51A3560A-05010003} - PCDR Kernel Mode Service Helper Driver;\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms --> c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [?]
S3 usbkey;USB Dongle;c:\windows\system32\drivers\USBkey.sys [2/10/2006 1:07 PM 28848]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-10-23 00:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\2ohjyzwc.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071502000008.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-PCDrProfiler - c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe
HKLM-Run-HPHUPD08 - c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
HKLM-Run-DiscUpdateManager - c:\program files\DISC\DiscUpdateMgr.exe
HKLM-Run-DISCover - c:\program files\DISC\DISCover.exe
HKLM-Run-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-16 18:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{085326CB-51A3560A-05010003}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4048100148-1549810711-3937912552-1008\Software\SecuROM\License information*]
"datasecu"=hex:f2,62,c9,69,a3,f7,15,77,c8,88,6b,e9,f3,e8,30,f5,69,05,e1,b9,54,
31,cf,18,ec,4c,8d,7c,9c,b8,8a,7d,e1,7d,61,e2,6a,cc,f7,f6,13,20,1c,d4,af,da,\
"rkeysecu"=hex:35,74,ee,0b,86,4f,33,fc,b7,ef,fa,f2,33,a4,a4,dd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3044)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\hp\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-12-16 18:48:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-16 23:48

Pre-Run: 117,294,825,472 bytes free
Post-Run: 117,387,386,880 bytes free

- - End Of File - - A845B95A593997CDD24F954886D9728F

Attached Files


Edited by Ried, 16 December 2009 - 11:17 PM.


#4 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:42 AM

Posted 16 December 2009 - 11:34 PM

You're welcome. : )

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 17 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 17 -"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u17 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH CheckedApplications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
After you've completed the above, it's important run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
How is the system behaving now?

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#5 WOMB

WOMB
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:08:42 AM

Posted 17 December 2009 - 06:36 PM

I have completed all that you told me to do. I have not been redirected yet, but have had little time to peruse. The Kaspersky found rootkit I believe. Here is the log for that. Thanks again!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, December 17, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, December 17, 2009 06:16:52
Records in database: 3380899
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Objects scanned: 142380
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:55:04


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.

Attached Files


Edited by Ried, 17 December 2009 - 09:42 PM.


#6 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:42 AM

Posted 17 December 2009 - 09:56 PM

Hi WOMB,

I don't expect you to be redirected anymore. The rootkit that was causing the redirects has been taken care of. Kaspersky is only reporting backups that were created during the course of this fix which the next procedure will take care of. Please do not skip this step as it will implement important cleanup procedures as well as reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point for you.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

As 'Googling' is such an integral part of internet life, I recommend that you get the following free program if you do not already have it:

WOT - Web of Trust. This is a free browser add on that warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.


Take care, and remember to Think Prevention. Posted Image

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#7 WOMB

WOMB
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:08:42 AM

Posted 18 December 2009 - 01:01 AM

Everything seems to be working great. thank you for your help and tips on prevention!!!!!!!

#8 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:42 AM

Posted 19 December 2009 - 07:41 PM

You're welcome. Take care. Posted Image

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users