

Google being redirected


  • This topic is locked
17 replies to this topic

#1 seekeroftruth


  • Members
  • 40 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 24 December 2009 - 05:29 PM

Several days ago, my computer was infected with a virus to the point that it would not boot up. I used the Ultimate Boot CD 4 Windows to get my machine back up and running. I ran Spybot to remove the virus. My computer would boot, but I couldn't log into Windows. I googled it, found the solution and can now log in. But now every time I google something it never goes to the site I click on; it redirects me. So I'm following Grinler's advice on how to post a potential malware problem. So here is my DDS and RootRepeal report.


DDS (Ver_09-12-01.01) - NTFSx86
Run by DAD at 14:41:40.14 on Thu 12/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.639 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus 7.1.413 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
svchost.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\DAD\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uSearch Page = hxxp://www.yahoo.com
uDefault_Search_URL =
uDefault_Page_URL =
mDefault_Page_URL = hxxp://www.emachines.com
mSearch Page =
mSearch Bar = hxxp://server224.smartbotpro.net/7search/?hklm
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mWinlogon: Shell=Explorer.exe c:\windows\userint32.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {0f31d7af-ca54-4ab4-8fe8-41cd04f47a0a} - c:\windows\system32\iassam3232.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\AVR.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\docume~1\dad\locals~1\temp\nos_uninstall_Adobe.dll",Uninstall /Get1noarp
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Search - http://bar.mywebsearch.com/menusearch.html...US_ZNxdm414YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38033.5703935185
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\windows\system32\ c:\windows\system32\iassam32.dll c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\xzcj6vw8.default\
FF - prefs.js: browser.startup.homepage - hxxp://middlegeorgia.cox.net/cci/home
FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\xzcj6vw8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-7 207792]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2002-12-3 4064]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2005-10-23 4224]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-10-4 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-10-4 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-10-4 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-10-4 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-10-4 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-4 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-10-4 40552]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [2006-9-27 9006]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-25 775680]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-3-14 27776]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctssvc.exe --> c:\program files\spyware doctor\pctsSvc.exe [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-11-3 30192]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-10-4 34248]
S4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe --> c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [?]
S4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe --> c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [?]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-12-12 17:29:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-12-08 01:41:24 0 d-----w- c:\program files\a-squared HiJackFree
2009-12-08 00:41:25 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-08 00:41:25 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-08 00:41:11 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-08 00:41:11 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-08 00:41:11 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-08 00:41:11 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-08 00:40:53 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-08 00:40:53 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-08 00:40:44 0 d-----w- c:\program files\common files\PC Tools
2009-12-08 00:37:45 55 ----a-w- C:\xcrashdump.dat
2009-12-07 21:45:58 32768 ----a-w- c:\windows\system32\__c0051924.dat.XXX
2009-12-07 01:52:50 0 ----a-w- c:\windows\system32\23281.exe
2009-12-07 01:32:47 0 ----a-w- c:\windows\system32\28145.exe
2009-12-07 01:12:44 0 ----a-w- c:\windows\system32\5705.exe
2009-12-07 00:52:41 0 ----a-w- c:\windows\system32\24464.exe
2009-12-07 00:32:37 0 ----a-w- c:\windows\system32\26962.exe
2009-12-07 00:12:34 0 ----a-w- c:\windows\system32\29358.exe
2009-12-06 23:52:30 0 ----a-w- c:\windows\system32\11478.exe
2009-12-06 23:32:27 0 ----a-w- c:\windows\system32\15724.exe
2009-12-06 23:12:24 0 ----a-w- c:\windows\system32\19169.exe
2009-12-06 22:52:20 0 ----a-w- c:\windows\system32\26500.exe
2009-12-06 22:32:16 0 ----a-w- c:\windows\system32\6334.exe
2009-12-06 22:12:13 0 ----a-w- c:\windows\system32\18467.exe
2009-12-06 21:52:10 0 ----a-w- c:\windows\system32\41.exe
2009-12-06 21:49:45 192512 ----a-w- c:\windows\system32\iassam3232.dll
2009-12-06 19:46:31 1911 ----a-w- c:\windows\GnuHashes.ini
2009-12-06 19:39:08 1228 --sha-w- c:\windows\system32\1285654528
2009-12-06 19:39:07 817 ----a-w- c:\windows\system32\485611600
2009-12-06 19:38:52 0 d-sh--w- c:\windows\system32\SysWoW32
2009-12-06 19:37:54 192512 ----a-w- c:\windows\system32\hypertrm32.dll
2009-12-06 19:37:25 203776 --sh--w- c:\windows\system32\unrar.exe
2009-12-06 19:37:25 0 d-----w- c:\windows\system32\784580407
2009-12-06 19:37:00 741888 --sha-w- c:\windows\system32\76.tmp
2009-12-06 19:37:00 192512 ----a-w- c:\windows\system32\dbmsadsn32.dll
2009-12-06 18:26:16 0 d-----w- c:\docume~1\dad\applic~1\LimeWire

==================== Find3M ====================

2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-12-29 20:34:54 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920081230\index.dat

============= FINISH: 14:43:21.12 ===============



#2 Buckeye_Sam


  • Malware Expert
  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:42 PM

Posted 26 December 2009 - 10:27 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 seekeroftruth

  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 26 December 2009 - 05:52 PM

Hello Sam,

Here is the Combofix log you requested.


ComboFix 09-12-26.01 - DAD 12/26/2009 17:22:43.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.762 [GMT -5:00]
Running from: c:\documents and settings\DAD\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus 7.1.413 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\DAD\Application Data\020000004f89fa4f712C.manifest
c:\documents and settings\DAD\Application Data\020000004f89fa4f712O.manifest
c:\documents and settings\DAD\Application Data\020000004f89fa4f712P.manifest
c:\documents and settings\DAD\Application Data\020000004f89fa4f712S.manifest
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\recycler\S-1-5-21-460486182-1710738407-2939153371-1003
c:\recycler\S-1-5-21-746137067-1788223648-682003330-1003
c:\windows\Fonts\acrsec.fon
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\GnuHashes.ini
c:\windows\Readme.txt
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\41.exe
c:\windows\system32\4bf9lnhi.dat
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\784580407
c:\windows\system32\9qs15j8r.dat
c:\windows\system32\unrar.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-12 17:29 . 2009-12-12 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-08 00:41 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-08 00:41 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-08 00:41 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-08 00:40 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-08 00:40 . 2009-12-08 00:45 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-06 21:49 . 2009-12-06 21:49 192512 ----a-w- c:\windows\system32\iassam3232.dll
2009-12-06 19:38 . 2009-12-13 12:17 -------- d-sh--w- c:\windows\system32\SysWoW32
2009-12-06 19:37 . 2009-12-06 19:37 192512 ----a-w- c:\windows\system32\hypertrm32.dll
2009-12-06 19:37 . 2009-12-06 19:37 192512 ----a-w- c:\windows\system32\dbmsadsn32.dll
2009-12-06 18:26 . 2009-12-26 18:58 -------- d-----w- c:\documents and settings\DAD\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 22:16 . 2009-01-19 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-26 22:08 . 2005-05-27 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
2009-12-26 19:27 . 2005-06-29 03:27 -------- d-----w- c:\program files\Java
2009-12-26 19:23 . 2009-12-26 19:23 0 ----a-w- c:\windows\system32\REN86.tmp
2009-12-26 19:23 . 2009-12-26 19:23 0 ----a-w- c:\windows\system32\REN85.tmp
2009-12-26 19:23 . 2009-12-26 19:23 0 ----a-w- c:\windows\system32\REN84.tmp
2009-12-26 18:58 . 2006-11-04 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-24 18:45 . 2009-10-04 18:31 -------- d-----w- c:\program files\McAfee
2009-12-08 01:36 . 2007-05-13 00:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-06 19:37 . 2009-12-06 19:37 741888 --sha-w- c:\windows\system32\76.tmp
2009-12-06 18:26 . 2009-12-06 18:26 7680 ----a-w- c:\documents and settings\DAD\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
2009-12-01 21:45 . 2009-04-15 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-19 16:48 . 2009-12-06 18:22 872960 ----a-w- c:\documents and settings\DAD\Application Data\Mozilla\Firefox\Profiles\xzcj6vw8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 16:48 . 2009-12-06 18:22 43008 ----a-w- c:\documents and settings\DAD\Application Data\Mozilla\Firefox\Profiles\xzcj6vw8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 16:48 . 2009-12-06 18:22 340480 ----a-w- c:\documents and settings\DAD\Application Data\Mozilla\Firefox\Profiles\xzcj6vw8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 16:48 . 2009-12-06 18:22 346624 ----a-w- c:\documents and settings\DAD\Application Data\Mozilla\Firefox\Profiles\xzcj6vw8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-01 18:24 . 2006-10-17 00:00 -------- d-----w- c:\documents and settings\DAD\Application Data\Apple Computer
2009-11-01 18:15 . 2009-11-01 18:13 -------- d-----w- c:\program files\iTunes
2009-11-01 18:15 . 2009-11-01 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-01 18:13 . 2009-11-01 18:13 -------- d-----w- c:\program files\iPod
2009-11-01 18:13 . 2009-01-07 22:09 -------- d-----w- c:\program files\Common Files\Apple
2009-11-01 18:09 . 2004-02-28 15:49 -------- d-----w- c:\program files\QuickTime
2009-11-01 17:53 . 2009-11-01 17:53 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:46 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2002-08-13 13:42 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-02-28 05:43 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-02-28 05:49 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-02-28 05:48 79872 ----a-w- c:\windows\system32\raschap.dll
2009-11-24 21:08 . 2006-11-04 02:17 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F31D7AF-CA54-4AB4-8FE8-41CD04F47A0a}]
2009-12-06 21:49 192512 ----a-w- c:\windows\system32\iassam3232.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-24 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeVersionCue]
2004-03-25 15:35 1732608 ----a-w- c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2006-03-28 19:48 622592 ------r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2002-08-02 18:01 473600 ----a-w- c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-04-10 18:58 61440 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
2002-09-17 23:31 53248 ----a-w- c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-07-13 20:00 28739 ----a-w- c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
2003-02-25 09:33 69632 ----a-w- c:\windows\system32\S3tray2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2005-01-26 22:02 49152 ----a-w- c:\program files\Brother\Brmfl06a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/7/2009 7:41 PM 207792]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [12/3/2002 12:02 PM 4064]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/4/2009 1:37 PM 93320]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [9/27/2006 8:57 AM 9006]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/3/2006 9:16 PM 30192]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com
uDefault_Search_URL =
mSearch Bar = hxxp://server224.smartbotpro.net/7search/?hklm
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Search - http://bar.mywebsearch.com/menusearch.html...US_ZNxdm414YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\DAD\Application Data\Mozilla\Firefox\Profiles\xzcj6vw8.default\
FF - prefs.js: browser.startup.homepage - hxxp://middlegeorgia.cox.net/cci/home
FF - component: c:\documents and settings\DAD\Application Data\Mozilla\Firefox\Profiles\xzcj6vw8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
HKU-Default-Run-AVG7_Run - c:\progra~1\Grisoft\AVGFRE~1\avgw.exe
MSConfigStartUp-Spyware Doctor - c:\program files\Spyware Doctor\swdoctor.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Dynomite Deluxe 2.7 - c:\program files\PopCap Games\Dynomite Deluxe\PopUninstall.exe
AddRemove-JRE 1.3.1 - c:\program files\JavaSoft\JRE\1.3.1\Uninst.isu
AddRemove-JRE 1.3.1_02 - c:\program files\JavaSoft\JRE\1.3.1_02\Uninst.isu
AddRemove-RAYKIT - c:\windows\UbiSoft\UbiSetup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 17:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1396)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\System32\locator.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-26 17:41:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 22:41

Pre-Run: 13,823,483,904 bytes free
Post-Run: 13,839,425,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
[spybotsd]
timeout.old=30

- - End Of File - - C7A89668032CDCE46DC0B90CFB827E51

Edited by Buckeye_Sam, 26 December 2009 - 07:31 PM.


#4 Buckeye_Sam (Malware Expert)

Posted 26 December 2009 - 07:44 PM

Please do not attach log files unless specifically requested to do so. Just copy the text in the log and then paste it directly into your reply.
It makes it much easier for me to review the information if I can see it all in one place.


You have multiple antivirus programs running. This can cause conflicts and also puts a significant strain on your system. Please uninstall two of these programs so that you are only running one antivirus.

AV: AVG Anti-Virus 7.1.413
AV: McAfee VirusScan
AV: Spyware Doctor with AntiVirus




Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

======================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


Let me know how your computer is behaving now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 seekeroftruth (Topic Starter)

Posted 27 December 2009 - 02:40 PM

Sam,

After logging in I went to the Google page. I made a search for Sears. It came back with a list of Sears web sites. When I clicked on a link it sent me to juggle.com search. I googled specialized mountain bikes; after clicking on a link it sent me to lower price shopper.com. And finally, the last one sent me to search find site.com.

So, here is the MBAM Log.

Malwarebytes' Anti-Malware 1.42
Database version: 3439
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/27/2009 2:01:26 PM
mbam-log-2009-12-27 (14-01-26).txt

Scan type: Quick Scan
Objects scanned: 128661
Time elapsed: 12 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iassam3232.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f31d7af-ca54-4ab4-8fe8-41cd04f47a0a} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0f31d7af-ca54-4ab4-8fe8-41cd04f47a0a} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0f31d7af-ca54-4ab4-8fe8-41cd04f47a0a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iassam3232.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\DAD\My Documents\downloads\update_for_media_player_(KB972036).exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dbmsadsn32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hypertrm32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\76.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0051924.dat.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1185645066v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1185645066v4.XXX (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1185645066v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1185645066v5.XXX (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1185645066v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1185645066v6.XXX (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1185645066v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1185645066v7.XXX (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1185645066v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1185645066v0.XXX (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1185645066v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1185645066v1.XXX (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1185645066v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1185645066v2.XXX (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1185645066v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1185645066v3.XXX (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsaupdater.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\casinoprophet.ico (Malware.Trace) -> Quarantined and deleted successfully.

#6 Buckeye_Sam (Malware Expert)

Posted 28 December 2009 - 09:34 AM

What browser are you using when these redirections happen?
If it's Firefox, see if you still get redirected using IE also.
========================================================

#7 seekeroftruth (Topic Starter)

Posted 28 December 2009 - 04:11 PM

Sam,

You are right. I'm only being redirected when using the Firefox browser. Everything worked fine when using IE.

#8 Buckeye_Sam (Malware Expert)

Posted 28 December 2009 - 07:16 PM

Let's narrow it down a bit more. Using the info at this link, start Firefox in safe mode.
http://support.mozilla.com/en-US/kb/Safe+Mode

Let me know if the redirections still happen when using Firefox in this mode.
========================================================

#9 seekeroftruth (Topic Starter)

Posted 28 December 2009 - 07:42 PM

There was no redirection when starting Firefox in safe mode.

#10 Buckeye_Sam (Malware Expert)

Posted 28 December 2009 - 08:13 PM

Open Firefox and install the Mr Tech Toolkit extension from here.
https://addons.mozilla.org/en-US/firefox/addon/421

Once installed, restart Firefox as prompted.
Click Tools -> My Config -> Save - Text
Save the report to your desktop.
Please copy and paste the contents of that report.
========================================================

#11 seekeroftruth (Topic Starter)

Posted 28 December 2009 - 09:21 PM

Generated: Mon Dec 28 2009 21:19:16 GMT-0500 (Eastern Standard Time)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 GTB6 (.NET CLR 3.5.30729)
Build ID: 20091201220228

Enabled Extensions: [13]
- Adobe DLM (powered by getPlus®) 1.5.2.35: http://www.nosltd.com/
- Google Toolbar for Firefox 6.1.20091119W: http://www.google.com/
- Java Console 6.0.11: http://www.google.com/search?q=Firefox%20Java%20Console
- Java Console 6.0.13: http://www.google.com/search?q=Firefox%20Java%20Console
- Java Console 6.0.17: http://www.google.com/search?q=Firefox%20Java%20Console
- Java Quick Starter 1.0: http://www.google.com/search?q=Firefox%20J...Quick%20Starter
- McAfee SiteAdvisor 3.0: http://www.siteadvisor.com/
- Microsoft .NET Framework Assistant 1.1: http://www.windowsclient.net/
- MR Tech Toolkit 6.0.4: http://www.mrtech.com/extensions/
- Veoh Web Player Video Finder 1.4: http://www.veoh.com
- XUL Cache 1.0: http://www.google.com/search?q=Firefox%20XUL%20Cache
- XUL Cache 1.0: http://www.google.com/search?q=Firefox%20XUL%20Cache
- Yahoo! Toolbar 1.5.4.20081105: http://us.toolbar.yahoo.com/

Installed Themes: [1]
- Default: http://www.mozilla.org/

Installed Plugins: (16)
- Adobe Acrobat
- AOL Media Playback Plugin
- Google Updater
- iTunes Application Detector
- Java Deployment Toolkit 6.0.170.4
- Java™ Platform SE 6 U17
- Microsoft® DRM
- Mozilla ActiveX control and plugin support
- Mozilla Default Plug-in
- QuickTime Plug-in 7.6.4
- Shockwave Flash
- Snapfish Plugin for Firefox
- Veoh Web Player Beta
- VeohTV Plugin
- Windows Media Player Plug-in Dynamic Link Library
- Windows Presentation Foundation

#12 Buckeye_Sam (Malware Expert)

Posted 30 December 2009 - 01:28 PM

Disable XUL Cache 1.0
It looks like there are two of them, so make sure you get both.

Let me know if you are still being redirected.
========================================================
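Firefox safe mode runs with extensions disabled, and the redirects stopped there; the MR Tech report then showed the same extension name listed twice, which is the clue the helper acted on. Added here as an example (not part of this thread and not MR Tech Toolkit's own code) is a small Python triage script that parses a "My Config" text report in that format and flags the patterns worth looking at first. The sample input is a trimmed copy of the report posted above (the truncated Java Quick Starter line is left out); the assumption that a Google search URL in the report marks an extension with no declared homepage is mine, and the thread does not state it.

```python
import re
from collections import Counter, defaultdict

# Trimmed copy of the MR Tech Toolkit "My Config" report posted in the thread.
SAMPLE_REPORT = """\
Generated: Mon Dec 28 2009 21:19:16 GMT-0500 (Eastern Standard Time)
Enabled Extensions: [10]
- Adobe DLM (powered by getPlus®) 1.5.2.35: http://www.nosltd.com/
- Google Toolbar for Firefox 6.1.20091119W: http://www.google.com/
- Java Console 6.0.11: http://www.google.com/search?q=Firefox%20Java%20Console
- Java Console 6.0.13: http://www.google.com/search?q=Firefox%20Java%20Console
- Java Console 6.0.17: http://www.google.com/search?q=Firefox%20Java%20Console
- McAfee SiteAdvisor 3.0: http://www.siteadvisor.com/
- MR Tech Toolkit 6.0.4: http://www.mrtech.com/extensions/
- XUL Cache 1.0: http://www.google.com/search?q=Firefox%20XUL%20Cache
- XUL Cache 1.0: http://www.google.com/search?q=Firefox%20XUL%20Cache
- Yahoo! Toolbar 1.5.4.20081105: http://us.toolbar.yahoo.com/

Installed Themes: [1]
- Default: http://www.mozilla.org/
"""

# One report line: "- <name> <version>: <url>". The name may contain spaces
# and parentheses; the version is the last token before the colon.
ENTRY_RE = re.compile(r"^- (?P<name>.+) (?P<version>\S+): (?P<url>\S+)$")

# Assumption: the report prints a Google search URL when the extension
# declares no homepage of its own.
SEARCH_FALLBACK = "http://www.google.com/search?q="


def parse_extensions(report):
    """Return [(name, version, url)] for the 'Enabled Extensions' section only."""
    entries = []
    in_section = False
    for line in report.splitlines():
        if line.startswith("Enabled Extensions:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == "":
            in_section = False  # a blank line ends the section
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["name"], m["version"], m["url"]))
    return entries


def triage(entries):
    """Flag the patterns a helper would look at first in an extension list."""
    findings = {}

    # Strong signal: Firefox keys add-ons by their ID, so one display name
    # listed twice means two different add-on IDs share that name.
    counts = Counter((name, version) for name, version, _ in entries)
    findings["duplicates"] = sorted(k for k, n in counts.items() if n > 1)

    # Medium signal: several versions of one add-on left behind by upgrades
    # (the JavaRa step earlier in the thread addresses exactly this sprawl).
    versions = defaultdict(list)
    for name, version, _ in entries:
        if version not in versions[name]:
            versions[name].append(version)
    findings["multi_version"] = {n: v for n, v in versions.items() if len(v) > 1}

    # Weak signal: no homepage declared. Legitimate add-ons trip this too
    # (Java Console does), so it only ranks what to look at, not what to remove.
    findings["no_homepage"] = sorted(
        {name for name, _, url in entries if url.startswith(SEARCH_FALLBACK)}
    )
    return findings


if __name__ == "__main__":
    results = triage(parse_extensions(SAMPLE_REPORT))
    for key, value in results.items():
        print(f"{key}: {value}")
```

On the sample report the script reports XUL Cache 1.0 as a duplicate name, Java Console as having three versions installed, and both of those as lacking a declared homepage; the duplicate is the finding that matters, the other two only say where to look next.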

#13 seekeroftruth (Topic Starter)

Posted 30 December 2009 - 08:10 PM

Sam,

It looks like that has cleared up my problem. I am not having any more redirects.

#14 Buckeye_Sam (Malware Expert)

Posted 31 December 2009 - 12:27 PM

Let's see if we can clean it out completely.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

========================================================

#15 seekeroftruth (Topic Starter)

Posted 31 December 2009 - 01:41 PM

GooredFix by jpshortstuff (28.12.09.1)
Log created at 13:13 on 31/12/2009 (DAD)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========

Deleting "C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\xzcj6vw8.default\extensions\{8036243e-86cc-4474-a83d-35be6602b981}" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [16:05 26/01/2006]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [22:00 17/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [16:03 18/04/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [17:47 27/12/2009]

C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\xzcj6vw8.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [19:22 06/09/2009]
{3112ca9c-de6d-4884-a869-9855de68056c} [18:22 06/12/2009]
{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC} [02:18 29/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}" [22:45 16/12/2008]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [18:30 11/04/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [18:37 04/10/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [17:46 27/12/2009]

-=E.O.F=-
