Firefox Infected: being hijacked to fake web sites


This topic is locked. 13 replies to this topic.

#1 larryqpc
Posted 26 December 2009 - 10:10 PM

Well, looks like I too have been infected by whatever is hijacking my browser when I try to search. I seem to get taken to "thewebsitesurvey.com" where a voice comes out and tells me I have been selected for a survey. I have tried all the regular antivirus programs (PC Tools Spyware Doctor; SUPERAntiSpyware; Ad-Aware; a-squared; Malwarebytes Anti-Malware; Spybot Search and Destroy) and nothing has found the problem. I see from some other posts that this is a difficult infection and I need some real expert help. Thanks.

Here is the dds.txt log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by USER at 21:34:25.10 on Sat 12/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1748 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Magazine Utilities\TrayManager\TrayMan.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PC Magazine Utilities\TitleBar Add-Ons\TitleBar Add-Ons.exe
C:\Program Files\Advanced Time Synchronizer\advtimesync.exe
C:\Program Files\filehippo.com\UpdateChecker.exe
C:\PROGRA~1\Clipboard Buddy v3\CBuddy3.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\USER\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
C:\Program Files\Advanced Time Synchronizer\advtimesync.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Acer\Empowering Technology\eDataSecurity\eDScts.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\WINDOWS\system32\DKabcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\java.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1051.0\mswinext.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Documents and Settings\USER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {403D3981-DF19-3614-9874-5955E1BB9AB3} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1051.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: @c:\program files\msn toolbar\platform\5.0.1051.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1051.0\npwinext.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TClockEx] c:\program files\tclockex\TCLOCKEX.EXE
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [TitleBar Add-Ons] c:\program files\pc magazine utilities\titlebar add-ons\TitleBar Add-Ons.exe
uRun: [Advanced Time Synchronizer] "c:\program files\advanced time synchronizer\advtimesync.exe" noshow
uRun: [filehippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /background
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [Clipboard Buddy 3] c:\progra~1\clipboard buddy v3\CBuddy3.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 0
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office x4\programs\QFSCHD140.EXE"
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [kmw_run.exe] kmw_run.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1051.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [TrayManager] "c:\program files\pc magazine utilities\traymanager\TrayMan.exe" -s
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\user\startm~1\programs\startup\cnet techtracker.lnk - c:\documents and settings\user\application data\cbs interactive\cnet techtracker\TechTracker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip quick pick.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227027104343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e7dzfken.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-01-01 00:35:59 108 --sha-r- c:\windows\neoqaz2.dll

============= FINISH: 21:37:13.57 ===============
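The DDS log above is long, and the one line that matters for this thread is the hidden, system-attributed 108-byte "DLL" sitting directly in c:\windows in the Find3M section, plus the two BHO/TB entries that point at files which no longer exist. The script below is an added triage helper, not part of the thread and not part of the DDS tool, that parses those two sections and flags exactly those conditions so a reviewer does not have to eyeball 200 lines. Its assumptions: the Find3M attribute token is read by letter (s = system, h = hidden, r = read-only, leading d = directory), the 1024-byte size threshold for a binary directly under c:\windows is a heuristic chosen here, and the sample log is constructed from lines copied out of the posted DDS log plus one benign wininet.dll line added for contrast.

```python
"""Triage helper for DDS-style logs (added example; not the thread's or DDS's own code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the DDS log above, plus one benign
# system32 entry (wininet.dll) made up here so the checks have something to ignore.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {403D3981-DF19-3614-9874-5955E1BB9AB3} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

==================== Find3M ====================

2008-01-01 00:35:59 108 --sha-r- c:\windows\neoqaz2.dll
2009-10-29 07:45:12 916480 ----a-w- c:\windows\system32\wininet.dll
"""

# Find3M line layout assumed here: date time size 8-char-attributes path
FIND3M_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# BHO/TB entries whose target DLL is gone but whose registration remains
ORPHAN_LINE = re.compile(r"^(?P<kind>BHO|TB): (?P<ident>.+?) - No File$")

TINY_BINARY_BYTES = 1024  # assumed heuristic threshold, not a DDS value


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def parse_find3m(line):
    """Return a dict for a Find3M entry, or None if the line is not one."""
    m = FIND3M_LINE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    return {
        "date": m.group("date"),
        "size": int(m.group("size")),
        "hidden": "h" in attrs,      # attribute letters read by membership, not position
        "system": "s" in attrs,
        "readonly": "r" in attrs,
        "directory": attrs.startswith("d"),
        "path": m.group("path").strip().lower(),
    }


def suspicious_reasons(entry):
    """Explain why a Find3M entry deserves a second look; empty list if it does not."""
    reasons = []
    if entry["directory"]:
        return reasons
    if entry["hidden"] and entry["system"]:
        # Hidden + system is what keeps a file out of a default Explorer view,
        # which is why helpers ask users to unhide protected OS files first.
        reasons.append("hidden+system attributes on a plain file")
    parent, _, name = entry["path"].rpartition("\\")
    if (parent == "c:\\windows" and name.endswith((".dll", ".exe", ".sys"))
            and entry["size"] < TINY_BINARY_BYTES):
        reasons.append(f"{entry['size']}-byte binary directly under c:\\windows")
    return reasons


def triage(log_text):
    """Walk a DDS log and collect orphaned BHO/TB entries and odd Find3M files."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        orphan = ORPHAN_LINE.match(line)
        if orphan:
            findings.append(Finding(orphan.group("ident"),
                                    [f"{orphan.group('kind')} entry points to a missing file"]))
            continue
        entry = parse_find3m(line)
        if entry:
            reasons = suspicious_reasons(entry)
            if reasons:
                findings.append(Finding(entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, the script reports the two "No File" registrations and c:\windows\neoqaz2.dll with both reasons, and says nothing about wininet.dll. That matches the helper's first move in this thread: make hidden and protected system files visible, then submit the odd file for a multi-engine scan.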


#2 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 27 December 2009 - 03:21 AM

Hi,

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Then, go to the next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

c:\windows\neoqaz2.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

Also, I see you use Firefox. Do you have this problem in IE as well?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 larryqpc (Topic Starter)

Posted 27 December 2009 - 05:50 AM

Hi! Thanks for your response. Though I don't use IE, I just tried it and, yes, I do have the problem of re-direction there as well.

Here is the scan from virustotal that you requested:

File neoqaz2.dll received on 2009.12.27 10:21:27 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/41 (0%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.27 -
AhnLab-V3 5.0.0.2 2009.12.26 -
AntiVir 7.9.1.122 2009.12.26 -
Antiy-AVL 2.0.3.7 2009.12.25 -
Authentium 5.2.0.5 2009.12.26 -
Avast 4.8.1351.0 2009.12.27 -
AVG 8.5.0.430 2009.12.26 -
BitDefender 7.2 2009.12.27 -
CAT-QuickHeal 10.00 2009.12.26 -
ClamAV 0.94.1 2009.12.27 -
Comodo 3384 2009.12.27 -
DrWeb 5.0.1.12222 2009.12.27 -
eSafe 7.0.17.0 2009.12.24 -
eTrust-Vet 35.1.7198 2009.12.25 -
F-Prot 4.5.1.85 2009.12.26 -
F-Secure 9.0.15370.0 2009.12.27 -
Fortinet 4.0.14.0 2009.12.27 -
GData 19 2009.12.26 -
Ikarus T3.1.1.79.0 2009.12.27 -
Jiangmin 13.0.900 2009.12.27 -
K7AntiVirus 7.10.931 2009.12.26 -
Kaspersky 7.0.0.125 2009.12.27 -
McAfee 5843 2009.12.26 -
McAfee+Artemis 5843 2009.12.26 -
McAfee-GW-Edition 6.8.5 2009.12.27 -
Microsoft 1.5302 2009.12.26 -
NOD32 4718 2009.12.27 -
Norman 6.04.03 2009.12.26 -
nProtect 2009.1.8.0 2009.12.27 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.27 -
Prevx 3.0 2009.12.27 -
Rising 22.27.06.04 2009.12.27 -
Sophos 4.49.0 2009.12.27 -
Sunbelt 3.2.1858.2 2009.12.26 -
Symantec 1.4.4.12 2009.12.27 -
TheHacker 6.5.0.3.113 2009.12.26 -
TrendMicro 9.120.0.1004 2009.12.27 -
VBA32 3.12.12.0 2009.12.26 -
ViRobot 2009.12.26.2109 2009.12.26 -
VirusBuster 5.0.21.0 2009.12.26 -
Additional information
File size: 108 bytes
MD5...: ea519f338b1476fdf2bf9bb36521c4c0
SHA1..: 60140b4341c67664de0e5a95a4f9974322ea472b
SHA256: df62e78d4b8461a2c02bd37c4efcbd84dd8252b026073aadd55b991360b2154d
ssdeep: 3:+j14UR6zD4l61xNSFB3awg7E5tBms01ZDOUN:g1ZcH4eNFb7E8xZDOU
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#4 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 27 December 2009 - 06:18 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#5 larryqpc (Topic Starter)

Posted 27 December 2009 - 07:36 AM

Thanks again. Here is the log from ComboFix:

ComboFix 09-12-26.04 - USER 12/27/2009 7:21.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2602 [GMT -5:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\USER\Application Data\inst.exe
c:\documents and settings\USER\Application Data\PC
c:\recycler\S-1-5-21-325701575-468174001-1974182182-1008
c:\windows\system32\ctfmon_na.exe
c:\windows\unins000.dat
c:\windows\unins000.exe

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-20 10:00 . 2009-12-20 04:09 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-20 04:14 . 2009-12-20 04:14 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-18 07:08 . 2009-12-20 09:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-14 11:05 . 2009-12-14 11:05 -------- d-----w- c:\program files\Microsoft
2009-12-14 11:05 . 2009-12-14 11:05 -------- d-----w- c:\program files\MSN Toolbar
2009-12-14 05:18 . 2009-12-14 11:05 -------- d-----w- c:\program files\Bing Bar Installer
2009-11-28 14:30 . 2009-11-28 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\page

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 12:27 . 2009-05-11 14:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-27 12:27 . 2009-11-16 13:04 7304 ----a-w- c:\windows\TMP0001.TMP
2009-12-27 12:10 . 2009-05-11 14:56 -------- d-----w- c:\program files\Spyware Doctor
2009-12-27 09:31 . 2009-12-18 04:54 52224 ----a-w- c:\documents and settings\USER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-27 09:31 . 2009-05-11 15:23 117760 ----a-w- c:\documents and settings\USER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-26 19:56 . 2007-03-21 19:58 304920 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-26 16:12 . 2009-06-15 19:38 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Nitro PDF
2009-12-25 23:27 . 2009-06-15 12:08 -------- d-----w- c:\documents and settings\USER\Application Data\Nitro PDF
2009-12-25 23:27 . 2008-11-24 14:25 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-25 23:27 . 2008-11-24 14:25 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-25 12:43 . 2009-05-12 03:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-25 12:40 . 2009-05-12 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-24 13:08 . 2009-05-13 12:28 -------- d-----w- c:\documents and settings\USER\Application Data\Clipboard Buddy 3
2009-12-24 13:05 . 2009-10-10 02:39 -------- d-----w- c:\program files\a-squared Free
2009-12-22 10:59 . 2008-11-20 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-12-18 04:55 . 2009-05-11 15:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-16 05:48 . 2009-05-12 03:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-16 05:47 . 2009-09-12 14:58 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-11 08:22 . 2009-12-11 08:22 440696 ----a-w- c:\documents and settings\USER\Application Data\CBS Interactive\CNET TechTracker\data\upgrade\CNET_TechTracker_1_3_52_Update.exe
2009-12-08 19:25 . 2009-05-29 09:32 1331072 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-03 21:14 . 2009-05-12 03:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-05-12 03:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 04:22 . 2009-06-03 04:55 -------- d-----w- c:\program files\QuickTime
2009-12-02 04:21 . 2009-06-03 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-28 14:31 . 2008-12-03 19:13 -------- d-----w- c:\documents and settings\USER\Application Data\Ashampoo
2009-11-20 11:12 . 2009-05-20 02:35 -------- d-----w- c:\program files\Common Files\Real
2009-11-20 09:22 . 2009-08-10 12:18 -------- d-----w- c:\program files\Canon
2009-11-19 16:48 . 2009-12-02 04:20 872960 ----a-w- c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\e7dzfken.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 16:48 . 2009-12-02 04:20 43008 ----a-w- c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\e7dzfken.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 16:48 . 2009-12-02 04:20 340480 ----a-w- c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\e7dzfken.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 16:48 . 2009-12-02 04:20 346624 ----a-w- c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\e7dzfken.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-19 14:53 . 2009-05-11 15:44 -------- d-----w- c:\documents and settings\USER\Application Data\PC Magazine Utilities
2009-11-19 10:35 . 2008-12-03 19:02 -------- d-----w- c:\program files\PC Magazine Utilities
2009-11-17 10:09 . 2009-11-16 13:07 -------- d-----w- c:\documents and settings\USER\Application Data\ZoomBrowser EX
2009-11-16 14:03 . 2009-11-16 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-11-16 13:34 . 2009-11-16 13:00 -------- d-----w- c:\program files\Common Files\Canon
2009-11-16 13:04 . 2009-11-16 13:04 0 ----a-w- c:\windows\ativpsrm.bin
2009-11-16 12:55 . 2009-11-16 12:55 -------- d-----w- c:\documents and settings\USER\Application Data\GlarySoft
2009-11-16 12:28 . 2009-11-16 12:28 -------- d-----w- c:\program files\IObit
2009-11-16 12:27 . 2009-05-11 16:07 -------- d-----w- c:\program files\Advanced Time Synchronizer
2009-11-16 12:00 . 2008-12-03 19:03 -------- d-----w- c:\program files\System Explorer
2009-11-16 11:50 . 2009-11-16 11:50 100113 ----a-w- c:\documents and settings\USER\Application Data\CBS Interactive\CNET TechTracker\uninst.exe
2009-11-16 09:13 . 2009-11-16 09:13 -------- d-----w- c:\documents and settings\USER\Application Data\CBS Interactive
2009-11-15 14:55 . 2007-08-15 13:36 105816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 20:06 . 2009-11-05 20:06 1108992 ----a-w- c:\documents and settings\USER\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
2009-11-05 02:01 . 2007-08-15 13:47 -------- d-----w- c:\program files\Java
2009-11-05 02:00 . 2009-11-05 02:00 152576 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-30 00:29 . 2009-10-30 00:29 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-29 07:45 . 2007-04-18 12:46 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-25 12:20 . 2008-12-05 17:23 38208 ----a-w- c:\documents and settings\USER\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-21 05:38 . 2004-08-04 05:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 05:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 05:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 05:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 05:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2008-12-03 17:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 17:11 . 2009-05-11 12:10 177024 ----a-w- c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\e7dzfken.default\FlashGot.exe
2008-01-01 00:35 . 2008-01-01 00:35 108 --sha-r- c:\windows\neoqaz2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-18 2002160]
"TitleBar Add-Ons"="c:\program files\PC Magazine Utilities\TitleBar Add-Ons\TitleBar Add-Ons.exe" [2007-01-03 1105920]
"Advanced Time Synchronizer"="c:\program files\Advanced Time Synchronizer\advtimesync.exe" [2009-05-26 802816]
"filehippo.com"="c:\program files\filehippo.com\UpdateChecker.exe" [2009-09-28 155648]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"Clipboard Buddy 3"="c:\progra~1\Clipboard Buddy v3\CBuddy3.exe" [2009-01-19 279552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-09-29 343040]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2009-06-22 83232]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 507904]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-11-12 864256]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-03-01 503808]
"kmw_run.exe"="kmw_run.exe" [2006-08-03 106496]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-20 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1051.0\mswinext.exe" [2009-11-13 243032]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"TrayManager"="c:\program files\PC Magazine Utilities\TrayManager\TrayMan.exe" [2008-03-31 483328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

c:\documents and settings\USER\Start Menu\Programs\Startup\
CNET TechTracker.lnk - c:\documents and settings\USER\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe [2009-11-5 1108992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 10:06 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\DKabcoms.exe"=
"c:\\Program Files\\Dell\\Printer Software\\ErrorApp\\DKab1err.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/12/2009 9:39 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/11/2009 9:56 AM 206256]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [5/11/2009 10:06 AM 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [5/11/2009 10:06 AM 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [5/11/2009 9:56 AM 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 10:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 10:33 AM 74480]
R1 wgo;wgo;c:\windows\system32\drivers\wgo.sys [5/13/2009 7:21 AM 13976]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [10/9/2009 9:39 PM 1858144]
R2 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 2:43 PM 204800]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [6/15/2009 3:13 PM 188736]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/22/2007 11:13 PM 36608]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 10:33 AM 7408]
S2 MSSQL$RELIUS;SQL Server (RELIUS);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sRELIUS --> c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [?]
S2 netlimiter;netlimiter;\??\c:\windows\system32\drivers\netlimiter.sys --> c:\windows\system32\drivers\netlimiter.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [5/11/2009 9:56 AM 64392]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/11/2009 9:56 AM 348752]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [5/11/2009 10:06 AM 33056]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\e7dzfken.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\e7dzfken.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\e7dzfken.default\extensions\{6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}\components\snagitmozextension.dll
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - component: c:\program files\MSN Toolbar\Platform\5.0.1051.0\Firefox\components\DomBridge.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\e7dzfken.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\MSN Toolbar\Platform\5.0.1051.0\npwinext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{403D3981-DF19-3614-9874-5955E1BB9AB3} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
AddRemove-Shutdown icon - Restart Icon_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 07:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(544)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\MFC71U.DLL
c:\program files\PC Magazine Utilities\TitleBar Add-Ons\TBSysHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\PC Magazine Utilities\TrayManager\tmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\windows\system32\ASTSRV.EXE
c:\windows\system32\DKabcoms.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\kmw_run.exe
c:\acer\Empowering Technology\eDataSecurity\eDScts.exe
c:\windows\system32\KMW_SHOW.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\java.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2009-12-27 07:32:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 12:32

Pre-Run: 194,966,798,336 bytes free
Post-Run: 195,020,963,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=alwaysoff

- - End Of File - - 83BCA1E94B2ABD7D0AFBD35D1A3A6B27

#6 larryqpc

  • Topic Starter
  • Members
  • 7 posts

Posted 27 December 2009 - 07:43 AM

miekiemoes,

I note the process found and replaced the infected iastore.sys.

Is it possible that this has fixed the problem? I went in and tried a whole bunch of searches and NONE of them got hijacked!

Just thought I should report that result. I will keep trying, and meanwhile I will await your response before I do anything else.

Thanks so much for your help so far.

Larryqpc

#7 miekiemoes

    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 December 2009 - 08:59 AM

Hi,

Yes, this infection infects a driver. Combofix found it to be infected and replaced it again with a clean one.
So, yes, that has fixed the problem :(

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 larryqpc

  • Topic Starter
  • Members
  • 7 posts

Posted 27 December 2009 - 12:34 PM

Thanks so much. I'm in my office now (December is very busy for me) and the infected computer is home, so I'll be uninstalling ComboFix later this evening and will let you know the results. I have already made a contribution to the author of ComboFix; can't tell you how grateful I am for your help.

Will send you another reply later tonight.

Larry.

#9 miekiemoes

    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 December 2009 - 12:37 PM

That's fine.

Everything should be OK again though.

Glad I could help. :(

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#10 larryqpc

  • Topic Starter
  • Members
  • 7 posts

Posted 27 December 2009 - 12:44 PM

miekiemoes,

I see you are a "big cheese" at Malwarebytes. Query: is this something that you expect Malwarebytes will eventually deal with on its own? If not, I'd be interested why not (not TOO technical; my head might explode). Thanks.

Larry.

#11 miekiemoes

    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 December 2009 - 12:55 PM

Hi,

This infection infected a very important system file, in your case iastor.sys. That's why most scanners don't take the risk to touch it, since it has to be replaced with a valid copy, otherwise the pc won't boot anymore. There's also an extra risk involved, because some systems don't have a valid, non-infected copy of it present, or the copy is corrupt.
So it's better safe than sorry and not touch it instead of causing an unbootable situation.
This can happen when using Combofix as well, as there's always a risk, but Combofix takes this risk since we don't recommend people to use Combofix without supervision. So in case something goes wrong, we can then instruct how to fix this. For a commercial scanner, it's more difficult to take these risks since these scanners are used without supervision. :(
Hope that explains why most scanners won't deal with this :(

Also, this is a very advanced infection, so it also bypasses many detections, because when the infection is active, it basically shows the infected system file as legit since it has the correct MD5 hash etc etc..

Edited by miekiemoes, 27 December 2009 - 12:56 PM.

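The trade-off miekiemoes describes above (a patched boot-critical driver such as iastor.sys must only be replaced from a copy that is verified clean, and left alone otherwise) can be written down as a small decision routine. The following is an added example, not code from the thread and not ComboFix's own logic; the driver bytes, the hash catalogue and the directory layout are all constructed for the demonstration, and the catalogue stands in for a vendor or OS file catalogue that a real tool would consult.

```python
"""Replace a system driver only from a verified clean copy (added example).

Every file name, byte string and hash below is constructed; nothing here is
the real iastor.sys or a real known-good hash.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-ins for a clean driver image and a patched one.
CLEAN_BYTES = b"constructed-clean-driver-image-v1"
INFECTED_BYTES = CLEAN_BYTES + b"\x90" * 8 + b"constructed-patch"

# Constructed catalogue: driver name -> known-good SHA-256. A real catalogue
# comes from the vendor or the OS file catalogue, never from the live disk.
KNOWN_GOOD = {"iastor.sys": hashlib.sha256(CLEAN_BYTES).hexdigest()}


def sha256_file(path):
    """Hash a file in chunks so large drivers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_verified_copy(name, candidates, catalogue=KNOWN_GOOD):
    """Return the first existing candidate whose hash matches the catalogue."""
    expected = catalogue.get(name)
    if expected is None:
        return None
    for path in candidates:
        if os.path.isfile(path) and sha256_file(path) == expected:
            return path
    return None


def safe_replace(target, candidates, catalogue=KNOWN_GOOD):
    """Replace `target` only if it is not clean AND a verified clean copy exists.

    Returns 'clean', 'replaced' or 'aborted'. When no verified copy is
    available the driver is left untouched: an unbootable machine is worse
    than a detected-but-unfixed driver, which is the point made in the post.
    """
    name = os.path.basename(target).lower()
    if name not in catalogue:
        return "aborted"  # unknown driver: no baseline to verify against
    if os.path.isfile(target) and sha256_file(target) == catalogue[name]:
        return "clean"
    source = find_verified_copy(name, candidates, catalogue)
    if source is None:
        return "aborted"
    shutil.copy2(target, target + ".bak")  # keep the suspect copy for analysis
    shutil.copy2(source, target)
    return "replaced"


def demo(workdir):
    """Create constructed files under `workdir` and exercise all three outcomes."""
    drivers = os.path.join(workdir, "drivers")
    cache = os.path.join(workdir, "dllcache")
    os.makedirs(drivers, exist_ok=True)
    os.makedirs(cache, exist_ok=True)
    target = os.path.join(drivers, "iastor.sys")
    cached = os.path.join(cache, "iastor.sys")
    with open(target, "wb") as f:
        f.write(INFECTED_BYTES)
    first = safe_replace(target, [cached])      # no clean copy yet -> aborted
    with open(cached, "wb") as f:
        f.write(CLEAN_BYTES)
    second = safe_replace(target, [cached])     # verified copy found -> replaced
    third = safe_replace(target, [])            # target now matches -> clean
    return first, second, third


def demo_in_tempdir():
    """Run demo() in a throwaway directory and return its result tuple."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

The routine deliberately refuses to act in two situations a scanner running unsupervised cannot recover from: a driver it has no baseline for, and a driver for which no candidate copy matches the baseline. Note that, as the post also says, a hash taken through the normal file API is only trustworthy once the rootkit is inactive (offline media or a clean boot); the check above assumes that condition.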

#12 larryqpc

  • Topic Starter
  • Members
  • 7 posts

Posted 27 December 2009 - 10:14 PM

Hi!

I have run the Combofix uninstall and all is well.

Again, it has been a pleasure and thank you for your prompt attention to my problem!

Also, I have reviewed your Prevention Page (I've bookmarked it). Thanks for all the useful info there as well.

Take care.

Happy New Year.

#13 miekiemoes

    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 December 2009 - 12:49 AM

You're most welcome and a Happy New Year as well :(

#14 miekiemoes

    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 January 2010 - 08:33 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



