
Yahoo, google redirection; theWebSiteSurvey.com popup


This topic is locked
27 replies to this topic

#1 pwgales

pwgales

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:North Port, FL
  • Local time:08:56 AM

Posted 06 January 2010 - 07:53 PM

I have the infamous google, yahoo, bing redirection problem that takes me to a 404 error after clicking results and now have the popup for thewebsitesurvey.com. I have run every malware/virus protection I have found recommended on these and other forums but still have the problem. Originally malwarebytes found something and removed it but since none of the programs find anything. Please, please, please help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by pete at 20:29:03.73 on Wed 01/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.380 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\pete\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\pete\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Documents and Settings\pete\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/webwork/galesfamily/index.html
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\pete\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: &ieSpell Options
IE: &Search
IE: Check &Spelling
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel
IE: Google Sidewiki...
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199549628515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D}
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://networksolutionsemailpopwizard.com/TrueSwitchEC.exe
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-18 54752]
R2 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-16 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-16 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-16 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-16 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-16 40552]
S0 Lbd;Lbd; [x]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-16 34248]
S3 PinnacleMarvinAVS;Pinnacle AVStream Service for MovieBox Deluxe, 500-USB and 700-USB;c:\windows\system32\drivers\MarvinAVS.sys [2008-10-14 434176]

=============== Created Last 30 ================

2010-01-07 01:02:09 0 d-----w- c:\docume~1\pete\applic~1\Reg Tool
2010-01-07 00:57:45 0 d-----w- c:\program files\Reg Tool
2009-12-28 00:33:21 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-28 00:32:10 0 d-----w- c:\program files\iPod
2009-12-28 00:32:05 0 d-----w- c:\program files\iTunes
2009-12-28 00:08:37 0 d-----r- c:\program files\New Briefcase
2009-12-22 23:58:59 0 dc-h--w- c:\windows\ie8
2009-12-22 18:58:00 7814944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-22 18:58:00 2900 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-22 18:58:00 19744 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-22 18:58:00 107804 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-22 18:57:47 2731 ----a-w- C:\rollback.ini
2009-12-22 18:46:25 0 d-----w- c:\program files\common files\ParetoLogic
2009-12-22 18:46:24 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-12-22 16:33:25 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-22 16:33:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-22 16:21:12 0 d-----w- c:\program files\CCleaner
2009-12-22 15:37:00 0 d-----w- C:\RootkitNO
2009-12-22 14:52:13 0 d-----w- c:\windows\system32\GroupPolicy
2009-12-22 14:52:13 0 d-----w- c:\program files\Windows Desktop Search
2009-12-22 14:51:10 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-12-22 14:51:09 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-12-22 14:51:09 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-12-21 00:09:05 98816 ----a-w- c:\windows\sed.exe
2009-12-21 00:09:05 77312 ----a-w- c:\windows\MBR.exe
2009-12-21 00:09:05 261632 ----a-w- c:\windows\PEV.exe
2009-12-21 00:09:05 161792 ----a-w- c:\windows\SWREG.exe
2009-12-20 23:35:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 23:35:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 23:35:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 22:58:23 2 --shatr- c:\windows\winstart.bat
2009-12-20 22:57:27 0 d-----w- c:\program files\UnHackMe
2009-12-20 14:43:28 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-19 19:16:04 103128 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-13 16:00:38 132096 --sha-r- c:\windows\system32\msxml0.dll

==================== Find3M ====================

2010-01-06 12:25:18 2516 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-01-04 02:00:51 871040 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-07 19:28:10 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-03-11 19:38:21 8 --sha-r- c:\windows\system32\4644762889.sys

============= FINISH: 20:31:41.45 ===============

Attached Files


Edited by Orange Blossom, 06 January 2010 - 09:24 PM.
Move to HJT forum. ~ OB

Thanks,

Peter Gales


#2 pwgales

pwgales
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:North Port, FL
  • Local time:08:56 AM

Posted 10 January 2010 - 12:45 PM

Using IE and Google Chrome has become impossible due to so many pop ups for surveys, etc.
Thanks,

Peter Gales

#3 pwgales

pwgales
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:North Port, FL
  • Local time:08:56 AM

Posted 13 January 2010 - 02:10 PM

I know it said it may be a few days for a response, but I'm wondering how long a few days may be? Or should I repost this again?

Thanks
Thanks,

Peter Gales

#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:56 PM

Posted 14 January 2010 - 09:27 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?



If I haven't replied in 48 hours, please feel free to send me a PM.




#5 pwgales

pwgales
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:North Port, FL
  • Local time:08:56 AM

Posted 14 January 2010 - 04:55 PM

Thanks for the response and help. Since the original post McAfee has found and deleted a form of Vundo and Spybot Search and Destroy deleted everything else that was related to it. I still have the original problems with the redirection from search results and the pop-ups. The newest logs from DDS are attached.

Thanks again.



DDS (Ver_09-12-01.01) - NTFSx86
Run by pete at 16:48:54.20 on Thu 01/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.465 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\pete\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/webwork/galesfamily/index.html
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\pete\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: &ieSpell Options
IE: &Search
IE: Check &Spelling
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel
IE: Google Sidewiki...
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199549628515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D}
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://networksolutionsemailpopwizard.com/TrueSwitchEC.exe
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\gajulebi.dll,hivoneka.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: likoyegel - {57751942-87d1-4d15-a66e-4dfd26d4ba20} - c:\windows\system32\gajulebi.dll
STS: gahurihor: {57751942-87d1-4d15-a66e-4dfd26d4ba20} - c:\windows\system32\gajulebi.dll
LSA: Notification Packages = scecli bejowigo.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-18 54752]
R2 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-16 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-16 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-16 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-16 35272]
S0 Lbd;Lbd; [x]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-16 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-16 40552]
S3 PinnacleMarvinAVS;Pinnacle AVStream Service for MovieBox Deluxe, 500-USB and 700-USB;c:\windows\system32\drivers\MarvinAVS.sys [2008-10-14 434176]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-16 606736]

=============== Created Last 30 ================

2010-01-07 01:02:09 0 d-----w- c:\docume~1\pete\applic~1\Reg Tool
2010-01-07 00:57:45 0 d-----w- c:\program files\Reg Tool
2009-12-28 00:33:21 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-28 00:32:10 0 d-----w- c:\program files\iPod
2009-12-28 00:32:05 0 d-----w- c:\program files\iTunes
2009-12-28 00:08:37 0 d-----r- c:\program files\New Briefcase
2009-12-22 23:58:59 0 dc-h--w- c:\windows\ie8
2009-12-22 18:58:00 7814944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-22 18:58:00 2900 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-22 18:58:00 19744 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-22 18:58:00 107804 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-22 18:57:47 2731 ----a-w- C:\rollback.ini
2009-12-22 18:46:25 0 d-----w- c:\program files\common files\ParetoLogic
2009-12-22 18:46:24 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-12-22 16:33:25 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-22 16:33:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-22 16:21:12 0 d-----w- c:\program files\CCleaner
2009-12-22 15:37:00 0 d-----w- C:\RootkitNO
2009-12-22 14:52:13 0 d-----w- c:\windows\system32\GroupPolicy
2009-12-22 14:52:13 0 d-----w- c:\program files\Windows Desktop Search
2009-12-22 14:51:10 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-12-22 14:51:09 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-12-22 14:51:09 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-12-21 00:09:05 98816 ----a-w- c:\windows\sed.exe
2009-12-21 00:09:05 77312 ----a-w- c:\windows\MBR.exe
2009-12-21 00:09:05 261632 ----a-w- c:\windows\PEV.exe
2009-12-21 00:09:05 161792 ----a-w- c:\windows\SWREG.exe
2009-12-20 23:35:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 23:35:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 23:35:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 22:58:23 2 --shatr- c:\windows\winstart.bat
2009-12-20 22:57:27 0 d-----w- c:\program files\UnHackMe
2009-12-20 14:43:28 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-19 19:16:04 103128 ---ha-w- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2010-01-10 22:19:20 2516 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-01-10 20:33:21 871040 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-13 16:00:38 132096 --sha-r- c:\windows\system32\msxml0.dll
2009-12-07 19:28:10 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-03-11 19:38:21 8 --sha-r- c:\windows\system32\4644762889.sys

============= FINISH: 16:50:32.98 ===============

Attached Files


Thanks,

Peter Gales
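The second DDS log differs from the first in exactly the load points an analyst checks first: the AppInit_DLLs value, the SSODL and STS shell-load entries, and the LSA Notification Packages value, all of which now point at the same randomly named DLLs in system32. The Python script below is an added example, not part of the thread or of DDS itself: it parses a subset of those lines copied from the two logs, reports entries that are new in the second log, and rates them with heuristics of this example's own (the AppInit_DLLs/LSA rules and the random-name check are assumptions, not DDS output).

```python
"""Diff the two DDS "Pseudo HJT Report" sections from this thread and flag
new load-point entries an analyst would treat as hostile.

Added example, not part of the thread or of DDS. The sample lines are a subset
copied from the two logs posted above; the parsing and the risk rules are
this example's own and are heuristics, not signatures.
"""
import re
from collections import namedtuple

# kind = DDS line prefix, name = entry label, dll = file name exactly as logged
Entry = namedtuple("Entry", "kind name dll")

HIGH_RISK_KINDS = {"AppInit_DLLs", "LSA"}        # almost never used by consumer software
WATCH_KINDS = {"BHO", "SSODL", "STS", "Notify"}  # common, but check where they point
KINDS = HIGH_RISK_KINDS | WATCH_KINDS
KNOWN_LSA_PACKAGES = {"scecli"}                  # the Windows XP default package
# Vundo-era droppers used 8-9 random lowercase letters; vendor DLLs usually have mixed case
RANDOM_NAME = re.compile(r"[a-z]{8,9}(\.dll)?")


def dll_basename(path):
    """File name part of a logged path, quotes stripped, case preserved."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1]


def parse_hjt(text):
    """Turn the load-point lines we care about into Entry tuples; skip the rest."""
    entries = []
    for line in text.splitlines():
        kind, sep, rest = line.strip().partition(":")
        kind, rest = kind.strip(), rest.strip()
        if not sep or kind not in KINDS:
            continue
        if kind == "AppInit_DLLs":
            # comma-separated list; each DLL is mapped into every GUI process
            for item in rest.split(","):
                entries.append(Entry(kind, "AppInit_DLLs", dll_basename(item)))
        elif kind == "LSA":
            # "Notification Packages = scecli bejowigo.dll"
            label, _, packages = rest.partition("=")
            for item in packages.split():
                entries.append(Entry(kind, label.strip(), item))
        else:
            # "name - {clsid} - path" or "name: {clsid} - path"
            parts = re.split(r"\s-\s", rest)
            name = re.split(r":\s", parts[0], maxsplit=1)[0].strip()
            dll = dll_basename(parts[-1]) if len(parts) > 1 else ""
            entries.append(Entry(kind, name, dll))
    return entries


def new_entries(before, after):
    """Entries present in the later report but absent from the earlier one."""
    seen = set(before)
    return [e for e in after if e not in seen]


def assess(entries):
    """Return (severity, entry, reason) findings; unflagged entries are omitted."""
    injected = {e.dll.lower() for e in entries if e.kind == "AppInit_DLLs"}
    findings = []
    for e in entries:
        if e.kind == "AppInit_DLLs":
            findings.append(("HIGH", e, "AppInit_DLLs loads it into every process that maps user32.dll"))
        elif e.kind == "LSA" and e.dll.lower() not in KNOWN_LSA_PACKAGES:
            findings.append(("HIGH", e, "unknown LSA notification package runs inside lsass.exe"))
        elif e.kind in WATCH_KINDS and e.dll.lower() in injected:
            findings.append(("HIGH", e, "same DLL is also registered under AppInit_DLLs"))
        elif e.kind in WATCH_KINDS and (RANDOM_NAME.fullmatch(e.dll) or RANDOM_NAME.fullmatch(e.name)):
            findings.append(("MEDIUM", e, "random-looking lowercase name, typical of Vundo-family droppers"))
    return findings


# Constructed samples: a subset of the Pseudo HJT lines from the 6 January and
# 14 January logs above; the first three lines are common to both reports.
BEFORE = r"""
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
"""
AFTER = BEFORE + r"""
AppInit_DLLs: c:\windows\system32\gajulebi.dll,hivoneka.dll
SSODL: likoyegel - {57751942-87d1-4d15-a66e-4dfd26d4ba20} - c:\windows\system32\gajulebi.dll
STS: gahurihor: {57751942-87d1-4d15-a66e-4dfd26d4ba20} - c:\windows\system32\gajulebi.dll
LSA: Notification Packages = scecli bejowigo.dll
"""

if __name__ == "__main__":
    added = new_entries(parse_hjt(BEFORE), parse_hjt(AFTER))
    for severity, entry, reason in assess(added):
        print(f"{severity:6} {entry.kind:12} {entry.name:22} {entry.dll:22} {reason}")
```

Every HIGH finding here names one of three DLLs (gajulebi.dll, hivoneka.dll, bejowigo.dll), which is the list a helper would carry into the GMER and removal steps that follow.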

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:56 PM

Posted 15 January 2010 - 01:48 PM

Hello, pwgales
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#7 pwgales

pwgales
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Port, FL
  • Local time:08:56 AM

Posted 15 January 2010 - 08:14 PM

I just tried to boot up to run the next process and I'm getting a Blue screen having a problem with iaStor.sys

It will not boot via safe mode, command prompt or anything. Any advice?
Thanks,

Peter Gales

#8 pwgales

pwgales
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Port, FL
  • Local time:08:56 AM

Posted 15 January 2010 - 10:23 PM

OK got the BSOD fixed (hopefully). I'll proceed with scan and post back
Thanks,

Peter Gales

#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:56 PM

Posted 16 January 2010 - 12:30 PM

How did you fix it, and what did you do before the BSOD came up the first time?
regards,
schrauber


#10 pwgales

pwgales
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Port, FL
  • Local time:08:56 AM

Posted 16 January 2010 - 06:28 PM

Tom,

GMER is still running. Third try now in Safe Mode but appears to be running successfully.

The only thing done on the computer the night before the BSOD was the DDS scan for this post, then it was shut off. After doing some quick research on Dell and iaStor.sys I got out my install disk, ran the recovery/repair program so I could view the files, found the iaStor.sys on the computer and saw it had in fact been modified the night before, and then I copied the original iaStor.sys from the install disk to the computer. Exited out of recovery/repair mode and re-booted successfully. I allowed no other changes except for the one file being copied, so in theory everything is still the same as it was before the DDS scan.

I'm guessing the GMER is looking at every single file, folder, and setting hence the reason it is taking so long. I'll post it as soon as it is complete.

B.T.W. I'm posting from my wife's computer so as to not use the other for anything. It's not even plugged into the network except to download the scan software.

Thanks for everything.

Pete Gales

Edited by pwgales, 16 January 2010 - 06:28 PM.


#11 pwgales

pwgales
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Port, FL
  • Local time:08:56 AM

Posted 16 January 2010 - 08:55 PM

Tom,
Here is the GMER log:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 20:44:37
Windows 5.1.2600 Service Pack 3
Running: 0qj6r2mr.exe; Driver: C:\DOCUME~1\pete\LOCALS~1\Temp\kxtdapoc.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ...

---- EOF - GMER 1.0.15 ----


Thanks,

Pete

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:56 PM

Posted 17 January 2010 - 04:10 PM

Hi,


Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards,
schrauber


#13 pwgales

pwgales
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Port, FL
  • Local time:08:56 AM

Posted 17 January 2010 - 05:41 PM

Tom,

Here is the ComboFix.txt:

ComboFix 10-01-16.04 - pete 01/17/2010 17:10:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.455 [GMT -5:00]
Running from: c:\documents and settings\pete\Desktop\a1b2c3.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msxml0.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-08 19:00 . 2010-01-08 19:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-07 01:02 . 2010-01-07 01:12 -------- d-----w- c:\documents and settings\pete\Application Data\Reg Tool
2010-01-07 00:57 . 2010-01-07 01:12 -------- d-----w- c:\program files\Reg Tool
2010-01-04 01:46 . 2010-01-04 01:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft
2009-12-28 00:33 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-28 00:32 . 2009-12-28 00:32 -------- d-----w- c:\program files\iPod
2009-12-28 00:32 . 2009-12-28 00:33 -------- d-----w- c:\program files\iTunes
2009-12-28 00:30 . 2009-12-28 00:31 -------- d-----w- c:\program files\QuickTime
2009-12-28 00:08 . 2009-12-28 00:08 -------- d-----r- c:\program files\New Briefcase
2009-12-22 23:58 . 2009-12-22 23:59 -------- dc-h--w- c:\windows\ie8
2009-12-22 18:58 . 2009-12-22 23:48 7814944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-22 18:58 . 2009-12-22 23:48 19744 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-22 18:46 . 2009-12-22 23:40 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-12-22 18:46 . 2009-12-22 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-12-22 16:33 . 2010-01-13 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-22 16:33 . 2009-12-22 16:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-22 16:21 . 2009-12-22 16:21 -------- d-----w- c:\program files\CCleaner
2009-12-22 16:00 . 2009-12-22 16:00 -------- d-----w- c:\documents and settings\pete\Local Settings\Application Data\Threat Expert
2009-12-22 15:37 . 2009-12-22 15:37 -------- d-----w- C:\RootkitNO
2009-12-22 14:52 . 2009-12-22 15:38 -------- d-----w- c:\program files\Windows Desktop Search
2009-12-22 14:52 . 2009-12-22 14:52 -------- d-----w- c:\windows\system32\GroupPolicy
2009-12-22 14:51 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-12-22 14:51 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-12-22 14:51 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-12-21 01:23 . 2009-12-21 01:23 -------- d-----w- c:\documents and settings\pete\Local Settings\Application Data\VS Revo Group
2009-12-20 23:35 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 23:35 . 2010-01-08 05:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 23:35 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 22:58 . 2009-12-23 01:40 2 --shatr- c:\windows\winstart.bat
2009-12-20 22:57 . 2009-12-29 13:12 -------- d-----w- c:\program files\UnHackMe
2009-12-20 14:43 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-19 19:16 . 2009-12-19 19:16 103128 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 12:26 . 2008-01-14 21:40 5904 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-01-10 22:19 . 2009-03-08 13:38 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-10 22:19 . 2009-03-08 13:38 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-02 22:28 . 2010-01-02 22:30 816392 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
2009-12-28 00:32 . 2008-01-05 20:44 -------- d-----w- c:\program files\Common Files\Apple
2009-12-28 00:31 . 2008-01-05 19:51 -------- d-----w- c:\program files\Bonjour
2009-12-24 00:49 . 2008-01-05 21:15 -------- d-----w- c:\program files\Warcraft III
2009-12-22 23:48 . 2009-12-22 18:58 2900 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-22 23:48 . 2009-12-22 18:58 107804 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-22 19:04 . 2009-12-22 19:04 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2009-12-22 16:16 . 2008-01-05 20:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-22 14:44 . 2008-01-30 22:53 -------- d-----w- c:\program files\Google
2009-12-21 01:08 . 2009-09-12 14:51 -------- d-----w- c:\documents and settings\pete\Application Data\Move Networks
2009-12-21 01:06 . 2008-07-24 21:29 -------- d-----w- c:\program files\Java
2009-12-21 01:03 . 2009-02-03 21:07 -------- d-----w- c:\program files\Audacity
2009-12-21 00:59 . 2009-02-03 21:02 -------- d-----w- c:\program files\AoA Audio Extractor
2009-12-21 00:59 . 2009-11-28 01:37 -------- d-----w- c:\program files\Any Video Converter
2009-12-21 00:59 . 2009-11-28 01:37 -------- d-----w- c:\documents and settings\pete\Application Data\Any Video Converter
2009-12-20 20:03 . 2008-01-16 00:52 132496 ----a-w- c:\documents and settings\devon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-20 14:38 . 2008-09-07 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-20 00:16 . 2008-11-29 01:28 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-15 23:01 . 2009-07-09 21:12 -------- d-----w- c:\documents and settings\pete\Application Data\Amazon
2009-12-14 19:26 . 2008-10-25 21:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-13 22:01 . 2009-11-27 22:16 -------- d-----w- c:\documents and settings\pete\Application Data\U3
2009-12-07 19:28 . 2009-12-07 19:28 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-12-06 14:34 . 2009-12-06 14:34 -------- d-----w- c:\documents and settings\pete\Application Data\com.warnerbros.DigitalCopyManager.449F66ACC381FDC604DC2AA255FEECEEBBBEE1E5.1
2009-12-06 14:34 . 2009-12-06 14:34 -------- d-----w- c:\program files\Warner Bros. Digital Copy Manager
2009-12-06 13:26 . 2009-03-13 22:25 -------- d-----w- c:\documents and settings\pete\Application Data\Smilebox
2009-12-02 22:57 . 2008-12-08 03:45 132496 ----a-w- c:\documents and settings\dylan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-24 22:02 . 2008-01-05 14:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-22 00:08 . 2008-01-08 01:59 -------- d-----w- c:\documents and settings\pete\Application Data\AdobeUM
2009-11-21 15:51 . 2004-08-10 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 00:15 . 2009-11-17 04:42 -------- d-----w- c:\program files\McAfee
2009-11-18 23:27 . 2009-11-18 23:27 -------- d-----w- c:\program files\Windows Live
2009-11-18 23:27 . 2009-11-18 23:27 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-17 04:45 . 2008-01-05 15:45 132496 ----a-w- c:\documents and settings\pete\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-16 07:21 . 2009-02-24 08:04 205448 ----a-w- c:\documents and settings\pete\Application Data\Smilebox\SmileboxDvd.exe
2009-11-16 07:21 . 2009-02-24 11:58 373384 ----a-w- c:\documents and settings\pete\Application Data\Smilebox\SmileboxStarter.exe
2009-11-16 07:21 . 2009-02-24 11:40 168584 ----a-w- c:\documents and settings\pete\Application Data\Smilebox\SmileboxBrowserEngine.dll
2009-11-16 07:21 . 2009-02-24 08:04 266888 ----a-w- c:\documents and settings\pete\Application Data\Smilebox\SmileboxTray.exe
2009-11-16 07:12 . 2009-11-16 07:12 1581704 ----a-w- c:\documents and settings\pete\Application Data\Smilebox\SmileboxClient.exe
2009-11-16 06:17 . 2009-11-16 06:17 340616 ----a-w- c:\documents and settings\pete\Application Data\Smilebox\SmileboxDvdEngine.dll
2009-11-16 06:17 . 2009-11-16 06:17 123528 ----a-w- c:\documents and settings\pete\Application Data\Smilebox\SmileboxUpdater.exe
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-12 21:17 . 2009-11-12 21:17 152576 ----a-w- c:\documents and settings\pete\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 21:16 . 2009-11-12 21:16 79488 ----a-w- c:\documents and settings\pete\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-29 07:45 . 2004-08-10 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-22 21:34 . 2008-01-21 17:28 132496 ----a-w- c:\documents and settings\amy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 05:38 . 2004-08-10 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 11:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-03-11 19:38 . 2009-03-11 19:38 8 --sha-r- c:\windows\system32\4644762889.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\pete\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-01 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-18 16712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-08-06 647520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqiscfg.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [11/18/2009 6:27 PM 54752]
R2 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S0 Lbd;Lbd; [x]
S3 PinnacleMarvinAVS;Pinnacle AVStream Service for MovieBox Deluxe, 500-USB and 700-USB;c:\windows\system32\drivers\MarvinAVS.sys [10/14/2008 7:53 PM 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1035525444-725345543-1003Core.job
- c:\documents and settings\pete\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-01 20:32]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1035525444-725345543-1003UA.job
- c:\documents and settings\pete\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-01 20:32]

2009-11-17 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-17 17:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-17 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/webwork/galesfamily/index.html
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options
IE: &Search
IE: Check &Spelling
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel
IE: Google Sidewiki...
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://networksolutionsemailpopwizard.com/TrueSwitchEC.exe
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SharedTaskScheduler-{57751942-87d1-4d15-a66e-4dfd26d4ba20} - c:\windows\system32\gajulebi.dll
SSODL-likoyegel-{57751942-87d1-4d15-a66e-4dfd26d4ba20} - c:\windows\system32\gajulebi.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 17:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d4,99,29,fc,5b,99,44,b3,d2,bc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d4,99,29,fc,5b,99,44,b3,d2,bc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3864)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Photodex\ProShowProducer\ScsiAccess.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-17 17:30:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 22:30
ComboFix2.txt 2009-12-21 01:54
ComboFix3.txt 2009-12-21 00:35

Pre-Run: 43,321,225,216 bytes free
Post-Run: 43,324,510,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 7CEBC007DB9F868AFC9E536F5F66A070


Thanks,
Pete
Thanks,

Peter Gales

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:56 PM

Posted 18 January 2010 - 01:48 PM

Hi,

Please uninstall RegTool through Add/Remove Programs.



1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Rootkit::
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
Folder::
c:\documents and settings\pete\Application Data\Reg Tool
c:\program files\Reg Tool
File::
c:\windows\system32\4644762889.sys
Driver::
Lbd


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#15 pwgales

pwgales
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:North Port, FL
  • Local time:08:56 AM

Posted 18 January 2010 - 05:51 PM

Tom,

There is no Reg Tool in Add/Remove Programs and no uninstall in the c:\program files\Reg Tool folder. There is only a subdirectory named PW with five html files and a css file. I'll wait for a reply before continuing with the script.

Thanks,

Pete
Thanks,

Peter Gales



