
IE, Firefox, Chrome Searches Redirected


This topic is locked
16 replies to this topic

#1 JNW

  • Members
  • 89 posts
  • Gender:Male
  • Location:USA

Posted 13 January 2010 - 03:18 PM

The majority of searches are redirected to seemingly harmless sites. On a previous post (Dec 3, 09) I was told it may be best to reinstall the OS and change passwords, etc. Before going to this last resort, can I find out what malware is infecting the PC? I have had similar redirect problems in Sept/Oct and Nov 2009. With help from HJT team members the problems were found and fixed. If I have a backdoor trojan, is reinstalling the best option? I have backed up files, pics, music, etc.

I ran scans from SpyBot, MBAM, McAfee with nothing found except an old Combo-fix file that MBAM deleted. Attached are the DDS, RootRepeal and MBAM logs.

I know you folks are swamped. Thanks.

DDS (Ver_09-11-29.01) - NTFSx86
Run by Admin at 13:44:25.62 on Wed 01/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.581 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\TEMP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.drudgereport.com/
mStart Page = hxxp://www.google.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Digital Line Detect.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Nikon Monitor.lnk.disabled
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: EditLevel = 0 (0x0)
dPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://144.26.58.59/kxhcm10.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\temp\applic~1\mozilla\firefox\profiles\3cy8tboq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 prohlp01;StarForce Protection Helper Driver v1;c:\windows\system32\drivers\prohlp01.sys [2002-12-26 61728]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-28 214664]
R1 prodrv05;StarForce Protection Environment Driver v5;c:\windows\system32\drivers\prodrv05.sys [2002-12-26 53568]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-9 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-28 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-28 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-28 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-28 40552]
S2 gupdate1ca3090d017ccc8;Google Update Service (gupdate1ca3090d017ccc8);c:\program files\google\update\GoogleUpdate.exe [2009-9-8 133104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-28 34248]
S3 rootrepeal1;rootrepeal1;\??\c:\windows\system32\drivers\rootrepeal1.sys --> c:\windows\system32\drivers\rootrepeal1.sys [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2009-9-20 34816]
S3 tatertot.scr;tatertot.scr;\??\c:\windows\system32\drivers\tatertot.scr.sys --> c:\windows\system32\drivers\tatertot.scr.sys [?]

=============== Created Last 30 ================

2009-12-20 19:36:40 0 d-----w- c:\program files\Western Digital
2009-12-20 19:21:28 0 d-----w- c:\program files\Western Digital Technologies
2009-12-16 19:58:27 0 d-----w- c:\docume~1\temp\applic~1\Verizon

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2007-01-16 21:47:06 251 -c--a-w- c:\program files\wt3d.ini

============= FINISH: 13:46:18.23 ===============

Malwarebytes' Anti-Malware 1.44
Database version: 3554
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/13/2010 1:35:02 PM
mbam-log-2010-01-13 (13-35-02).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 368209
Time elapsed: 1 hour(s), 57 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\comfix28683c\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.




#2 Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 20 January 2010 - 02:04 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.
In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.

2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.

3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.

4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.
----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Kind regards
Net_Surfer


#3 JNW

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:USA

Posted 20 January 2010 - 04:24 PM

Thanks, Net_Surfer,

Here are the new DDS logs:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Admin at 16:10:25.78 on Wed 01/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.626 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.drudgereport.com/
mStart Page = hxxp://www.google.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Digital Line Detect.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Nikon Monitor.lnk.disabled
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: EditLevel = 0 (0x0)
dPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://144.26.58.59/kxhcm10.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\temp\applic~1\mozilla\firefox\profiles\3cy8tboq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 prohlp01;StarForce Protection Helper Driver v1;c:\windows\system32\drivers\prohlp01.sys [2002-12-26 61728]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-28 214664]
R1 prodrv05;StarForce Protection Environment Driver v5;c:\windows\system32\drivers\prodrv05.sys [2002-12-26 53568]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-9 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-28 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-28 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-28 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-28 40552]
S2 gupdate1ca3090d017ccc8;Google Update Service (gupdate1ca3090d017ccc8);c:\program files\google\update\GoogleUpdate.exe [2009-9-8 133104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-28 34248]
S3 rootrepeal1;rootrepeal1;\??\c:\windows\system32\drivers\rootrepeal1.sys --> c:\windows\system32\drivers\rootrepeal1.sys [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2009-9-20 34816]
S3 tatertot.scr;tatertot.scr;\??\c:\windows\system32\drivers\tatertot.scr.sys --> c:\windows\system32\drivers\tatertot.scr.sys [?]

=============== Created Last 30 ================

2010-01-20 21:09:05 0 d--h--w- c:\windows\PIF

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2007-01-16 21:47:06 251 -c--a-w- c:\program files\wt3d.ini

============= FINISH: 16:12:18.65 ===============
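As an added example (not part of the thread, and not a tool from DDS or BleepingComputer), here is a Python triage pass over the SERVICES / DRIVERS section of the DDS log above: it flags entries whose image DDS could not stat (the `[?]` marker), whose image is registered under a raw NT `\??\` path, that have no separate display name, or whose file name carries a double extension. The sample input is the section as posted; the indicator set and the two-flag threshold are my own assumptions, and a flagged entry is a lead for the helper to verify (rootrepeal1 is the RootRepeal tool the poster ran), not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the SERVICES / DRIVERS section of the DDS log posted
# above, trimmed to a handful of entries (plus the header that follows it).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 prohlp01;StarForce Protection Helper Driver v1;c:\windows\system32\drivers\prohlp01.sys [2002-12-26 61728]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-28 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-9 93320]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 rootrepeal1;rootrepeal1;\??\c:\windows\system32\drivers\rootrepeal1.sys --> c:\windows\system32\drivers\rootrepeal1.sys [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2009-9-20 34816]
S3 tatertot.scr;tatertot.scr;\??\c:\windows\system32\drivers\tatertot.scr.sys --> c:\windows\system32\drivers\tatertot.scr.sys [?]

=============== Created Last 30 ================
"""

# Entry shape: "R0 name;description;image [date size]", or "... image [?]" when
# DDS could not read the file. R = running, S = stopped; the digit is the start type.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
INFO_RE = re.compile(r"^(?P<image>.*?)\s*\[(?P<info>[^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    desc: str
    image: str
    info: str
    flags: list = field(default_factory=list)


def parse_services(text):
    """Return the ServiceEntry list for the SERVICES / DRIVERS section of a DDS log."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("====="):
            break  # next DDS section header ends the services block
        m = SERVICE_RE.match(line) if in_section else None
        if not m:
            continue
        im = INFO_RE.match(m.group("rest"))
        image = im.group("image") if im else m.group("rest")
        info = im.group("info") if im else ""
        entries.append(ServiceEntry(m.group("state"), m.group("name"), m.group("desc"), image, info))
    return entries


def triage(entry):
    """Heuristic indicators for one entry (assumed rule set; leads, not verdicts)."""
    flags = []
    if entry.info.strip() == "?":
        flags.append("DDS could not read the image's date/size ([?])")
    if entry.image.startswith("\\??\\"):
        flags.append("image registered under a raw NT path (\\??\\)")
    if entry.desc.strip().lower() == entry.name.strip().lower():
        flags.append("no display name (description equals service name)")
    # File name of the registered image, before any '-->' resolved-path suffix.
    base = entry.image.split(" -->")[0].rsplit("\\", 1)[-1].lower()
    if base.count(".") > 1:
        flags.append(f"double extension in image name ({base})")
    entry.flags = flags
    return flags


def suspicious(text, min_flags=2):
    """Entries carrying at least min_flags indicators, in log order."""
    return [e for e in parse_services(text) if len(triage(e)) >= min_flags]


if __name__ == "__main__":
    for e in parse_services(SAMPLE_DDS):
        triage(e)
        marker = "!!" if len(e.flags) >= 2 else "  "
        print(f"{marker} {e.state} {e.name:<28} {e.image}")
        for f in e.flags:
            print(f"       - {f}")
```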


#4 Farbar

    Just Curious

  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 January 2010 - 02:00 AM

Hi JNW,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Disconnect from the Internet and close all running programs.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
    • Sections
    • IAT/EAT
    • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
    • Show All (this one also should be unchecked)
  • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
  • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.


#5 JNW

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:USA

Posted 21 January 2010 - 12:48 PM

Farbar,

I could download and run the GMER Rootkit Scanner but I can't save it or copy and paste the results. Once I named the file and tried to save to the desktop the program stopped responding. Same results when I tried to copy to notepad. I rebooted and tried again with the same problem. I did see notations of suspicious or rootkit activity in some hard drive sectors.



#6 Farbar

    Just Curious

  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 January 2010 - 01:02 PM

Can you note down the Services and Files sections?

#7 JNW

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:USA

Posted 21 January 2010 - 04:09 PM

I'll run it again. Standby

#8 JNW

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:USA

Posted 21 January 2010 - 04:26 PM

I ran it again but copied it to Notepad first and it worked. Note: I did get a blue screen system failure stating that Windows found an error and shut down. This happened when I started McAfee again to enable AV protection. I rebooted and everything seems okay...

Here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-21 16:16:08
Windows 5.1.2600 Service Pack 3
Running: tqzquxqm.exe; Driver: C:\DOCUME~1\TEMP\LOCALS~1\Temp\pwtdypoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF035D78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF035D738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF035D74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF035D7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF035D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF035D724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF035D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF035D776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF035D762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF035D7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF035D7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF035D7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\00001076 -> \Driver\atapi \Device\Harddisk0\DR0 86C8150C

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
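The GMER output above is what a helper reads by eye: the "Disk sectors" block tagging sectors 10, 11, 57 and 63 as rootkit-like, the "Files" block reporting a suspicious modification of atapi.sys, and the "Devices" block showing an anonymously named driver object sitting in front of atapi. The following Python script is an added example, not part of the original post or of GMER, that pulls those three kinds of findings out of a GMER 1.0.15 text log so a responder can triage many such logs consistently. The sample log embedded in it is a constructed subset of the lines posted above; the "eight hex digits means an unnamed driver object" rule is this example's own heuristic, not a GMER rule.

```python
"""Triage a GMER 1.0.15 text log: pull out the findings a responder looks at first."""
import re

# Constructed sample lines in the shape of the GMER log posted above
# (a subset of it, not the full log).
SAMPLE_GMER_LOG = r"""
---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\00001076 -> \Driver\atapi \Device\Harddisk0\DR0 86C8150C

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SECTOR_RE = re.compile(r"^Disk (\S+) sector (\d+): (.*)$")
FILE_RE = re.compile(r"^File (.+?) suspicious modification$")
# "Device \Driver\<name> -> \Driver\<target> \Device\<device> <address>"
DEVICE_RE = re.compile(r"^Device (\S+) -> (\S+) (\S+) [0-9A-Fa-f]+$")
# Heuristic of this example (not a GMER rule): a driver object whose name is
# nothing but eight hex digits carries no meaningful name and deserves a look.
ANON_DRIVER_RE = re.compile(r"^\\Driver\\[0-9A-Fa-f]{8}$")


def triage_gmer(text):
    """Return a dict of the findings worth reporting from a GMER log."""
    result = {
        "flagged_sectors": [],   # sector numbers GMER tagged 'rootkit-like behavior'
        "mbr_copies": 0,         # how many sectors hold a copy of the MBR
        "modified_files": [],    # files GMER reports as suspiciously modified
        "device_redirects": [],  # (driver object, target driver, device) tuples
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)  # e.g. "Devices", "Disk sectors", "Files"
            continue
        if section == "Disk sectors":
            m = SECTOR_RE.match(line)
            if m:
                desc = m.group(3)
                if "copy of MBR" in desc:
                    result["mbr_copies"] += 1
                if "rootkit-like behavior" in desc:
                    result["flagged_sectors"].append(int(m.group(2)))
        elif section == "Files":
            m = FILE_RE.match(line)
            if m:
                result["modified_files"].append(m.group(1))
        elif section == "Devices":
            m = DEVICE_RE.match(line)
            if m and ANON_DRIVER_RE.match(m.group(1)):
                result["device_redirects"].append((m.group(1), m.group(2), m.group(3)))
    return result


def is_suspicious(result):
    """True when any finding category is non-empty: the responder's go/no-go."""
    return bool(result["flagged_sectors"] or result["modified_files"]
                or result["device_redirects"])


if __name__ == "__main__":
    findings = triage_gmer(SAMPLE_GMER_LOG)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(findings))
```

Run it on a saved GMER log by reading the file into `triage_gmer`; a non-empty `device_redirects` list together with a modified storage-stack driver is the pattern the helper acted on in this thread, so `is_suspicious` is deliberately conservative and flags on any single category.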

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:53 PM

Posted 21 January 2010 - 04:36 PM

Well done, we have now what we needed.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#10 JNW

JNW
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:53 AM

Posted 21 January 2010 - 09:47 PM

It took a number of attempts to download ComboFix (something was preventing it from fully downloading). While running it stopped and stated, "ComboFix has detected the presence of rootkit activity and needs to reboot the machine." After rebooting it continued the scan.

Here is the log:

ComboFix 10-01-21.01 - Admin 01/21/2010 21:14:03.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.546 [GMT -5:00]
Running from: c:\documents and settings\TEMP\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeff\Cookies\cubo.pif
c:\documents and settings\Jeff\Cookies\isurypahox.vbs
c:\documents and settings\Jeff\Cookies\jaqasojiko._dl
c:\documents and settings\Jeff\Cookies\ojyruxy.ban
c:\documents and settings\Jeff\Cookies\tubo.dl
c:\documents and settings\Jeff\Cookies\utorypaga.lib
c:\documents and settings\Jeff\Cookies\vicogoqubi.db
c:\documents and settings\Jeff\Cookies\ypehi.lib
c:\documents and settings\Jon\Cookies\cenu.pif
c:\documents and settings\Jon\Cookies\dorypo.pif
c:\documents and settings\Jon\Cookies\zebe.pif
c:\documents and settings\Mary\Cookies\hiqyhepixo.sys
c:\documents and settings\Mary\Cookies\sylyde.sys
c:\documents and settings\Mary\Cookies\tygirimaxi.dl
c:\documents and settings\Mary\Cookies\ucakaxy.reg
c:\documents and settings\Mary\Cookies\vejisiqiry.pif
c:\documents and settings\Mary\Cookies\yjupigijac.lib
c:\documents and settings\Mary\Cookies\ypozi.pif
c:\documents and settings\TEMP\Cookies\cibukovuhu.com
c:\documents and settings\TEMP\Cookies\cipygaxe.bat
c:\documents and settings\TEMP\Cookies\ehyly.lib
c:\documents and settings\TEMP\Cookies\ejexycy.vbs
c:\documents and settings\TEMP\Cookies\finyhy.scr
c:\documents and settings\TEMP\Cookies\gaguny.lib
c:\documents and settings\TEMP\Cookies\kana.vbs
c:\documents and settings\TEMP\Cookies\nebido.vbs
c:\documents and settings\TEMP\Cookies\odobo.lib
c:\documents and settings\TEMP\Cookies\ohuqanu.pif
c:\documents and settings\TEMP\Cookies\omemi.vbs
c:\documents and settings\TEMP\Cookies\sefo.ban
c:\documents and settings\TEMP\Cookies\tomixokap.vbs
c:\documents and settings\TEMP\Cookies\umijojyho._sy
c:\documents and settings\TEMP\Cookies\uwynalacos.dat
c:\documents and settings\TEMP\Cookies\vagadecogy.dl
c:\documents and settings\TEMP\Cookies\wowyhol.dll
c:\documents and settings\TEMP\Cookies\xisoqiguf.pif
c:\documents and settings\TEMP\Cookies\xotebohura.dl
c:\documents and settings\TEMP\Cookies\ykuwysiqe.pif
c:\documents and settings\TEMP\Cookies\yqovu.vbs
C:\LOG.TXT
c:\windows\EventSystem.log
c:\windows\system32\18467.exe
c:\windows\system32\26500.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\helper32.dll
c:\windows\system32\smss32.exe
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-20 21:09 . 2010-01-20 21:09 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 15:50 . 2008-12-09 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 20:12 . 2008-10-01 20:57 -------- d-----w- c:\documents and settings\Kari\Application Data\Canon
2010-01-07 21:07 . 2009-09-20 00:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-09-20 00:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 22:48 . 2007-01-08 13:47 -------- d-----w- c:\program files\Google
2009-12-20 19:36 . 2009-12-20 19:36 -------- d-----w- c:\program files\Western Digital
2009-12-20 19:27 . 2009-12-20 19:27 -------- d-----w- c:\documents and settings\TEMP\Application Data\AdobeUM
2009-12-20 19:21 . 2009-12-20 19:21 -------- d-----w- c:\program files\Western Digital Technologies
2009-12-18 01:47 . 2008-08-28 13:41 -------- d-----w- c:\program files\McAfee
2009-12-16 19:58 . 2009-12-16 19:58 -------- d-----w- c:\documents and settings\TEMP\Application Data\Verizon
2009-12-15 00:51 . 2007-01-18 15:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-21 15:51 . 2005-08-16 09:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-04 23:43 . 2009-11-04 23:24 134 ----a-w- c:\documents and settings\Jeff.JJKPC1\Local Settings\Application Data\fusioncache.dat
2009-10-29 07:45 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2007-01-16 21:47 . 2007-01-16 21:47 251 -c--a-w- c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

c:\documents and settings\Mary\Start Menu\Programs\Startup\
Questionmark to Go Result Uploader.lnk.disabled [2009-3-25 2613]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-1-20 1757]
Digital Line Detect.lnk.disabled [2007-1-8 493]
Microsoft Office.lnk.disabled [2007-1-15 1725]
Nikon Monitor.lnk.disabled [2008-6-18 1815]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal1.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal2.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"WIndows Rescue Disk"=c:\docume~1\TEMP\LOCALS~1\Temp\drweb.exe
"Yjafosi8kdf98winmdkmnkmfnwe"=c:\docume~1\TEMP\LOCALS~1\Temp\svchost.exe
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SigmatelSysTrayApp"=stsystra.exe
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
"Verizon_McciTrayApp"=c:\program files\Verizon\McciTrayApp.exe
"ehTray"=c:\windows\ehome\ehtray.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\csc.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"=
"c:\\WINDOWS\\ehome\\ehmsas.exe"=
"c:\\Program Files\\Canon\\CAL\\CALMAIN.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McProxy\\McProxy.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\McAfee\\MSK\\msksrver.exe"=
"c:\\Program Files\\Verizon\\VSP\\VerizonServicepoint.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 prohlp01;StarForce Protection Helper Driver v1;c:\windows\system32\drivers\prohlp01.sys [12/26/2002 9:20 AM 61728]
R1 prodrv05;StarForce Protection Environment Driver v5;c:\windows\system32\drivers\prodrv05.sys [12/26/2002 9:14 AM 53568]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/9/2008 4:37 PM 93320]
S2 gupdate1ca3090d017ccc8;Google Update Service (gupdate1ca3090d017ccc8);c:\program files\Google\Update\GoogleUpdate.exe [9/8/2009 9:29 AM 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 rootrepeal1;rootrepeal1;\??\c:\windows\system32\drivers\rootrepeal1.sys --> c:\windows\system32\drivers\rootrepeal1.sys [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [9/20/2009 8:01 AM 34816]
S3 tatertot.scr;tatertot.scr;\??\c:\windows\system32\drivers\tatertot.scr.sys --> c:\windows\system32\drivers\tatertot.scr.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 14:29]

2010-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 14:29]

2010-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 14:29]

2008-08-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-28 16:22]

2008-08-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-28 16:22]

2010-01-22 c:\windows\Tasks\User_Feed_Synchronization-{6FEFD570-42FE-464B-AA37-69438045B969}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.drudgereport.com/
mStart Page = hxxp://www.google.com
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://144.26.58.59/kxhcm10.ocx
FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\3cy8tboq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 21:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4072)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-21 21:34:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-22 02:34

Pre-Run: 99,345,031,168 bytes free
Post-Run: 104,031,084,544 bytes free

- - End Of File - - C51235D7166CEC3A245DCB199F9AA975

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:53 PM

Posted 21 January 2010 - 11:59 PM

Good job. ComboFix removed the infection and the redirecting should have been stopped.
  1. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    File::
    c:\windows\system32\drivers\rootrepeal2.sys
    Rootkit::
    c:\windows\system32\drivers\tatertot.scr.sys
    c:\windows\system32\drivers\rootrepeal1.sys
    Registry::
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=-
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal1.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal2.sys]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    Driver::
    rootrepeal1
    rootrepeal2
    tatertot.scr


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

  2. Update Java to Java version 6 update 17 and uninstall Java version 6 update 16.

  3. Please tell me how the computer is running.


#12 JNW

JNW
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:53 AM

Posted 22 January 2010 - 10:24 AM

I had to download ComboFix again to the desktop in order to drag CFScript to it to run. I had to run it without saving it to the desktop. I hope that this was okay. The log shows the firewall as enabled but it was disabled before I ran the scan. Not sure if this matters. Attached is the latest log.

The machine is running better, no redirecting on IE8, Firefox or Chrome. I did have some changes occur to my desktop properties but I could change them back.

The Java site lists the Java v6 update 18. Should I use this or update 17?

Thanks

ComboFix 10-01-21.08 - Admin 01/22/2010 9:35.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.681 [GMT -5:00]
Running from: c:\documents and settings\TEMP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TEMP\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\rootrepeal2.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\rootrepeal2.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ROOTREPEAL1
-------\Legacy_TATERTOT.SCR
-------\Service_rootrepeal1
-------\Service_rootrepeal2
-------\Service_tatertot.scr


((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-20 21:09 . 2010-01-20 21:09 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 15:50 . 2008-12-09 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 15:50 . 2010-01-13 15:50 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-10 20:12 . 2008-10-01 20:57 -------- d-----w- c:\documents and settings\Kari\Application Data\Canon
2010-01-07 21:07 . 2009-09-20 00:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-09-20 00:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 22:48 . 2007-01-08 13:47 -------- d-----w- c:\program files\Google
2009-12-21 19:14 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-20 19:36 . 2009-12-20 19:36 -------- d-----w- c:\program files\Western Digital
2009-12-20 19:27 . 2009-12-20 19:27 -------- d-----w- c:\documents and settings\TEMP\Application Data\AdobeUM
2009-12-20 19:21 . 2009-12-20 19:21 8854 ----a-r- c:\documents and settings\TEMP\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2009-12-20 19:21 . 2009-12-20 19:21 40960 ----a-r- c:\documents and settings\TEMP\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2009-12-20 19:21 . 2009-12-20 19:21 10134 ----a-r- c:\documents and settings\TEMP\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2009-12-20 19:21 . 2009-12-20 19:21 -------- d-----w- c:\program files\Western Digital Technologies
2009-12-18 01:47 . 2008-08-28 13:41 -------- d-----w- c:\program files\McAfee
2009-12-16 19:58 . 2009-12-16 19:58 -------- d-----w- c:\documents and settings\TEMP\Application Data\Verizon
2009-12-15 00:51 . 2007-01-18 15:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-21 15:51 . 2005-08-16 09:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-04 23:43 . 2009-11-04 23:24 134 ----a-w- c:\documents and settings\Jeff.JJKPC1\Local Settings\Application Data\fusioncache.dat
2007-01-16 21:47 . 2007-01-16 21:47 251 -c--a-w- c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((( SnapShot@2010-01-22_02.27.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-22 14:46 . 2010-01-22 14:46 16384 c:\windows\Temp\Perflib_Perfdata_cc.dat
+ 2006-11-08 02:03 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
- 2006-11-08 02:03 . 2009-10-29 07:45 55296 c:\windows\system32\msfeedsbs.dll
+ 2005-08-16 09:18 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
- 2005-08-16 09:18 . 2009-10-29 07:45 25600 c:\windows\system32\jsproxy.dll
+ 2009-06-30 20:20 . 2009-12-21 19:14 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-30 20:20 . 2009-10-29 07:45 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2007-05-09 10:45 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-05-09 10:45 . 2009-10-29 07:45 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-01-08 13:32 . 2009-10-29 07:45 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-01-08 13:32 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-01-22 12:24 . 2010-01-22 12:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-01-13 01:35 . 2010-01-22 12:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-01-13 01:35 . 2010-01-22 01:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-22 12:24 . 2010-01-22 12:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-22 12:26 . 2009-10-29 07:45 12800 c:\windows\ie8updates\KB978207-IE8\xpshims.dll
+ 2010-01-22 12:26 . 2009-10-29 07:45 55296 c:\windows\ie8updates\KB978207-IE8\msfeedsbs.dll
+ 2010-01-22 12:26 . 2009-10-29 07:45 25600 c:\windows\ie8updates\KB978207-IE8\jsproxy.dll
+ 2005-08-16 09:18 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
- 2005-08-16 09:18 . 2009-10-29 07:45 206848 c:\windows\system32\occache.dll
+ 2006-11-08 02:03 . 2009-12-21 19:14 594432 c:\windows\system32\msfeeds.dll
- 2006-11-08 02:03 . 2009-10-29 07:45 594432 c:\windows\system32\msfeeds.dll
+ 2005-08-16 09:18 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
- 2005-08-16 09:18 . 2009-10-29 07:45 184320 c:\windows\system32\iepeers.dll
- 2005-08-16 09:18 . 2009-10-29 07:45 387584 c:\windows\system32\iedkcs32.dll
+ 2005-08-16 09:18 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
- 2005-08-16 09:18 . 2009-10-28 14:40 173056 c:\windows\system32\ie4uinit.exe
+ 2005-08-16 09:18 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
- 2007-01-08 13:32 . 2009-10-29 07:45 916480 c:\windows\system32\dllcache\wininet.dll
+ 2007-01-08 13:32 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
- 2006-10-17 17:04 . 2009-10-29 07:45 206848 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 17:04 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
+ 2007-05-09 10:45 . 2009-12-21 19:14 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-09 10:45 . 2009-10-29 07:45 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2009-06-30 20:20 . 2009-10-29 07:45 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-06-30 20:20 . 2009-12-21 19:14 246272 c:\windows\system32\dllcache\ieproxy.dll
- 2007-01-08 13:32 . 2009-10-29 07:45 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2007-01-08 13:32 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2006-11-07 08:27 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-11-07 08:27 . 2009-10-29 07:45 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-11-07 08:26 . 2009-10-28 14:40 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-11-07 08:26 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-01-22 12:26 . 2009-10-29 07:45 916480 c:\windows\ie8updates\KB978207-IE8\wininet.dll
+ 2010-01-22 12:26 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB978207-IE8\spuninst\updspapi.dll
+ 2010-01-22 12:26 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB978207-IE8\spuninst\spuninst.exe
+ 2010-01-22 12:26 . 2009-10-29 07:45 206848 c:\windows\ie8updates\KB978207-IE8\occache.dll
+ 2010-01-22 12:26 . 2009-10-29 07:45 594432 c:\windows\ie8updates\KB978207-IE8\msfeeds.dll
+ 2010-01-22 12:26 . 2009-10-29 07:45 246272 c:\windows\ie8updates\KB978207-IE8\ieproxy.dll
+ 2010-01-22 12:26 . 2009-10-29 07:45 184320 c:\windows\ie8updates\KB978207-IE8\iepeers.dll
+ 2010-01-22 12:26 . 2009-10-29 07:45 387584 c:\windows\ie8updates\KB978207-IE8\iedkcs32.dll
+ 2010-01-22 12:26 . 2009-10-28 14:40 173056 c:\windows\ie8updates\KB978207-IE8\ie4uinit.exe
- 2005-08-16 09:18 . 2009-10-29 07:45 1208832 c:\windows\system32\urlmon.dll
+ 2005-08-16 09:18 . 2009-12-21 19:14 1208832 c:\windows\system32\urlmon.dll
+ 2005-08-16 09:18 . 2009-12-21 19:14 5942784 c:\windows\system32\mshtml.dll
+ 2006-10-17 16:57 . 2009-12-21 19:14 1985536 c:\windows\system32\iertutil.dll
- 2006-10-17 16:57 . 2009-10-29 07:45 1985536 c:\windows\system32\iertutil.dll
- 2007-01-08 13:32 . 2009-10-29 07:45 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2007-01-08 13:32 . 2009-12-21 19:14 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2007-01-08 13:32 . 2009-12-21 19:14 5942784 c:\windows\system32\dllcache\mshtml.dll
- 2007-05-09 10:45 . 2009-10-29 07:45 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2007-05-09 10:45 . 2009-12-21 19:14 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2010-01-22 12:26 . 2009-10-29 07:45 1208832 c:\windows\ie8updates\KB978207-IE8\urlmon.dll
+ 2010-01-22 12:26 . 2009-10-29 07:45 5940736 c:\windows\ie8updates\KB978207-IE8\mshtml.dll
+ 2010-01-22 12:26 . 2009-10-29 07:45 1985536 c:\windows\ie8updates\KB978207-IE8\iertutil.dll
+ 2006-11-08 02:03 . 2009-12-21 19:14 11070464 c:\windows\system32\ieframe.dll
+ 2007-05-09 10:45 . 2009-12-21 19:14 11070464 c:\windows\system32\dllcache\ieframe.dll
+ 2010-01-22 12:26 . 2009-10-29 07:45 11069952 c:\windows\ie8updates\KB978207-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

c:\documents and settings\Mary\Start Menu\Programs\Startup\
Questionmark to Go Result Uploader.lnk.disabled [2009-3-25 2613]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-1-20 1757]
Digital Line Detect.lnk.disabled [2007-1-8 493]
Microsoft Office.lnk.disabled [2007-1-15 1725]
Nikon Monitor.lnk.disabled [2008-6-18 1815]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"WIndows Rescue Disk"=c:\docume~1\TEMP\LOCALS~1\Temp\drweb.exe
"Yjafosi8kdf98winmdkmnkmfnwe"=c:\docume~1\TEMP\LOCALS~1\Temp\svchost.exe
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SigmatelSysTrayApp"=stsystra.exe
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
"Verizon_McciTrayApp"=c:\program files\Verizon\McciTrayApp.exe
"ehTray"=c:\windows\ehome\ehtray.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\csc.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"=
"c:\\WINDOWS\\ehome\\ehmsas.exe"=
"c:\\Program Files\\Canon\\CAL\\CALMAIN.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McProxy\\McProxy.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\McAfee\\MSK\\msksrver.exe"=
"c:\\Program Files\\Verizon\\VSP\\VerizonServicepoint.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 prohlp01;StarForce Protection Helper Driver v1;c:\windows\system32\drivers\prohlp01.sys [12/26/2002 9:20 AM 61728]
R1 prodrv05;StarForce Protection Environment Driver v5;c:\windows\system32\drivers\prodrv05.sys [12/26/2002 9:14 AM 53568]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/9/2008 4:37 PM 93320]
S2 gupdate1ca3090d017ccc8;Google Update Service (gupdate1ca3090d017ccc8);c:\program files\Google\Update\GoogleUpdate.exe [9/8/2009 9:29 AM 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 14:29]

2010-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 14:29]

2010-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 14:29]

2008-08-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-28 16:22]

2008-08-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-28 16:22]

2010-01-22 c:\windows\Tasks\User_Feed_Synchronization-{6FEFD570-42FE-464B-AA37-69438045B969}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.drudgereport.com/
mStart Page = hxxp://www.google.com
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://144.26.58.59/kxhcm10.ocx
FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\3cy8tboq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 09:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2396)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-22 09:53:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-22 14:53
ComboFix2.txt 2010-01-22 02:34

Pre-Run: 103,860,948,992 bytes free
Post-Run: 103,778,050,048 bytes free

- - End Of File - - C9B45F40A2086B21E8B94DBDC6BB19C0
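
Added example (not from the thread, ComboFix or any of its authors): a small Python triage pass over the REGEDIT4-style "Reg Loading Points" layout shown in the log above. It parses `[key]` headers and `"name"=value` lines and flags the two patterns visible in the disabled Run- key, an image launched from a Temp folder and a core system-binary name (svchost.exe) sitting outside the system directory. The sample text is constructed to echo the log's entries.

```python
import re
from collections import namedtuple

# Constructed sample in the REGEDIT4 layout ComboFix uses for "Reg Loading Points";
# the entries echo ones from the log above.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"WIndows Rescue Disk"=c:\docume~1\TEMP\LOCALS~1\Temp\drweb.exe
"Yjafosi8kdf98winmdkmnkmfnwe"=c:\docume~1\TEMP\LOCALS~1\Temp\svchost.exe
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
'''

# Core Windows binaries that legitimately live only in the system directories.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

Finding = namedtuple("Finding", "key name path reason")
# First drive-letter path ending in an executable image inside the value text.
PATH_RE = re.compile(r'([a-z]:\\[^"\[]*?\.(?:exe|dll|sys))', re.I)

def parse_autoruns(text):
    """Yield (key, value_name, lowercase image path or None) per "name"=value line."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key:
            name, _, value = line[1:].partition('"=')
            m = PATH_RE.search(value)
            yield key, name, (m.group(1).lower() if m else None)

def review_autoruns(text):
    """Return the autorun entries a responder would want to look at first."""
    findings = []
    for key, name, path in parse_autoruns(text):
        if path is None:
            continue
        folder, _, image = path.rpartition("\\")
        if "\\temp\\" in path:  # Temp folders are a common staging spot for droppers
            findings.append(Finding(key, name, path, "launched from a Temp folder"))
        if image in SYSTEM_NAMES and not folder.startswith(SYSTEM_DIRS):
            findings.append(Finding(key, name, path, "system binary name outside the system directory"))
    return findings

if __name__ == "__main__":
    for f in review_autoruns(SAMPLE):
        # A trailing "-" on the key (Run-) is where MSConfig parks disabled startup items,
        # so hits there are history rather than something currently executing.
        print(f"{f.key.rsplit(chr(92), 1)[-1]}: {f.name!r} {f.path} -> {f.reason}")
```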

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:53 PM

Posted 22 January 2010 - 10:53 AM

QUOTE
The Java site lists the Java v6 update 18. Should I use this or update 17?

Yes, I see the latest update is now update 18. Thanks for mentioning it. It is better to update to update 18.

It looks good.

It is important to uninstall ComboFix.

Go to Start => Run => copy and paste next command in the field then hit enter:

"c:\documents and settings\TEMP\Desktop\ComboFix.exe" /Uninstall

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.




#14 JNW

JNW
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:53 AM

Posted 22 January 2010 - 11:53 AM

Thanks for the help!

One question (probably a dumb one): for the Java 6U18, which platform do I use? Windows or Windows X64? I'm guessing Windows X64 because I'm running XP Pro, AMD 64 X2 Dual Core Processor?

Also, can I set up McAfee, or Spybot, etc. to scan a link/site before a virus can be installed? McAfee does have a SiteAdvisor that we use. We were problem free for years until we downloaded the initial malware back in Sept 09. I have looked through all of the tutorials. Am I wishing for too much?

Thanks again for the assistance. We are looking good...hopefully for longer....

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:53 PM

Posted 22 January 2010 - 01:10 PM

QUOTE
One question (probably a dumb one): for the Java 6U18, which platform do I use? Windows or Windows X64? I'm guessing windows X64 because I'm running XP Pro, AMD 64 X2 Dual Core Processor?

You don't have Windows X64 and should not install that one. If it was Windows X64 I would see it on the logs and we could not even run ComboFix on it. Your Windows is the usual Windows which is actually Windows X86 based. See also the ComboFix and DDS logs:

QUOTE
ComboFix 10-01-21.08 - Admin 01/22/2010 9:35.8.2 - x86

QUOTE
DDS (Ver_09-11-29.01) - NTFSx86


QUOTE
Also, can I set up McAfee, or Spybot, etc to scan a link/site before a virus can be installed? McAfee does have a SiteAdvisor that we use.

McAfee SiteAdvisor does a pretty decent job in indicating the safety of a site. But McAfee antivirus is doing below average nowadays.

Do you have any question before we close the topic?
