Google searches get redirected.


  • This topic is locked
17 replies to this topic

#1 lynnt1958

  • Members
  • 24 posts

Posted 20 February 2010 - 09:30 PM

I picked up a virus/something by clicking on a link on Facebook. I was able to fix a redirection to a "Private Security" window telling me my computer was infected me and trying to get me to download removal software. I got rid of it by running full scan on Malware Bytes. I have not been as fortunate getting rid of the Google search redirection. It sends me to various other websites that have nothing to do with my search. I am attaching the DDS log. I could not get the GMER to finish without my computer freezing up.

Attached Files

  • DDS.txt (14.39KB)




#2 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 February 2010 - 08:38 AM

Hi lynnt1958,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please copy and paste the logs instead of attaching them unless it is instructed otherwise. Thank you.
  1. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @ECHO OFF
    mbr.exe -t
    sc query type= driver group= "SCSI Miniport" > Log.txt
    type mbr.log >>log.txt
    Start Log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click look.bat on the desktop.
    • A notepad opens, copy and paste the content (mbr.log) to your reply.

  2. Please copy and paste the second log of DDS (Attach.txt) to your reply.


#3 lynnt1958
  • Topic Starter

  • Members
  • 24 posts

Posted 22 February 2010 - 03:57 PM

Thanks in advance for the help. I am copying the files to this post. (I hope)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/11/2010 8:38:37 AM
System Uptime: 2/22/2010 3:04:45 PM (0 hours ago)

Motherboard: Dell Inc. | | 0FT292
Processor: Intel® Core™2 CPU T5600 @ 1.83GHz | Microprocessor | 1830/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 132.29 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP1: 1/11/2010 8:38:41 AM - System Checkpoint
RP2: 1/11/2010 11:18:09 AM - Software Distribution Service 3.0
RP3: 1/11/2010 11:54:35 AM - Software Distribution Service 3.0
RP4: 1/12/2010 12:55:39 PM - System Checkpoint
RP5: 1/13/2010 8:23:12 PM - System Checkpoint
RP6: 1/14/2010 8:58:22 AM - Software Distribution Service 3.0
RP7: 1/14/2010 9:19:17 AM - Installed Java™ 6 Update 17
RP8: 1/14/2010 9:43:17 AM - Installed iTunes
RP9: 1/14/2010 10:41:51 AM - Removed Cisco Systems VPN Client 5.0.00.0340
RP10: 1/14/2010 10:42:24 AM - Installed Cisco Systems VPN Client 5.0.00.0340
RP11: 1/14/2010 10:47:37 AM - Installed Cisco Systems VPN Client 5.0.00.0340
RP12: 1/16/2010 5:12:36 PM - System Checkpoint
RP13: 1/18/2010 8:42:33 AM - System Checkpoint
RP14: 1/19/2010 7:19:52 PM - System Checkpoint
RP15: 1/21/2010 7:13:12 AM - Software Distribution Service 3.0
RP16: 1/22/2010 1:45:09 PM - System Checkpoint
RP17: 1/23/2010 10:29:34 AM - Software Distribution Service 3.0
RP18: 1/23/2010 12:36:12 PM - Installed Windows Internet Explorer 8.
RP19: 1/23/2010 12:37:07 PM - Software Distribution Service 3.0
RP20: 1/25/2010 7:22:31 AM - Software Distribution Service 3.0
RP21: 1/25/2010 8:33:25 PM - Installed MSN Toolbar
RP22: 1/27/2010 7:37:44 AM - Installed Java™ 6 Update 18
RP23: 1/28/2010 7:52:48 PM - System Checkpoint
RP24: 1/29/2010 8:17:23 PM - System Checkpoint
RP25: 1/30/2010 11:35:31 PM - System Checkpoint
RP26: 1/31/2010 12:16:44 PM - avast! Free Antivirus Setup
RP27: 2/1/2010 8:56:59 PM - System Checkpoint
RP28: 2/3/2010 10:36:41 AM - System Checkpoint
RP29: 2/4/2010 11:02:01 AM - System Checkpoint
RP30: 2/5/2010 12:20:29 PM - System Checkpoint
RP31: 2/6/2010 2:34:56 PM - System Checkpoint
RP32: 2/7/2010 3:54:04 PM - System Checkpoint
RP33: 2/8/2010 9:11:47 PM - System Checkpoint
RP34: 2/10/2010 12:37:16 AM - System Checkpoint
RP35: 2/10/2010 7:53:04 AM - Software Distribution Service 3.0
RP36: 2/11/2010 12:06:01 PM - System Checkpoint
RP37: 2/11/2010 8:23:42 PM - Installed MediaImpression
RP38: 2/13/2010 1:13:06 PM - Installed Connect Service
RP39: 2/14/2010 7:31:29 PM - System Checkpoint
RP40: 2/15/2010 9:35:49 PM - System Checkpoint
RP41: 2/17/2010 12:52:51 PM - Installed Eos for DHV
RP42: 2/17/2010 1:24:50 PM - Installed Java 2 Runtime Environment, SE v1.4.2_05
RP43: 2/18/2010 2:11:39 PM - System Checkpoint
RP44: 2/19/2010 10:43:45 PM - System Checkpoint
RP45: 2/21/2010 12:26:03 AM - System Checkpoint
RP46: 2/21/2010 6:17:14 AM - Malware Removal System Restore Point

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Adobe Shockwave Player 11.5
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft MediaImpression for Kodak
AT&T Connect Participant
avast! Free Antivirus
Bonjour
Broadcom Gigabit Integrated Controller
CA Yahoo! Anti-Spy (remove only)
Cisco Systems VPN Client 5.0.00.0340
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
DefaultProductName
Dell Wireless WLAN Card Utility
Eos for DHV
ERUNT 1.1j
FileNet IDM Viewer 4.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Intel® Graphics Media Accelerator Driver
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Java Auto Updater
Java™ 6 Update 18
LANDesk® Common Base Agent 8
Malwarebytes' Anti-Malware
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Outlook 2003
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.5)
MSN Toolbar
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
Oracle JInitiator 1.1.8.21
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio Update Manager
SAP Front End
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Shockwave
SigmaTel Audio
Sonic Activation Module
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Yahoo! Install Manager
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

2/21/2010 8:53:11 PM, error: PlugPlayManager [11] - The device Root\LEGACY_OKO6\0000 disappeared from the system without first being prepared for removal.
2/21/2010 8:49:13 PM, error: Service Control Manager [7034] - The LANDesk Remote Control Service service terminated unexpectedly. It has done this 1 time(s).
2/21/2010 8:49:13 PM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
2/18/2010 9:51:21 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
2/17/2010 9:27:47 AM, error: NETLOGON [5719] - No Domain Controller is available for domain CIS1_DOMAIN due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
2/17/2010 7:08:40 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00197DD93AD1. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
2/17/2010 7:06:59 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 00197DD93AD1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
2/17/2010 7:00:23 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00197DD93AD1. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
2/17/2010 1:36:57 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
2/15/2010 8:25:10 PM, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 00197DD93AD1 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
2/15/2010 12:27:19 PM, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 00197DD93AD1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

#4 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 February 2010 - 05:32 PM

The Attach.txt is posted twice while the log file of the batch file is broken.
Could you please run the look.bat once more and post the log?

#5 lynnt1958
  • Topic Starter

  • Members
  • 24 posts

Posted 22 February 2010 - 07:31 PM

This is all I get.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


#6 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 February 2010 - 08:41 PM

Let's try this one, remove look.bat from your desktop.

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


CODE
@ECHO OFF
sc query type= driver group= "SCSI Miniport" >Log.txt 2>&1
mbr.exe -t
ping 1.1.1.1 -n 1 -w 1500 >nul
type mbr.log >>log.txt
echo %date%%time% >>log.txt
Start Log.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A notepad opens, copy and paste the content (log.txt) to your reply.


#7 lynnt1958
  • Topic Starter

  • Members
  • 24 posts

Posted 22 February 2010 - 09:24 PM

When I double-click that icon, it flashes open for a half second then closes. It won't allow me to copy and paste. Also, I see nothing labeled "code box".

#8 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 February 2010 - 09:36 PM

  1. The following bold part is what you should copy and paste, thus everything except the word CODE:

    @ECHO OFF
    sc query type= driver group= "SCSI Miniport" >Log.txt 2>&1
    mbr.exe -t
    ping 1.1.1.1 -n 1 -w 1500 >nul
    type mbr.log >>log.txt
    echo %date%%time% >>log.txt
    Start Log.txt

  2. QUOTE
    It won't allow me to copy and paste

    What do you exactly mean?

  3. Download the attached file instead and run it.

#9 lynnt1958
  • Topic Starter

  • Members
  • 24 posts

Posted 22 February 2010 - 11:42 PM

This is all I can get to come up when I run that.

SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
Mon 02/22/201023:34:15.54
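The look.bat batch file in reply #6 writes the `sc query` driver listing and the mbr.exe output into one Log.txt, and the two earlier attempts in this thread produced a file with only the mbr.exe half. The reader below is an added example written for this page (not GMER's code and not something Farbar posted): it splits the combined log at the GMER banner, parses each half, and reports whether the halves are actually present and whether mbr.exe gave its "user & kernel MBR OK" verdict. The two sample logs are constructed from the text posted in replies #5 and #9; the line layout of `sc query` and mbr.exe output is assumed to match what those replies show.

```python
"""Read the Log.txt assembled by look.bat and say what is, and is not, in it."""

# Constructed sample: the Log.txt posted in reply #9 (sc query output, then mbr.exe
# output, then the %date%%time% stamp echoed by the batch file).
SAMPLE_LOG = """\
SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
Mon 02/22/201023:34:15.54
"""

# Constructed sample: what reply #5 got back, i.e. only the mbr.exe half.
SAMPLE_BROKEN = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

MBR_BANNER = "Stealth MBR rootkit/Mebroot/Sinowal detector"
MBR_OK_LINE = "user & kernel MBR OK"


def split_sections(text):
    """Everything before the GMER banner came from `sc query`, the rest from mbr.log."""
    idx = text.find(MBR_BANNER)
    if idx < 0:
        return text, ""
    return text[:idx], text[idx:]


def parse_sc_query(sc_text):
    """Turn `sc query` output into one dict per service, keyed as sc prints them."""
    services, current = [], None
    for raw in sc_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip()}
            services.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
        # Lines without a colon, e.g. "(STOPPABLE,NOT_PAUSABLE,...)", carry no key.
    return services


def parse_mbr(mbr_text):
    """Pull the verdict line and the disk-stack module list out of the mbr.exe output."""
    result = {"present": bool(mbr_text), "user_kernel_ok": False, "called_modules": []}
    for raw in mbr_text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            result["called_modules"] = line.split(":", 1)[1].split()
        elif line == MBR_OK_LINE:
            result["user_kernel_ok"] = True
    return result


def triage_look_log(text):
    """Summarise a Log.txt: running drivers, MBR verdict, and anything missing."""
    sc_text, mbr_text = split_sections(text)
    drivers = parse_sc_query(sc_text)
    mbr = parse_mbr(mbr_text)
    findings = []
    if not drivers:
        findings.append("no `sc query` output: the batch file did not run as intended")
    if not mbr["present"]:
        findings.append("no mbr.exe output: mbr.exe did not run or mbr.log was not found")
    elif not mbr["user_kernel_ok"]:
        findings.append("mbr.exe did not report '%s': needs a closer look" % MBR_OK_LINE)
    running = [d["SERVICE_NAME"] for d in drivers if d.get("STATE", "").endswith("RUNNING")]
    return {"drivers_running": running, "mbr": mbr, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("reply #9", SAMPLE_LOG), ("reply #5", SAMPLE_BROKEN)):
        print(name, triage_look_log(sample))
```

The verdict check is deliberately narrow: only the exact line mbr.exe prints when the MBR read from user mode matches the one read from kernel mode counts as clean, so a log that is truncated or contains any other verdict is surfaced for a human to read rather than silently passed.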




#10 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 February 2010 - 03:57 AM

That's all we need.
    QUOTE
    It won't allow me to copy and paste
  1. Could you give me detailed feedback about this? What do you mean, and is there anything wrong with copy and paste?

  2. You have the latest version of Java (Java 6 Update 18), and that is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components:
    Click "start" and then the "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    Java 2 Runtime Environment, SE v1.4.2_05

  3. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either McAfee or Avast.

  4. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  5. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt

  6. Tell me if the redirection takes place in both Firefox and Internet Explorer or is limited to one of them.


#11 lynnt1958

Posted 23 February 2010 - 09:17 AM

There is nothing wrong with my copy and paste function. I just couldn't get the window to stay open long enough earlier.
I am pasting the requested logs.
After trying Google searches in both IE and Firefox, it appears my redirection problem is gone! The only thing I'm noticing is in my Windows login box, there is a message that says "the security logs on this system are full".

Malwarebytes' Anti-Malware 1.44
Database version: 3779
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/23/2010 8:59:08 AM
mbam-log-2010-02-23 (08-59-08).txt

Scan type: Quick Scan
Objects scanned: 123494
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\okogrp (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS (Ver_09-12-01.01) - NTFSx86
Run by TolbeLy at 9:03:03.82 on Tue 02/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.405 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\interwise\participant\pull.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Tolbely\Local Settings\Temporary Internet Files\Content.IE5\Y1824AEL\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IntelAPMClient] "c:\program files\landesk\ldclient\amclient.exe" /apm /s /ro
mRun: [LANDeskInventoryClient] "c:\program files\landesk\ldclient\LDIScn32.exe" /NTT=LANDESK:5007 /S=LANDESK /I=HTTP://LANDESK/ldlogon/ldappl3.ldz /NOUI
mRun: [LANDeskVulscanClient] "c:\program files\landesk\ldclient\vulScan.exe" /agentBehavior=1
mRun: [SDClientMonitor] "c:\program files\landesk\ldclient\webportal\sdclientmonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pushcl~1.lnk - c:\program files\interwise\participant\pull.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263225850234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {b5859259-c40b-4b2a-af9d-3bf0f634b1d5}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tolbely\applic~1\mozilla\firefox\profiles\z6e21fti.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com//?fr=fp-tyc8
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-1-27 31848]
R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2005-11-22 122880]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-25 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-1-27 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-1-27 54608]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2009-7-10 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2009-7-10 3328]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-7-8 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-7-8 34408]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 177864]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2009-7-10 3712]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-02-22 01:48:14 0 d-sha-r- C:\cmdcons
2010-02-22 01:46:21 98816 ----a-w- c:\windows\sed.exe
2010-02-22 01:46:21 77312 ----a-w- c:\windows\MBR.exe
2010-02-22 01:46:21 261632 ----a-w- c:\windows\PEV.exe
2010-02-22 01:46:21 161792 ----a-w- c:\windows\SWREG.exe
2010-02-22 01:45:06 0 d-----w- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2010-02-20 23:33:15 0 ----a-w- c:\documents and settings\tolbely\defogger_reenable
2010-02-20 22:14:58 0 d-----w- c:\program files\common files\Scanner
2010-02-20 22:14:50 0 d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-02-19 02:01:50 0 d-----w- c:\docume~1\tolbely\applic~1\Malwarebytes
2010-02-19 02:01:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 02:01:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 02:01:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-19 02:01:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 22:19:24 1 ----a-w- c:\windows\lgo
2010-02-17 17:52:53 0 d-----w- C:\eos
2010-02-12 01:26:13 0 d-----w- c:\docume~1\alluse~1\applic~1\ArcSoft
2010-02-12 01:24:39 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2010-02-12 01:24:36 245408 ----a-w- c:\windows\system32\unicows.dll
2010-02-12 01:23:42 0 d-----w- c:\program files\Kodak
2010-02-03 14:29:55 0 d-----w- c:\program files\iPod
2010-02-03 14:29:41 0 d-----w- c:\program files\iTunes
2010-01-31 17:16:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-31 15:40:18 0 d-----w- C:\Quarantine
2010-01-28 18:10:38 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-26 01:33:48 0 d--h--w- c:\windows\msdownld.tmp

==================== Find3M ====================

2010-01-19 01:35:27 18020 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 9:03:52.51 ===============


#12 Farbar

Posted 23 February 2010 - 02:52 PM

I see you have run ComboFix after posting the log. Please run ComboFix once more and post the log.

#13 lynnt1958

Posted 23 February 2010 - 03:16 PM

Ran it before I had received a response. Haven't done anything since you've been helping me.
Here's the new log.


ComboFix 10-02-22.07 - TolbeLy 02/23/2010 15:04:34.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.590 [GMT -5:00]
Running from: c:\documents and settings\Tolbely\Desktop\System Tools\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-23 13:38 . 2010-02-23 13:38 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-22 20:32 . 2010-02-22 20:32 195 ----a-w- c:\documents and settings\Tolbely\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\dirlook.bat
2010-02-22 01:45 . 2010-02-22 01:45 -------- d-----w- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2010-02-21 11:16 . 2010-02-21 11:16 -------- d-----w- c:\program files\ERUNT
2010-02-20 22:14 . 2010-02-20 22:14 -------- d-----w- c:\program files\Common Files\Scanner
2010-02-20 22:14 . 2010-02-20 22:19 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-02-19 02:01 . 2010-02-19 02:01 -------- d-----w- c:\documents and settings\Tolbely\Application Data\Malwarebytes
2010-02-19 02:01 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 02:01 . 2010-02-19 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-19 02:01 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 02:01 . 2010-02-23 13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 18:24 . 2010-02-17 18:24 -------- d-----w- c:\documents and settings\Tolbely\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142050}
2010-02-17 17:52 . 2010-02-17 17:53 -------- d-----w- C:\eos
2010-02-12 01:26 . 2010-02-12 01:26 -------- d-----w- c:\documents and settings\Tolbely\Local Settings\Application Data\ArcSoft
2010-02-12 01:26 . 2010-02-13 17:16 -------- d-----w- c:\documents and settings\Tolbely\Application Data\ArcSoft
2010-02-12 01:26 . 2010-02-13 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-02-12 01:24 . 2006-11-10 20:05 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2010-02-12 01:24 . 2005-04-27 21:36 245408 ----a-w- c:\windows\system32\unicows.dll
2010-02-12 01:23 . 2010-02-12 01:24 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-02-12 01:23 . 2010-02-12 01:23 -------- d-----w- c:\program files\Kodak
2010-02-05 00:21 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-02-03 14:29 . 2010-02-03 14:29 -------- d-----w- c:\program files\iPod
2010-02-03 14:29 . 2010-02-03 14:30 -------- d-----w- c:\program files\iTunes
2010-02-03 14:10 . 2010-02-03 14:10 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-03 13:56 . 2010-02-03 13:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-01-31 17:16 . 2010-01-31 17:16 -------- d-----w- c:\program files\Alwil Software
2010-01-31 17:16 . 2010-01-31 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-31 15:40 . 2010-02-21 05:56 -------- d-----w- C:\Quarantine
2010-01-28 18:10 . 2010-01-28 18:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-27 12:38 . 2010-01-27 12:38 503808 ----a-w- c:\documents and settings\Tolbely\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6ba81a23-n\msvcp71.dll
2010-01-27 12:38 . 2010-01-27 12:38 499712 ----a-w- c:\documents and settings\Tolbely\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6ba81a23-n\jmc.dll
2010-01-27 12:38 . 2010-01-27 12:38 348160 ----a-w- c:\documents and settings\Tolbely\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6ba81a23-n\msvcr71.dll
2010-01-27 12:38 . 2010-02-23 13:16 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 12:38 . 2010-01-27 12:38 61440 ----a-w- c:\documents and settings\Tolbely\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-147379c7-n\decora-sse.dll
2010-01-27 12:38 . 2010-01-27 12:38 12800 ----a-w- c:\documents and settings\Tolbely\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-147379c7-n\decora-d3d.dll
2010-01-26 01:33 . 2010-01-26 01:33 -------- d--h--w- c:\windows\msdownld.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 13:16 . 2009-07-08 20:48 -------- d-----w- c:\program files\Java
2010-02-17 17:52 . 2009-07-08 14:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-03 14:29 . 2010-01-14 14:41 -------- d-----w- c:\program files\Common Files\Apple
2010-01-22 18:23 . 2010-01-11 16:21 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 01:35 . 2010-01-19 01:35 18020 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-18 20:24 . 2010-01-18 20:24 -------- d-----w- c:\documents and settings\Tolbely\Application Data\Interwise
2010-01-18 20:23 . 2010-01-18 20:23 -------- d-----w- c:\program files\interwise
2010-01-16 20:45 . 2009-07-08 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-16 01:23 . 2010-01-16 01:23 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-01-16 00:02 . 2010-01-16 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-15 12:02 . 2009-07-08 20:40 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-14 21:45 . 2010-01-14 14:44 -------- d-----w- c:\documents and settings\Tolbely\Application Data\Apple Computer
2010-01-14 16:48 . 2010-01-14 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-14 15:31 . 2009-07-10 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\vulScan
2010-01-14 15:19 . 2009-07-10 18:13 -------- d-----w- c:\program files\LANDesk
2010-01-14 15:03 . 2010-01-14 15:03 0 ----a-w- c:\windows\nsreg.dat
2010-01-14 14:55 . 2010-01-14 14:54 -------- d-----w- c:\documents and settings\Tolbely\Application Data\Roxio
2010-01-14 14:46 . 2010-01-14 14:46 18304 ----a-w- c:\documents and settings\Tolbely\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-14 14:44 . 2010-01-14 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-14 14:43 . 2010-01-14 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-14 14:43 . 2010-01-14 14:43 -------- d-----w- c:\program files\Bonjour
2010-01-14 14:42 . 2010-01-14 14:42 -------- d-----w- c:\program files\QuickTime
2010-01-14 14:42 . 2010-01-14 14:42 -------- d-----w- c:\program files\Apple Software Update
2010-01-14 14:18 . 2010-01-14 14:18 152576 ----a-w- c:\documents and settings\Tolbely\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-14 14:18 . 2010-01-14 14:18 79488 ----a-w- c:\documents and settings\Tolbely\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-14 14:16 . 2010-01-14 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-14 14:16 . 2010-01-14 14:15 -------- d-----w- c:\program files\Yahoo!
2010-01-14 14:16 . 2010-01-14 14:16 -------- d-----w- c:\documents and settings\Tolbely\Application Data\Yahoo!
2010-01-11 18:03 . 2010-01-11 18:03 -------- d-----w- c:\documents and settings\Tolbely\Application Data\McAfee
2010-01-11 18:03 . 2010-01-11 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\LANDesk
2010-01-11 17:27 . 2010-01-11 17:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2010-01-11 17:26 . 2010-01-11 17:26 5271393 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\EPOAGENT3000\Install\0409\FramePkg.exe
2010-01-11 16:36 . 2010-01-11 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2009-07-08 20:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2009-07-07 19:31 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2008-04-14 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-04-14 00:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2008-04-14 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2008-04-14 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2008-04-14 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-22_01.56.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-23 13:28 . 2010-02-23 13:28 16384 c:\windows\Temp\Perflib_Perfdata_390.dat
+ 2008-04-14 12:00 . 2010-02-23 13:32 72306 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2010-02-21 11:26 72306 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-02-23 13:32 444596 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2010-02-21 11:26 444596 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-30 2396160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"IntelAPMClient"="c:\program files\LANDesk\LDClient\amclient.exe" [2005-10-17 311296]
"LANDeskInventoryClient"="c:\program files\LANDesk\LDClient\LDIScn32.exe" [2006-01-12 745472]
"LANDeskVulscanClient"="c:\program files\LANDesk\LDClient\vulScan.exe" [2006-06-30 651264]
"SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2004-12-20 253952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Push Client.LNK - c:\program files\interwise\participant\pull.exe [2010-1-18 894192]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2010-1-14 6144]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplgpad.exe"=
"c:\\WINDOWS\\system32\\msgsys.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8085:TCP"= 8085:TCP:OKOGate

R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [11/22/2005 2:07 PM 122880]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [7/10/2009 1:15 PM 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [7/10/2009 1:15 PM 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [7/10/2009 1:15 PM 3712]
.
Contents of the 'Scheduled Tasks' folder

2010-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {b5859259-c40b-4b2a-af9d-3bf0f634b1d5}
FF - ProfilePath - c:\documents and settings\Tolbely\Application Data\Mozilla\Firefox\Profiles\z6e21fti.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com//?fr=fp-tyc8
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1240)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(2320)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-23 15:10:39
ComboFix-quarantined-files.txt 2010-02-23 20:10
ComboFix2.txt 2010-02-22 01:59

Pre-Run: 141,994,958,848 bytes free
Post-Run: 141,960,777,728 bytes free

- - End Of File - - 0D77A2BD444060C6C90B4C9B07AA4096


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 February 2010 - 05:20 PM

It looks good. Considering the kind of infection, I just want to check one thing to make sure there is no risk of reinfection.

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Click Run Scan button.
  • Two reports will open, attach them to your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Edited by farbar, 23 February 2010 - 05:20 PM.


#15 lynnt1958

lynnt1958
  • Topic Starter

  • Members
  • 24 posts

Posted 23 February 2010 - 07:03 PM

I am attaching the 2 logs as per your instructions.

Attached Files