IE8 Redirect Notice Virus/Malware


17 replies to this topic

#1 Patty8087 (Members, 9 posts)

Posted 22 February 2010 - 05:11 PM

For the past few days when I use IE8 and the Google search engine I get "redirect notice" on every line I try to click. I can use Google Chrome and the issue does not happen. I run Norton Internet Security and it has not found any infections. I am also able to boot in Safe Mode with Networking and I no longer get the redirect notice problem. I cannot run GMER; it quits a few minutes in, even in Safe Mode. Please help.

Attached File: DDS.txt (22.6KB, 11 downloads)



#2 shelf life (Malware Response Team, 2,651 posts)

Posted 24 February 2010 - 07:59 PM

hi,

I copy/pasted in your log for easier viewing. Comments are below the log.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Patty at 14:53:17.07 on Mon 02/22/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1436 [GMT -5:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

c:\hp\HPEZBTN\HPBtnSrv.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k svcboot_omslvai

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Windows\system32\svchost.exe"

C:\hp\support\hpsysdrv.exe

c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

C:\WINDOWS\RtHDVCpl.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\System32\jusched.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe

C:\hp\kbd\kbd.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\Patty\Desktop\dds.scr



============== Pseudo HJT Report ===============



uStart Page = hxxp://www.google.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll

mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.5.0.127\IPSBHO.DLL

BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll

TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll

uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY

uRun: [Google Update] "c:\users\patty\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe

mRun: [KBD] c:\hp\kbd\KbdStub.EXE

mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab



================= FIREFOX ===================



FF - ProfilePath - c:\users\patty\appdata\roaming\mozilla\firefox\profiles\hh5btvd8.default\

FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll

FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll

FF - component: c:\users\patty\appdata\roaming\mozilla\firefox\profiles\hh5btvd8.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll

FF - component: c:\users\patty\appdata\roaming\mozilla\firefox\profiles\hh5btvd8.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

FF - plugin: c:\users\patty\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\



---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);



============= SERVICES / DRIVERS ===============



R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1105000.07f\symds.sys [2010-1-21 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1105000.07f\symefa.sys [2010-1-21 172592]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-2-11 536112]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1105000.07f\cchpx86.sys [2010-1-21 501888]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100218.001\IDSvix86.sys [2010-2-19 343088]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1105000.07f\ironx86.sys [2010-1-21 116272]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1105000.07f\symtdiv.sys [2010-1-21 340016]

R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]

R2 HPBtnSrv;HP Chasis Button Service;c:\hp\hpezbtn\HPBtnSrv.exe [2007-8-23 198240]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.5.0.127\ccsvchst.exe [2010-1-21 126392]

R2 svcboot_omslvai;svcboot_omslvai;c:\windows\system32\svchost.exe -k svcboot_omslvai [2010-1-20 21504]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-21 102448]

R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-7-14 1443584]

R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]

S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]

S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-1-20 21504]

S3 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-11 167936]



=============== Created Last 30 ================



2010-02-22 19:19:52 0 d-----w- c:\program files\TrendMicro

2010-02-22 19:00:13 0 d-----w- c:\users\patty\appdata\roaming\Malwarebytes

2010-02-22 19:00:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-22 19:00:07 0 d-----w- c:\programdata\Malwarebytes

2010-02-22 19:00:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-22 19:00:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-18 18:52:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-02-11 17:18:50 0 d-----w- c:\programdata\NOS

2010-02-10 14:24:15 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-02-10 14:24:15 302080 ----a-w- c:\windows\system32\drivers\srv.sys

2010-02-10 14:24:12 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-10 14:24:12 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-04 18:05:59 0 d-----w- c:\programdata\Lavasoft

2010-02-03 22:34:57 0 d-----w- c:\program files\iPod

2010-02-03 22:34:54 0 d-----w- c:\program files\iTunes

2010-02-02 15:40:32 0 d-----w- c:\program files\NVIDIA Corporation

2010-01-28 22:00:06 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2010-01-28 22:00:05 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-01-28 21:59:16 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2010-01-28 21:58:40 0 d-----w- c:\program files\Bonjour

2010-01-28 21:57:26 0 d-----w- c:\programdata\Apple Computer

2010-01-28 21:54:30 0 d-----w- c:\programdata\Apple

2010-01-26 16:09:45 486 ----a-w- c:\windows\system32\Support.xml

2010-01-24 00:10:46 0 d-----w- c:\programdata\Office Genuine Advantage



==================== Find3M ====================



2010-02-22 19:29:59 34895 ----a-w- c:\programdata\nvModes.dat

2010-02-05 14:00:55 51200 ----a-w- c:\windows\inf\infpub.dat

2010-02-05 14:00:55 143360 ----a-w- c:\windows\inf\infstrng.dat

2010-02-04 17:16:58 143360 ----a-w- c:\windows\inf\infstor.dat

2010-01-21 17:33:21 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-01-21 17:33:21 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-01-21 17:33:21 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-01-21 15:48:13 665600 ----a-w- c:\windows\inf\drvindex.dat

2010-01-21 15:47:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf

2010-01-21 14:54:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf

2010-01-21 14:43:50 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont

2010-01-21 03:41:27 174 --sha-w- c:\program files\desktop.ini

2010-01-21 03:06:06 101888 ----a-w- c:\windows\system32\ifxcardm.dll

2010-01-21 03:06:03 82432 ----a-w- c:\windows\system32\axaltocm.dll

2010-01-20 18:43:29 55072 ----a-w- c:\windows\system32\jureg.exe

2010-01-20 18:43:29 386872 ----a-w- c:\windows\system32\jucheck.exe

2010-01-20 18:43:29 149280 ----a-w- c:\windows\system32\jusched.exe

2010-01-20 18:43:27 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-01-20 17:29:49 72704 ----a-w- c:\windows\system32\fontsub.dll

2010-01-20 17:29:49 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-01-20 17:29:49 289792 ----a-w- c:\windows\system32\atmfd.dll

2010-01-20 17:29:49 23552 ----a-w- c:\windows\system32\lpk.dll

2010-01-20 17:29:49 156672 ----a-w- c:\windows\system32\t2embed.dll

2010-01-20 17:29:49 10240 ----a-w- c:\windows\system32\dciman32.dll

2010-01-20 17:28:19 61440 ----a-w- c:\windows\system32\winipsec.dll

2010-01-20 17:28:19 272896 ----a-w- c:\windows\system32\polstore.dll

2010-01-20 17:23:34 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE

2010-01-20 17:23:34 17920 ----a-w- c:\windows\system32\netevent.dll

2010-01-20 17:23:34 11264 ----a-w- c:\windows\system32\MRINFO.EXE

2010-01-20 17:23:33 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE

2010-01-20 17:23:33 27136 ----a-w- c:\windows\system32\NETSTAT.EXE

2010-01-20 17:23:33 19968 ----a-w- c:\windows\system32\ARP.EXE

2010-01-20 17:23:33 17920 ----a-w- c:\windows\system32\ROUTE.EXE

2010-01-20 17:23:33 105984 ----a-w- c:\windows\system32\netiohlp.dll

2010-01-20 17:23:33 10240 ----a-w- c:\windows\system32\finger.exe

2010-01-20 17:18:25 127488 ----a-w- c:\windows\system32\L2SecHC.dll

2010-01-20 17:18:24 68096 ----a-w- c:\windows\system32\wlanhlp.dll

2010-01-20 17:18:24 65024 ----a-w- c:\windows\system32\wlanapi.dll

2010-01-20 17:18:23 513536 ----a-w- c:\windows\system32\wlansvc.dll

2010-01-20 17:18:23 302592 ----a-w- c:\windows\system32\wlansec.dll

2010-01-20 17:18:23 293376 ----a-w- c:\windows\system32\wlanmsm.dll

2010-01-20 17:18:20 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs

2010-01-20 17:16:49 1248768 ----a-w- c:\windows\system32\msxml3.dll

2010-01-20 17:16:48 1401856 ----a-w- c:\windows\system32\msxml6.dll

2010-01-20 17:16:47 2048 ----a-w- c:\windows\system32\msxml3r.dll

2010-01-20 17:16:46 2048 ----a-w- c:\windows\system32\msxml6r.dll

2010-01-20 17:15:07 9728 ----a-w- c:\windows\system32\lsass.exe

2010-01-20 17:15:07 72704 ----a-w- c:\windows\system32\secur32.dll

2010-01-20 17:15:07 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2010-01-20 17:15:07 218624 ----a-w- c:\windows\system32\msv1_0.dll

2010-01-20 17:15:07 175104 ----a-w- c:\windows\system32\wdigest.dll

2010-01-20 17:15:07 1259008 ----a-w- c:\windows\system32\lsasrv.dll

2010-01-20 17:13:17 98816 ----a-w- c:\windows\system32\mfps.dll

2010-01-20 17:13:17 53248 ----a-w- c:\windows\system32\rrinstaller.exe

2010-01-20 17:13:17 2868224 ----a-w- c:\windows\system32\mf.dll

2010-01-20 17:13:17 24576 ----a-w- c:\windows\system32\mfpmp.exe

2010-01-20 17:13:17 2048 ----a-w- c:\windows\system32\mferror.dll

2010-01-20 17:11:11 2048 ----a-w- c:\windows\system32\tzres.dll

2010-01-20 17:06:10 71680 ----a-w- c:\windows\system32\atl.dll

2010-01-20 16:52:10 160256 ----a-w- c:\windows\system32\wkssvc.dll

2010-01-20 16:50:57 53248 ----a-w- c:\windows\system32\tsgqec.dll

2010-01-20 16:50:57 2066432 ----a-w- c:\windows\system32\mstscax.dll

2010-01-20 16:50:57 136192 ----a-w- c:\windows\system32\aaclient.dll

2010-01-20 16:36:40 623616 ----a-w- c:\windows\system32\localspl.dll

2010-01-20 16:35:37 65024 ----a-w- c:\windows\system32\avicap32.dll

2010-01-20 16:20:26 6656 ----a-w- c:\windows\system32\kbd106n.dll

2010-01-20 16:08:49 411648 ----a-w- c:\windows\system32\drivers\http.sys

2010-01-20 16:08:49 30720 ----a-w- c:\windows\system32\httpapi.dll

2010-01-20 16:08:49 24064 ----a-w- c:\windows\system32\nshhttp.dll

2010-01-20 16:05:16 37888 ----a-w- c:\windows\system32\printcom.dll

2010-01-20 16:04:27 2036736 ----a-w- c:\windows\system32\win32k.sys

2010-01-20 16:03:39 14848 ----a-w- c:\windows\system32\wshrm.dll

2010-01-20 16:02:45 313344 ----a-w- c:\windows\system32\wmpdxm.dll

2010-01-20 15:36:28 41984 ----a-w- c:\windows\system32\netfxperf.dll

2010-01-20 15:22:51 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

2010-01-20 15:22:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

2010-01-20 15:22:49 1696768 ----a-w- c:\windows\system32\gameux.dll

2010-01-20 15:21:48 84480 ----a-w- c:\windows\system32\INETRES.dll

2010-01-20 15:21:34 60928 ----a-w- c:\windows\system32\msasn1.dll

2010-01-20 15:20:38 784896 ----a-w- c:\windows\system32\rpcrt4.dll

2010-01-20 15:19:17 144896 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-01-20 15:18:45 243712 ----a-w- c:\windows\system32\rastls.dll

2010-01-20 15:18:28 355328 ----a-w- c:\windows\system32\WSDApi.dll

2010-01-20 15:16:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

2010-01-20 15:16:16 8147456 ----a-w- c:\windows\system32\wmploc.DLL

2010-01-20 15:16:16 310784 ----a-w- c:\windows\system32\unregmp2.exe

2010-01-20 15:16:14 7680 ----a-w- c:\windows\system32\spwmp.dll

2010-01-20 15:16:13 4096 ----a-w- c:\windows\system32\dxmasf.dll

2010-01-20 14:19:46 2421760 ----a-w- c:\windows\system32\wucltux.dll

2010-01-20 14:19:18 87552 ----a-w- c:\windows\system32\wudriver.dll

2010-01-20 14:18:40 33792 ----a-w- c:\windows\system32\wuapp.exe

2010-01-20 14:18:40 171608 ----a-w- c:\windows\system32\wuwebv.dll

2010-01-20 14:14:48 1910 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_GN553AA-ABA m9040n_YC_0Pavi_QCNH737_E74NAv3PrA1_49_IBerkeley_SASUSTeK Computer INC._V1.xx_B5.07_T070808_WUH0_L409_M3071_J320_7Intel_8Core2 Quad Q6600_92.39_#071113_N8086294C_Z14F12F20_G10DE0640.MRK

2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe

2010-01-12 03:18:00 962664 ----a-w- c:\windows\system32\nvsvc.dll

2010-01-12 03:18:00 13679720 ----a-w- c:\windows\system32\nvcpl.dll

2010-01-12 03:18:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe

2010-01-12 03:18:00 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll

2007-08-23 13:15:36 8192 --sha-w- c:\windows\users\default\NTUSER.DAT



============= FINISH: 14:54:35.01 ===============
Comments:

Did you install this toolbar?

Zynga Toolbar

We will start with malwarebytes:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?
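The symptom in post #1 (redirects only in IE8, not in Chrome, and not in Safe Mode) and the entry shelf life singles out in the log both point at an IE add-on rather than at the network path: a hosts-file or DNS hijack would affect Chrome as well. The script below is an added example, not a tool from the thread or from DDS; it reads the "Pseudo HJT Report" lines of a DDS log and groups every BHO, toolbar, URLSearchHook and Firefox extension by CLSID, so an add-on that has registered itself at several load points stands out the way the Zynga toolbar does here. The sample lines are copied from the first log above; the line-format regexes, the u = HKCU / m = HKLM reading of the prefixes and the registry keys in the comments are my assumptions about DDS output, and nothing in the script decides whether an entry is malicious.

```python
"""Triage the browser hook entries of a DDS 'Pseudo HJT Report' by CLSID.

Added example for this thread, not a tool from the original posts.
Assumptions: DDS prints one hook per line as '<kind>: <name>: {clsid} - <path>';
the 'u' prefix means the entry lives under HKCU and 'm' under HKLM.
The registry locations in the comments are the usual IE 8 ones.
"""
import re
from collections import defaultdict

# Sample input, copied from the first DDS log posted in this thread.
SAMPLE_LOG = r"""
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
FF - component: c:\users\patty\appdata\roaming\mozilla\firefox\profiles\hh5btvd8.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
"""

# IE load points DDS reports, with the key each prefix is read from (assumed):
#   [um]URLSearchHooks  Software\Microsoft\Internet Explorer\URLSearchHooks
#   BHO                 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
#   TB                  Software\Microsoft\Internet Explorer\Toolbar
HOOK_RE = re.compile(
    r"^(?P<kind>[um]URLSearchHooks|BHO|TB): (?P<name>.+?): "
    r"\{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.+)$"
)
# Firefox lines carry the add-on GUID inside the extensions path.
FF_RE = re.compile(r"^FF - (?P<kind>\w+):.*\{(?P<clsid>[0-9a-fA-F-]{36})\}")


def parse_hooks(log_text):
    """Map each CLSID to the names, load points and paths it was seen with."""
    groups = defaultdict(lambda: {"names": set(), "hooks": set(), "paths": set()})
    for line in log_text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            g = groups[m["clsid"].lower()]
            g["names"].add(m["name"])
            g["hooks"].add(m["kind"])
            g["paths"].add(m["path"].lower())
            continue
        m = FF_RE.match(line)
        if m:
            g = groups[m["clsid"].lower()]
            g["hooks"].add("FF-" + m["kind"])
            g["paths"].add(line.split(":", 1)[1].strip().lower())
    return dict(groups)


def triage(groups):
    """Rank CLSIDs by the number of load points they occupy, with notes.

    A URLSearchHook is consulted whenever the address bar receives text
    that is not a URL, which is the cheapest place for an add-on to
    steer searches.  A CLSID that is hooked per-user and machine-wide,
    loaded as a BHO, shown as a toolbar and also dropped into Firefox
    is the footprint of the Zynga entry in the log.
    """
    rows = []
    for clsid, g in groups.items():
        notes = []
        if any(h.endswith("URLSearchHooks") for h in g["hooks"]):
            notes.append("hooks address-bar searches (URLSearchHook)")
        if any(h.startswith("FF-") for h in g["hooks"]):
            notes.append("also installed into Firefox")
        rows.append({
            "clsid": clsid,
            "names": sorted(g["names"]),
            "hooks": sorted(g["hooks"]),
            "paths": sorted(g["paths"]),
            "load_points": len(g["hooks"]),
            "notes": notes,
        })
    rows.sort(key=lambda r: (-r["load_points"], r["clsid"]))
    return rows


if __name__ == "__main__":
    for row in triage(parse_hooks(SAMPLE_LOG)):
        print(f"{row['load_points']} load point(s)  {row['clsid']}  "
              f"{', '.join(row['names'])}  {' '.join(row['hooks'])}")
        for note in row["notes"]:
            print("    " + note)
```

Run against the full DDS text instead of the embedded sample and the top rows are the add-ons to look up first; a vendor toolbar legitimately occupies several of these slots too, so the ranking is a reading order for the log, not a verdict.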


#3 Patty8087 (Topic Starter, Members, 9 posts)

Posted 27 February 2010 - 08:09 PM

Hi, I got frustrated with this PC since it's my main PC that I do everything on, and just reformatted the hard drive and installed my Ghost "factory shipped" set-up yesterday. Spent the day re-installing my purchased software and a million Microsoft updates, and now I think I am all set on this PC... the "redirect" on IE8 doesn't happen anymore. I have 3 PCs at the house and the issue/problem still exists on the other two. Once I reformatted this hard drive I took those other 2 PCs off my network to prevent re-infection. Can you help me remove the malware from my other PC? I can take the good PC off the network and put my other one back on and run the logs you want for the beginning look. Or do you want me to start a brand new case?

#4 shelf life (Malware Response Team, 2,651 posts)

Posted 28 February 2010 - 08:27 AM

May as well stay in this thread. Yes, keep the machine you reformatted off the network and pick one machine to start with. Get the needed logs and post them. Since malware attracts more malware, I would make sure there's no internet connectivity when it's not in use, or just power it off.

How Can I Reduce My Risk to Malware?


#5 Patty8087 (Topic Starter, Members, 9 posts)

Posted 28 February 2010 - 08:38 PM

Thanks. Computer #2 DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Bob at 20:35:17.67 on Sun 02/28/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1540 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k svcboot_omslvai
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\system32\DllHost.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
"C:\Windows\system32\svchost.exe"
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\taskeng.exe
C:\Users\Bob\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Bob\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Bob\Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.5.0.127\IPSBHO.DLL
BHO: IEHlprObj Class: {8ca5ed52-f3fb-4414-a105-2e3491156990} - c:\program files\iwin games\iWinGamesHookIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\bob\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\bob\appdata\roaming\mozilla\firefox\profiles\ey10tdhu.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\mozilla firefox\components\1379791.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\mozilla firefox\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppanda3d.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\programdata\realarcade\npraclient.dll
FF - plugin: c:\users\bob\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1105000.07f\SymDS.sys [2010-2-27 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1105000.07f\SymEFA.sys [2010-2-27 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-2-11 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1105000.07f\cchpx86.sys [2010-2-27 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20100224.002\IDSvix86.sys [2010-2-27 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1105000.07f\Ironx86.sys [2010-2-27 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1105000.07f\symtdiv.sys [2010-2-27 340016]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\hp\dvdplay\000.fcl [2007-11-12 39408]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.5.0.127\ccSvcHst.exe [2010-2-27 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-27 102448]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-11-12 1129344]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-8 21504]
S4 HPBtnSrv;HP Chasis Button Service;c:\hp\hpezbtn\HPBtnSrv.exe [2007-11-12 198240]
S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-11-24 78104]

=============== Created Last 30 ================

2010-02-27 17:26:04 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-02-27 17:08:02 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-27 17:08:02 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-27 17:08:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-27 17:06:59 0 d-----w- c:\program files\Norton Internet Security
2010-02-27 17:06:47 0 d-----w- c:\program files\NortonInstaller
2010-02-27 16:15:19 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-27 16:15:02 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-27 16:15:02 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-27 16:15:00 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-27 16:15:00 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-27 16:15:00 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-27 16:15:00 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-27 16:14:59 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-27 16:14:59 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-27 16:14:59 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-27 16:14:58 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-27 16:14:57 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-27 16:14:57 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-26 21:08:33 0 d-----w- c:\users\bob\appdata\roaming\Tific
2010-02-24 21:35:11 0 d-----w- c:\users\bob\appdata\roaming\PeerNetworking
2010-02-23 21:11:20 0 d-----w- c:\users\bob\appdata\roaming\funkitron
2010-02-22 23:13:19 0 d-----w- c:\program files\Trend Micro
2010-02-22 13:48:25 10752 ----a-w- c:\windows\DCEBoot.exe
2010-02-21 15:07:00 0 d-----w- c:\program files\Panda3D
2010-02-17 14:41:00 197120 ----a-w- c:\windows\system32\Warriors Screensaver.scr
2010-02-17 14:41:00 0 d-----w- c:\windows\system32\Warriors Screensaver dir
2010-02-09 22:37:48 0 ----a-w- c:\windows\ResortingToDanger.INI
2010-02-07 17:13:55 0 d-----w- c:\programdata\Wild Tangent
2010-02-06 15:17:46 0 d-----w- c:\users\bob\appdata\roaming\Mean Hamster Software
2010-02-06 15:17:46 0 d-----w- c:\programdata\Mean Hamster Software
2010-02-06 14:11:29 0 d-----w- c:\users\bob\appdata\roaming\MysteryStudio
2010-02-05 23:03:25 0 d-----w- c:\users\bob\appdata\roaming\Boomzap
2010-02-03 00:55:37 0 d-----w- c:\users\bob\appdata\roaming\eGames
2010-02-02 22:08:22 0 d-----w- c:\programdata\Ubisoft
2010-02-02 22:07:40 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2010-02-02 22:06:59 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-02-02 16:27:12 0 d-sh--w- C:\found.000

==================== Find3M ====================

2010-02-27 17:26:01 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-27 17:26:00 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-27 17:26:00 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-08 20:01:02 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01:02 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-04 18:30:05 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29:41 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28:52 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28:51 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28:51 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28:49 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28:27 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28:21 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27:12 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-11-18 22:32:57 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-05-09 00:05:25 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-31 23:33:01 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-24 16:48:30 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-11-13 03:29:32 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:36:35.44 ===============

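Parsing the log above into browser load points, as an added example that is not part of the original post, of DDS, or of BleepingComputer's tools. The thread's open question is why only IE is affected, so the script separates IE load points (the BHO: and TB: lines) from Firefox ones (the FF - component/plugin lines) and lists the modules only IE loads. The line patterns are taken from the log as it appears above; the sample input is a constructed excerpt of a few of those lines, and the loader labels and helper names are this example's own assumptions.

```python
"""Parse the browser load-point entries of a DDS log and compare IE with Firefox.

Added example, not part of DDS or of this thread. Line shapes handled are the
ones visible in the log above: BHO:/TB: (IE), uRun:/mRun: (startup), FF -
component/plugin (Firefox) and the R0..S4 service/driver lines. SAMPLE_LOG is a
constructed excerpt of that log, not the whole thing.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
BHO: IEHlprObj Class: {8ca5ed52-f3fb-4414-a105-2e3491156990} - c:\program files\iwin games\iWinGamesHookIE.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [<NO NAME>]
FF - component: c:\program files\mozilla firefox\components\1379791.dll
FF - plugin: c:\programdata\realarcade\npraclient.dll
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1105000.07f\symtdiv.sys [2010-2-27 340016]
S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-11-24 78104]
"""

# One regex per line shape seen in the log; group names become record fields.
IE_RE = re.compile(r"^(?P<kind>BHO|TB): (?P<name>.*?): \{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\]\s*(?P<path>.*)$")
FF_RE = re.compile(r"^FF - (?P<kind>component|plugin): (?P<path>.+)$")
SVC_RE = re.compile(r"^(?P<kind>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")

# Which loader each line shape belongs to (labels are this example's own choice).
LOADER = {"BHO": "IE", "TB": "IE", "uRun": "startup", "mRun": "startup",
          "component": "Firefox", "plugin": "Firefox"}

def parse_dds(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn recognised DDS lines into dicts; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for rx in (IE_RE, RUN_RE, FF_RE, SVC_RE):
            m = rx.match(line)
            if m:
                rec = m.groupdict()
                rec["loader"] = LOADER.get(rec["kind"], "service")
                rec["path"] = rec["path"] or None   # "[<NO NAME>]" carries no command
                records.append(rec)
                break
    return records

def basename(path: str) -> str:
    """Lower-cased file name of a module path (DLL paths here carry no arguments)."""
    return path.rsplit("\\", 1)[-1].lower()

def by_loader(records: List[dict]) -> Dict[str, List[dict]]:
    """Group records by the component that loads them (IE, Firefox, startup, service)."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["loader"]].append(rec)
    return dict(groups)

def ie_only_modules(records: List[dict]) -> List[str]:
    """Module file names loaded by IE (BHO/TB) that Firefox does not load.

    With an IE-only symptom, these are the entries a reviewer checks first.
    """
    ie = {basename(r["path"]) for r in records if r["loader"] == "IE"}
    ff = {basename(r["path"]) for r in records if r["loader"] == "Firefox"}
    return sorted(ie - ff)

if __name__ == "__main__":
    recs = parse_dds(SAMPLE_LOG)
    for loader, items in by_loader(recs).items():
        print(f"{loader}: {len(items)} entries")
    print("IE-only modules:", ", ".join(ie_only_modules(recs)))
```

Run it against a full DDS log by reading the file into parse_dds; the IE-only list is a starting point for review, not a verdict, since a vendor toolbar and an unwanted helper object look the same to the parser.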

#6 shelf life (Malware Response Team)

Posted 28 February 2010 - 09:12 PM

OK, let's start with Malwarebytes for now. Link and directions:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?


#7 Patty8087 (Topic Starter)

Posted 02 March 2010 - 07:55 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3808
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

3/1/2010 8:04:49 AM
mbam-log-2010-03-01 (08-04-49).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 389586
Time elapsed: 1 hour(s), 44 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 shelf life (Malware Response Team)

Posted 02 March 2010 - 08:19 PM

Well, that looks good. Is the machine on the internet? Redirects or popups or anything going on?


#9 Patty8087 (Topic Starter)

Posted 03 March 2010 - 08:34 AM

I have 3 computers and all 3 PCs had this issue at first. On my main PC I just reformatted the hard drive and started over. Now only 1 PC is on the network at a time. Here's what happens: when I go to Internet Explorer 8 and try to do a Google search it comes back with web pages, but when I click on the page I want, I get a "redirect notice". The issue does not happen in safe mode and only happens on IE8. I can do the same search in Firefox or Chrome on Google without issues.


#10 shelf life (Malware Response Team)

Posted 03 March 2010 - 07:09 PM

Thanks for the info. I don't see any malware in the logs. Only IE and on Google? The redirect notice, does it send you to a different page? Do you finally get to the page you're looking for?
Can you post the URL of the redirect notice? Copy/paste in the http://....
Is that a new symptom on the machine or one you have been having? I am trying to see if it's malware related.


#11 Patty8087 (Topic Starter)

Posted 03 March 2010 - 09:26 PM

OK, on IE8 using Google I typed: bleeping computer

Here's the URL that comes up when I click on the bleeping computer hyperlink from Google:

http://www.google.com/url?sa=t&source=...amp;safe=active

and I see this:

Redirect Notice
The previous page is sending you to http://www.bleepingcomputer.com/.

If you do not want to visit that page, you can return to the previous page.


If I do the same thing in Chrome or Firefox on Google the issue does not happen. I can also (last time I checked) boot in safe mode with networking, go to IE8, use Google, and the issue also does not happen. This PC (#2) did have a rootkit virus (can't remember which) that the HouseCall online scanner found and removed. I cleared the temp files so I can't see the results anymore. PC #1 (the one I reformatted) had this same problem, but Norton Internet Security 2010, the HouseCall online scanner, Malwarebytes, etc. found no virus or malware. I just got frustrated and reformatted PC #1 after a few days. PC #3, which I haven't even posted anything about yet, is also having the same problem. Once I noticed the issue, only one PC has been on and connected to my network at a time.
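Checking where a Google "Redirect Notice" link actually points, as an added example that is not part of the original post or of anything Google ships. The notice in the post above is a google.com/url?... link whose text names the destination, and the responder's question is whether that destination differs from the site that was clicked. The link posted in the thread is truncated, so the sample link below is constructed; the parameter names url (destination, q in older links) and safe (SafeSearch state), the GOOGLE_HOSTS set, and the helper names are this example's assumptions about Google's redirector.

```python
"""Inspect a Google "Redirect Notice" link and report where it really sends you.

Added example for this thread, not code from the original post or from Google.
On the page the notice appears as a google.com/url?... link whose text announces
the destination ("The previous page is sending you to http://www.bleepingcomputer.com/").
The link posted above is truncated, so SAMPLE_LINK below is CONSTRUCTED; the
parameter names 'url' (destination, 'q' in older links) and 'safe' (SafeSearch
state) are assumptions of this example about Google's redirector.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the same shape as the (truncated) link in the thread.
SAMPLE_LINK = ("http://www.google.com/url?sa=t&source=web&ct=res"
               "&url=http%3A%2F%2Fwww.bleepingcomputer.com%2F&safe=active")

# Hosts we accept as Google's own redirector (assumption of this example).
GOOGLE_HOSTS = {"www.google.com", "google.com"}

def is_google_redirect(link: str) -> bool:
    """True when the link is Google's own /url interstitial rather than another host."""
    parts = urlsplit(link)
    return parts.netloc.lower() in GOOGLE_HOSTS and parts.path == "/url"

def parse_redirect_link(link: str) -> dict:
    """Return redirector host, destination URL/host and SafeSearch flag.

    Raises ValueError for links that are not a google.com/url redirect, because
    then the "redirect notice" wording cannot be Google's and needs a closer look.
    """
    if not is_google_redirect(link):
        raise ValueError(f"not a google.com/url redirect: {link}")
    parts = urlsplit(link)
    qs = parse_qs(parts.query)          # percent-decodes the values for us
    dest: Optional[str] = (qs.get("url") or qs.get("q") or [None])[0]
    return {
        "redirector_host": parts.netloc.lower(),
        "destination": dest,
        "destination_host": urlsplit(dest).netloc.lower() if dest else None,
        "safe_search": qs.get("safe", [None])[0],
    }

def destination_matches(link: str, expected_host: str) -> bool:
    """True when the redirect goes to the host the user clicked on.

    Same host: a Google interstitial (annoying, but the browser ends up where
    the user wanted). Different host: the click is being sent elsewhere, which
    is the case a malware responder wants to see first.
    """
    return parse_redirect_link(link)["destination_host"] == expected_host.lower()

if __name__ == "__main__":
    info = parse_redirect_link(SAMPLE_LINK)
    print(f"Redirector:   {info['redirector_host']}")
    print(f"Sends you to: {info['destination']}")
    print(f"SafeSearch:   {info['safe_search']}")
    print("Same site as clicked:", destination_matches(SAMPLE_LINK, "www.bleepingcomputer.com"))
```

To use it on a real case, paste the full link from the address bar in place of SAMPLE_LINK; a destination host that differs from the result you clicked, or a redirector that is not a Google host at all, is the detail worth reporting back in a thread like this one.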



#12 shelf life (Malware Response Team)

Posted 04 March 2010 - 07:00 PM

Uhmm, try this; this should be close to how to do it in IE 8.0. I am in Linux right now and can't check.

Start > Settings > Control Panel > click the Internet Options icon

Next:

Click on Delete Cookies.

Click on Delete Files, make sure Delete all offline content is checked and then click on OK.

Then click on Settings, then click on View Files. If there is anything in there, delete what you can
(Edit > Select All, then File > Delete).

Click on Start and type in cmd, then press Enter. A window should open; at the cursor you can copy and paste in:

ipconfig /flushdns

Press Enter and reboot the machine.


#13 Patty8087 (Topic Starter)

Posted 04 March 2010 - 08:06 PM

When I do ipconfig /flushdns at a command prompt I get "The requested operation requires elevation".

#14 shelf life (Malware Response Team)

Posted 04 March 2010 - 08:25 PM

Try temporarily disabling UAC (User Account Control):

Go to Start -> Control Panel, then click on User Accounts,
then click on User Accounts again.
Click Turn User Account Control on or off in the User Accounts window.

If you are using Control Panel in classic view mode, you can get to this page by going to Start -> Control Panel -> User Accounts.
Uncheck Use User Account Control (UAC) to help protect your computer and finally click OK.
You may have to reboot your machine.


#15 Patty8087 (Topic Starter)

Posted 08 March 2010 - 02:44 PM

OK, sorry for the delay... changed the User Account Control setting, and did the ipconfig /flushdns successfully. Still won't let me do a Google search on IE8.. UGH





