
Help with Malware infection


19 replies to this topic

#1 CynthiaC

CynthiaC

  • Members
  • 10 posts

Posted 15 March 2010 - 04:44 PM

Hello BC, I am having trouble removing some malware - I am experiencing redirection with Firefox and Explorer - I first ran Malwarebytes and Avira, and then SAS and then SpybotSAD - Avira came up with a couple of trojans, SAS came up with several adware tracking cookies, and Spybot was clean, as with MAM. However, I am still having problems with the redirection. I see this is a common theme in the posts, but I feel I need a little guidance with this one. Please find attached my bits & pieces as per the guide. Thx kindly, C


DDS (Ver_09-12-01.01) - NTFSx86
Run by Cynthia at 20:16:24.20 on Mon 15/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1033.18.2030.1310 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cynthia\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl05a\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {49227DB2-EFA4-4F5F-A5FE-42D767B1ACD5} = 77.239.239.5,77.239.238.242
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cynthia\applic~1\mozilla\firefox\profiles\39knic30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.redspective.com/
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: f:\program files\adobe\reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-15 11608]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-15 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-15 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-28 56816]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-21 133104]
S3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-03-15 19:14:25 0 ----a-w- c:\documents and settings\cynthia\defogger_reenable
2010-03-15 17:43:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-15 17:43:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-15 16:43:38 0 d-----w- c:\windows\pss
2010-03-15 16:04:55 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-15 15:50:30 0 d-----w- c:\program files\Avira
2010-03-15 15:50:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-03-15 15:23:12 0 d-----w- c:\windows\system32\scripting
2010-03-15 15:23:12 0 d-----w- c:\windows\l2schemas
2010-03-15 15:23:11 0 d-----w- c:\windows\system32\en
2010-03-15 15:23:10 0 d-----w- c:\windows\system32\bits
2010-03-15 15:16:11 0 d-----w- c:\windows\network diagnostic
2010-03-15 15:12:05 0 d-----w- c:\windows\EHome
2010-03-09 14:47:45 0 d-----w- c:\docume~1\cynthia\applic~1\SUPERAntiSpyware.com
2010-03-07 23:15:54 0 d-----w- c:\windows\system32\NtmsData
2010-03-05 21:44:54 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-03 20:15:36 0 d-----w- c:\program files\OpenOffice.org 2.4
2010-02-27 22:34:14 0 d-----w- c:\docume~1\cynthia\applic~1\Malwarebytes
2010-02-27 22:34:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 22:34:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-27 22:34:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 22:34:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-03-15 15:16:05 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-02 23:08:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

============= FINISH: 20:17:31.70 ===============



#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 17 March 2010 - 01:08 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction, or are just unsure, then please do not guess; simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic; I will assist you in this thread until we solve your problems.

Lastly, the fix may take several attempts, and my replies may take some time, but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please post a fresh DDS log.

MalWare Removal University Master

Member of ASAP


#3 CynthiaC

CynthiaC
  • Topic Starter

  • Members
  • 10 posts

Posted 18 March 2010 - 02:25 AM

Hello :) here are the DDS files as requested.
Many thanks, Cynthia


DDS (Ver_10-03-17.01) - NTFSx86
Run by Cynthia at 8:20:01.41 on Thu 18/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1033.18.2030.1389 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cynthia\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl05a\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {49227DB2-EFA4-4F5F-A5FE-42D767B1ACD5} = 77.239.239.5,77.239.238.242
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cynthia\applic~1\mozilla\firefox\profiles\39knic30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.redspective.com/
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: f:\program files\adobe\reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-15 11608]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-15 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-15 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-28 56816]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-21 133104]
S3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-03-15 19:14:25 0 ----a-w- c:\documents and settings\cynthia\defogger_reenable
2010-03-15 17:43:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-15 17:43:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-15 16:43:38 0 d-----w- c:\windows\pss
2010-03-15 16:04:55 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-15 15:50:30 0 d-----w- c:\program files\Avira
2010-03-15 15:50:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-03-15 15:23:12 0 d-----w- c:\windows\system32\scripting
2010-03-15 15:23:12 0 d-----w- c:\windows\l2schemas
2010-03-15 15:23:11 0 d-----w- c:\windows\system32\en
2010-03-15 15:23:10 0 d-----w- c:\windows\system32\bits
2010-03-15 15:16:11 0 d-----w- c:\windows\network diagnostic
2010-03-15 15:12:05 0 d-----w- c:\windows\EHome
2010-03-09 14:47:45 0 d-----w- c:\docume~1\cynthia\applic~1\SUPERAntiSpyware.com
2010-03-07 23:15:54 0 d-----w- c:\windows\system32\NtmsData
2010-03-05 21:44:54 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-03 20:15:36 0 d-----w- c:\program files\OpenOffice.org 2.4
2010-02-27 22:34:14 0 d-----w- c:\docume~1\cynthia\applic~1\Malwarebytes
2010-02-27 22:34:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 22:34:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-27 22:34:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 22:34:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-03-02 23:08:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 8:20:31.79 ===============


#4 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 18 March 2010 - 12:28 PM

Thanks for the logs. :)

I'd like a fresh GMER log from you next.

First, delete GMER.exe (and GMER.zip, if on your computer) from your computer, then follow the directions below:


Step # 1: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click No.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error, etc.!

Please post the results from the GMER scan in your reply.

MalWare Removal University Master

Member of ASAP


#5 CynthiaC

CynthiaC
  • Topic Starter

  • Members
  • 10 posts

Posted 18 March 2010 - 04:54 PM

Hi again - here is the file for you.
(Also I apologise, as my replies might be a little slow: I am sitting in Berlin, and our time zones are a bit wacky.)
Look forward to your reply.


#6 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 19 March 2010 - 12:46 AM

Thanks for the log. :)

From now on, please do not attach your logs, just post them normally. Only attach them if I ask you to.

Thanks. :)


Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

Edited by km2357, 19 March 2010 - 12:48 AM.

MalWare Removal University Master

Member of ASAP


#7 CynthiaC

CynthiaC
  • Topic Starter

  • Members
  • 10 posts

Posted 19 March 2010 - 07:58 AM

All for you :)
Cheers



ComboFix 10-03-18.02 - Cynthia 19/03/2010 13:49:36.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1033.18.2030.1544 [GMT 1:00]
Running from: c:\documents and settings\Cynthia\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
.

2010-03-15 17:43 . 2010-03-15 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-15 17:43 . 2010-03-15 17:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-15 16:06 . 2010-03-15 16:06 52224 ----a-w- c:\documents and settings\Cynthia\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-15 16:06 . 2010-03-15 16:06 117760 ----a-w- c:\documents and settings\Cynthia\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-15 16:04 . 2010-03-15 16:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-15 15:50 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-15 15:50 . 2009-02-13 10:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-15 15:50 . 2009-02-13 10:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-15 15:50 . 2010-03-15 15:50 -------- d-----w- c:\program files\Avira
2010-03-15 15:50 . 2010-03-15 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-15 15:23 . 2010-03-15 15:23 -------- d-----w- c:\windows\system32\scripting
2010-03-15 15:23 . 2010-03-15 15:23 -------- d-----w- c:\windows\l2schemas
2010-03-15 15:23 . 2010-03-15 15:23 -------- d-----w- c:\windows\system32\en
2010-03-15 15:23 . 2010-03-15 15:23 -------- d-----w- c:\windows\system32\bits
2010-03-15 15:12 . 2010-03-15 15:12 -------- d-----w- c:\windows\EHome
2010-03-14 01:28 . 2010-03-14 01:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
2010-03-14 01:28 . 2010-03-14 01:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
2010-03-09 14:47 . 2010-03-15 16:05 -------- d-----w- c:\documents and settings\Cynthia\Application Data\SUPERAntiSpyware.com
2010-03-08 19:10 . 2010-03-08 19:10 503808 ----a-w- c:\documents and settings\Cynthia\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5589d74a-n\msvcp71.dll
2010-03-08 19:10 . 2010-03-08 19:10 499712 ----a-w- c:\documents and settings\Cynthia\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5589d74a-n\jmc.dll
2010-03-08 19:10 . 2010-03-08 19:10 348160 ----a-w- c:\documents and settings\Cynthia\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5589d74a-n\msvcr71.dll
2010-03-08 19:10 . 2010-03-08 19:10 61440 ----a-w- c:\documents and settings\Cynthia\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-238bebaa-n\decora-sse.dll
2010-03-08 19:10 . 2010-03-08 19:10 12800 ----a-w- c:\documents and settings\Cynthia\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-238bebaa-n\decora-d3d.dll
2010-03-07 23:15 . 2010-03-16 17:41 -------- d-----w- c:\windows\system32\NtmsData
2010-03-05 21:44 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-05 17:29 . 2010-03-05 17:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-03 20:18 . 2010-03-19 09:53 1 ----a-w- c:\documents and settings\Cynthia\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-03-03 20:17 . 2010-03-19 09:53 -------- d-----w- c:\documents and settings\Cynthia\Application Data\OpenOffice.org2
2010-03-03 20:15 . 2010-03-03 20:15 -------- d-----w- c:\program files\OpenOffice.org 2.4
2010-03-02 23:08 . 2010-03-02 23:08 -------- d-----w- c:\program files\Common Files\Java
2010-02-28 18:18 . 2010-02-28 18:18 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-28 15:05 . 2010-03-10 15:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-27 22:34 . 2010-02-27 22:34 -------- d-----w- c:\documents and settings\Cynthia\Application Data\Malwarebytes
2010-02-27 22:34 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 22:34 . 2010-02-27 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-27 22:34 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 22:34 . 2010-02-27 22:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 12:46 . 2009-08-08 15:23 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-19 12:33 . 2009-06-28 20:26 -------- d-----w- c:\documents and settings\Cynthia\Application Data\Skype
2010-03-19 09:30 . 2009-06-28 20:29 -------- d-----w- c:\documents and settings\Cynthia\Application Data\skypePM
2010-03-16 19:06 . 2009-06-28 21:42 -------- d-----w- c:\documents and settings\Cynthia\Application Data\FileZilla
2010-03-15 17:59 . 2009-06-28 22:40 78176 ----a-w- c:\documents and settings\Cynthia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 15:58 . 2009-06-28 18:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-15 15:25 . 2009-06-28 18:22 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-06 09:41 . 2009-09-06 18:36 -------- d-----w- c:\program files\Google
2010-03-03 19:09 . 2009-08-08 15:26 1 ----a-w- c:\documents and settings\Cynthia\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-02 23:08 . 2009-07-21 19:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-02 23:08 . 2009-07-21 19:44 -------- d-----w- c:\program files\Java
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\Superantispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- f:\program files\Superantispyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Cynthia^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Cynthia\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cynthia^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Cynthia\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 14:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 00:57 35760 ----a-w- f:\program files\Adobe\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 14:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 15:40 2012912 ----a-w- f:\program files\Superantispyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;f:\program files\Superantispyware\sasdifsv.sys [17/02/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;f:\program files\Superantispyware\SASKUTIL.SYS [17/02/2010 10:15 AM 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [15/03/2010 4:50 PM 108289]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/09/2009 11:26 AM 133104]
S3 SASENUM;SASENUM;f:\program files\Superantispyware\SASENUM.SYS [17/02/2010 10:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-21 10:26]

2010-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-21 10:26]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {49227DB2-EFA4-4F5F-A5FE-42D767B1ACD5} = 77.239.239.5,77.239.238.242
FF - ProfilePath - c:\documents and settings\Cynthia\Application Data\Mozilla\Firefox\Profiles\39knic30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.redspective.com/
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: f:\program files\Adobe\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-iTunesHelper - f:\itunes\iTunesHelper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-19 13:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(504)
f:\program files\Superantispyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2344)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-03-19 13:55:08
ComboFix-quarantined-files.txt 2010-03-19 12:54

Pre-Run: 1,194,876,928 bytes free
Post-Run: 1,331,359,744 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 38106F0925B517FA3F7BC5BC10223C96


#8 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:08:57 AM

Posted 19 March 2010 - 01:01 PM

According to your logs, you are extremely low on free space on your Hard Drive. To free up space, you can do the following things. One is to go to Add/Remove Programs and uninstall any programs you no longer use. Be sure to reboot your computer after you're done uninstalling programs. Another thing you can do is, if you have any movies, music, etc. that you don't need, you can delete them. Or if you want to keep them, you can move them over to a USB/Flash Drive or to an external Hard Drive.


I also see that Avira is out of date. Please update it as soon as possible.

Finally, do you recognize the following IP Addresses?:

77.239.239.5

77.239.238.242


And do you recognize the following website?:

anthill.ru

MalWare Removal University Master

Member of ASAP
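The questions in the post above come straight from particular lines of the ComboFix log: the `TCP: {GUID} = ...` entries list the DNS servers configured on each network interface (a hijacked resolver is one common cause of the browser redirects this thread is about), and the `AntiVirusOverride`, `FirewallOverride` and `EnableFirewall` values show whether Security Center alerts and the Windows Firewall have been switched off. The following Python script is an added example, not a BleepingComputer, ComboFix or DDS tool; it pulls those items out of a constructed sample built from lines in this thread's logs and lists them as questions for the user, which is the approach the helper takes here. The `EXPECTED_DNS` allow-list is hypothetical; a real helper would fill it from the user's ISP or router, or leave it empty so that every non-private resolver is listed for confirmation.

```python
"""Triage helper for the ComboFix / DDS style logs posted in this thread.

Added example, not a BleepingComputer, ComboFix or DDS tool. It pulls out the
lines a log reader checks first when the complaint is browser redirects:
the per-interface DNS servers ("TCP: {GUID} = ip,ip"), the Security Center
override flags, the Windows Firewall state and the browser start/search
URLs. Every finding is a question for the user, not a malware verdict.
"""
import ipaddress
import re

# Constructed sample in the format of the logs above; the values are copied
# from the ComboFix and DDS logs in this thread. Unrecognised lines are ignored.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {32F43FC9-F68C-412C-9A6E-9C7C23D801AE} = 217.0.43.65 217.0.43.81
TCP: {49227DB2-EFA4-4F5F-A5FE-42D767B1ACD5} = 77.239.239.5,77.239.238.242
FF - prefs.js: browser.startup.homepage - hxxp://www.redspective.com/
"""

# Hypothetical allow-list of resolver ranges the user is known to use; a
# helper would fill it from the user's ISP or router, or leave it empty so
# that every non-private DNS server is listed for the user to confirm.
EXPECTED_DNS = ["217.0.43.0/24"]

DNS_LINE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
REG_VALUE = re.compile(r'^"(\w+)"\s*=\s*(?:dword:([0-9a-fA-F]+)|(\d+))')
URL_LINE = re.compile(r"^(u[^\s=]+|FF - prefs\.js: \S+)\s*[=-]\s*(hxxp\S+)$")


def parse_dns_servers(text):
    """Return {interface GUID: [DNS server IPs]} from the 'TCP:' lines."""
    servers = {}
    for line in text.splitlines():
        m = DNS_LINE.match(line.strip())
        if m:  # servers are separated by commas and/or spaces
            servers[m.group(1)] = [s for s in re.split(r"[,\s]+", m.group(2)) if s]
    return servers


def parse_reg_values(text):
    """Return {name: int} for the dword / numeric registry values the log prints."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2), 16) if m.group(2) else int(m.group(3))
    return values


def parse_browser_urls(text):
    """Return [(setting, url)] with the log's hxxp defanging undone."""
    found = []
    for line in text.splitlines():
        m = URL_LINE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2).replace("hxxp", "http", 1)))
    return found


def triage(text, expected_dns=EXPECTED_DNS):
    """List the items a log reader would raise with the user, in log order."""
    nets = [ipaddress.ip_network(n) for n in expected_dns]
    findings = []
    for guid, ips in parse_dns_servers(text).items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if addr.is_private or any(addr in net for net in nets):
                continue  # home router or known ISP resolver: nothing to ask
            findings.append(f"verify DNS server {ip} on interface {guid}")
    reg = parse_reg_values(text)
    if reg.get("AntiVirusOverride") == 1:
        findings.append("Security Center antivirus alerts are suppressed (AntiVirusOverride=1)")
    if reg.get("FirewallOverride") == 1:
        findings.append("Security Center firewall alerts are suppressed (FirewallOverride=1)")
    if reg.get("EnableFirewall") == 0:
        findings.append("Windows Firewall is off for the standard profile (EnableFirewall=0)")
    for setting, url in parse_browser_urls(text):
        findings.append(f"confirm browser setting {setting} -> {url}")
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print("-", item)
```

Run against the sample, the two 217.0.43.x resolvers are skipped because they fall in the allow-list, the two 77.239.x resolvers are listed for the user to confirm (which is exactly what the thread then does, and they turn out to be the user's former ISP), and the three registry values are reported as review items rather than as an infection, since security software and ComboFix itself can legitimately set them.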


#9 CynthiaC

CynthiaC
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 19 March 2010 - 01:30 PM

Hello, I have a partitioned hard drive, and when I updated with service pack 3 recently for some reason it wiped out a fair bit of my free space on C - I am yet to move across some more space from my other partitions - normally I keep it with about 2gig spare and use my C drive for system and programmes only. Music I keep on another partition as with files, as I use my computer for my business also. I have uninstalled some surplus programmes, to save a bit for now.

Avira updated now

I don't know the IP addresses you mentioned - but I don't keep track of IP addresses, so unfortunately I wouldn't be able to tell you if they were good or bad. I know mine starts with 79 mostly

Anthill.ru was the internet provider for my apartment in Russia. We don't use them anymore, but many people still do, and the Russian networks are full of nasties. I usually keep my Avira on and up to date if I login over there.

Hope this helps
C


#10 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:08:57 AM

Posted 19 March 2010 - 07:31 PM

QUOTE
I don't know the IP addresses you mentioned - but I don't keep track of IP addresses, so unfortunately I wouldn't be able to tell you if they were good or bad. I know mine starts with 79 mostly

Anthill.ru was the internet provider for my apartment in Russia. We don't use them anymore, but many people still do, and the Russian networks are full of nasties. I usually keep my Avira on and up to date if I login over there.

Hope this helps
C


It does. The two IP addresses, 77.239.239.5 and 77.239.238.242, belong to anthill.ru. Since you recognize anthill.ru as your ISP in Russia and not a bad website, both IPs are fine and not malicious.



Step # 1 Remove old versions of Java

Older Java versions have vulnerabilities and need to be removed.

Go to Start-Settings-Control Panel, click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

Java™ 6 Update 13

Reboot your Computer.



Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3: Download and Run GooredFix

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Step # 4: Run Malwarebytes' Anti-Malware

  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
      • Click on the Malwarebytes' Anti-Malware icon to launch the program.
      • Click on the Logs tab.
      • Click on the log at the bottom of those listed to highlight it.
      • Click Open.

In your next post/reply, I need to see the following:

1. GooredFix Log
2. MalwareBytes' Log
3. A fresh DDS Log

Edited by km2357, 19 March 2010 - 07:34 PM.

MalWare Removal University Master

Member of ASAP


#11 CynthiaC

CynthiaC
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 20 March 2010 - 07:14 AM

Hi,
Java 13 done, thanks

ATF Cleaner done (great little tool! easier than what I generally do, which was completely manual)

Just wanted to also let you know, Avira is picking up odd trojans (but I guess that means she's working) - the redirection issue seems to have disappeared (which was much nicer to work with yesterday) - but the last 2 times I thought I had fixed it, it came back after 3 or 4 days...


GooredFix by jpshortstuff (08.01.10.1)
Log created at 12:43 on 20/03/2010 (Cynthia)
Firefox version 3.6 (en-US)

========== GooredScan ==========

(none)

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:20 15/03/2010]

C:\Documents and Settings\Cynthia\Application Data\Mozilla\Firefox\Profiles\39knic30.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:08 02/03/2010]

---------- Old Logs ----------

-=E.O.F=-



Malwarebytes' Anti-Malware 1.44
Database version: 3886
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/03/2010 12:49:53 PM
mbam-log-2010-03-20 (12-49-53).txt

Scan type: Quick Scan
Objects scanned: 110805
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS (Ver_10-03-17.01) - NTFSx86
Run by Cynthia at 12:52:14.31 on Sat 20/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1033.18.2030.1481 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Cynthia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl05a\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {32F43FC9-F68C-412C-9A6E-9C7C23D801AE} = 217.0.43.65 217.0.43.81
TCP: {49227DB2-EFA4-4F5F-A5FE-42D767B1ACD5} = 77.239.239.5,77.239.238.242
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cynthia\applic~1\mozilla\firefox\profiles\39knic30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.redspective.com/
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: f:\program files\adobe\reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-15 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-15 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-15 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-28 56816]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-21 133104]

=============== Created Last 30 ================

2010-03-19 12:48:31 0 d-sha-r- C:\cmdcons
2010-03-19 12:47:23 98816 ----a-w- c:\windows\sed.exe
2010-03-19 12:47:23 77312 ----a-w- c:\windows\MBR.exe
2010-03-19 12:47:23 261632 ----a-w- c:\windows\PEV.exe
2010-03-19 12:47:23 161792 ----a-w- c:\windows\SWREG.exe
2010-03-19 12:47:15 0 d-----w- C:\ComboFix
2010-03-15 19:14:25 0 ----a-w- c:\documents and settings\cynthia\defogger_reenable
2010-03-15 17:43:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-15 16:43:38 0 d-----w- c:\windows\pss
2010-03-15 15:50:30 0 d-----w- c:\program files\Avira
2010-03-15 15:50:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-03-15 15:23:12 0 d-----w- c:\windows\system32\scripting
2010-03-15 15:23:12 0 d-----w- c:\windows\l2schemas
2010-03-15 15:23:11 0 d-----w- c:\windows\system32\en
2010-03-15 15:23:10 0 d-----w- c:\windows\system32\bits
2010-03-15 15:16:11 0 d-----w- c:\windows\network diagnostic
2010-03-15 15:12:05 0 d-----w- c:\windows\EHome
2010-03-09 14:47:45 0 d-----w- c:\docume~1\cynthia\applic~1\SUPERAntiSpyware.com
2010-03-07 23:15:54 0 d-----w- c:\windows\system32\NtmsData
2010-03-05 21:44:54 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-03 20:15:36 0 d-----w- c:\program files\OpenOffice.org 2.4
2010-02-27 22:34:14 0 d-----w- c:\docume~1\cynthia\applic~1\Malwarebytes
2010-02-27 22:34:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 22:34:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-27 22:34:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 22:34:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-03-02 23:08:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll

============= FINISH: 12:52:38.20 ===============




#12 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 20 March 2010 - 12:12 PM

QUOTE
Just wanted to also let you know, Avira is picking up odd trojans (but I guess that means she's working)


If you still have it, please post the latest Avira Log (that shows what it deleted/removed) in your next post/reply.


QUOTE
the redirection issue seems to have disappeared (which was much nicer to work with yesterday) - but the last 2 times I thought I had fixed it, it came back after 3 or 4 days...


OK. Let me know if the redirects come back at any time while we are working on your computer.


Your Adobe Reader is out of date. Open up Adobe Reader, click Help, then click Check for Updates. Once Adobe Reader is done checking for updates, have it download and install Adobe Reader 9.3.1.


Step # 1: Run Kaspersky Online Scan

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. The Avira Log
2. The Kaspersky Log

MalWare Removal University Master

Member of ASAP


#13 CynthiaC

CynthiaC
  • Topic Starter

  • Members
  • 10 posts

Posted 21 March 2010 - 09:44 AM

Logs for you, Cheers



Exported events:

20/03/2010 19:16 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{F901A0DB-FF4A-4AE2-81C9-EB73A9C7F292}\RP253\A0069213.exe'
contained a virus or unwanted program 'TR/Agent.GW.195' [trojan]
Action(s) taken:
The file was moved to '4bd5112b.qua'!

20/03/2010 19:16 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 232545
Number of folders: 7123
Number of malware: 1
Number of errors: 1

20/03/2010 18:38 [Scheduler] Job started
The job "Complete system scan"
was started successfully.

20/03/2010 12:47 [Guard] Malware found
Virus or unwanted program 'TR/Agent.GW.195 [trojan]'
detected in file 'C:\WINDOWS\system32\dbjvoaxlxi.exe.
Action performed: Move file to quarantine

20/03/2010 12:37 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.196
Version of VDF: 7.10.5.155

20/03/2010 12:37 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

20/03/2010 11:39 [Guard] Service stopped
Service stopped.

20/03/2010 11:39 [Scheduler] Service stopped
The service was stopped.

20/03/2010 10:24 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.196
Version of VDF: 7.10.5.155

20/03/2010 10:24 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

20/03/2010 3:29 [Guard] Service stopped
Service stopped.

20/03/2010 3:29 [Scheduler] Service stopped
The service was stopped.

20/03/2010 0:20 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.196
Version of VDF: 7.10.5.155

20/03/2010 0:20 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 23:25 [Guard] Service stopped
Service stopped.

19/03/2010 23:25 [Scheduler] Service stopped
The service was stopped.

19/03/2010 21:44 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.196
Version of VDF: 7.10.5.155

19/03/2010 21:44 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 21:43 [Guard] Service stopped
Service stopped.

19/03/2010 21:43 [Scheduler] Service stopped
The service was stopped.

19/03/2010 21:37 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.196
Version of VDF: 7.10.5.155

19/03/2010 21:37 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 21:36 [Guard] Service stopped
Service stopped.

19/03/2010 21:36 [Scheduler] Service stopped
The service was stopped.

19/03/2010 21:35 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.196
Version of VDF: 7.10.5.155

19/03/2010 21:35 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 21:34 [Guard] Service stopped
Service stopped.

19/03/2010 21:34 [Scheduler] Service stopped
The service was stopped.

19/03/2010 21:30 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.196
Version of VDF: 7.10.5.155

19/03/2010 21:30 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 21:29 [Guard] Service stopped
Service stopped.

19/03/2010 21:29 [Scheduler] Service stopped
The service was stopped.

19/03/2010 20:38 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.196
Version of VDF: 7.10.5.155

19/03/2010 20:38 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 20:28 [Guard] Service stopped
Service stopped.

19/03/2010 20:28 [Scheduler] Service stopped
The service was stopped.

19/03/2010 19:36 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.196
Version of VDF: 7.10.5.155

19/03/2010 19:36 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 19:35 [Guard] Service stopped
Service stopped.

19/03/2010 19:35 [Scheduler] Service stopped
The service was stopped.

19/03/2010 19:21 [Updater] Update successfully carried out
Update of Avira AntiVir Personal - Free Antivirus on computer HUNEY
(10.23.45.78) successful.
The following files were updated by http://62.146.66.187/update:
vbase017.vdf 7.10.5.91
vbase018.vdf 7.10.5.121
vbase019.vdf 7.10.5.138
vbase020.vdf 7.10.5.139
vbase021.vdf 7.10.5.140
vbase022.vdf 7.10.5.141
vbase023.vdf 7.10.5.142
vbase024.vdf 7.10.5.143
vbase025.vdf 7.10.5.144
vbase026.vdf 7.10.5.145
vbase027.vdf 7.10.5.146
vbase028.vdf 7.10.5.147
vbase029.vdf 7.10.5.148
vbase030.vdf 7.10.5.149
vbase031.vdf 7.10.5.155
aevdf.dat 7.10.5.155
aecore.dll 8.1.12.3
aegen.dll 8.1.3.2
aehelp.dll 8.1.10.2
aeheur.dll 8.1.1.13
aeoffice.dll 8.1.0.41
aepack.dll 8.2.1.1
aerdl.dll 8.1.4.3
aescript.dll 8.1.3.18
aesbx.dll 8.1.2.1
aeset.dat 8.2.1.196
build.dat 9.0.0.419
wksstats.dll 9.0.0.5

19/03/2010 19:21 [Guard] Reload engine.
The Engine was reloaded.
Engine Version: 8.02.01.196
VDF Version: 7.10.05.155

19/03/2010 19:19 [Scheduler] Job started
The job "Immediate Update"
was started successfully.

19/03/2010 18:00 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

19/03/2010 18:00 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 17:35 [Guard] Service stopped
Service stopped.

19/03/2010 17:35 [Scheduler] Service stopped
The service was stopped.

19/03/2010 13:45 [Guard] AntiVir Guard disabled
AntiVir Guard was disabled.

19/03/2010 13:44 [Guard] Malware found
Virus or unwanted program 'TR/BHO.adou [trojan]'
detected in file 'C:\32788R22FWJFW\pev.exe.
Action performed: Deny access

19/03/2010 13:40 [Guard] Malware found
Virus or unwanted program 'TR/BHO.adou [trojan]'
detected in file 'C:\32788R22FWJFW\pev.exe.
Action performed: Move file to quarantine

19/03/2010 13:32 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

19/03/2010 13:31 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 13:18 [Guard] Service stopped
Service stopped.

19/03/2010 13:18 [Scheduler] Service stopped
The service was stopped.

19/03/2010 13:00 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

19/03/2010 13:00 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 12:06 [Guard] Service stopped
Service stopped.

19/03/2010 12:06 [Scheduler] Service stopped
The service was stopped.

19/03/2010 11:09 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

19/03/2010 11:08 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 11:03 [Guard] Service stopped
Service stopped.

19/03/2010 11:03 [Scheduler] Service stopped
The service was stopped.

19/03/2010 10:56 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

19/03/2010 10:56 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 10:55 [Guard] Service stopped
Service stopped.

19/03/2010 10:55 [Scheduler] Service stopped
The service was stopped.

19/03/2010 10:48 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

19/03/2010 10:48 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 10:47 [Guard] Service stopped
Service stopped.

19/03/2010 10:47 [Scheduler] Service stopped
The service was stopped.

19/03/2010 10:42 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

19/03/2010 10:42 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 10:41 [Guard] Service stopped
Service stopped.

19/03/2010 10:41 [Scheduler] Service stopped
The service was stopped.

19/03/2010 10:33 [Guard] AntiVir Guard disabled
AntiVir Guard was disabled.

19/03/2010 10:29 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

19/03/2010 10:29 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 10:18 [Guard] Service stopped
Service stopped.

19/03/2010 10:18 [Scheduler] Service stopped
The service was stopped.

19/03/2010 9:28 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

19/03/2010 9:28 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

19/03/2010 0:56 [Guard] Service stopped
Service stopped.

19/03/2010 0:56 [Scheduler] Service stopped
The service was stopped.

18/03/2010 20:41 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

18/03/2010 20:41 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

18/03/2010 20:19 [Guard] Service stopped
Service stopped.

18/03/2010 20:19 [Scheduler] Service stopped
The service was stopped.

18/03/2010 12:45 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

18/03/2010 12:44 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

18/03/2010 12:32 [Guard] Service stopped
Service stopped.

18/03/2010 12:32 [Scheduler] Service stopped
The service was stopped.

18/03/2010 7:57 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

18/03/2010 7:56 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

18/03/2010 2:12 [Guard] Service stopped
Service stopped.

18/03/2010 2:12 [Scheduler] Service stopped
The service was stopped.

18/03/2010 0:40 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

18/03/2010 0:40 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

17/03/2010 20:22 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

17/03/2010 20:21 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

17/03/2010 20:15 [Guard] Service stopped
Service stopped.

17/03/2010 20:15 [Scheduler] Service stopped
The service was stopped.

17/03/2010 18:54 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

17/03/2010 18:53 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

17/03/2010 18:48 [Guard] Service stopped
Service stopped.

17/03/2010 18:48 [Scheduler] Service stopped
The service was stopped.

17/03/2010 15:30 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

17/03/2010 15:30 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

17/03/2010 15:08 [Guard] Service stopped
Service stopped.

17/03/2010 15:08 [Scheduler] Service stopped
The service was stopped.

17/03/2010 13:04 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

17/03/2010 13:04 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

17/03/2010 12:55 [Guard] Service stopped
Service stopped.

17/03/2010 12:55 [Scheduler] Service stopped
The service was stopped.

17/03/2010 10:30 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

17/03/2010 10:30 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

17/03/2010 10:18 [Guard] Service stopped
Service stopped.

17/03/2010 10:18 [Scheduler] Service stopped
The service was stopped.

17/03/2010 9:24 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

17/03/2010 9:23 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

17/03/2010 0:53 [Guard] Service stopped
Service stopped.

17/03/2010 0:53 [Scheduler] Service stopped
The service was stopped.

16/03/2010 23:27 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

16/03/2010 23:27 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

16/03/2010 23:01 [Guard] Service stopped
Service stopped.

16/03/2010 23:01 [Scheduler] Service stopped
The service was stopped.

16/03/2010 20:19 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

16/03/2010 20:19 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

16/03/2010 20:07 [Guard] Service stopped
Service stopped.

16/03/2010 20:07 [Scheduler] Service stopped
The service was stopped.

16/03/2010 18:37 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

16/03/2010 18:37 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

16/03/2010 18:01 [Guard] Service stopped
Service stopped.

16/03/2010 18:01 [Scheduler] Service stopped
The service was stopped.

16/03/2010 13:56 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

16/03/2010 13:55 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

16/03/2010 13:09 [Guard] Service stopped
Service stopped.

16/03/2010 13:09 [Scheduler] Service stopped
The service was stopped.

16/03/2010 12:14 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

16/03/2010 12:14 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

16/03/2010 11:04 [Guard] Malware found
Virus or unwanted program 'EXP/Pidief.36193 [exploit]'
detected in file 'C:\Documents and Settings\NetworkService\Local
Settings\Temporary Internet
Files\Content.IE5\KLUFXDEM\s002106201317r0019R10c69b1cX3e55ec02Y75cb197bZ0100f08
0[1].pdf.
Action performed: Move file to quarantine

16/03/2010 11:04 [Guard] Malware found
Virus or unwanted program 'EXP/Pidief.36193 [exploit]'
detected in file 'C:\Documents and Settings\NetworkService\Local
Settings\Temporary Internet
Files\Content.IE5\KLUFXDEM\s002106201317r0019R10c69b1cX3e55ec02Y75cb197bZ0100f08
0[1].pdf.
Action performed: Deny access

16/03/2010 9:43 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

16/03/2010 9:42 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

16/03/2010 9:26 [Guard] Service stopped
Service stopped.

16/03/2010 9:26 [Scheduler] Service stopped
The service was stopped.

16/03/2010 7:16 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

16/03/2010 7:15 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

16/03/2010 0:59 [Guard] Service stopped
Service stopped.

16/03/2010 0:59 [Scheduler] Service stopped
The service was stopped.

15/03/2010 22:29 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

15/03/2010 22:28 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

15/03/2010 21:55 [Guard] Service stopped
Service stopped.

15/03/2010 21:55 [Scheduler] Service stopped
The service was stopped.

15/03/2010 19:53 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

15/03/2010 19:52 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

15/03/2010 19:39 [Guard] Service stopped
Service stopped.

15/03/2010 19:39 [Scheduler] Service stopped
The service was stopped.

15/03/2010 18:39 [Scanner] Malware found
The file 'C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary
Internet Files\Content.IE5\DA5G13N5\inc[1].exe'
contained a virus or unwanted program 'TR/Agent.dnze.5' [trojan]
Action(s) taken:
The file was moved to '4c017140.qua'!

15/03/2010 18:39 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{F901A0DB-FF4A-4AE2-81C9-EB73A9C7F292}\RP246\A0063539.exe'
contained a virus or unwanted program 'TR/Agent.dnze.5' [trojan]
Action(s) taken:
The file was moved to '4bce7102.qua'!

15/03/2010 18:39 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 261155
Number of folders: 7218
Number of malware: 3
Number of errors: 1

15/03/2010 18:39 [Scanner] Malware found
The file 'C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary
Internet Files\Content.IE5\DA5G13N5\ind[1].exe'
contained a virus or unwanted program 'TR/Obfuscated.CW.38' [trojan]
Action(s) taken:
The file was moved to '4c027140.qua'!

15/03/2010 18:03 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 3
Number of folders: 1
Number of malware: 0
Number of errors: 0

15/03/2010 17:49 [Scheduler] Job started
The job "Complete system scan"
was started successfully.

15/03/2010 17:47 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

15/03/2010 17:47 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

15/03/2010 17:46 [Guard] Service stopped
Service stopped.

15/03/2010 17:46 [Scheduler] Service stopped
The service was stopped.

15/03/2010 17:38 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.180
Version of VDF: 7.10.5.87

15/03/2010 17:37 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

15/03/2010 17:36 [Guard] Service stopped
Service stopped.

15/03/2010 17:36 [Scheduler] Service stopped
The service was stopped.

15/03/2010 17:14 [Guard] Malware found
Virus or unwanted program 'TR/Agent.dnze.5 [trojan]'
detected in file 'C:\WINDOWS\system32\bxylwepqz.exe.
Action performed: Move file to quarantine

15/03/2010 17:00 [Scanner] Scan
Scan ended [The scan has been canceled!].
Number of files: 0
Number of folders: 0
Number of malware: 0
Number of errors: 0

15/03/2010 17:00 [Scheduler] Job started
The job "Complete system scan"
was started successfully.

15/03/2010 16:54 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 108
Number of folders: 0
Number of malware: 0
Number of errors: 0

15/03/2010 16:54 [Updater] Update successfully carried out
Update of Avira AntiVir Personal - Free Antivirus on computer HUNEY
(10.23.45.78) successful.
The following files were updated by http://62.146.66.187/update:
vbase001.vdf 7.10.1.0
vbase002.vdf 7.10.3.1
vbase003.vdf 7.10.3.75
vbase004.vdf 7.10.4.203
vbase005.vdf 7.10.4.204
vbase006.vdf 7.10.4.205
vbase007.vdf 7.10.4.206
vbase008.vdf 7.10.4.207
vbase009.vdf 7.10.4.208
vbase010.vdf 7.10.4.209
vbase011.vdf 7.10.4.210
vbase012.vdf 7.10.4.211
vbase013.vdf 7.10.4.242
vbase014.vdf 7.10.5.17
vbase015.vdf 7.10.5.44
vbase016.vdf 7.10.5.69
vbase017.vdf 7.10.5.70
vbase018.vdf 7.10.5.71
vbase019.vdf 7.10.5.72
vbase020.vdf 7.10.5.73
vbase021.vdf 7.10.5.74
vbase022.vdf 7.10.5.75
vbase023.vdf 7.10.5.76
vbase024.vdf 7.10.5.77
vbase025.vdf 7.10.5.78
vbase026.vdf 7.10.5.79
vbase027.vdf 7.10.5.80
vbase028.vdf 7.10.5.81
vbase029.vdf 7.10.5.82
vbase030.vdf 7.10.5.83
vbase031.vdf 7.10.5.87
aevdf.dat 7.10.5.87
aecore.dll 8.1.12.2
aegen.dll 8.1.2.0
aehelp.dll 8.1.10.1
aeheur.dll 8.1.1.7
aeoffice.dll 8.1.0.39
aepack.dll 8.2.1.0
aerdl.dll 8.1.4.2
aescn.dll 8.1.5.0
aescript.dll 8.1.3.17
aevdf.dll 8.1.1.3
aesbx.dll 8.1.2.0
aeset.dat 8.2.1.180
avrep.dll 8.0.0.7
Important new program files are available for download./r Please access the
user interface configuration and select /r "Start product update" to load and
install these new files.

15/03/2010 16:54 [Guard] Reload engine.
The Engine was reloaded.
Engine Version: 8.02.01.180
VDF Version: 7.10.05.87

15/03/2010 16:52 [Scheduler] Job started
The job "Immediate Update"
was started successfully.

15/03/2010 16:51 [Scheduler] Service started
The service was started.
Version of service 9.0.0.9

15/03/2010 16:51 [Guard] Service started
Service started.
Version of service: 9.0.1.32
Version of Engine: 8.2.1.59
Version of VDF: 7.10.0.33


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, March 21, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, March 21, 2010 09:36:05
Records in database: 3837196
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 58887
Threats found: 31
Infected objects found: 52
Suspicious objects found: 0
Scan duration: 01:51:54


File name / Threat / Threats count
C:\Documents and Settings\Cynthia\Application Data\Sun\Java\Deployment\cache\6.0\38\67df4166-2efcc205 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\Cynthia\Application Data\Sun\Java\Deployment\cache\6.0\58\1cbe047a-2efbe485 Infected: Trojan-Downloader.Java.Agent.ax 3
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\Local Folders\Junk Infected: Backdoor.Win32.Bredolab.bvb 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\Local Folders\Junk Infected: Trojan.Win32.Pakes.nwx 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\Local Folders\Junk Infected: Trojan.Win32.FraudPack.anmu 2
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\Local Folders\Junk Infected: Trojan.Win32.Agent2.cpgi 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\Local Folders\Junk Infected: Backdoor.Win32.Bredolab.czy 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\Local Folders\Junk Infected: Trojan.Win32.FraudPack.aoda 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\Local Folders\Junk Infected: Trojan-Downloader.Win32.Agent.dira 2
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.ma 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.my 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.qf 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.ra 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.sh 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.tq 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.up 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.vh 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.aue 3
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.aug 4
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredavi.ajd 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.aka 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Packed.Win32.Krap.x 2
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Trojan.Win32.FraudPack.xek 2
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.ats 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Backdoor.Win32.Bredolab.atx 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Inbox Infected: Packed.Win32.Krap.aj 2
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Trash Infected: Trojan.Win32.Agent.dlek 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Trash Infected: Trojan.Win32.Agent.dmyq 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Trash Infected: Trojan-PSW.Win32.Agent.qdy 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\pop.redspective.com\Trash Infected: Trojan-Downloader.Win32.FraudLoad.gmx 3
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\redspective.com\Inbox Infected: Trojan.Win32.FraudPack.anmu 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\redspective.com\Inbox Infected: Trojan.Win32.Agent2.cpgi 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\redspective.com\Inbox Infected: Trojan.Win32.FraudPack.aoda 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\redspective.com\Inbox Infected: Trojan-Downloader.Win32.Agent.dira 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\redspective.com\Inbox Infected: Trojan-PSW.Win32.Agent.qdy 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\redspective.com\Inbox Infected: Trojan.Win32.Sasfis.ajhu 1
C:\Documents and Settings\Cynthia\Application Data\Thunderbird\Profiles\x7aztmx2.default\Mail\redspective.com\Inbox Infected: Trojan-Downloader.Win32.FraudLoad.gmx 2

Selected area has been scanned.





#14 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 21 March 2010 - 12:07 PM

I'd like for you to open up Thunderbird and delete any e-mails in the Inbox that you no longer need. Also delete all e-mails that are in the Junk/Spam/Bulk/Trash folder.

Your version of Thunderbird is out of date as well.

The latest version is 3.0.3. You can get it from the link below:

http://www.mozillamessaging.com/en-US/thunderbird/


Step # 1 Clear Java's Cache

Click Start > Control Panel
  • Double-click the Java icon in the control panel. (coffeecup icon)
  • Click Settings under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache:
      - Delete Files
      - View Applications
      - View Applets
  • Click OK on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
  • Close the Java Control Panel.

You can view those instructions along with graphics here

MalWare Removal University Master

Member of ASAP
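
The scanner lines earlier in the thread name whole Thunderbird mbox files (Inbox, Trash) as "Infected" because every message in a Thunderbird folder is stored in one mbox file, so each detection is really a message carrying a malicious attachment somewhere inside that file. The following Python script is an added example for this thread, not code from the post above or from Mozilla: it walks an mbox file and lists which messages carry executable-looking attachments, so only those need deleting rather than the whole Inbox. It also reads Thunderbird's X-Mozilla-Status header, because deleting a message in Thunderbird only sets the expunged flag (0x0008) and leaves the bytes on disk until the folder is compacted (File > Compact Folders); an antivirus rescan of the mbox will keep hitting until then. The three-message sample mailbox, its addresses, file names and attachment bytes are all constructed here for the demonstration, and the list of risky extensions is this example's own choice.

```python
"""Triage a Thunderbird mbox folder for executable-looking attachments.

Added example, not code from the thread. The sample mailbox built by
build_sample_mbox() is constructed for demonstration only.
"""
import mailbox
import os
import re
import tempfile
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Dict, List, Optional

# Extensions and content types that should not arrive by e-mail unannounced
# (this list is an assumption of the example, not from the thread).
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js",
             ".zip", ".rar"}
RISKY_CTYPE = {"application/x-msdownload", "application/x-dosexec",
               "application/x-msdos-program"}
# "invoice.pdf.exe", "photo.jpg.scr": a harmless-looking extension in front.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|xls|jpg|png|txt|htm|html)\.[a-z0-9]{2,4}$",
                        re.IGNORECASE)

# Thunderbird flag bit in X-Mozilla-Status: message deleted but still on disk
# until the folder is compacted.
MSG_FLAG_EXPUNGED = 0x0008


def risky_attachments(msg: Message) -> List[str]:
    """Return the file names of attachments that look executable."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a leaf part
        fname = part.get_filename()
        if not fname:
            continue  # inline body text, no attachment
        ext = os.path.splitext(fname)[1].lower()
        if (ext in RISKY_EXT or DOUBLE_EXT.search(fname)
                or part.get_content_type() in RISKY_CTYPE):
            hits.append(fname)
    return hits


def is_expunged(msg: Message) -> bool:
    """True if Thunderbird already marked the message deleted (not yet compacted)."""
    try:
        flags = int(msg.get("X-Mozilla-Status", "0000"), 16)
    except ValueError:
        return False
    return bool(flags & MSG_FLAG_EXPUNGED)


def triage_mbox(path: str) -> List[Dict]:
    """List the messages in an mbox file that carry risky attachments."""
    findings = []
    box = mailbox.mbox(path)
    try:
        for key, msg in box.iteritems():
            hits = risky_attachments(msg)
            if hits:
                findings.append({
                    "key": key,
                    "from": msg.get("From", ""),
                    "subject": msg.get("Subject", ""),
                    "attachments": hits,
                    "expunged": is_expunged(msg),
                })
    finally:
        box.close()
    return findings


def build_sample_mbox(directory: Optional[str] = None) -> str:
    """Write a constructed three-message Inbox (not real mail) and return its path."""
    path = os.path.join(directory or tempfile.mkdtemp(), "Inbox")
    box = mailbox.mbox(path)
    # 1: ordinary text mail, nothing attached
    m1 = MIMEText("See you Monday.")
    m1["From"] = "friend@example.org"
    m1["Subject"] = "Monday"
    m1["X-Mozilla-Status"] = "0001"            # read
    box.add(m1)
    # 2: fake invoice with a double-extension executable (constructed bytes)
    m2 = MIMEMultipart()
    m2["From"] = "billing@example.net"
    m2["Subject"] = "Your invoice"
    m2["X-Mozilla-Status"] = "0000"            # unread
    m2.attach(MIMEText("Please find your invoice attached."))
    exe = MIMEApplication(b"MZ" + b"\x00" * 14, Name="invoice.pdf.exe")
    exe.add_header("Content-Disposition", "attachment", filename="invoice.pdf.exe")
    m2.attach(exe)
    box.add(m2)
    # 3: zipped "photos", already deleted in Thunderbird but not compacted away
    m3 = MIMEMultipart()
    m3["From"] = "noreply@example.com"
    m3["Subject"] = "Photos from the party"
    m3["X-Mozilla-Status"] = "0009"            # read + expunged
    m3.attach(MIMEText("Here are the photos."))
    zipped = MIMEApplication(b"PK\x03\x04" + b"\x00" * 12, "zip", Name="photos.zip")
    zipped.add_header("Content-Disposition", "attachment", filename="photos.zip")
    m3.attach(zipped)
    box.add(m3)
    box.flush()
    box.close()
    return path


if __name__ == "__main__":
    for f in triage_mbox(build_sample_mbox()):
        state = "already deleted, compact the folder to purge it" if f["expunged"] else "delete"
        print(f"#{f['key']} {f['from']!r} {f['subject']!r}: {f['attachments']} -> {state}")
```

To run it against a real profile, pass a path such as the Inbox file under Mail\pop.redspective.com in the profile directory to triage_mbox() with Thunderbird closed, since Thunderbird holds the folder open while it runs. The script only reads the file; removing the flagged messages and then compacting the folder is still done in Thunderbird.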


#15 CynthiaC

  • Topic Starter
  • Members
  • 10 posts

Posted 21 March 2010 - 02:34 PM

all done, thank you



