
AntiMalware 2009 and NewUpdate1142C.exe Help


  • This topic is locked
12 replies to this topic

#1 zalik22 (Members, 7 posts)

Posted 27 April 2010 - 05:37 AM

Hi,

I got the AntiMalware 2009 and NewUpdate1142C.exe viruses and ran Malwarebytes' Anti-Malware in Safe Mode several times to clean the infections. When I run it now, it does not find any infections. I ran Spybot Search and Destroy and it also found nothing. I ran House Call and it also found nothing.

However, when I click on IE8, nothing happens (a window does not even load). I tried to install IE8 again but nothing happens. Firefox works sporadically but when I do some searches on Google, it occasionally takes me to another site or alters my search results.

My Hijackthis log is attached. Sorry if I did not follow instructions, but I have to go to work now and thought maybe somebody could reply to me while I am working so I can fix this tonight.

Thanks for the help!


#2 Maurice Naggar, Eradicator de malware (Malware Response Team, 1,088 posts, USA)

Posted 27 April 2010 - 06:06 AM

Hello,

Please start with the following.
Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Step 3
Spybot's Tea Timer can block changes needed in the process of removing malware. You must set it to OFF.
Right click the Spybot Icon (blue icon with lock ) in the system tray (notification area).
  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

Step 4
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".
Step 5
Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

Step 5
Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or
http://download.bleepingcomputer.com/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
DDS will run in a command prompt window and will take 3 to 4 minutes or so.
  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.
Please include the following logs in your next reply:
GMER log
DDS.txt
Attach.txt


Please Copy & Paste the contents of logs directly into the body of replies. Do NOT use the attachment feature.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 zalik22, Topic Starter (Members, 7 posts)

Posted 27 April 2010 - 07:25 PM

Thanks for the help!

GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-27 20:13:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ZAHEDK~1\LOCALS~1\Temp\pxtdypoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86D30EE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by Zahed Khan at 20:14:12.39 on Tue 04/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.662 [GMT -4:00]

AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Zahed Khan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.espn.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: &Yapta: {c3c07ad6-ace9-43ee-a2af-45bc13f6275f} - c:\program files\yapta\YaptaSidebar.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Citrus Alarm Clock] c:\program files\citrus alarm clock\citrusac.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\zahedk~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\zahedk~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\zahedk~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgetEngine.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {0362b485-11fe-469c-ae98-42f478e581a0} - c:\program files\yapta\YaptaSettings.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0094A600-9BDD-4019-BAFE-487284F7D476} - {C3C07AD6-ACE9-43EE-A2AF-45BC13F6275F} - c:\program files\yapta\YaptaSidebar.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zahedk~1\applic~1\mozilla\firefox\profiles\t38bplxg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com|http://www.yahoo.com/
FF - component: c:\documents and settings\zahed khan\application data\mozilla\firefox\profiles\t38bplxg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-10-22 58464]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-10-22 108480]
S0 jojixwsx;jojixwsx; [x]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S4 cthox;cthox;c:\windows\system32\drivers\cyhhyr.sys [2010-4-26 54016]

=============== Created Last 30 ================

2010-04-27 04:47:01 0 d-----w- c:\program files\AskBardis
2010-04-27 04:13:40 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-27 04:13:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-27 03:55:39 0 d-----w- c:\program files\Trend Micro
2010-04-27 03:49:32 0 dc-h--w- c:\windows\ie8
2010-04-27 03:35:33 0 d-----w- c:\program files\CCleaner
2010-04-27 02:55:46 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-04-27 02:55:42 0 d-----w- c:\program files\Security Task Manager
2010-04-26 22:57:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-26 21:59:38 54016 ----a-w- c:\windows\system32\drivers\cyhhyr.sys
2010-04-26 21:08:24 0 d-----w- c:\docume~1\zahedk~1\applic~1\Malwarebytes
2010-04-26 21:08:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 21:08:14 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 21:08:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 21:08:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-26 10:15:22 1113 ----a-w- c:\windows\lsrslt.ini
2010-04-26 10:13:43 0 d-----w- c:\program files\Lavasoft
2010-04-26 09:40:12 120 ----a-w- c:\windows\Hbojobil.dat
2010-04-26 09:40:12 0 ----a-w- c:\windows\Yyimahixusoy.bin
2010-04-26 09:37:57 93184 --sha-r- c:\windows\system32\kbdukk.dll
2010-04-26 09:37:30 0 d-----w- c:\docume~1\zahedk~1\applic~1\3DFDC85A4996850E74C0277350A6B2EF

==================== Find3M ====================

2010-03-31 02:33:27 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-22 18:38:00 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2008-09-07 07:06:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 20:17:05.42 ===============

Attach.txt
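The DDS "SERVICES / DRIVERS" lines and the GMER file line in the logs above are the kind of entries a malware responder reads first. The following script is an added example, not part of the thread and not a feature of DDS, GMER or any tool the helper recommends: it parses those lines (copied from the logs above as embedded sample input) and flags three patterns. The rules are this example's own heuristics and assumptions: a bracketed `[x]` or `[?]` is read as "service registered but its driver file is absent", a driver file dated within seven days of the scan is treated as worth a look, and any GMER "suspicious modification" line is reported as-is.

```python
"""Triage helper for DDS service/driver lines and GMER file lines.

Added example (not from the forum thread or from the DDS/GMER tools).
The sample lines are copied from the thread's logs; the flagging rules
are this example's own heuristics.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

SCAN_DATE = date(2010, 4, 27)   # date of the DDS/GMER run in the thread
RECENT_DAYS = 7                 # assumed window: a kernel driver this new gets a second look

# Sample input: the service/driver lines DDS printed and the file line GMER
# printed in the thread above, embedded here so the script runs offline.
SAMPLE_LOG = """\
R1 NaiAvTdi1;NaiAvTdi1;c:\\windows\\system32\\drivers\\mvstdi5x.sys [2007-10-22 58464]
R3 NaiAvFilter1;NaiAvFilter1;c:\\windows\\system32\\drivers\\naiavf5x.sys [2007-10-22 108480]
S0 jojixwsx;jojixwsx; [x]
S3 diskchk;diskchk;\\??\\c:\\windows\\system32\\diskchk.sys --> c:\\windows\\system32\\diskchk.sys [?]
S4 cthox;cthox;c:\\windows\\system32\\drivers\\cyhhyr.sys [2010-4-26 54016]
File C:\\WINDOWS\\system32\\drivers\\atapi.sys suspicious modification
"""

# DDS service line: "<type> <name>;<display>;<image path> [<bracket>]"
# Assumed reading of the bracket: "x" = no image path, "?" = path set but
# file not found, otherwise "<date> <size>" of the image file.
DDS_SERVICE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
GMER_SUSPICIOUS = re.compile(r"^File\s+(\S+)\s+suspicious modification\s*$")


@dataclass
class Finding:
    name: str      # service name, or file path for GMER lines
    reason: str
    line: str      # the original log line, kept for the report


def parse_dds_date(text: str) -> Optional[date]:
    """DDS writes dates as YYYY-M-D without zero padding, so split by hand."""
    try:
        y, m, d = (int(p) for p in text.split("-"))
        return date(y, m, d)
    except ValueError:
        return None


def triage_line(line: str, scan_date: date) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = GMER_SUSPICIOUS.match(line)
    if m:
        return Finding(m.group(1), "GMER reports a suspicious modification of a system driver", line)
    m = DDS_SERVICE.match(line)
    if not m:
        return None
    _start_type, name, _display, _image, bracket = m.groups()
    if bracket in ("x", "?"):
        return Finding(name, "service registered but its driver file is missing", line)
    created = parse_dds_date(bracket.split()[0])
    if created and scan_date - created <= timedelta(days=RECENT_DAYS):
        return Finding(name, f"driver file dated {created} within {RECENT_DAYS} days of the scan", line)
    return None


def triage(log_text: str, scan_date: date = SCAN_DATE) -> List[Finding]:
    """Run triage_line over every line and keep the hits, in log order."""
    return [f for f in (triage_line(l, scan_date) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:12} {f.reason}\n    {f.line}")
```

Run it against a saved DDS.txt and Gmer.txt by passing their text to `triage()`; the two McAfee drivers from 2007 pass untouched, while the two entries with no file on disk, the one-day-old `cyhhyr.sys` driver and the modified `atapi.sys` are the lines the helper's ComboFix run later acts on. Heuristics like these only prioritise reading; they do not decide what to delete.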

#4 zalik22, Topic Starter (Members, 7 posts)

Posted 27 April 2010 - 10:17 PM

It seems like my Google search results are being redirected now.

#5 Maurice Naggar, Eradicator de malware (Malware Response Team, 1,088 posts, USA)

Posted 28 April 2010 - 06:24 AM

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3
* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.

Next
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt
and GooredFix.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#6 zalik22, Topic Starter (Members, 7 posts)

Posted 28 April 2010 - 07:55 PM

ComboFix:

ComboFix 10-04-28.03 - Zahed Khan 04/28/2010 20:41:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.725 [GMT -4:00]
Running from: c:\documents and settings\Zahed Khan\Desktop\Combo-Fix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Zahed Khan\Application Data\3DFDC85A4996850E74C0277350A6B2EF
c:\documents and settings\Zahed Khan\Application Data\3DFDC85A4996850E74C0277350A6B2EF\enemies-names.txt
c:\documents and settings\Zahed Khan\Application Data\3DFDC85A4996850E74C0277350A6B2EF\lsrslt.ini
c:\documents and settings\Zahed Khan\Local Settings\Application Data\{F83D244C-0EE8-4DF3-A868-44C8052DD72A}
c:\documents and settings\Zahed Khan\Local Settings\Application Data\{F83D244C-0EE8-4DF3-A868-44C8052DD72A}\chrome.manifest
c:\documents and settings\Zahed Khan\Local Settings\Application Data\{F83D244C-0EE8-4DF3-A868-44C8052DD72A}\chrome\content\_cfg.js
c:\documents and settings\Zahed Khan\Local Settings\Application Data\{F83D244C-0EE8-4DF3-A868-44C8052DD72A}\chrome\content\overlay.xul
c:\documents and settings\Zahed Khan\Local Settings\Application Data\{F83D244C-0EE8-4DF3-A868-44C8052DD72A}\install.rdf
c:\windows\system32\drivers\cyhhyr.sys

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_cthox
-------\Service_cthox


((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 00:41 . 2010-04-29 00:41 -------- d-----w- C:\quarantine
2010-04-28 02:12 . 2010-04-28 02:12 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-28 02:12 . 2010-04-28 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-28 02:12 . 2010-04-28 02:12 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-27 21:14 . 2010-04-27 21:14 -------- d-----w- c:\program files\ERUNT
2010-04-27 04:47 . 2010-04-27 04:47 -------- d-----w- c:\program files\AskBardis
2010-04-27 04:13 . 2010-04-27 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-27 04:13 . 2010-04-27 04:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-27 03:55 . 2010-04-27 03:55 -------- d-----w- c:\program files\Trend Micro
2010-04-27 03:49 . 2010-04-27 03:50 -------- dc-h--w- c:\windows\ie8
2010-04-27 03:35 . 2010-04-27 03:35 -------- d-----w- c:\program files\CCleaner
2010-04-27 02:55 . 2010-04-27 02:55 92 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109610090400000000000F01FEC.dll
2010-04-27 02:55 . 2010-04-27 02:55 51 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_000021091A0090400000000000F01FEC.dll
2010-04-27 02:55 . 2010-04-27 02:55 1509 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109440090400000000000F01FEC.dll
2010-04-27 02:55 . 2010-04-27 02:55 108 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109010090400000000000F01FEC.dll
2010-04-27 02:55 . 2010-04-27 02:55 107 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109510090400000000000F01FEC.dll
2010-04-27 02:55 . 2010-04-27 02:55 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109711090400000000000F01FEC.dll
2010-04-27 02:55 . 2010-04-27 02:55 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109511090400000000000F01FEC.dll
2010-04-27 02:55 . 2010-04-27 02:55 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109411090400000000000F01FEC.dll
2010-04-27 02:55 . 2010-04-27 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-04-27 02:55 . 2010-04-27 02:55 -------- d-----w- c:\program files\Security Task Manager
2010-04-26 23:37 . 2010-04-26 23:37 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-26 22:57 . 2010-04-26 22:57 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-26 22:10 . 2010-04-26 22:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-26 22:08 . 2010-04-26 22:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-26 21:08 . 2010-04-26 21:08 -------- d-----w- c:\documents and settings\Zahed Khan\Application Data\Malwarebytes
2010-04-26 21:08 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 21:08 . 2010-04-26 21:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 21:08 . 2010-04-26 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 21:08 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 10:13 . 2010-04-26 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-26 10:13 . 2010-04-26 23:00 -------- d-----w- c:\program files\Lavasoft
2010-04-26 09:40 . 2010-04-26 09:40 120 ----a-w- c:\windows\Hbojobil.dat
2010-04-26 09:40 . 2010-04-26 09:40 0 ----a-w- c:\windows\Yyimahixusoy.bin
2010-04-26 09:37 . 2010-04-26 09:37 93184 --sha-r- c:\windows\system32\kbdukk.dll
2010-04-15 03:26 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\Zahed Khan\Application Data\Mozilla\Firefox\Profiles\t38bplxg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-04-15 03:26 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\Zahed Khan\Application Data\Mozilla\Firefox\Profiles\t38bplxg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-04-15 03:26 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\Zahed Khan\Application Data\Mozilla\Firefox\Profiles\t38bplxg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-04-15 03:26 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\Zahed Khan\Application Data\Mozilla\Firefox\Profiles\t38bplxg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-31 02:35 . 2010-03-31 02:35 -------- d-----w- c:\documents and settings\Zahed Khan\Local Settings\Application Data\Real
2010-03-31 02:34 . 2010-03-31 02:34 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-31 02:34 . 2010-03-31 02:34 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-31 02:34 . 2010-03-31 02:34 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-31 02:34 . 2010-03-31 02:34 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-31 02:34 . 2010-03-31 02:34 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-31 02:34 . 2010-03-31 02:34 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-31 02:34 . 2010-03-31 02:34 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-31 02:34 . 2010-03-31 02:34 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-31 02:34 . 2010-03-31 02:34 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 00:31 . 2007-10-22 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-28 03:09 . 2004-08-04 02:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-28 02:12 . 2007-10-20 11:04 -------- d-----w- c:\documents and settings\Zahed Khan\Application Data\U3
2010-04-27 03:40 . 2007-12-24 21:03 -------- d-----w- c:\documents and settings\Zahed Khan\Application Data\Azureus
2010-03-31 02:34 . 2009-02-12 02:42 -------- d-----w- c:\program files\Common Files\Real
2010-03-31 02:34 . 2009-07-06 21:46 -------- d-----w- c:\program files\Real
2010-03-31 02:33 . 2003-06-05 16:57 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-06 13:50 . 2007-10-22 21:29 -------- d-----w- c:\documents and settings\Zahed Khan\Application Data\Skype
2010-02-24 13:11 . 2004-08-04 03:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-04 03:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 04:56 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 03:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Citrus Alarm Clock"="c:\program files\Citrus Alarm Clock\citrusac.exe" [2001-10-22 513024]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-22 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"nwiz"="nwiz.exe" [2007-06-29 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-31 202256]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-28 5937984]

c:\documents and settings\Zahed Khan\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-7-20 2913584]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49999:TCP"= 49999:TCP:p1
"49999:UDP"= 49999:UDP:p2

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [10/22/2007 5:13 PM 58464]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/18/2009 6:04 AM 266240]
S0 jojixwsx;jojixwsx; [x]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-22 22:56]

2010-04-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1220945662-1482476501-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-04-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1220945662-1482476501-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.espn.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{0362b485-11fe-469c-ae98-42f478e581a0} - c:\program files\Yapta\YaptaSettings.exe
IE: {{0094A600-9BDD-4019-BAFE-487284F7D476} - {C3C07AD6-ACE9-43EE-A2AF-45BC13F6275F} - c:\program files\Yapta\YaptaSidebar.dll
FF - ProfilePath - c:\documents and settings\Zahed Khan\Application Data\Mozilla\Firefox\Profiles\t38bplxg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com|http://www.yahoo.com/
FF - component: c:\documents and settings\Zahed Khan\Application Data\Mozilla\Firefox\Profiles\t38bplxg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
SafeBoot-klmdb.sys
AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 20:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(584)
c:\windows\system32\EntApi.dll

- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\EntApi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-28 20:52:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-29 00:52

Pre-Run: 273,216,389,120 bytes free
Post-Run: 273,126,244,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EABAF8ED94E70B7749B427A2C97BA943

Gooredfix:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 20:53 on 28/04/2010 (Zahed Khan)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
browserhighlighter@ebay.com [15:37 04/05/2009]
google-cjk@partners.mozilla.com [21:49 22/10/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:49 22/10/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [10:18 03/12/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [23:16 14/12/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [19:08 15/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [20:15 15/07/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [15:04 03/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [23:10 07/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [21:06 09/06/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [01:03 05/08/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [23:24 04/11/2009]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [09:08 27/01/2010]

C:\Documents and Settings\Zahed Khan\Application Data\Mozilla\Firefox\Profiles\t38bplxg.default\extensions\
{3112ca9c-de6d-4884-a869-9855de68056c} [03:26 15/04/2010]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [03:35 27/04/2010]
{E9A1DEE0-C623-4439-8932-001E7D17607D} [20:57 05/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}" [21:49 22/10/2007]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [15:04 03/12/2008]

-=E.O.F=-

Thanks!

#7 Maurice Naggar

Posted 29 April 2010 - 05:59 AM

Your logs showed some peer-to-peer filesharing apps: specifically, Azureus. I must insist you de-install it before we proceed further. Filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.
File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Confirm that you have removed Azureus.

Next, download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Confirm removal of Azureus, and post copy of the Rooter txt log.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 zalik22


Posted 29 April 2010 - 04:17 PM

Azureus is uninstalled and here is the log:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 2 Stepping 9, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.6.3 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:279 Go - Free:254 Go )
D:\ [CD_Rom]
.
Scan : 17:11.23
Path : C:\Documents and Settings\Zahed Khan\Desktop\Rooter.exe
User : Zahed Khan ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (448)
______ \??\C:\WINDOWS\system32\csrss.exe (496)
______ \??\C:\WINDOWS\system32\winlogon.exe (520)
______ C:\WINDOWS\system32\services.exe (564)
______ C:\WINDOWS\system32\lsass.exe (576)
______ C:\WINDOWS\system32\svchost.exe (736)
______ C:\WINDOWS\system32\svchost.exe (792)
______ C:\WINDOWS\System32\svchost.exe (860)
______ C:\WINDOWS\system32\svchost.exe (928)
______ C:\WINDOWS\system32\svchost.exe (1004)
______ C:\WINDOWS\system32\LEXBCES.EXE (1192)
______ C:\WINDOWS\system32\spoolsv.exe (1220)
______ C:\WINDOWS\system32\LEXPPS.EXE (1228)
______ C:\WINDOWS\Explorer.EXE (1492)
______ C:\WINDOWS\system32\RUNDLL32.EXE (1668)
______ C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE (1676)
______ C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe (1708)
______ C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe (1760)
______ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (1768)
______ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (1796)
______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (1824)
______ C:\Program Files\iTunes\iTunesHelper.exe (1840)
______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (1864)
______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (1944)
______ C:\WINDOWS\system32\svchost.exe (284)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (416)
______ C:\Program Files\Bonjour\mDNSResponder.exe (428)
______ C:\WINDOWS\system32\CSHelper.exe (492)
______ C:\Program Files\Java\jre6\bin\jqs.exe (628)
______ C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (884)
______ C:\Program Files\Network Associates\VirusScan\Mcshield.exe (624)
______ C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (1408)
______ C:\WINDOWS\system32\nvsvc32.exe (1480)
______ C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (1072)
______ C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe (1652)
______ C:\WINDOWS\system32\svchost.exe (1960)
______ C:\Program Files\iPod\bin\iPodService.exe (2796)
______ C:\WINDOWS\System32\alg.exe (3336)
______ C:\WINDOWS\system32\ctfmon.exe (3804)
______ C:\WINDOWS\System32\svchost.exe (3956)
______ C:\WINDOWS\system32\wuauclt.exe (1728)
______ C:\Documents and Settings\Zahed Khan\Desktop\Rooter.exe (1848)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:300058182144)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\Google Software Updater.job
C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1220945662-1482476501-725345543-1003.job
C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1220945662-1482476501-725345543-1003.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 17:11.26
.
C:\Rooter$\Rooter_1.txt - (29/04/2010 | 17:11.26)


Thanks!

#9 Maurice Naggar


Posted 29 April 2010 - 05:04 PM

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Step 1
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 2
Re-enable your AntiVirus and AntiSpyware applications

Download and SAVE the HijackThis from TrendMicro

Save the HJT program to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.exe to start it.
Do a "Scan and Save log".

Exit out of HJT


Reply with copy of the MBAM scan log
and the Hijackthis log

Edited by Maurice Naggar, 29 April 2010 - 05:05 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#10 zalik22


Posted 29 April 2010 - 08:13 PM

MBAM:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/29/2010 9:10:10 PM
mbam-log-2010-04-29 (21-10-10).txt

Scan type: Quick scan
Objects scanned: 120731
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:28 PM, on 4/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9950 bytes

Thanks!

#11 Maurice Naggar
    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 30 April 2010 - 06:20 AM

These reports are good. Is Internet Explorer 8 running OK? And Firefox? Are you getting redirected when doing a search?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#12 zalik22
  • Topic Starter

  • Members
  • 7 posts

Posted 30 April 2010 - 03:52 PM

Hi,

Things appear to be running well. Is it ok to log into secure sites? I don't want personal information to be stolen. For the past week, I haven't logged into any sites that require user name and password, with the exception of this one.

Also, how can I make a PayPal donation to you or your site?

Thanks!

#13 Maurice Naggar
    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 30 April 2010 - 05:02 PM

You may log in to other sites after the steps below.
My help is free, and this forum does not have a donation section. Kindly consider making a donation to a charity like the Red Cross for the benefit of Haiti disaster relief.

Cleanups after the tools we used
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove the tools we used, followed by advice on staying safer.

We have to remove Combofix and all its associated folders.
The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after exe and before the slash mark.
The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.
    In the command box that opens, copy the whole line verbatim and then paste it into the Run Open box:
    Combo-Fix.exe /uninstall
    and then click OK.
  • Download OTL by OldTimer, saving it to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.com to start it.
  • Click on the CleanUp! button at the upper right corner. When you do this, a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet, you should allow it to do so. After the list has been downloaded, you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
PC security advice
We are finished here. Best regards.



~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)