
Popups and Redirects after MBAM and SAS


  • This topic is locked
12 replies to this topic

#1 thekodiak

thekodiak

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 13 May 2010 - 03:35 PM

They say the first step of getting help is admitting the fact you need help, so here goes:

Hello, my name is Adam and I need help with 2 computers. (That wasn't so hard!)

I'll do the first one here and wait on instructions on how to post for the second one. The first one is my wife's computer, and hers is far more important than mine, as she's an English teacher and needs it for work.

For about 6 weeks or more, I've been using free editions of Malwarebytes and Superantispyware with limited success. The logs say they've quarantined the trojans or the rogues, but then I get the numerous pop-up browser windows (IE8 or Mozilla) and the Google redirects. Before you know it, a window pops up and says you are at risk and starts the fake virus scan alert, and I have to start all over again.

Today I purchased the SAS Pro license and tried working with that and MBAM. I completed both scans in safe mode and both programs found and quarantined. Once I restarted and tried to use Firefox, boom! Redirected from Google search to another site. Also, I notice the redirection has an Icon in the Navigation Toolbar. It looks like a giant "2" or a script "Q".

I don't want to restage this computer as it is too old and has too much stuff to back up, so any help you can provide is deeply appreciated. Also, I noticed that IE5 is still on this computer; does it need to be there? And how about Wild Tangent, is it trustworthy? Can I delete these and have more room on the HD?

Thank you in advance for your assistance.

DDS.TXT


DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Owner at 13:34:16.30 on Thu 05/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.158 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar =
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: ToolBarIDHelper Class: {b164e6c0-6d72-4e99-8c7c-051f7dceffe5} - c:\program files\fast browser search\ie\htb\ToolBarBHO.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: broward.edu
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} - hxxp://www.mathxl.com/applets/PearsonInstallAsst.cab
DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} - hxxp://www.fastaccess.drivers.bellsouth.net/software/DSLspeedtool/bls_speedop.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\4v9pwm66.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\4v9pwm66.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\documents and settings\hp_owner\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {2C0643ED-17DA-4DDF-BF5A-633739F09637} - c:\documents and settings\hp_owner\local settings\application data\{2C0643ED-17DA-4DDF-BF5A-633739F09637}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-5-3 218592]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 68168]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-5-3 112592]
S2 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" --> c:\program files\norton internet security\norton antivirus\navapsvc.exe [?]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\athfmwdl.sys --> c:\windows\system32\drivers\ATHFMWDL.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2005-9-15 17149]
S3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\drivers\omawgu.sys --> c:\windows\system32\drivers\OMAWGU.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-5-3 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-5-3 1142224]

=============== Created Last 30 ================

2010-05-13 17:34:03 0 ----a-w- c:\documents and settings\hp_owner\defogger_reenable
2010-05-06 19:37:13 0 d-----w- c:\program files\iPod
2010-05-06 19:35:54 0 d-----w- c:\program files\iTunes
2010-05-06 19:35:54 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-06 19:18:13 0 d-----w- c:\program files\Bonjour
2010-05-03 12:42:14 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-03 12:42:13 882 ----a-w- c:\windows\RegSDImport.xml
2010-05-03 12:42:13 879 ----a-w- c:\windows\RegISSImport.xml
2010-05-03 12:42:12 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-03 12:42:12 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-03 12:42:12 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-03 12:42:12 131 ----a-w- c:\windows\IDB.zip
2010-05-03 12:42:12 1152444 ----a-w- c:\windows\UDB.zip
2010-05-03 12:39:53 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-05-03 12:39:53 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-03 12:39:27 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-03 12:39:27 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-05-03 12:39:27 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-05-03 12:39:27 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-03 12:39:04 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-05-03 12:39:04 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-03 12:38:46 0 d-----w- c:\program files\common files\PC Tools
2010-05-03 12:38:45 0 d-----w- c:\program files\Spyware Doctor
2010-05-03 12:38:45 0 d-----w- c:\docume~1\hp_owner\applic~1\PC Tools
2010-05-03 12:38:45 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-28 14:32:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-28 14:31:14 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-28 14:31:14 0 d-----w- c:\docume~1\hp_owner\applic~1\SUPERAntiSpyware.com
2010-04-28 14:30:40 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-26 02:18:05 0 d-----w- c:\program files\FU
2010-04-25 23:42:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-25 23:42:06 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 03:45:55 658 -c--a-w- c:\docume~1\hp_owner\applic~1\wklnhst.dat
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 23:46:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2007-05-15 01:37:45 56 --sh--r- c:\windows\system32\17618D2ED3.sys
2007-05-15 01:37:45 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-17 20:35:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009101720091018\index.dat

============= FINISH: 13:36:52.98 ===============

Attached Files





#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:55 AM

Posted 13 May 2010 - 03:50 PM

Hi thekodiak,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  3. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
      Double-click to run TDLfix.exe, type the following in the command window and press Enter:

      mbr

      A log file opens up. Please post its content in your reply.


#3 thekodiak

thekodiak
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 13 May 2010 - 04:45 PM

Farbar,

Thank you for the prompt response. I have followed the directions and posted the results below. Will not do anything to the computer until advised.

Adam

GooredFix by jpshortstuff (08.01.10.1)
Log created at 17:36 on 13/05/2010 (HP_Owner)
Firefox version 3.5.9 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{2C0643ED-17DA-4DDF-BF5A-633739F09637} -> Success!
Deleting C:\Documents and Settings\HP_Owner\Local Settings\Application Data\{2C0643ED-17DA-4DDF-BF5A-633739F09637} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
google-ggic@partners.mozilla.com [22:27 01/02/2008]
{3112ca9c-de6d-4884-a869-9855de68056c} [22:27 01/02/2008]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [18:33 05/05/2007]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [23:46 16/02/2010]

C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4v9pwm66.default\extensions\
youtube2mp3@mondayx.de [22:02 30/04/2010]
{20a82645-c095-46ed-80e3-08825760534b} [22:02 30/04/2010]
{3112ca9c-de6d-4884-a869-9855de68056c} [21:12 30/04/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [22:02 30/04/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [15:11 14/10/2008]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}" [01:34 14/11/2008]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:13 07/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:46 16/02/2010]
"{27182e60-b5f3-411c-b545-b44205977502}"="C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\" [23:51 16/02/2010]

-=E.O.F=-

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x82EE1EE4]<<
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x4a85300 size 0x1a8 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x04A85300 !
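The two logs posted in this thread are read by eye, but the indicator lines they contain are regular enough to triage mechanically. The following script is an added example, not part of the original thread or of the DDS, GooredFix or GMER tools: it parses the GMER MBR detector output and the DDS "Pseudo HJT Report" entries, flagging the same things a helper looks for (code reported outside the boot sector, an unknown module in the disk stack, registry entries pointing at a missing file, GUID-named directories under a user profile, and hidden Firefox extensions loaded from Local Settings). The sample inputs are constructed from the lines above and trimmed; the rule names and the `suspect`/`clean`/`unknown` verdicts are this example's own convention. Note that the verdict weighs the findings rather than the `user & kernel MBR OK` line, because in this very log both appear together.

```python
"""Triage helper for two log formats seen in this thread (example code, not a
tool from the thread): GMER's MBR detector output and DDS 'Pseudo HJT' lines."""
import re

# Constructed sample: indicator lines copied from the mbr.exe output above.
SAMPLE_MBR_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x82EE1EE4]<<
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x4a85300 size 0x1a8 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x04A85300 !
"""

# Constructed sample: a handful of DDS entries from the first post (raw string,
# so the Windows backslashes are kept literally).
SAMPLE_DDS_LINES = r"""
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
FF - HiddenExtension: XULRunner: {2C0643ED-17DA-4DDF-BF5A-633739F09637} - c:\documents and settings\hp_owner\local settings\application data\{2C0643ED-17DA-4DDF-BF5A-633739F09637}
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
"""

# Indicator lines emitted by the GMER MBR detector; group values are captured.
MBR_PATTERNS = {
    "malicious_code": re.compile(r"^malicious code @ sector (0x[0-9a-fA-F]+) size (0x[0-9a-fA-F]+)"),
    "mbr_copy": re.compile(r"^copy of MBR has been found in sector (\d+)"),
    "pe_in_sector": re.compile(r"^PE file found in sector at (0x[0-9a-fA-F]+)"),
    "unknown_module": re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<"),
}

# A path whose last component is a bare {GUID} directory.
GUID_DIR = re.compile(r"\\\{[0-9a-fA-F-]{36}\}\\?$")


def parse_mbr_log(text):
    """Return the 'MBR OK' flag, the indicator findings, and an overall verdict.
    The verdict is 'suspect' whenever any indicator fired, even if the MBR
    itself read as OK: hidden code in another sector is still a finding."""
    findings = []
    mbr_ok = False
    for line in text.splitlines():
        line = line.strip()
        if line == "user & kernel MBR OK":
            mbr_ok = True
            continue
        for name, pattern in MBR_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((name,) + match.groups())
    verdict = "suspect" if findings else ("clean" if mbr_ok else "unknown")
    return {"mbr_ok": mbr_ok, "findings": findings, "verdict": verdict}


def triage_dds_lines(text):
    """Flag DDS entries worth a second look. Each entry is 'KIND: descriptor - target';
    the target is everything after the last ' - ' (a file path or 'No File')."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(":", 1)[0]
        descriptor, sep, target = line.rpartition(" - ")
        if not sep:
            continue
        target_lower = target.lower()
        reasons = []
        if target_lower == "no file":
            reasons.append("orphaned entry (registry points to a missing file)")
        if "application data" in target_lower and GUID_DIR.search(target):
            reasons.append("GUID-named directory inside a user profile")
        if kind.startswith("FF - HiddenExtension") and "\\local settings\\" in target_lower:
            reasons.append("hidden Firefox extension loaded from Local Settings")
        if reasons:
            flagged.append({"kind": kind, "entry": descriptor, "target": target, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    report = parse_mbr_log(SAMPLE_MBR_LOG)
    print("MBR verdict:", report["verdict"], "(MBR OK line present:", report["mbr_ok"], ")")
    for finding in report["findings"]:
        print("  ", finding)
    for entry in triage_dds_lines(SAMPLE_DDS_LINES):
        print(entry["kind"], "->", entry["target"], "|", "; ".join(entry["reasons"]))
```

The flags are triage hints, not verdicts: an orphaned `No File` entry is often just leftover from an uninstall, while the GUID-named directory under Local Settings here is the same path GooredFix deleted. Feeding the full DDS report in rather than the trimmed sample works the same way, since every entry follows the `KIND: descriptor - target` shape.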

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:55 AM

Posted 13 May 2010 - 07:17 PM

Thanks Adam.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning that the download sites for ComboFix are not trusted; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#5 thekodiak

thekodiak
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 13 May 2010 - 08:54 PM

Farbar,

Here is the ComboFix log. I had to restart it due to an interruption by a 10-year-old. Please advise if any other steps need to be taken.

Thank you,

Adam



ComboFix 10-05-13.03 - HP_Owner 05/13/2010 21:27:27.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.230 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\27Y2I3x3L.jpg
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\b1cr2.jpg
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\hRPwkV.jpg
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\qo3lovCsi.jpg
c:\program files\Cheat Engine\dbk32.sys
c:\windows\ldlist.txt
c:\windows\system32\drivers\etc\lmhosts
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.

2010-05-13 12:32 . 2010-05-13 12:32 63488 ----a-w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-06 19:37 . 2010-05-06 19:37 -------- d-----w- c:\program files\iPod
2010-05-06 19:35 . 2010-05-06 19:38 -------- d-----w- c:\program files\iTunes
2010-05-06 19:35 . 2010-05-06 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-06 19:27 . 2010-05-06 19:29 -------- d-----w- c:\program files\QuickTime
2010-05-06 19:18 . 2010-05-06 19:18 -------- d-----w- c:\program files\Bonjour
2010-05-06 19:14 . 2010-05-06 19:14 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-03 12:42 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-03 12:42 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-03 12:42 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-03 12:42 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-03 12:42 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-05-03 12:42 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-05-03 12:39 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-03 12:39 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-03 12:39 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-03 12:39 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-03 12:38 . 2010-05-03 12:42 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-03 12:38 . 2010-05-03 15:42 -------- d-----w- c:\program files\Spyware Doctor
2010-05-03 12:38 . 2010-05-03 12:38 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\PC Tools
2010-05-03 12:38 . 2010-05-03 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-03 12:38 . 2010-05-14 01:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-30 21:12 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4v9pwm66.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-04-30 21:12 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4v9pwm66.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-04-30 21:12 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4v9pwm66.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-04-30 21:12 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4v9pwm66.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-04-28 14:32 . 2010-04-28 14:32 52224 ----a-w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-28 14:32 . 2010-05-13 12:32 117760 ----a-w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-28 14:32 . 2010-04-28 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-28 14:31 . 2010-05-12 18:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-28 14:31 . 2010-04-28 14:31 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2010-04-28 14:30 . 2010-04-28 14:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-26 02:18 . 2010-04-28 12:53 -------- d-----w- c:\program files\FU
2010-04-25 23:42 . 2010-04-25 23:42 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-25 23:42 . 2010-04-25 23:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-25 23:41 . 2010-05-08 18:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 01:39 . 2010-02-13 21:49 -------- d-----w- c:\program files\Cheat Engine
2010-05-06 19:37 . 2009-09-22 22:25 -------- d-----w- c:\program files\Common Files\Apple
2010-04-29 19:39 . 2010-01-13 22:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-01-13 22:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 10:30 . 2010-01-15 04:21 0 ----a-w- c:\windows\Ovazetofiwupu.bin
2010-04-28 10:30 . 2010-01-15 04:21 120 ----a-w- c:\windows\Rnonoku.dat
2010-04-12 23:05 . 2009-06-05 15:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-12 23:04 . 2009-07-20 20:34 38784 ----a-w- c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-12 03:45 . 2005-09-16 02:49 658 -c--a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-21 14:38 . 2005-11-05 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-03-10 06:15 . 2004-08-04 04:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 04:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2004-08-04 04:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 23:47 . 2010-02-16 23:47 503808 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ef4a9c5-n\msvcp71.dll
2010-02-16 23:47 . 2010-02-16 23:47 499712 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ef4a9c5-n\jmc.dll
2010-02-16 23:47 . 2010-02-16 23:47 348160 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ef4a9c5-n\msvcr71.dll
2010-02-16 23:47 . 2010-02-16 23:47 61440 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-41acbb01-n\decora-sse.dll
2010-02-16 23:47 . 2010-02-16 23:47 12800 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-41acbb01-n\decora-d3d.dll
2010-02-16 23:46 . 2010-02-16 23:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-16 13:25 . 2004-08-04 11:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-04-05 15:08 . 2008-04-05 15:08 24 --sh--w- c:\windows\S80B951FE.tmp
2007-05-15 01:37 . 2007-05-15 01:37 56 --sh--r- c:\windows\system32\17618D2ED3.sys
2007-05-15 01:37 . 2007-05-15 01:37 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-12 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^My Essentials Wireless USB Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\My Essentials Wireless USB Utility.lnk
backup=c:\windows\pss\My Essentials Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111T Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111T Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111T Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2006-05-22 17:26 694272 -c--a-w- c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-11-02 08:59 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-02-25 22:34 245760 -c--a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2010-03-09 12:40 1286608 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 13:54 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 16:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-12-09 02:29 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-05-05 19:05 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
2005-09-16 03:49 100056 -c--a-w- c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-14 15:10 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/3/2010 8:39 AM 218592]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 68168]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/3/2010 8:42 AM 112592]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys --> c:\windows\system32\Drivers\ATHFMWDL.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [9/15/2005 10:26 PM 17149]
S3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\DRIVERS\OMAWGU.sys --> c:\windows\system32\DRIVERS\OMAWGU.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/3/2010 8:38 AM 366840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: broward.edu
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4v9pwm66.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4v9pwm66.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\documents and settings\HP_Owner\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-ccPrxy - ccPrxy.exe
MSConfigStartUp-FBSearch - c:\program files\Search Guard Plus\SearchGuardPlus.exe
MSConfigStartUp-Omonopu - c:\windows\ohocohotuce.dll
MSConfigStartUp-PCMMRealtime - c:\program files\PC MightyMax\pcmm.exe
MSConfigStartUp-SGPUpdater - c:\program files\Search Guard PlusU\sgpUpdaters.exe
MSConfigStartUp-Spam Blocker for Outlook Express - c:\progra~1\SPAMBL~1\Bin\484~1.0\SBInst.exe
MSConfigStartUp-SpamBlocker - c:\program files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe
MSConfigStartUp-WeatherOnTray - c:\program files\SpamBlockerUtility\Bin\4.8.4.0\SbWeatherOnTray.exe
MSConfigStartUp-wxyvclcr - c:\windows\system32\ylorbiag.exe
AddRemove-WinZip - c:\documents and settings\HP_Owner\My Documents\index_files\WinZip\WINZIP32.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 21:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052065164-3442178029-4279136078-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
.
Completion time: 2010-05-13 21:48:54
ComboFix-quarantined-files.txt 2010-05-14 01:48

Pre-Run: 1,296,154,624 bytes free
Post-Run: 2,811,650,048 bytes free

- - End Of File - - 71BDACA3AF6464C187BCE6F9B44DF300
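The log's "security center" and firewall-policy entries (AntiVirusOverride and FirewallOverride set to 1, EnableFirewall 0, DisableNotifications 1) are the protections a defender would re-check once cleanup is done. The PowerShell audit below is an added example, not part of this thread or of ComboFix: it reads those exact values plus the AuthorizedApplications list and reports which are in a weakened state. It assumes an elevated session and expands the log's abbreviated `HKLM\~\services` path to the full `SYSTEM\CurrentControlSet\Services` key.

```powershell
# Added example (not from the thread): audit the Security Center and firewall-policy
# values the ComboFix log lists, and report the ones in a weakened state.
# Run from an elevated PowerShell prompt; this script only reads, it changes nothing.

# Full path for the key the log abbreviates as HKLM\~\services\sharedaccess\...
$fwProfile = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

# Each check: key, value name, the value expected on a healthy system, and what a
# different value means.
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride'
       Expected = 0; Note = 'Security Center antivirus monitoring is overridden' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride'
       Expected = 0; Note = 'Security Center firewall monitoring is overridden' },
    @{ Key = $fwProfile; Name = 'EnableFirewall'
       Expected = 1; Note = 'Windows Firewall is disabled for the standard profile' },
    @{ Key = $fwProfile; Name = 'DisableNotifications'
       Expected = 0; Note = 'Firewall block notifications are suppressed' }
)

function Test-SecurityCenterSettings {
    param([array]$Checks = $checks)
    $findings = foreach ($c in $Checks) {
        # A missing key or value is reported as $null (the OS default applies),
        # which is not by itself a weakened state.
        $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Name     = $c.Name
            Actual   = $actual
            Expected = $c.Expected
            Weak     = ($null -ne $actual -and $actual -ne $c.Expected)
            Note     = $c.Note
            Key      = $c.Key
        }
    }
    return $findings
}

$results = Test-SecurityCenterSettings
$results | Format-Table Name, Actual, Expected, Weak, Note -AutoSize

# The AuthorizedApplications list is where an unexpected executable would have
# been granted an inbound exception; list every entry so it can be reviewed.
$authKey = Join-Path $fwProfile 'AuthorizedApplications\List'
if (Test-Path $authKey) {
    (Get-Item $authKey).Property | ForEach-Object { "Authorized through firewall: $_" }
}

if ($results | Where-Object Weak) {
    Write-Warning 'One or more protections are weakened; confirm whether an installed security product set them on purpose before changing anything.'
}
```

Third-party suites sometimes set the override values themselves when they take over Security Center monitoring, so a flagged value is a prompt to verify, not proof of tampering.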

#6 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 13 May 2010 - 09:10 PM

ComboFix took care of the rootkit and removed some bad files. The redirection should have been stopped.

Let's check the system once.

FYI: It's too late over here and I'm going to sleep; I'll see the log tomorrow.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push



#7 thekodiak

  • Topic Starter

Posted 14 May 2010 - 05:50 AM

Hello Farbar,

Hope you got some rest. Didn't realize you were burning the Midnight Oil overseas.
Here are the results from the Eset scan below.

I will be off to work a 24 hour shift and not return until Saturday morning, so I won't be able to reply if you need me to do something. The family has promised NOT to touch this computer until you give the okay.

Thank you again and have a great day.

Adam


C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\32\404cc9a0-74ef8aea Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined

C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\37\1a762365-3afdbb0b multiple threats deleted - quarantined

C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\48\62fa4370-2daf5ea4 multiple threats deleted - quarantined

C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\58\3248d7a-782e3897 Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined

C:\WINDOWS\system32\hewwdmiw.exe multiple threats deleted - quarantined


#8 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 14 May 2010 - 07:46 AM

Yes, from time to time I burn the Midnight Oil and last night was one of those occasions. I have less of a problem with it than others at home :)

Take your time as we are almost done, just need some cleaning. Thanks for letting me know.
  1. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove Java 6 update 18
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  3. Tell me also how is your computer running.


#9 thekodiak

  • Topic Starter

Posted 15 May 2010 - 08:25 AM

Hello Farbar,

I've completed all the steps in your last post. I haven't seen any browser pops, nor have any google searches been redirected. THANK YOU!

I have two more questions for you if you don't mind. First is, what's the best prevention for this happening again? I've tried to educate the kids on what sites to avoid and not to click on ANYTHING that offers a free scan or service. I do have the Superantispyware pro edition running, and I have Symantec AV Corporate edition that I can put back on this computer. Anything else I can do?

Second is my desktop computer, do I start a new post or can I use any of the tools you've instructed me to use here?

Thank you again for your prompt and professional guidance, it's truly appreciated.

Adam

#10 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 15 May 2010 - 10:27 AM

Hi Adam,

Everything looks good and we are going to round off.

  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. Also remove any tool or log we used from your computer.


As far as your questions:

Keep Malwarebytes and SuperAntiSpyware Pro. You have to update Malwarebytes once in a while manually.

You may install Symantec but first uninstall Spyware Doctor. Running two antiviruses at the same time might cause more trouble than some malware does.

When you download anything check the size of download before and after downloading.

The best practice is to avoid bad sites, the following applications will be helpful to do that.
  1. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  2. I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing Adam.

#11 thekodiak

  • Topic Starter

Posted 15 May 2010 - 10:52 AM

Thanks Farbar, will do.

Lastly, do I need to start a new thread for a second computer in the house with similar problems?

Thx,

#12 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 15 May 2010 - 03:11 PM

I'm sorry, I forgot to mention it. ComboFix should be run under supervision. It is better to start a new topic. If you don't get a reply within 24 hours send me a PM and I'll take it ASAP.

#13 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 18 May 2010 - 03:15 AM


This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



