Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Hijacked


  • This topic is locked This topic is locked
23 replies to this topic

#1 Terry Mooney

Terry Mooney

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 18 May 2010 - 01:01 PM

Experienced problems with cascading popups and variety of other symptoms. Ran Security Scan at Microsoft, then downloaded Microsoft Malicious Software Removal Tool and installed Microsoft Security Essentials, which removed:
TrojanDowloader:Win32/Bredolab.AA
Trojan:Win32/Hiloti.gen!D
Browser still sluggish and now being hijacked to undesired sites.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Terry Mooney at 10:16:47.14 on Tue 05/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1285 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
svchost.exe "C:\WINDOWS\system32\ALSndMgrr.exe"
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Terry Mooney\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca-smb
uSearch Bar = hxxp://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca-smb
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_ca?hl=en&client=dell-row&channel=ca-smb&ibd=1080522
mSearchAssistant = hxxp://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca-smb
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
StartupFolder: c:\docume~1\terrym~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: live.com\onecare
Trusted Zone: mlxchange.com\cls
Trusted Zone: mlxchange.com\mlslink
Trusted Zone: selkirk.ca\rdkb.sgrc
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://209.53.137.180/kreb_schedule/ScriptX.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229621143703
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://mlslink.mlxchange.com/5.1.01.7662/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2009-11-15 135168]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-5-21 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-5-21 43608]
S2 TrkWksHidServ;Distributed Link Tracking Client TrkWksHidServ;c:\windows\system32\alsndmgrr.exe srv --> c:\windows\system32\ALSndMgrr.exe srv [?]

=============== Created Last 30 ================

2010-05-18 16:27:01 0 d-----w- c:\windows\pss
2010-05-18 14:05:24 0 d-sh--w- c:\windows\system32\lowsec
2010-05-18 00:03:49 0 d-sh--w- c:\documents and settings\terry mooney\IECompatCache
2010-05-17 23:46:05 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 00:33:16 100 --s-a-w- c:\windows\system32\3403034862.dat
2010-05-15 22:44:22 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-15 22:28:38 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-15 16:43:48 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-14 22:46:59 120 ----a-w- c:\windows\Jhigahemofiv.dat
2010-05-14 22:46:59 0 ----a-w- c:\windows\Kcuvuyanamisunog.bin
2010-05-14 22:45:29 755200 ----a-w- c:\windows\system32\drivers\eyweus.sys
2010-05-14 22:44:37 4278 ----a-w- c:\windows\system32\warnings.html
2010-05-14 22:44:36 20 ----a-w- c:\docume~1\terrym~1\applic~1\qvjsge.dat
2010-04-27 19:24:10 0 d-----w- c:\docume~1\terrym~1\applic~1\OpenOffice.org

==================== Find3M ====================

2010-04-27 22:28:14 13868 ----a-w- c:\docume~1\terrym~1\applic~1\wklnhst.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 18:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-18 18:13:39 81944 ----a-w- c:\docume~1\terrym~1\applic~1\GDIPFONTCACHEV1.DAT
2008-08-26 16:15:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 10:18:07.51 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:28 PM

Posted 19 May 2010 - 04:23 PM

Hello.

The GMER log doesn't seem complete, but I do see an infection on board but require some more information gathered. Please run GMER again with the following instructions...

Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Terry Mooney

Terry Mooney
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 19 May 2010 - 07:19 PM

Hi Extremeboy,

Sorry, but I've tried six times now both in regular and safe modes and each time end up w/BSOD telling me to contact my system administrator.

Terry

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:28 PM

Posted 20 May 2010 - 06:35 PM

Hello.

That's okay. From the previous GMER log, one of the driver seems attention and fixing. Can you please run Combofix first for me.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Terry Mooney

Terry Mooney
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 20 May 2010 - 11:34 PM

ComboFix 10-05-20.07 - Terry Mooney 05/20/2010 21:24:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1576 [GMT -7:00]
Running from: c:\documents and settings\Terry Mooney\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\3403034862.dat
c:\windows\system32\ALSndMgrr.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\warnings.html

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TRKWKSHIDSERV
-------\Service_TrkWksHidServ


((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.

2010-05-18 00:03 . 2010-05-18 00:03 -------- d-sh--w- c:\documents and settings\Terry Mooney\IECompatCache
2010-05-17 23:46 . 2010-05-17 23:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 00:31 . 2010-05-16 00:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-15 22:44 . 2010-05-06 17:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-15 22:28 . 2010-05-15 22:28 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-15 16:55 . 2010-05-15 18:58 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-15 16:43 . 2010-05-15 16:43 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-14 22:54 . 2010-05-14 22:54 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-14 22:46 . 2010-05-14 22:46 120 ----a-w- c:\windows\Jhigahemofiv.dat
2010-05-14 22:46 . 2010-05-14 22:46 0 ----a-w- c:\windows\Kcuvuyanamisunog.bin
2010-05-14 22:46 . 2010-05-15 16:43 -------- d-----w- c:\documents and settings\Terry Mooney\Local Settings\Application Data\{2611E99B-6C11-4B4A-A04D-7C7C3EA370A6}
2010-05-14 22:45 . 2010-05-15 16:44 755200 ----a-w- c:\windows\system32\drivers\eyweus.sys
2010-04-27 19:24 . 2010-05-18 19:43 1 ----a-w- c:\documents and settings\Terry Mooney\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-27 19:24 . 2010-04-27 19:24 -------- d-----w- c:\documents and settings\Terry Mooney\Application Data\OpenOffice.org

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 23:55 . 2008-05-22 00:40 -------- d-----w- c:\program files\Google
2010-05-17 23:45 . 2008-05-22 00:35 -------- d-----w- c:\program files\Java
2010-05-14 22:44 . 2010-05-14 22:44 20 ----a-w- c:\documents and settings\Terry Mooney\Application Data\qvjsge.dat
2010-05-01 21:13 . 2008-05-22 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-01 19:11 . 2008-05-22 00:35 -------- d-----w- c:\program files\Common Files\Java
2010-04-27 22:28 . 2008-06-16 00:10 13868 ----a-w- c:\documents and settings\Terry Mooney\Application Data\wklnhst.dat
2010-04-25 21:05 . 2008-05-29 22:16 83152 ----a-w- c:\documents and settings\Terry Mooney\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-02 12:16 . 2010-04-02 12:16 503808 ----a-w- c:\documents and settings\Terry Mooney\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36c80e4d-n\msvcp71.dll
2010-04-02 12:16 . 2010-04-02 12:16 499712 ----a-w- c:\documents and settings\Terry Mooney\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36c80e4d-n\jmc.dll
2010-04-02 12:16 . 2010-04-02 12:16 348160 ----a-w- c:\documents and settings\Terry Mooney\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36c80e4d-n\msvcr71.dll
2010-04-02 12:16 . 2010-04-02 12:16 61440 ----a-w- c:\documents and settings\Terry Mooney\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1c87a937-n\decora-sse.dll
2010-04-02 12:16 . 2010-04-02 12:16 12800 ----a-w- c:\documents and settings\Terry Mooney\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1c87a937-n\decora-d3d.dll
2010-03-30 19:23 . 2010-03-30 19:23 -------- d-----w- c:\program files\JRE
2010-03-30 19:23 . 2010-03-30 19:23 -------- d-----w- c:\program files\OpenOffice.org 3
2010-03-30 19:18 . 2008-06-25 21:39 -------- d-----w- c:\program files\OpenOffice.org 2.4
2010-03-30 19:18 . 2008-06-25 21:40 -------- d-----w- c:\documents and settings\Terry Mooney\Application Data\OpenOffice.org2
2010-03-10 06:15 . 2004-08-10 17:51 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-27 01:13 . 2008-06-25 21:41 1 ----a-w- c:\documents and settings\Terry Mooney\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-10 17:51 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-21 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-21 137752]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2004-07-13 126976]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 16855552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

c:\documents and settings\Terry Mooney\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-12-31 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=

R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [11/15/2009 11:05 PM 135168]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [5/21/2008 5:18 PM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [5/21/2008 5:18 PM 43608]
.
Contents of the 'Scheduled Tasks' folder

2010-05-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 01:02]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_ca?hl=en&client=dell-row&channel=ca-smb&ibd=1080522
Trusted Zone: live.com\onecare
Trusted Zone: mlxchange.com\cls
Trusted Zone: mlxchange.com\mlslink
Trusted Zone: selkirk.ca\rdkb.sgrc
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://mlslink.mlxchange.com/5.1.01.7662/Control/IRCSharc.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 21:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3716)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2010-05-20 21:39:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-21 04:39

Pre-Run: 43,158,970,368 bytes free
Post-Run: 43,407,015,936 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 3A049A5F84F668B268D9EC7F9BFB7251


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:28 PM

Posted 22 May 2010 - 09:03 AM

Hello.

Combofix dealt with the infection successfully.

However, one of the infection removed was a password.stealer infection.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

--
Next, we need to get you to install an Anti-Virus software. Go here: http://computermalwaresecurity.blogspot.co...tware-list.html and under Anti-Virus Softwares, please choose and click on the URL to install one of the Anti-Virus softwares there. Install and update it.

After that, I want you to perform a Malwarebytes scan as followed...

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link


Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 Terry Mooney

Terry Mooney
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 22 May 2010 - 10:08 AM

Good morning, extremeboy,

I've updated Security Essentials, but when I click on the link for the malware download, I get shunted through a secure link then back to an insecure link to majorgeeks.com. The appropriate link is not obvious to me and I am, understandably, nervous about just clicking on one of their download buttons, when none of them show me the specific name you have provided.

Thanks,

Terry

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:28 PM

Posted 22 May 2010 - 04:21 PM

The Microsoft link to Security Essentials would be this one: http://www.microsoft.com/security_essentials/

You have Microsoft Security Essentials installed so no need to worry about that, for some reason I saw that you had no anti-virus installed.

Just continue with Malwarebytes and the rest of the instructions please. smile.gif

Thanks.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 Terry Mooney

Terry Mooney
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 22 May 2010 - 05:19 PM

Sorry, I guess I wasn't clear about my problem. Yes, I have Security Essentials and updated it as you instructed. However, when I click on either of the links to download Malwarebytes, first I see the Security Alert that I'm going on a secured Internet link that no one else can see. Click yes. Then url www.besttechie.com/tools/mbam-setup.exe w/Security Alert that I'm leaving the secured connection. Click yes and then I'm at www.majorgeeks/download.php?det=5756 and I don't see
Download_mbam-setup.exe anywhere.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:28 PM

Posted 23 May 2010 - 05:27 PM

If you're in the MajorGeeks website, you should see the Download Locations on your right hand side. Major Geeks is a legit site.

Alternatively, if you find navigating that page difficult just download it from >>here<<.

~

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 Terry Mooney

Terry Mooney
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 23 May 2010 - 10:33 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Hi extremeboy,

Thanks. That link worked just fine. Below ae the results

Regards,

Terry

Database version: 4136

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/23/2010 8:38:34 PM
mbam-log-2010-05-23 (20-38-34).txt

Scan type: Quick scan
Objects scanned: 129166
Time elapsed: 8 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:28 PM

Posted 24 May 2010 - 01:05 PM

Hello.

That's looking good so far. Let's get an online scan done. Almost done here. How's your computer running?

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 Terry Mooney

Terry Mooney
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 24 May 2010 - 07:54 PM

Hi extremeboy,

Hopefully, I've done this all correctly. I wanted to let you know that, in addition to these threats, Microsoft Security Essentials removed Win32/Alureon.H two times today. which were also among those removed back when I started this endeavor on the 15th of May.

I don't notice any of the "hijacking" symptoms. I'm really nervous about being on the Internet now, though. I had always thought I practiced "safe computing" and I've only had one problem in the past, which came in through a hole in the Microsoft Outlook program. I don't suppose there's anything you can do to "fix" me, but I can't thank you enough for all the help you've given me on my computer. Are you able to tell me anything about the source of these threats or even when I acquired it/them?

Thanks again for everything,

Terry

Attached Files



#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:28 PM

Posted 24 May 2010 - 08:07 PM

QUOTE
Hopefully, I've done this all correctly. I wanted to let you know that, in addition to these threats, Microsoft Security Essentials removed Win32/Alureon.H two times today. which were also among those removed back when I started this endeavor on the 15th of May.

Can you if possible post that log as well? A screenshot of what it detected of those files will help too.

There's something we need to removed still however.
Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/317580/browser-hijacked/
    Collect::[68]
    c:\windows\system32\drivers\eyweus.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Refering to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Let me know how it goes and if the upload went successfully or not in your next reply.

QUOTE
Are you able to tell me anything about the source of these threats or even when I acquired it/them?

Unfortunately no. Malware comes in various of forms and ways. Some prevention tips I wrote here: http://computermalwaresecurity.blogspot.co...ntion-tips.html describes some of the ways you could have got the infection. Not only that, infections "mask" certain things including dates, which is even harder to tell when you got it. Usually, you can find that out is through symptoms that you had earlier and that would be a general time frame where you probably got the infection.

Post the log once done.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 Terry Mooney

Terry Mooney
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 25 May 2010 - 01:23 PM

Good morning, extremeboy,

I've attached a copy of the screen shot from Security Essentials w/history. I don't know how to create a log, sorry.

Don't know that it has anything to do with the malware, but my wireless link is operating at 1.0mps as opposed to my pc upstairs, also running wirelessly at 11.0mps.

ComboFix said the server was down and the log didn't upload, so here's the copy of the log.

ComboFix 10-05-24.07 - Terry Mooney 05/25/2010 10:44:41.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1499 [GMT -7:00]
Running from: c:\documents and settings\Terry Mooney\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Terry Mooney\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

file zipped: c:\windows\system32\drivers\eyweus.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Terry Mooney\Local Settings\Application Data\{2611E99B-6C11-4B4A-A04D-7C7C3EA370A6}
c:\documents and settings\Terry Mooney\Local Settings\Application Data\{2611E99B-6C11-4B4A-A04D-7C7C3EA370A6}\chrome\content\_cfg.js
c:\documents and settings\Terry Mooney\Local Settings\Application Data\{2611E99B-6C11-4B4A-A04D-7C7C3EA370A6}\chrome\content\overlay.xul
c:\documents and settings\Terry Mooney\Local Settings\Application Data\{2611E99B-6C11-4B4A-A04D-7C7C3EA370A6}\install.rdf
c:\windows\system32\drivers\eyweus.sys

.
((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-25 17:18 . 2010-05-25 17:18 -------- d-----w- c:\documents and settings\Terry Mooney\Local Settings\Application Data\PCHealth
2010-05-25 17:03 . 2010-05-25 17:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-05-24 03:26 . 2010-05-24 03:26 -------- d-----w- c:\documents and settings\Terry Mooney\Application Data\Malwarebytes
2010-05-24 03:26 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-24 03:26 . 2010-05-24 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-24 03:26 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-24 03:26 . 2010-05-24 03:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-18 00:03 . 2010-05-18 00:03 -------- d-sh--w- c:\documents and settings\Terry Mooney\IECompatCache
2010-05-17 23:46 . 2010-05-17 23:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 00:31 . 2010-05-16 00:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-15 22:44 . 2010-05-12 18:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-15 22:28 . 2010-05-15 22:28 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-15 16:55 . 2010-05-15 18:58 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-15 01:15 . 2008-05-22 00:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-05-15 01:15 . 2010-05-15 16:43 -------- d-s---w- c:\documents and settings\Administrator
2010-05-14 22:54 . 2010-05-14 22:54 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-14 22:46 . 2010-05-14 22:46 120 ----a-w- c:\windows\Jhigahemofiv.dat
2010-05-14 22:46 . 2010-05-14 22:46 0 ----a-w- c:\windows\Kcuvuyanamisunog.bin
2010-04-27 19:24 . 2010-05-24 16:13 1 ----a-w- c:\documents and settings\Terry Mooney\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-27 19:24 . 2010-04-27 19:24 -------- d-----w- c:\documents and settings\Terry Mooney\Application Data\OpenOffice.org

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 23:30 . 2008-05-22 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-17 23:55 . 2008-05-22 00:40 -------- d-----w- c:\program files\Google
2010-05-17 23:45 . 2008-05-22 00:35 -------- d-----w- c:\program files\Java
2010-05-16 00:32 . 2010-05-16 00:32 4 ----a-w- c:\documents and settings\NetworkService\Application Data\ofubwi.dat
2010-05-14 22:44 . 2010-05-14 22:44 20 ----a-w- c:\documents and settings\Terry Mooney\Application Data\qvjsge.dat
2010-05-01 19:11 . 2008-05-22 00:35 -------- d-----w- c:\program files\Common Files\Java
2010-04-27 22:28 . 2008-06-16 00:10 13868 ----a-w- c:\documents and settings\Terry Mooney\Application Data\wklnhst.dat
2010-04-25 21:05 . 2008-05-29 22:16 83152 ----a-w- c:\documents and settings\Terry Mooney\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-02 12:16 . 2010-04-02 12:16 503808 ----a-w- c:\documents and settings\Terry Mooney\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36c80e4d-n\msvcp71.dll
2010-04-02 12:16 . 2010-04-02 12:16 499712 ----a-w- c:\documents and settings\Terry Mooney\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36c80e4d-n\jmc.dll
2010-04-02 12:16 . 2010-04-02 12:16 348160 ----a-w- c:\documents and settings\Terry Mooney\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36c80e4d-n\msvcr71.dll
2010-04-02 12:16 . 2010-04-02 12:16 61440 ----a-w- c:\documents and settings\Terry Mooney\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1c87a937-n\decora-sse.dll
2010-04-02 12:16 . 2010-04-02 12:16 12800 ----a-w- c:\documents and settings\Terry Mooney\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1c87a937-n\decora-d3d.dll
2010-03-30 19:23 . 2010-03-30 19:23 -------- d-----w- c:\program files\JRE
2010-03-30 19:23 . 2010-03-30 19:23 -------- d-----w- c:\program files\OpenOffice.org 3
2010-03-30 19:18 . 2008-06-25 21:39 -------- d-----w- c:\program files\OpenOffice.org 2.4
2010-03-30 19:18 . 2008-06-25 21:40 -------- d-----w- c:\documents and settings\Terry Mooney\Application Data\OpenOffice.org2
2010-03-10 06:15 . 2004-08-10 17:51 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-27 01:13 . 2008-06-25 21:41 1 ----a-w- c:\documents and settings\Terry Mooney\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-21 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-21 137752]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2004-07-13 126976]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 16855552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Terry Mooney\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-12-31 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=

R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [11/15/2009 11:05 PM 135168]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [5/21/2008 5:18 PM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [5/21/2008 5:18 PM 43608]
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 01:02]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_ca?hl=en&client=dell-row&channel=ca-smb&ibd=1080522
Trusted Zone: live.com\onecare
Trusted Zone: mlxchange.com\cls
Trusted Zone: mlxchange.com\mlslink
Trusted Zone: selkirk.ca\rdkb.sgrc
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://mlslink.mlxchange.com/5.1.01.7662/Control/IRCSharc.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 10:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-05-25 10:50:07
ComboFix-quarantined-files.txt 2010-05-25 17:49
ComboFix2.txt 2010-05-21 04:39

Pre-Run: 45,289,861,120 bytes free
Post-Run: 45,420,335,104 bytes free

- - End Of File - - 4C6FE2C06AD4584FDD443A25F59A39C4






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users