
Problems include link redirects, increased popups, blue screen "fatal error" message


  • This topic is locked
21 replies to this topic

#1 pulindian

  • Members
  • 11 posts

Posted 28 May 2010 - 11:32 AM

Hi all, thanks in advance for anyone who takes the time to try to help me out. I am a novice when it comes to this stuff.

I have a 5-year-old Dell Inspiron 9000, I have McAfee, and I always use Firefox to surf the internet, though I do have IE and Chrome on my computer. My problems started out a few days ago when I noticed some link redirects. Mainly this happened from Google searches - I would click a link, then get redirected to a new page, and the back button would only lead me to the same redirected page. However, if I typed in the URL of the link myself, it would take me to the correct page without problem. Examples of sites that I have been redirected to include:
- server2.mediajmp.com
- asklots.com
- marinettecountywi.com

I thought this was fishy, so I searched online to see who else had similar problems and how I could fix them. Through this, I decided to download a-squared and run it - it found 3 trojan files, and I quarantined them. A short time later, while browsing the internet, I got another redirect and realized the problem was not solved. I performed another scan through a-squared, again got rid of the 3 trojan files, and again ran into redirects. Mind you, the redirects only happen some of the time, not after every google search. Also, by this point, redirects had started from links on random webpages, ones that I have visited for years and not had problems with (i.e. jaguars.com).

I stumbled upon this website, thought that it would be helpful, and I decided to post. Well, I followed the steps for getting the log files that I am supposed to post on here. I got DDS.txt and Attach.txt with no problem, but I ran into some problems trying to run gmer. The first time, the computer restarted before the scan finished. The second time, I got a blue screen with a "fatal error" message, and had to manually turn the computer off. So this third time, I re-did DDS and Attach (just in case anything had changed) and I ran gmer, and finally I got everything saved. Also, here are a few other problems that I have noticed that may or may not have to do with the same thing:

- Twice I received an Adobe Reader error that said "A 3D data parsing error has occurred."
- The first time I ran a-squared, it said something that I didn't understand about data files that were moving around. Unfortunately, I didn't write it down.
- Google Chrome isn't working for some reason. I open the browser, but it won't connect to a webpage, even though Firefox and IE work with no problems.
- So far I have only used Firefox. That is, until earlier today, when I tried to log onto bleepingcomputer.com and it wouldn't let me. I could go to other sites just fine, but bleepingcomputer.com was somehow blocked. I then opened up IE and got on bleepingcomputer.com from there. I still have Firefox open. I just tried opening bleepingcomputer.com from Firefox, and it worked.

Once again, I want to thank anyone who takes the time to help. Here is my DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Pulin at 10:25:16.84 on Fri 05/28/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.313 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pulin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [Google Update] "c:\documents and settings\pulin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [kmxamltd] c:\documents and settings\pulin\local settings\application data\clnydviwb\silusnntssd.exe
uRun: [agxeeajj] c:\documents and settings\pulin\local settings\application data\mloxvpell\qqgaqyetssd.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [kmxamltd] c:\documents and settings\pulin\local settings\application data\clnydviwb\silusnntssd.exe
mRun: [agxeeajj] c:\documents and settings\pulin\local settings\application data\mloxvpell\qqgaqyetssd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: motive.com\patttbc.att
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pulin\applic~1\mozilla\firefox\profiles\7bpn06v5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\pulin\application data\move networks\plugins\071802000001\npqmp071802000001.dll
FF - plugin: c:\documents and settings\pulin\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\pulin\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\pulin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\pulin\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-5-26 1872320]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-7-7 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-7-7 234888]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-9-4 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-5-22 54608]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-17 24652]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-4 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-4 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-4 174952]
S2 gupdate1ca9926d094a00;Google Update Service (gupdate1ca9926d094a00);c:\program files\google\update\GoogleUpdate.exe [2010-1-19 133104]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-9-6 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]

=============== Created Last 30 ================

2010-05-26 13:57:23 0 d-----w- c:\program files\a-squared Free
2010-05-15 20:00:16 0 d-----w- c:\program files\Novatel Wireless

==================== Find3M ====================

2010-05-27 11:38:08 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-27 11:38:05 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-05-24 20:59:42 53201 ----a-w- c:\windows\system32\nvModes.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-08-15 01:13:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081420090815\index.dat

============= FINISH: 10:28:21.28 ===============

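The two Run entries in the DDS log above, [kmxamltd] and [agxeeajj], each pointing at a random-named folder under Local Settings\Application Data and each registered under both uRun (HKCU) and mRun (HKLM), are the part of this log a responder looks at first. The script below is an added example, not code from the original post or from the DDS/ComboFix tools: a small Python triage routine that parses the Run lines of a DDS "Pseudo HJT Report" and scores each autostart on three signals. The sample report is copied from the log above (trimmed); the three signals (launch path under a user-writable profile directory, random-looking folder or file name measured by vowel ratio, same value present in both hives) and the thresholds are this example's own heuristics, not anything DDS reports itself. Note that the legitimate per-user Google Update entry launches from the same location, which is why a lone location hit only rates "review".

```python
import re
from collections import defaultdict

# Matches the Run-key lines DDS prints in its "Pseudo HJT Report" section.
# uRun = per-user Run key (HKCU), mRun = machine-wide Run key (HKLM).
RUN_LINE = re.compile(r'^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$',
                      re.IGNORECASE)
# First program path in a Run value, quoted or bare (bare paths may contain spaces).
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|scr|com|bat|cmd|pif))\b', re.IGNORECASE)

# Windows XP profile locations a limited user can write to.  Legitimate
# software rarely autostarts from here; droppers routinely do.
# (Assumption of this example, not a DDS rule.)
USER_WRITABLE_DIRS = (
    '\\local settings\\application data\\',
    '\\local settings\\temp\\',
    '\\application data\\',
)
VOWELS = set('aeiou')

# Constructed sample: Run lines copied from the DDS log in this thread, trimmed.
SAMPLE_REPORT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\pulin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [kmxamltd] c:\documents and settings\pulin\local settings\application data\clnydviwb\silusnntssd.exe
uRun: [agxeeajj] c:\documents and settings\pulin\local settings\application data\mloxvpell\qqgaqyetssd.exe
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [kmxamltd] c:\documents and settings\pulin\local settings\application data\clnydviwb\silusnntssd.exe
mRun: [agxeeajj] c:\documents and settings\pulin\local settings\application data\mloxvpell\qqgaqyetssd.exe
"""


def parse_run_lines(report):
    """Yield (hive, value_name, command) for every uRun/mRun line that has a command."""
    for line in report.splitlines():
        m = RUN_LINE.match(line.strip())
        if m and m.group('cmd'):
            yield m.group('hive').lower(), m.group('name'), m.group('cmd')


def executable_path(command):
    """Lower-cased path of the program a Run value launches, arguments dropped.
    For rundll32 lines this is rundll32.exe itself; the DLL is only an argument."""
    command = command.strip()
    m = EXE_RE.match(command)
    return (m.group(1) if m else command.split()[0]).lower()


def looks_random(token):
    """Heuristic for generated names: 6+ letters with fewer than 25% vowels."""
    if len(token) < 6 or not token.isalpha():
        return False
    return sum(c in VOWELS for c in token) / len(token) < 0.25


def assess_run_entries(report):
    """Map value name -> {'path', 'hives', 'reasons'} for entries with any signal."""
    findings = defaultdict(lambda: {'path': None, 'hives': set(), 'reasons': set()})
    for hive, name, cmd in parse_run_lines(report):
        path = executable_path(cmd)
        f = findings[name.lower()]
        f['path'] = path
        f['hives'].add(hive)
        root = next((d for d in USER_WRITABLE_DIRS if d in path), None)
        if root is None:
            continue
        f['reasons'].add('launches from user-writable profile directory')
        # Score the folder names and the executable stem below that root.
        parts = path.split(root, 1)[1].split('\\')
        parts[-1] = parts[-1].rsplit('.', 1)[0]
        if any(looks_random(p) for p in parts):
            f['reasons'].add('random-looking folder or file name')
    for f in findings.values():
        if f['reasons'] and f['hives'] == {'u', 'm'}:
            f['reasons'].add('same value registered in both HKCU and HKLM Run')
    return {name: f for name, f in findings.items() if f['reasons']}


def triage(report):
    """'suspicious' when two or more signals agree, 'review' for a lone location hit."""
    return {name: ('suspicious' if len(f['reasons']) >= 2 else 'review')
            for name, f in assess_run_entries(report).items()}


if __name__ == '__main__':
    verdicts = triage(SAMPLE_REPORT)
    for name, f in assess_run_entries(SAMPLE_REPORT).items():
        print(f"{verdicts[name]:10} [{name}] {f['path']}")
        for reason in sorted(f['reasons']):
            print(f"             - {reason}")
```

Run against the sample, the script rates kmxamltd and agxeeajj "suspicious" (all three signals) and Google Update "review" (location only); ctfmon.exe, NvCplDaemon and iTunesHelper produce no finding at all. The vowel-ratio test is deliberately crude: it is a tie-breaker on top of the location signal, not a detector on its own.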

 


#2 sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 29 May 2010 - 07:43 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



========================================


Asksbar/Ask Toolbar warning:
I strongly suggest that you uninstall Asksbar/Ask Toolbar. Some of the bad practices of this toolbar are:
  1. Promoting its toolbars on sites targeted to kids. Details.
  2. Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  3. Promoting its toolbars through other companies' spyware. Details.
  4. Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  5. Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  6. Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Please read the full details HERE.




P2P Warning:
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case LimeWire/Vuze).

These programmes allow users to share files between them, as the name suggests. In today's world, cyber crime has grown to an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



========================================


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 pulindian

  • Topic Starter

  • Members
  • 11 posts

Posted 30 May 2010 - 04:50 PM

Sempai, thanks for your help.

1. I tried finding the Ask toolbar, but I did not see it in my list for "Add/Remove Programs". I also do not see it anywhere on my browser. How can I remove this?

2. I ran combofix and my computer restarted. I looked in the C:\, but I don't see any file called combofix.txt. However, I do see something named combofix - it has the same icon as My Computer, and when I double-click on this, it shows some drives and folders that are on my computer (i.e. C:\, D:\, My documents). Should I run combofix again?

Thanks again!

#4 sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 30 May 2010 - 05:39 PM

Hi,

Please do this:

Click Start > Run then copy/paste the following bolded text below. A log file will open, please post the contents in your next reply.
cmd /c dir /a /s C:\QooBox >log.txt&start log.txt


~Semp



#5 pulindian

  • Topic Starter

  • Members
  • 11 posts

Posted 30 May 2010 - 09:48 PM

Sempai, here are the contents of the file:

Volume in drive C has no label.
Volume Serial Number is 280C-378A

Directory of C:\QooBox

05/30/2010 11:15 AM <DIR> .
05/30/2010 11:15 AM <DIR> ..
05/30/2010 11:19 AM <DIR> BackEnv
05/30/2010 11:15 AM <DIR> LastRun
05/30/2010 12:01 PM <DIR> Quarantine
05/30/2010 11:15 AM <DIR> Test
05/30/2010 11:15 AM <DIR> TestC
0 File(s) 0 bytes

Directory of C:\QooBox\BackEnv

05/30/2010 11:19 AM <DIR> .
05/30/2010 11:19 AM <DIR> ..
05/30/2010 11:19 AM 341 appdata.folder.dat
05/30/2010 11:19 AM 398 cache.folder.dat
05/30/2010 11:19 AM 188 Cookies.folder.dat
05/30/2010 11:19 AM 133 desktop.folder.dat
05/30/2010 11:19 AM 193 favorites.folder.dat
05/30/2010 11:19 AM 284 localappdata.folder.dat
05/30/2010 11:19 AM 275 localsettings.folder.dat
05/30/2010 11:19 AM 181 mypictures.folder.dat
05/30/2010 11:19 AM 145 personal.folder.dat
05/30/2010 11:16 AM 267 Profiles.Folder.dat
05/30/2010 11:19 AM 425 Profiles.Folder.folder.dat
05/30/2010 11:19 AM 169 programs.folder.dat
05/30/2010 11:16 AM 5,917 SetPath.bat
05/30/2010 11:19 AM 142 startmenu.folder.dat
05/30/2010 11:19 AM 193 startup.folder.dat
05/30/2010 11:16 AM 2,334 SysPath.dat
05/30/2010 11:19 AM 185 templates.folder.dat
17 File(s) 11,770 bytes

Directory of C:\QooBox\LastRun

05/30/2010 11:15 AM <DIR> .
05/30/2010 11:15 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine

05/30/2010 12:01 PM <DIR> .
05/30/2010 12:01 PM <DIR> ..
05/30/2010 12:01 PM <DIR> C
05/30/2010 05:08 PM 204 catchme.log
05/30/2010 11:14 AM <DIR> Registry_backups
1 File(s) 204 bytes

Directory of C:\QooBox\Quarantine\C

05/30/2010 12:01 PM <DIR> .
05/30/2010 12:01 PM <DIR> ..
05/30/2010 12:02 PM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS

05/30/2010 12:02 PM <DIR> .
05/30/2010 12:02 PM <DIR> ..
05/30/2010 12:02 PM <DIR> system32
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32

05/30/2010 12:02 PM <DIR> .
05/30/2010 12:02 PM <DIR> ..
05/30/2010 12:02 PM <DIR> Drivers
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32\Drivers

05/30/2010 12:02 PM <DIR> .
05/30/2010 12:02 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\Registry_backups

05/30/2010 11:14 AM <DIR> .
05/30/2010 11:14 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Test

05/30/2010 11:15 AM <DIR> .
05/30/2010 11:15 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\TestC

05/30/2010 11:15 AM <DIR> .
05/30/2010 11:15 AM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
18 File(s) 11,974 bytes
32 Dir(s) 40,746,790,912 bytes free


#6 sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 31 May 2010 - 05:25 AM

Hi,

Thanks for the log, please delete your copy of Combofix (Do not uninstall) and run a new copy.

Download Combofix from any of the links below but rename it to CFScan before saving it to your desktop.
Link 1
Link 2
  • Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.

~Semp



#7 pulindian

  • Topic Starter

  • Members
  • 11 posts

Posted 31 May 2010 - 10:36 PM

The same thing happened when I ran CFScan as when I ran ComboFix the first time - the computer restarted itself and there was no explicit log. I went to the same destination you told me to that time as well (Start > Run > "cmd /c dir /a /s C:\QooBox >log.txt&start log.txt"). This is what I got:

Volume in drive C has no label.
Volume Serial Number is 280C-378A

Directory of C:\QooBox

05/31/2010 11:22 PM <DIR> .
05/31/2010 11:22 PM <DIR> ..
05/31/2010 11:26 PM <DIR> BackEnv
05/30/2010 11:15 AM <DIR> LastRun
05/30/2010 12:01 PM <DIR> Quarantine
05/30/2010 11:15 AM <DIR> Test
05/30/2010 11:15 AM <DIR> TestC
0 File(s) 0 bytes

Directory of C:\QooBox\BackEnv

05/31/2010 11:26 PM <DIR> .
05/31/2010 11:26 PM <DIR> ..
05/31/2010 11:26 PM 228 appdata.folder.dat
05/31/2010 11:26 PM 323 cache.folder.dat
05/31/2010 11:26 PM 145 Cookies.folder.dat
05/31/2010 11:26 PM 90 desktop.folder.dat
05/31/2010 11:26 PM 148 favorites.folder.dat
05/31/2010 11:26 PM 217 localappdata.folder.dat
05/31/2010 11:26 PM 225 localsettings.folder.dat
05/31/2010 11:26 PM 121 mypictures.folder.dat
05/31/2010 11:26 PM 97 personal.folder.dat
05/31/2010 11:23 PM 267 Profiles.Folder.dat
05/31/2010 11:26 PM 425 Profiles.Folder.folder.dat
05/31/2010 11:26 PM 114 programs.folder.dat
05/31/2010 11:23 PM 5,781 SetPath.bat
05/31/2010 11:26 PM 96 startmenu.folder.dat
05/31/2010 11:26 PM 130 startup.folder.dat
05/31/2010 11:23 PM 2,202 SysPath.dat
05/31/2010 11:26 PM 140 templates.folder.dat
17 File(s) 10,749 bytes

Directory of C:\QooBox\LastRun

05/30/2010 11:15 AM <DIR> .
05/30/2010 11:15 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine

05/30/2010 12:01 PM <DIR> .
05/30/2010 12:01 PM <DIR> ..
05/30/2010 12:01 PM <DIR> C
05/31/2010 11:22 PM 255 catchme.log
05/30/2010 11:14 AM <DIR> Registry_backups
1 File(s) 255 bytes

Directory of C:\QooBox\Quarantine\C

05/30/2010 12:01 PM <DIR> .
05/30/2010 12:01 PM <DIR> ..
05/30/2010 12:02 PM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS

05/30/2010 12:02 PM <DIR> .
05/30/2010 12:02 PM <DIR> ..
05/30/2010 12:02 PM <DIR> system32
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32

05/30/2010 12:02 PM <DIR> .
05/30/2010 12:02 PM <DIR> ..
05/30/2010 12:02 PM <DIR> Drivers
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32\Drivers

05/30/2010 12:02 PM <DIR> .
05/30/2010 12:02 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\Registry_backups

05/30/2010 11:14 AM <DIR> .
05/30/2010 11:14 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Test

05/30/2010 11:15 AM <DIR> .
05/30/2010 11:15 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\TestC

05/30/2010 11:15 AM <DIR> .
05/30/2010 11:15 AM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
18 File(s) 11,004 bytes
32 Dir(s) 40,687,460,352 bytes free


#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 01 June 2010 - 06:12 AM

Hi,

Please try to run ComboFix again in safe mode. Please monitor it closely while it is running; when ComboFix restarts your PC, make sure to boot into safe mode again so it can complete its process. Thanks.

To boot into safe mode:

This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

~Semp



#9 pulindian

pulindian
  • Topic Starter
  • Members
  • 11 posts

Posted 01 June 2010 - 03:31 PM

Here is the log (from C:\ComboFix.txt):

ComboFix 10-05-31.02 - Pulin 06/01/2010 12:42:17.1.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.699 [GMT -4:00]
Running from: c:\documents and settings\Pulin\Desktop\CFScan.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\hosts

.
((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
.

2010-05-28 13:19 . 2010-05-28 13:19 -------- d-----w- c:\documents and settings\Pulin\Local Settings\Application Data\mloxvpell
2010-05-26 13:57 . 2010-05-27 13:46 -------- d-----w- c:\program files\a-squared Free
2010-05-24 16:20 . 2010-05-24 16:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-24 00:52 . 2010-05-24 00:52 -------- d-----w- c:\documents and settings\Pulin\Local Settings\Application Data\clnydviwb
2010-05-23 12:03 . 2010-05-23 12:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-22 22:59 . 2010-05-22 22:59 348160 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-50fa8dc8-n\msvcr71.dll
2010-05-22 22:59 . 2010-05-22 22:59 503808 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-50fa8dc8-n\msvcp71.dll
2010-05-22 22:59 . 2010-05-22 22:59 499712 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-50fa8dc8-n\jmc.dll
2010-05-22 22:59 . 2010-05-22 22:59 61440 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-532eb88b-n\decora-sse.dll
2010-05-22 22:59 . 2010-05-22 22:59 12800 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-532eb88b-n\decora-d3d.dll
2010-05-15 20:00 . 2010-05-15 20:00 -------- d-----w- c:\program files\Novatel Wireless

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-27 11:38 . 2009-04-19 16:51 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-27 11:38 . 2009-05-21 01:22 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-05-27 03:54 . 2009-05-10 23:08 -------- d-----w- c:\documents and settings\Pulin\Application Data\Skype
2010-05-27 03:45 . 2009-05-10 23:10 -------- d-----w- c:\documents and settings\Pulin\Application Data\skypePM
2010-05-26 15:30 . 2009-10-28 04:41 -------- d-----w- c:\program files\GAMS23.2
2010-05-24 20:59 . 2008-06-18 00:25 53201 ----a-w- c:\windows\system32\nvModes.dat
2010-05-14 14:26 . 2009-10-02 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-09 05:47 . 2010-02-21 00:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\documents and settings\Pulin\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 18:38 . 2008-06-02 22:18 69232 ----a-w- c:\documents and settings\Pulin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 03:29 . 2009-09-05 18:12 144053 ----a-w- c:\documents and settings\Pulin\Application Data\Move Networks\uninstall.exe
2010-03-06 03:29 . 2010-02-11 19:31 5640640 ----a-w- c:\documents and settings\Pulin\Application Data\Move Networks\plugins\071802000001\npqmp071802000001.dll
2009-09-25 05:42 . 2009-09-25 05:42 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-09-25 05:42 . 2009-09-25 05:42 185232 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-09-25 05:42 . 2009-09-25 05:42 99216 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Pulin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-30 4636672]
"nwiz"="nwiz.exe" [2004-11-30 921600]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 20:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Documents and Settings\\Pulin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Pulin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Pulin\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [5/26/2010 9:57 AM 1872320]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [7/7/2009 4:57 PM 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [7/7/2009 4:58 PM 234888]
S2 gupdate1ca9926d094a00;Google Update Service (gupdate1ca9926d094a00);c:\program files\Google\Update\GoogleUpdate.exe [1/19/2010 12:40 PM 133104]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/17/2008 10:36 PM 24652]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [9/6/2007 3:30 PM 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 4:04 PM 99200]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PARPORT
.
Contents of the 'Scheduled Tasks' folder

2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-19 16:39]

2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-19 16:39]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-1644491937-839522115-1004Core.job
- c:\documents and settings\Pulin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-17 01:21]

2010-06-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-1644491937-839522115-1004UA.job
- c:\documents and settings\Pulin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-17 01:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
FF - ProfilePath - c:\documents and settings\Pulin\Application Data\Mozilla\Firefox\Profiles\7bpn06v5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\Pulin\Application Data\Move Networks\plugins\071802000001\npqmp071802000001.dll
FF - plugin: c:\documents and settings\Pulin\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Pulin\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKCU-Run-kmxamltd - c:\documents and settings\Pulin\Local Settings\Application Data\clnydviwb\silusnntssd.exe
HKCU-Run-agxeeajj - c:\documents and settings\Pulin\Local Settings\Application Data\mloxvpell\qqgaqyetssd.exe
HKLM-Run-ATT-SST_McciTrayApp - c:\program files\ATT-SST\McciTrayApp.exe
HKLM-Run-kmxamltd - c:\documents and settings\Pulin\Local Settings\Application Data\clnydviwb\silusnntssd.exe
HKLM-Run-agxeeajj - c:\documents and settings\Pulin\Local Settings\Application Data\mloxvpell\qqgaqyetssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-01 12:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(228)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-06-01 12:56:03
ComboFix-quarantined-files.txt 2010-06-01 16:55

Pre-Run: 40,668,753,920 bytes free
Post-Run: 43,425,775,616 bytes free

- - End Of File - - 6A49174E56E9D2F01F161378F0C6B324

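The "Reg Loading Points" and "ORPHANS REMOVED" sections of the log above carry the detail that matters for triage: two Run-key entries pointing at executables in random-looking folders under the user's Local Settings\Application Data tree, each registered under both HKCU and HKLM. The following is an added example (editor's code, not from the thread, from BleepingComputer or from ComboFix) that parses lines in the shape ComboFix prints them and flags exactly that pattern. The sample lines are copied from the log posted above; the regular expressions, the vowel-ratio heuristic and its thresholds are this example's own assumptions, not anything ComboFix itself does.

```python
"""Triage of ComboFix-style autostart lines (added example, not from the thread
or from ComboFix). Flags Run-key entries whose executable lives in a
random-looking folder under a user's Application Data tree and records
whether the same binary was registered under both HKCU and HKLM."""
import os
import re

# Run-key value lines as ComboFix prints them under "Reg Loading Points":
#   "Google Update"="c:\...\GoogleUpdate.exe" [2009-05-17 133104]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
# Lines under "ORPHANS REMOVED":
#   HKCU-Run-kmxamltd - c:\...\clnydviwb\silusnntssd.exe
ORPHAN_RE = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$')
# XP-era per-user data directories (roaming or local).
PROFILE_DATA_RE = re.compile(
    r'\\documents and settings\\[^\\]+\\(?:local settings\\)?application data\\', re.I)

VOWELS = set("aeiou")


def looks_random(token, min_len=8, max_vowel_ratio=0.25):
    """Heuristic (this example's own assumption): a long, purely alphabetic,
    vowel-poor name such as 'clnydviwb' or 'silusnntssd' is treated as
    machine-generated."""
    token = token.lower()
    if len(token) < min_len or not token.isascii() or not token.isalpha():
        return False
    vowels = sum(c in VOWELS for c in token)
    return vowels / len(token) <= max_vowel_ratio


def parse_autostarts(lines):
    """Yield (hive, value_name, path) for every Run-key entry in the log text."""
    hive, in_run = None, False
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            in_run = key.endswith("\\run")
            hive = "HKCU" if key.startswith("hkey_current_user") else "HKLM"
            continue
        m = RUN_VALUE_RE.match(line)
        if m and in_run:
            yield hive, m["name"], m["path"]
            continue
        m = ORPHAN_RE.match(line)
        if m:
            yield m["hive"], m["name"], m["path"].strip()


def triage(lines):
    """Return {lowercased path: {"hives": set, "reasons": set}} for flagged entries."""
    findings = {}
    for hive, _name, path in parse_autostarts(lines):
        if not PROFILE_DATA_RE.search(path):
            continue  # binaries outside the user profile are not this check's concern
        folder, _, exe = path.rpartition("\\")
        parent = folder.rpartition("\\")[2]
        stem = os.path.splitext(exe)[0]
        reasons = set()
        if looks_random(parent):
            reasons.add("random-looking folder %r under the user profile" % parent)
        if looks_random(stem):
            reasons.add("random-looking executable name %r" % exe)
        if reasons:
            entry = findings.setdefault(path.lower(), {"hives": set(), "reasons": set()})
            entry["hives"].add(hive)
            entry["reasons"] |= reasons
    return findings


def report(findings):
    """Render findings as one line per flagged binary, most persistent first."""
    out = []
    for path, info in sorted(findings.items(), key=lambda kv: (-len(kv[1]["hives"]), kv[0])):
        hives = "+".join(sorted(info["hives"]))
        out.append("%s  [%s]  %s" % (hives, "; ".join(sorted(info["reasons"])), path))
    return out


# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Pulin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-30 4636672]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKCU-Run-kmxamltd - c:\documents and settings\Pulin\Local Settings\Application Data\clnydviwb\silusnntssd.exe
HKCU-Run-agxeeajj - c:\documents and settings\Pulin\Local Settings\Application Data\mloxvpell\qqgaqyetssd.exe
HKLM-Run-kmxamltd - c:\documents and settings\Pulin\Local Settings\Application Data\clnydviwb\silusnntssd.exe
HKLM-Run-agxeeajj - c:\documents and settings\Pulin\Local Settings\Application Data\mloxvpell\qqgaqyetssd.exe
""".strip().splitlines()

if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

The name heuristic is deliberately gated on the profile-directory check: taken on its own, a short vowel-poor product name such as the log's own ShStatEXE would trip it, whereas Google's updater in the same Local Settings tree is not flagged because neither its folder nor its file name looks generated. Running the script on the sample prints both orphaned binaries with "HKCU+HKLM", which is the detail a reviewer would want to carry into the CFScript that follows.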

#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 02 June 2010 - 04:51 AM

Hi,

Thanks for the log and for your patience.


============================


1. Click Start > Run > copy/paste the bolded text below > press Enter. A text file will pop up, please post the contents of that file.
"C:\Qoobox\Add-Remove Programs.txt" > uninstall.txt& start uninstall.txt




2. Please follow the instructions on how to disable McAfee so it will not interfere while we run ComboFix. After doing all the steps, please re-enable it so you will stay protected while waiting for my response; I will advise you to disable it again if needed. Thanks.


How to disable McAfee:
  • Please open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.
    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)
  • Next, select never for "When to re-enable real time scanning"
  • and click OK.
Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/micros...ternalID=222820



We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad

DDS::
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [kmxamltd] c:\documents and settings\pulin\local settings\application data\clnydviwb\silusnntssd.exe
uRun: [agxeeajj] c:\documents and settings\pulin\local settings\application data\mloxvpell\qqgaqyetssd.exe
mRun: [kmxamltd] c:\documents and settings\pulin\local settings\application data\clnydviwb\silusnntssd.exe
mRun: [agxeeajj] c:\documents and settings\pulin\local settings\application data\mloxvpell\qqgaqyetssd.exe

DirLook::
c:\documents and settings\Pulin\Local Settings\Application Data\mloxvpell
c:\documents and settings\Pulin\Local Settings\Application Data\clnydviwb

Driver::


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




3. Please run another DDS scan and post the latest DDS report. No need to attach the attach.txt. Thanks.


~Semp



#11 pulindian

pulindian
  • Topic Starter
  • Members
  • 11 posts

Posted 02 June 2010 - 08:33 PM

Semp,

1. Here is the log:

a-squared Free 4.5
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
AIM 6
Apple Mobile Device Support
Apple Software Update
Arena 10.0 (CPR 7)
Bonjour
Bonjour Core for Windows
Broadcom 440x 10/100 Integrated Controller
C-Major Audio
Comcast High-Speed Internet Install Wizard
Compatibility Pack for the 2007 Office system
Conexant D110 MDC V.9x Modem
Dell ResourceCD
Desktop Doctor
DivX Plus Web Player
Download Updater (AOL LLC)
Free Audio CD Burner version 1.2
Free YouTube to MP3 Converter version 3.2
GAMS Distribution 23.2
Google Chrome
Google Talk Plugin
Google Update Helper
Goombah Partner COM Server
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel® PROSet/Wireless Software
iPod 2 iPod
iTunes
Java 2 Runtime Environment, SE v1.4.1_02
Java Auto Updater
Java Web Start
Java™ 6 Update 18
Java™ 6 Update 6
Java™ 6 Update 7
LimeWire 4.18.3
Logitech Legacy USB Camera Driver Package
Logitech QuickCam
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft VC9 runtime libraries
mIWA
mIWCA
mLogView
mMHouse
Mobile Broadband Generic Drivers
Move Media Player
Mozilla Firefox (3.6.3)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mToolkit
mWlsSafe
mXML
mZConfig
NVIDIA Drivers
OGA Notifier 2.0.0048.0
QuickTime
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Skype™ 4.0
Sprint Mobile Broadband (Novatel Wireless) - Lite
Uninstall 1.0.0.1
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb981726)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
VoiceOver Kit
Vuze
Vuze Toolbar
WebEx
WebEx Support Manager for Internet Explorer
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver

2. This is probably going to sound dumb, but I can't fully disable McAfee. I can disable things like On-Access Scan, Access Protection, Buffer Overflow Protection, and On-Delivery E-mail Scanner. However, I tried fully disabling McAfee through the instructions from the website that you sent, and I ran into some problems. First, my version of McAfee (VirusScan Enterprise 8.5.0i) does not have a security center. I tried using the following website for help (even though it's for a different version):

https://kc.mcafee.com/corporate/index?page=...&id=KB66280

When I get to step 2, I try stopping the McAfee McShield. I get the following error:

"Could not stop the McAfee McShield service on Local Computer.

Error 5: Access is denied."

Should I just disable what I can? Do you think I might need to uninstall McAfee?

Thanks for all of your help and time.

3. Should I run the DDS anyway? I wasn't sure if this should be done after completing step 2.

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:11 AM

Posted 03 June 2010 - 06:05 AM

Hi Pulin,

AskbarDis is not showing in your uninstall list, meaning it was installed together with another currently installed program. Let's try to remove it by doing the following:

Try this first:
Please go to C:\Program Files and open the AskbarDis folder, look for the uninstaller (the file name must be uninstall.exe, uninstaller.exe or something like that) and run it.


2nd option, if the above didn't work:
Please open your Firefox > Tools > Add-ons > Extensions > Locate and highlight AskbarDis > Click Uninstall. Then go to C:\Program Files and delete the entire AskbarDis folder if it is still present.


===================================


Your McAfee is conflicting with ComboFix. While we clean your PC, can you please uninstall it, then install Avast! as your temporary AV program? You can reinstall McAfee once we're done.

Note: Please follow the instructions HERE on how to properly uninstall McAfee.


===================================


After removing McAfee, please follow the instructions in my previous post again and run the ComboFix script, followed by another DDS scan. Thanks.



~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 pulindian

pulindian
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:11 PM

Posted 04 June 2010 - 05:58 AM

Semp,

I uninstalled both AskBarDis and McAfee. Here are the logs:

1. ComboFix:

ComboFix 10-06-03.01 - Pulin 06/03/2010 18:35:24.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.715 [GMT -4:00]
Running from: c:\documents and settings\Pulin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pulin\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\logiflt.iad"
"c:\windows\system32\drivers\lvuvc.hs"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\msvideo.dll
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs

Infected copy of c:\windows\system32\drivers\omci.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-01 16:40 . 2010-06-01 16:56 -------- d-----w- C:\CFScan
2010-05-28 13:19 . 2010-05-28 13:19 -------- d-----w- c:\documents and settings\Pulin\Local Settings\Application Data\mloxvpell
2010-05-26 13:57 . 2010-05-27 13:46 -------- d-----w- c:\program files\a-squared Free
2010-05-24 16:20 . 2010-05-24 16:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-24 00:52 . 2010-05-24 00:52 -------- d-----w- c:\documents and settings\Pulin\Local Settings\Application Data\clnydviwb
2010-05-23 12:03 . 2010-05-23 12:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-22 22:59 . 2010-05-22 22:59 348160 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-50fa8dc8-n\msvcr71.dll
2010-05-22 22:59 . 2010-05-22 22:59 503808 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-50fa8dc8-n\msvcp71.dll
2010-05-22 22:59 . 2010-05-22 22:59 499712 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-50fa8dc8-n\jmc.dll
2010-05-22 22:59 . 2010-05-22 22:59 61440 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-532eb88b-n\decora-sse.dll
2010-05-22 22:59 . 2010-05-22 22:59 12800 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-532eb88b-n\decora-d3d.dll
2010-05-15 20:00 . 2010-05-15 20:00 -------- d-----w- c:\program files\Novatel Wireless

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 01:18 . 2010-02-21 00:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-27 03:54 . 2009-05-10 23:08 -------- d-----w- c:\documents and settings\Pulin\Application Data\Skype
2010-05-27 03:45 . 2009-05-10 23:10 -------- d-----w- c:\documents and settings\Pulin\Application Data\skypePM
2010-05-26 15:30 . 2009-10-28 04:41 -------- d-----w- c:\program files\GAMS23.2
2010-05-24 20:59 . 2008-06-18 00:25 53201 ----a-w- c:\windows\system32\nvModes.dat
2010-05-14 14:26 . 2009-10-02 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\documents and settings\Pulin\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 18:38 . 2008-06-02 22:18 69232 ----a-w- c:\documents and settings\Pulin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 03:29 . 2009-09-05 18:12 144053 ----a-w- c:\documents and settings\Pulin\Application Data\Move Networks\uninstall.exe
2010-03-06 03:29 . 2010-02-11 19:31 5640640 ----a-w- c:\documents and settings\Pulin\Application Data\Move Networks\plugins\071802000001\npqmp071802000001.dll
2009-09-25 05:42 . 2009-09-25 05:42 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-09-25 05:42 . 2009-09-25 05:42 185232 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-09-25 05:42 . 2009-09-25 05:42 99216 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Pulin\Local Settings\Application Data\clnydviwb ----


---- Directory of c:\documents and settings\Pulin\Local Settings\Application Data\mloxvpell ----



((((((((((((((((((((((((((((( SnapShot@2010-06-01_16.53.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-03 22:32 . 2010-06-03 22:32 16384 c:\windows\temp\Perflib_Perfdata_18c.dat
+ 2010-06-03 22:13 . 2010-06-03 22:13 262144 c:\windows\system32\config\systemprofile\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Pulin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-30 4636672]
"nwiz"="nwiz.exe" [2004-11-30 921600]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 20:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Documents and Settings\\Pulin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Pulin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Pulin\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [5/26/2010 9:57 AM 1872320]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/17/2008 10:36 PM 24652]
S2 gupdate1ca9926d094a00;Google Update Service (gupdate1ca9926d094a00);c:\program files\Google\Update\GoogleUpdate.exe [1/19/2010 12:40 PM 133104]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [9/6/2007 3:30 PM 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 4:04 PM 99200]
.
Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-19 16:39]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-19 16:39]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-1644491937-839522115-1004Core.job
- c:\documents and settings\Pulin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-17 01:21]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-1644491937-839522115-1004UA.job
- c:\documents and settings\Pulin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-17 01:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
FF - ProfilePath - c:\documents and settings\Pulin\Application Data\Mozilla\Firefox\Profiles\7bpn06v5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\Pulin\Application Data\Move Networks\plugins\071802000001\npqmp071802000001.dll
FF - plugin: c:\documents and settings\Pulin\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Pulin\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 18:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8609BD01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763ff28
\Driver\ACPI -> ACPI.sys @ 0xf74b2cb8
\Driver\atapi -> atapi.sys @ 0xf7426852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7332bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7321a0d
SendHandler -> NDIS.sys @ 0xf7335b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\WININET.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1056)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-03 18:50:35
ComboFix-quarantined-files.txt 2010-06-03 22:50
ComboFix2.txt 2010-06-01 16:56

Pre-Run: 43,589,931,008 bytes free
Post-Run: 43,571,138,560 bytes free

- - End Of File - - 384379BD9582793556029A2AB1DD477A




2. DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Pulin at 6:53:12.23 on Fri 06/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.500 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Pulin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\pulin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: motive.com\patttbc.att
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pulin\applic~1\mozilla\firefox\profiles\7bpn06v5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\pulin\application data\move networks\plugins\071802000001\npqmp071802000001.dll
FF - plugin: c:\documents and settings\pulin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\pulin\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-5-26 1872320]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-17 24652]
S2 gupdate1ca9926d094a00;Google Update Service (gupdate1ca9926d094a00);c:\program files\google\update\GoogleUpdate.exe [2010-1-19 133104]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-9-6 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]

=============== Created Last 30 ================

2010-06-03 22:10:35 0 d-----w- c:\windows\system32\appmgmt
2010-06-01 16:40:39 0 d-----w- C:\CFScan
2010-05-30 15:32:32 0 d-sha-r- C:\cmdcons
2010-05-30 15:15:48 98816 ----a-w- c:\windows\sed.exe
2010-05-30 15:15:48 77312 ----a-w- c:\windows\MBR.exe
2010-05-30 15:15:48 256512 ----a-w- c:\windows\PEV.exe
2010-05-30 15:15:48 161792 ----a-w- c:\windows\SWREG.exe
2010-05-26 13:57:23 0 d-----w- c:\program files\a-squared Free
2010-05-15 20:00:16 0 d-----w- c:\program files\Novatel Wireless

==================== Find3M ====================

2010-05-24 20:59:42 53201 ----a-w- c:\windows\system32\nvModes.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-08-15 01:13:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081420090815\index.dat

============= FINISH: 6:54:48.70 ===============



Thanks again!


#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:11 AM

Posted 04 June 2010 - 07:19 AM

Hi again Pulin,

Did you know that when you installed Free YouTube to MP3 Converter version 3.2 the following programs were also installed:
Free Audio CD Burner version 1.2
Free Studio Manager/Uninstall 1.0.0.1

Uninstall 1.0.0.1 is the uninstaller for Free Studio Manager.

Can you please uninstall them while we clean your PC? If you really want/need them, you can reinstall them afterward. Please go to Control Panel > Add Remove Programs and remove the following:
  1. Free YouTube to MP3 Converter version 3.2
  2. Free Audio CD Burner version 1.2
  3. Uninstall 1.0.0.1
Reboot your PC afterward and follow the next set of instructions.


=============================


1. Please delete the following folders:
c:\documents and settings\Pulin\Local Settings\Application Data\clnydviwb
c:\documents and settings\Pulin\Local Settings\Application Data\mloxvpell




2. Go to Start > Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • mbr.log will pop up, please post the contents in your reply.



3. Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.

~Semp

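Added example (not code from the thread, from ComboFix or from DDS): a small triage script that parses lines in the ComboFix "Files Created" and DDS "Created Last 30" layouts and flags directories created directly under a user's Application Data whose names look machine-generated, the pattern Semp acted on when he asked for clnydviwb and mloxvpell to be deleted. The sample lines are constructed in the shape of the logs above, and the vowel-ratio and consonant-run thresholds are my own assumption, not a published rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the two log layouts seen in the thread:
#   ComboFix "Files Created":  created . modified size attrs path
#   DDS "Created Last 30":     timestamp size attrs path
# Directories carry "--------" (ComboFix) or 0 (DDS) as size and "d" as first attr.
SAMPLE_LOG = r"""
2010-06-01 16:40 . 2010-06-01 16:56 -------- d-----w- C:\CFScan
2010-05-28 13:19 . 2010-05-28 13:19 -------- d-----w- c:\documents and settings\Pulin\Local Settings\Application Data\mloxvpell
2010-05-26 13:57 . 2010-05-27 13:46 -------- d-----w- c:\program files\a-squared Free
2010-05-24 00:52 . 2010-05-24 00:52 -------- d-----w- c:\documents and settings\Pulin\Local Settings\Application Data\clnydviwb
2010-05-22 22:59 . 2010-05-22 22:59 348160 ----a-w- c:\documents and settings\Pulin\Application Data\Sun\Java\Deployment\SystemCache\msvcr71.dll
2010-05-27 03:45 . 2009-05-10 23:10 -------- d-----w- c:\documents and settings\Pulin\Application Data\skypePM
2010-06-03 22:10:35 0 d-----w- c:\windows\system32\appmgmt
2010-05-30 15:32:32 0 d-sha-r- C:\cmdcons
2010-05-30 15:15:48 98816 ----a-w- c:\windows\sed.exe
"""

COMBOFIX_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
DDS_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Per-user data roots on XP: "...\<user>\Application Data" and
# "...\<user>\Local Settings\Application Data".
USER_DATA_DIR_RE = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\(local settings\\)?application data$",
    re.IGNORECASE,
)
VOWELS = set("aeiou")


@dataclass
class Entry:
    created: str
    path: str
    is_dir: bool
    size: Optional[int]  # None for directories in the ComboFix layout


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line in either layout; return None for headers and blanks."""
    line = line.strip()
    m = COMBOFIX_RE.match(line) or DDS_RE.match(line)
    if not m:
        return None
    size_txt = m.group("size")
    return Entry(
        created=m.group("created"),
        path=m.group("path"),
        is_dir=m.group("attrs").startswith("d"),
        size=int(size_txt) if size_txt.isdigit() else None,
    )


def looks_random(name: str) -> bool:
    """Crude lexical test for generated folder names (assumed thresholds).

    Targets the all-lowercase, vowel-poor, 8+ letter names seen in the log;
    vendor folders (Google, Skype, skypePM, Adobe) have a capital letter or a
    normal vowel mix and fall through.
    """
    if not (name.isalpha() and name.islower() and len(name) >= 8):
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", name))
    return vowel_ratio <= 0.3 or longest_consonant_run >= 4


def suspicious_user_data_dir(entry: Entry) -> bool:
    """True for a directory created directly under a user's Application Data
    whose leaf name looks generated."""
    if not entry.is_dir:
        return False
    parent, _, leaf = entry.path.rpartition("\\")
    return bool(USER_DATA_DIR_RE.match(parent)) and looks_random(leaf)


def triage(log_text: str) -> List[Entry]:
    """Return the entries worth a second look, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and suspicious_user_data_dir(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.created}  {e.path}")
```

Run as-is it prints the two Application Data directories from the sample; to use it on a real log, paste the "Files Created" or "Created Last 30" section into SAMPLE_LOG and read the flagged list as a hint for the helper, not as a verdict.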


#15 pulindian

pulindian
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:11 PM

Posted 04 June 2010 - 07:24 PM

Semp,

I uninstalled those programs and deleted the folders. Here are the logs:

mbr:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x866F7D01]<<
kernel: MBR read successfully
user & kernel MBR OK



ark:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-04 20:19:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Pulin\LOCALS~1\Temp\uwrcyaoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Pulin\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1048] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1048] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DB000A
.text C:\Program Files\a-squared Free\a2service.exe[1572] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00454E05 C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\WINDOWS\Explorer.EXE[2676] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 001F000A
.text C:\WINDOWS\Explorer.EXE[2676] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0020000A
.text C:\WINDOWS\Explorer.EXE[2676] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 001E000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat F087FD20

---- EOF - GMER 1.0.15 ----


Thanks!



