
being redirected to wellaction.com an google pop ups


This topic is locked
45 replies to this topic

#1 mookie2107

  • Members
  • 25 posts

Posted 13 June 2010 - 09:37 PM

Hello there. Well, everything was going good till I got to GMER; it kept on freezing. Ran it 3 times and all 3 times it froze up and I had to restart the computer... Just in advance I wanna thank you, and so does my 3yr daughter... Also, do you recommend I stay off the computer, and do I remove the programs that I just used? Just so you know, I am not the smartest when it comes to computers and of course stuff like this, but I can follow directions pretty well.... "sorry, cook for a living lol"..... Here are the logs for DDS. Thank you for your time............ Hey, I just found out about this attack called Cisco.IOS.Router.Attack... almost everything in the description on how to detect it is what's happening to me... don't know if this would help you any but I figured I'd let you know. ..... Thanks again


DDS (Ver_10-03-17.01) - NTFSx86
Run by eris at 18:01:22.73 on Sun 06/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.418 [GMT -7:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users.WINDOWS\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\eris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100612144951.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Epson Stylus NX510(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifia.exe /fu "c:\docume~1\eris\locals~1\temp\E_S5FB.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [Verizon Custom Uninstall Tracking] c:\docume~1\eris\locals~1\temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [FPCCSMiddleware] c:\documents and settings\eris\desktop\FPCCSMiddleware.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\eris\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eris\applic~1\mozilla\firefox\profiles\2bazzstx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2415802&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-14 385536]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100604.004\IDSXpx86.sys [2010-6-8 331640]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-6-12 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-6-12 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-6-10 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\saskutil.sys [2010-6-10 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-12 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-12 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-12 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-12 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-6-12 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-6-12 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-6-12 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-6-12 55456]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-10 102448]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-12 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-12 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-6-12 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-6-12 88480]
R3 NAVENG;NAVENG;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100613.018\NAVENG.SYS [2010-6-13 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100613.018\NAVEX15.SYS [2010-6-13 1347504]
S1 SymSMR100;SMR Utility Service;\??\c:\windows\system32\drivers\symsmr100.sys --> c:\windows\system32\drivers\SymSMR100.SYS [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-6-12 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-12 83496]

=============== Created Last 30 ================

2010-06-14 00:55:25 0 ----a-w- c:\documents and settings\eris\defogger_reenable
2010-06-13 23:33:24 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-12 21:53:28 0 d-----w- c:\program files\McAfeeMOBK
2010-06-12 21:52:50 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-06-12 21:52:31 0 d-----w- c:\program files\McAfee Online Backup
2010-06-12 21:49:49 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-06-12 21:49:40 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-06-12 21:49:40 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-12 21:49:40 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-06-12 21:49:39 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-12 21:49:39 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-06-12 21:49:39 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-12 21:49:38 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-06-12 21:49:21 0 d-----w- c:\program files\common files\Mcafee
2010-06-12 21:49:18 0 d-----w- c:\program files\McAfee.com
2010-06-12 21:48:46 0 d-----w- c:\program files\McAfee
2010-06-10 21:18:10 89264 ----a-w- c:\windows\system32\drivers\DRVMCDB.SYS
2010-06-10 21:18:10 5660 ----a-w- c:\windows\system32\drivers\DLACDBHM.SYS
2010-06-10 21:18:10 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2010-06-10 21:18:10 39904 ----a-w- c:\windows\system32\drivers\cercsr6.sys
2010-06-10 21:18:10 22684 ----a-w- c:\windows\system32\drivers\DLARTL_N.SYS
2010-06-10 21:18:02 0 d-----w- c:\program files\superantispyware
2010-06-10 06:49:04 0 d-----w- c:\docume~1\eris\applic~1\SUPERAntiSpyware.com
2010-06-10 06:49:04 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-06-09 01:15:28 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 21:45:14 0 d-----w- c:\docume~1\eris\applic~1\Malwarebytes
2010-06-08 21:45:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-08 21:45:02 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-06-08 21:45:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-08 21:45:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 23:56:58 0 d-----w- c:\docume~1\alluse~1.win\applic~1\AVS4YOU
2010-05-24 23:55:37 0 d-----w- c:\program files\common files\AVSMedia
2010-05-24 23:54:48 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-05-24 23:54:48 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-05-24 23:54:47 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-05-24 23:54:47 0 d-----w- c:\program files\AVS4YOU

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:59:21 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-02-22 23:51:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022220090223\index.dat

============= FINISH: 18:03:02.60 ===============

Edited by mookie2107, 14 June 2010 - 02:46 AM.



#2 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 June 2010 - 03:04 AM

Hi mookie2107,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer.

#3 mookie2107

Posted 22 June 2010 - 09:00 AM

Hello Farbar, thank you for your time and sorry for the late reply.
Well, the computer is still being redirected and getting slower. Also it seems that the virus is messing with my wireless router, cause we are having the same trouble with my iPod and my brother's laptop when he came to visit.... It happens with the main computer being connected or disconnected to the internet. Well, thanks again, hope to hear from you soon, have a nice one...... Should I stay off the computer and just use it when needed for this repair?

#4 Farbar

Posted 22 June 2010 - 09:17 AM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with each other, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either Norton or McAfee.

  2. You have the latest version of Java (Java 6 Update 20) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please uninstall the following:

    J2SE Runtime Environment 5.0 Update 6

  3. Run GMER, uncheck all boxes except the box next to Sections (C drive should remain checked), click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

  4. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @echo off
    rem Remove any log left over from a previous run
    if exist mbr.log del mbr.log
    rem Run GMER's MBR checker (saved in C:\Windows, which is on the PATH); it writes its report to mbr.log
    mbr.exe -t
    rem Wait about one second so the log is completely written before it is opened
    ping 1.1.1.1 -n 1 -w 1000 >nul
    rem Open the log in the default text editor (Notepad)
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  5. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt

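The points Farbar draws from the DDS log in #1 (two AV products with on-access scanning enabled, an older Java runtime still reachable through a DPF install point, a P2P client in the startup folder and process list) can be pulled out of the log mechanically. The Python below is an added example, not code from this thread or from the DDS tool; it runs over a constructed excerpt modelled on the posted log, the list of P2P executables is an assumption, and it additionally flags the "- No File" BHO/toolbar entries that appear in the log but are not discussed in the thread.

```python
"""Triage checks over a DDS log, modelled on the reasoning in this thread."""
import re
from typing import Dict, List, Tuple

# Constructed DDS excerpt; the lines mirror the ones posted in #1.
SAMPLE_DDS = r"""
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
StartupFolder: c:\docume~1\eris\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
"""

# Assumption: file names of common peer-to-peer clients (constructed list).
P2P_EXECUTABLES = {"limewire.exe", "frostwire.exe", "bearshare.exe",
                   "utorrent.exe", "emule.exe", "kazaa.exe"}

BANNER = re.compile(r"^=+\s*(.+?)\s*=+$")
AV_ACTIVE = re.compile(r"^AV:\s*(.+?)\s*\*On-access scanning enabled\*")
EXE_TOKEN = re.compile(r"[^\\/\s\[\]\"']+\.exe\b", re.IGNORECASE)
JAVA_CAB = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.IGNORECASE)


def split_sections(log: str) -> Dict[str, List[str]]:
    """Split a DDS log into its '==== NAME ====' sections; lines before the
    first banner (the AV/FW summary) are filed under 'header'."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.rstrip()
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def active_av_products(sections: Dict[str, List[str]]) -> List[str]:
    """AV products whose on-access (real-time) scanner DDS reports as enabled."""
    return [m.group(1) for m in map(AV_ACTIVE.match, sections["header"]) if m]


def p2p_entries(sections: Dict[str, List[str]]) -> List[str]:
    """Running processes or autostart entries that reference a known P2P client."""
    hits = []
    for name in ("Running Processes", "Pseudo HJT Report"):
        for line in sections.get(name, []):
            if any(t.lower() in P2P_EXECUTABLES for t in EXE_TOKEN.findall(line)):
                hits.append(line)
    return hits


def outdated_java_cabs(sections: Dict[str, List[str]]) -> List[str]:
    """DPF entries that install a Java runtime older than the newest one listed."""
    found: List[Tuple[Tuple[int, ...], str]] = []
    for line in sections.get("Pseudo HJT Report", []):
        m = JAVA_CAB.search(line) if line.startswith("DPF:") else None
        if m:
            found.append((tuple(int(x) for x in m.groups()), line))
    if not found:
        return []
    newest = max(v for v, _ in found)
    return [line for v, line in found if v < newest]


def orphaned_entries(sections: Dict[str, List[str]]) -> List[str]:
    """BHO/toolbar registrations whose DLL is gone ('No File')."""
    return [line for line in sections.get("Pseudo HJT Report", [])
            if line.endswith("- No File")]


def triage(log: str) -> List[Tuple[str, str]]:
    """Run every check and return (category, evidence) findings."""
    s = split_sections(log)
    findings: List[Tuple[str, str]] = []
    avs = active_av_products(s)
    if len(avs) > 1:
        findings.append(("multiple-av", " / ".join(avs)))
    findings += [("p2p", line) for line in p2p_entries(s)]
    findings += [("old-java", line) for line in outdated_java_cabs(s)]
    findings += [("orphan", line) for line in orphaned_entries(s)]
    return findings


if __name__ == "__main__":
    for cat, evidence in triage(SAMPLE_DDS):
        print(f"{cat:12} {evidence}")
```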

#5 mookie2107

Posted 22 June 2010 - 10:03 AM

Hey, do I download another GMER or use the same one from before, and what do I do with the old one if I have to download another?

#6 Farbar

Posted 22 June 2010 - 10:07 AM

It doesn't matter if you run the old one or download a new one and GMER can simply be deleted when you want to remove it. I thought you had the old one and that will do.

#7 mookie2107

Posted 22 June 2010 - 10:20 AM

What boxes do you want to have unchecked? From what I understand you want only the C: selection. Sorry if I am making this more complicated than what it is, just wanna make sure I am doing everything for you. Thanks again


#8 Farbar

Posted 22 June 2010 - 10:28 AM

C: should remain unchecked anyway.
All the other boxes should be unchecked except Sections. In other words "Sections" should remain checked (and of course C). The other boxes should be unchecked.
In other words, two things should remain checked: Sections and C:.

#9 mookie2107

Posted 22 June 2010 - 11:19 AM

Alright, here it is.... I'm free this whole week so I'll be checking the computer often for your reply, so it shouldn't take me long to get back to you... Well, thanks a million again, hope to hear from you soon :-)............ Just wondering, should I be concerned about my router transferring the virus to my iPhone, iPod, laptop and PS3, cause they do the same thing when we surf the web on them?


#10 Farbar

Posted 22 June 2010 - 01:45 PM

Please do the step 4 and post the log.

#11 mookie2107

Posted 22 June 2010 - 02:03 PM

Sorry about that, got ahead of myself, but here it is..... mbr

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


#12 Farbar

Posted 22 June 2010 - 02:17 PM

No worries. The GMER log and the MBR log are clean for that part and that is good news.
  1. Please make sure Norton auto protection is turned off prior to running ComboFix and turn it on after the tool has produced the log.
    Disable Norton 360:
    • Right click Norton 360 icon in the system tray, select Open Tasks and Settings Window
    • On the right side, under Settings, click on Change advanced settings
    • Next, click on Virus & Spyware Protection Settings
    • Uncheck Turn on Auto-Protect, select Apply
    • You will be asked to select a time for Norton to reactivate (e.g. 1 hour, 5 hours, on reboot). Choose Until I turn it back on.

      Note: Re-enable when our tools have completed their tasks.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about untrusted download sites for ComboFix; click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.



#13 mookie2107

Posted 22 June 2010 - 02:47 PM

Alright, here it is. Hopefully more good news. Thanks for your time and quick reply, greatly appreciated.



ComboFix 10-06-22.02 - eris 06/22/2010 12:34:17.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.297 [GMT -7:00]
Running from: c:\documents and settings\eris\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-13 23:33 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-10 21:48 . 2010-06-10 21:48 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-06-10 21:18 . 2010-06-10 21:18 89264 ----a-w- c:\windows\system32\drivers\DRVMCDB.SYS
2010-06-10 21:18 . 2010-06-10 21:18 5660 ----a-w- c:\windows\system32\drivers\DLACDBHM.SYS
2010-06-10 21:18 . 2010-06-10 21:18 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2010-06-10 21:18 . 2010-06-10 21:18 39904 ----a-w- c:\windows\system32\drivers\cercsr6.sys
2010-06-10 21:18 . 2010-06-10 21:18 22684 ----a-w- c:\windows\system32\drivers\DLARTL_N.SYS
2010-06-10 21:18 . 2010-06-11 02:48 -------- d-----w- c:\program files\superantispyware
2010-06-10 21:17 . 2010-06-10 21:17 -------- d-----w- c:\program files\quicktime
2010-06-10 21:17 . 2010-06-10 21:17 -------- d-----w- c:\program files\7-zip
2010-06-10 19:28 . 2010-06-10 19:28 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-10 19:28 . 2010-06-10 19:28 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-10 19:28 . 2010-06-10 19:28 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-10 19:28 . 2010-06-10 19:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-10 19:01 . 2010-06-10 19:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-10 18:51 . 2010-06-10 18:51 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c17b23f-n\msvcp71.dll
2010-06-10 18:51 . 2010-06-10 18:51 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c17b23f-n\jmc.dll
2010-06-10 18:51 . 2010-06-10 18:51 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c17b23f-n\msvcr71.dll
2010-06-10 18:51 . 2010-06-10 18:51 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-22495751-n\decora-sse.dll
2010-06-10 18:51 . 2010-06-10 18:51 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-22495751-n\decora-d3d.dll
2010-06-10 18:38 . 2010-06-10 18:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-06-10 16:26 . 2010-06-10 16:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\SoftwareDetectionScripts
2010-06-10 16:25 . 2010-06-10 16:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-06-10 16:25 . 2010-06-10 16:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-06-10 16:25 . 2010-06-10 16:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Epson
2010-06-10 16:25 . 2010-06-10 16:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leader Technologies
2010-06-10 16:17 . 2010-06-10 21:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2010-06-10 16:09 . 2010-06-10 16:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-06-10 16:03 . 2010-06-10 16:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-06-10 16:03 . 2010-06-10 16:03 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-10 06:49 . 2010-06-10 06:49 63488 ----a-w- c:\documents and settings\eris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-10 06:49 . 2010-06-10 06:49 52224 ----a-w- c:\documents and settings\eris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-10 06:49 . 2010-06-10 06:49 117760 ----a-w- c:\documents and settings\eris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-10 06:49 . 2010-06-10 06:49 -------- d-----w- c:\documents and settings\eris\Application Data\SUPERAntiSpyware.com
2010-06-10 06:49 . 2010-06-10 06:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-06-09 23:09 . 2010-06-12 21:20 -------- d-----w- c:\documents and settings\eris\Local Settings\Application Data\NPE
2010-06-09 19:00 . 2010-06-09 19:00 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Mozilla
2010-06-09 18:27 . 2010-06-09 18:27 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\McAfee
2010-06-09 01:15 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 21:45 . 2010-06-08 21:45 -------- d-----w- c:\documents and settings\eris\Application Data\Malwarebytes
2010-06-08 21:45 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-08 21:45 . 2010-06-08 21:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-06-08 21:45 . 2010-06-08 21:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 21:45 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 20:30 . 2010-05-26 20:30 503808 ----a-w- c:\documents and settings\eris\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5702e29d-n\msvcp71.dll
2010-05-26 20:30 . 2010-05-26 20:30 499712 ----a-w- c:\documents and settings\eris\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5702e29d-n\jmc.dll
2010-05-26 20:30 . 2010-05-26 20:30 348160 ----a-w- c:\documents and settings\eris\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5702e29d-n\msvcr71.dll
2010-05-26 20:30 . 2010-05-26 20:30 61440 ----a-w- c:\documents and settings\eris\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3fb2ef9f-n\decora-sse.dll
2010-05-26 20:30 . 2010-05-26 20:30 12800 ----a-w- c:\documents and settings\eris\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3fb2ef9f-n\decora-d3d.dll
2010-05-24 23:56 . 2010-05-24 23:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVS4YOU
2010-05-24 23:55 . 2010-05-25 06:05 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-05-24 23:54 . 2007-02-28 02:36 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-05-24 23:54 . 2007-02-28 02:36 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-05-24 23:54 . 2010-05-25 06:05 -------- d-----w- c:\program files\AVS4YOU
2010-05-24 23:54 . 2007-02-28 02:36 24576 ----a-w- c:\windows\system32\msxml3a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-22 18:59 . 2009-02-24 06:03 -------- d-----w- c:\documents and settings\eris\Application Data\LimeWire
2010-06-22 15:59 . 2009-07-15 05:37 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-06-22 15:06 . 2009-10-05 23:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2010-06-22 15:00 . 2009-02-22 03:11 -------- d-----w- c:\program files\Java
2010-06-22 15:00 . 2009-02-22 03:11 -------- d-----w- c:\program files\Common Files\Java
2010-06-10 07:52 . 2009-10-19 20:42 -------- d-----w- c:\program files\Total Video Converter
2010-06-10 07:51 . 2010-03-15 23:42 -------- d-----w- c:\program files\OJOsoft
2010-06-09 23:09 . 2009-05-22 05:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton
2010-06-05 01:34 . 2009-04-30 21:31 -------- d-----w- c:\documents and settings\eris\Application Data\U3
2010-05-27 19:03 . 2009-07-13 00:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-26 17:54 . 2009-03-02 20:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-05-13 14:53 . 2009-04-20 06:47 -------- d-----w- c:\program files\Safari
2010-05-13 14:53 . 2010-05-13 14:53 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-05-13 14:50 . 2009-02-17 07:09 -------- d-----w- c:\program files\iTunes
2010-05-13 14:50 . 2009-02-17 07:09 -------- d-----w- c:\program files\iPod
2010-05-13 14:44 . 2009-02-17 07:09 -------- d-----w- c:\program files\Bonjour
2010-05-13 14:43 . 2010-05-13 14:43 73000 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:59 . 2010-04-20 05:59 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30 . 2004-08-10 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-06-30 21:44 . 2009-02-22 18:09 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-11 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-03-02 1583808]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-06-10 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\eris\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-06-10 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-06-10 21:18 548352 ----a-w- c:\program files\superantispyware\saswinlo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 6:11 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 6:11 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 6:11 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100617.005\IDSXpx86.sys [6/22/2010 6:44 AM 331640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [6/10/2010 2:18 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\saskutil.sys [6/10/2010 2:18 PM 67656]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 6:10 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 5:35 PM 102448]
S1 SymSMR100;SMR Utility Service;\??\c:\windows\System32\drivers\SymSMR100.SYS --> c:\windows\System32\drivers\SymSMR100.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-05-27 c:\windows\Tasks\Install.job
- c:\windows\system32\Macromed\Shockwave 10\nssstub.exe [2010-03-29 04:04]

2010-03-25 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-02-23 15:26]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\eris\Application Data\Mozilla\Firefox\Profiles\2bazzstx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2415802&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-FPCCSMiddleware - c:\documents and settings\eris\Desktop\FPCCSMiddleware.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 12:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-606747145-1844237615-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,b7,bc,05,ca,19,5d,43,b3,51,ad,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,b7,bc,05,ca,19,5d,43,b3,51,ad,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-22 12:41:27
ComboFix-quarantined-files.txt 2010-06-22 19:41

Pre-Run: 178,598,526,976 bytes free
Post-Run: 182,282,158,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 156366A3F7E7B717F9D2F6053AAD0C42


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:51 AM

Posted 22 June 2010 - 02:56 PM

Could you check to see if you still get redirected? Thanks.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
RegLock::
[HKEY_USERS\S-1-5-21-606747145-1844237615-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:0
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:1
Skipfix::


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

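Farbar's CFScript above reverts four registry values that ComboFix listed in post #13: the three Security Center "DisableMonitoring" flags and the standard-profile "EnableFirewall" flag, all of which leave Windows unable to warn that its own protection is off. As an added example (not code from ComboFix, Farbar or this thread), the following Python script scans ComboFix log text for exactly those entries and emits the matching "Registry::" lines of a CFScript that would restore them. The sample log is constructed from the entries shown in post #13; the regexes, the WEAK_SETTINGS table and the function names are my own assumptions, and the abbreviated "HKLM\~" key form is copied through verbatim, as Farbar's script does.

```python
"""Flag security-weakening registry settings reported by ComboFix.

Added example, not ComboFix's or Farbar's code. It reads the "Reg Loading
Points" style lines of a ComboFix log, reports the Security Center and
firewall-policy values that a malware fix commonly has to revert, and renders
the "Registry::" CFScript section that restores them. Nothing here touches
the live registry; it only produces text for the helper to review.
"""
import re

# (value name, value as ComboFix prints it) -> value a CFScript should write.
# Assumed table, based on the four entries Farbar's script reverts.
WEAK_SETTINGS = {
    ("DisableMonitoring", "dword:00000001"): "dword:0",   # Security Center muted
    ("EnableFirewall", "0 (0x0)"): "dword:1",             # Windows Firewall off
}

KEY_RE = re.compile(r"^\[(.+)\]\s*$")            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')  # "name"=value

# Constructed sample, assembled from the registry lines visible in post #13.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-06-10 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""


def find_weak_settings(log_text):
    """Return [(key, name, value)] for every weak setting found in the log.

    Lines are walked in order; a "[key]" line sets the current key, and each
    following "name"=value line is checked against WEAK_SETTINGS under it.
    """
    findings = []
    current_key = None
    for line in log_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            name, value = value_match.group(1), value_match.group(2)
            if (name, value) in WEAK_SETTINGS:
                findings.append((current_key, name, value))
    return findings


def build_cfscript_registry_section(findings):
    """Render a CFScript 'Registry::' section that restores each finding."""
    lines = ["Registry::"]
    for key, name, value in findings:
        lines.append(f"[{key}]")
        lines.append(f'"{name}"={WEAK_SETTINGS[(name, value)]}')
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_weak_settings(SAMPLE_LOG)
    for key, name, value in hits:
        print(f"weak setting: {name}={value} under {key}")
    print()
    print(build_cfscript_registry_section(hits))
```

On the constructed sample this reports the same four values Farbar's script targets and prints the corresponding "Registry::" block; the "RegLock::" part of his script (the Administrator's denied IE User Preferences key) is deliberately not automated, since deciding whether a locked key is malicious or just Norton's doing needs a human look at the full log.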

#15 mookie2107

mookie2107
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 22 June 2010 - 03:19 PM

Yeah, it's still redirecting me but not as bad; the internet is opening a bit quicker and not lagging as much. It hasn't redirected me to wellaction.com, but I still get pop-ups and google-analytics.com still opens a new tab. Thanks again.

I'll post the log in a bit.



