Infected with redirect virus when searching.


  • This topic is locked
9 replies to this topic

#1 allanrockalpha

allanrockalpha

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:00 AM

Posted 25 June 2010 - 11:57 AM

Whenever I'm using Google, whether it is in IE or Firefox, I randomly get redirected to sites that have nothing to do with what I am searching for. It doesn't happen until I click a link after the initial search. There are many different redirects, but the one that sticks out the most is asklots.

Any help would be greatly appreciated.

Thank you

James


DDS (Ver_10-03-17.01) - NTFSx86
Run by Barry Road Manager at 11:22:59.71 on Fri 06/25/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.149 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\BrmfBAgS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\3apps\Catapult\3listen.exe
C:\3apps\Catapult\Sched.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\3apps\Catapult\appipc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Barry Road Manager\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mozilla.com/en-US/firefox/ie.html?utm_id=Q309&utm_source=msn&utm_medium=ppc&utm_campaign=firefox35
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [PROMon.exe] PROMon.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\barryr~1\startm~1\programs\startup\eaglel~1.lnk - c:\3apps\catapult\3listen.exe
StartupFolder: c:\docume~1\barryr~1\startm~1\programs\startup\eagles~1.lnk - c:\3apps\catapult\Sched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192090498055
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {47BB05DF-000C-42D1-890C-AF86D7300E4F} = 151.164.8.201,151.164.1.8
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\barryr~1\applic~1\mozilla\firefox\profiles\7ou5uuvu.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-25 164048]
R1 bbde;bbde;c:\windows\system32\bbde.sys [2010-4-13 75264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-25 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-25 40384]
R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-7-17 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2008-7-17 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2008-7-17 39552]
R3 BrSerWdm;Oce WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2004-11-23 61440]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-25 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-25 40384]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100519.002\NAVENG.Sys [2010-5-21 85552]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100519.002\NavEx15.Sys [2010-5-21 1347504]
S3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]
S4 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]

=============== Created Last 30 ================

2010-06-25 15:31:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-25 15:19:42 686 ----a-w- c:\windows\system32\reimage.rep
2010-06-25 15:17:37 638 ----a-w- c:\windows\system32\reimage.nat
2010-06-25 15:05:54 15272 ----a-w- c:\windows\system32\Native.exe
2010-06-25 15:05:50 0 d-----w- C:\ReimageUndo
2010-06-25 14:56:44 0 d-----w- c:\windows\system32\appmgmt
2010-06-25 14:48:42 318 ----a-w- c:\windows\reimage.ini
2010-06-25 14:48:19 0 d-----w- C:\rei
2010-06-25 14:48:17 0 d-----w- c:\program files\Reimage
2010-06-11 15:33:25 0 d-----w- c:\documents and settings\barry road manager\DoctorWeb
2010-06-02 12:12:14 352513 ----a-w- c:\windows\system32\savapi3.dll
2010-05-27 15:49:47 2388 ----a-w- c:\windows\DCEBOOT.CFG
2010-05-27 15:49:47 10752 ----a-w- c:\windows\DCEBoot.exe

==================== Find3M ====================

2010-06-25 15:19:42 1104896 ----a-w- c:\windows\system32\msxml3.dll
2010-06-25 15:13:19 91824 ----a-w- c:\windows\system32\vmx_fb.dll
2010-06-25 15:13:19 6656 ----a-w- c:\windows\system32\c_is2022.dll
2010-06-25 15:13:19 51200 ----a-w- c:\windows\system32\wmerrenu.dll
2010-06-25 15:13:19 35328 ----a-w- c:\windows\system32\drivers\pcntpci5.sys
2010-06-25 15:13:19 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-06-25 15:13:19 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-25 15:13:19 16688 ----a-w- c:\windows\system32\vmx_mode.dll
2010-06-25 15:13:19 14208 ----a-w- c:\windows\system32\drivers\battc.sys
2010-06-25 15:13:19 13952 ----a-w- c:\windows\system32\drivers\cmbatt.sys
2010-06-25 15:13:19 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2010-06-25 15:06:56 2188928 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-25 15:06:49 2065792 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-05-21 19:01:15 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 16:09:09 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2010-04-16 16:09:08 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-04-16 16:09:07 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-04-16 16:09:07 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2010-04-16 16:09:05 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2010-04-16 16:09:05 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-04-16 16:09:05 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
2010-04-13 05:37:33 75264 ------w- c:\windows\system32\bbde.sys
2010-04-08 19:03:50 2113536 ------w- c:\windows\system32\dllcache\WMVCore.dll

============= FINISH: 11:23:28.75 ===============
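The DDS output above (and the re-run of the same log in post #3) follows a fixed layout: banner lines of `=` signs name each section, service and driver lines read `Rn|Sn name;display;path [date size]`, and the "Created Last 30" lines read `date time size attrs path`. The Python script below is an added example, not something from this thread or from the DDS tool itself. It parses those sections and pulls out the items an analyst checks first when triaging a search-redirect complaint: BHO/toolbar/Run entries whose file is missing ("No File"), Run entries given as a bare file name instead of a full path, the DNS servers recorded in the TCP line, and executables created under system32 within the last 30 days. The section names, field order and sample lines are copied from the log in the first post; the review categories and every function name are assumptions of this example.

```python
"""Parse the sections of a DDS log into records and pull out the fields an
analyst reviews first. Added example for this thread, not DDS code; the
sample text is a handful of lines copied from the first DDS log above."""
import re

SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [PROMon.exe] PROMon.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
TCP: {47BB05DF-000C-42D1-890C-AF86D7300E4F} = 151.164.8.201,151.164.1.8

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-25 164048]
R1 bbde;bbde;c:\windows\system32\bbde.sys [2010-4-13 75264]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]

=============== Created Last 30 ================

2010-06-25 15:05:54 15272 ----a-w- c:\windows\system32\Native.exe
2010-06-25 14:56:44 0 d-----w- c:\windows\system32\appmgmt
2010-05-27 15:49:47 10752 ----a-w- c:\windows\DCEBoot.exe

============= FINISH: 11:23:28.75 ===============
"""

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "R1 name;display;path [yyyy-m-d size]": R = running, S = stopped, digit = start type
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]*);([^;]*);(.+) \[(\S+) (\d+)\]$")
# "yyyy-mm-dd hh:mm:ss size attrs path": attrs start with 'd' for directories
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
RUN_RE = re.compile(r"^([umd]Run): \[([^\]]*)\] (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")


def split_sections(text):
    """Map each '=== Title ===' banner to the non-blank lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_services(lines):
    """Structured records for the SERVICES / DRIVERS section."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            out.append({"running": m.group(1) == "R", "start_type": int(m.group(2)),
                        "name": m.group(3), "display": m.group(4), "path": m.group(5),
                        "date": m.group(6), "size": int(m.group(7))})
    return out


def parse_created(lines):
    """Structured records for the Created Last 30 section."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            out.append({"date": m.group(1), "time": m.group(2), "size": int(m.group(3)),
                        "is_dir": m.group(4).startswith("d"), "path": m.group(5)})
    return out


def triage(text):
    """Return the review items an analyst would pull from a DDS log."""
    sections = split_sections(text)
    report = {"orphans": [], "bare_command_runs": [], "dns_servers": [],
              "recent_system32_executables": [],
              "services": parse_services(sections.get("SERVICES / DRIVERS", []))}
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith(" - No File"):          # CLSID registered, backing file gone
            report["orphans"].append(line)
        m = RUN_RE.match(line)
        if m and ":\\" not in m.group(3) and "%" not in m.group(3):
            report["bare_command_runs"].append(m.group(2))   # resolved via PATH search
        if line.startswith("TCP:") and "=" in line:
            report["dns_servers"] = [ip.strip() for ip in line.split("=", 1)[1].split(",")]
    for entry in parse_created(sections.get("Created Last 30", [])):
        p = entry["path"].lower()
        if not entry["is_dir"] and "\\windows\\system32\\" in p and p.endswith(EXEC_EXT):
            report["recent_system32_executables"].append(entry["path"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Nothing the script flags is a verdict. An orphaned CLSID is usually a leftover from an uninstall, and a Run value given as a bare file name is resolved through the PATH search, so the point of listing it is to confirm which file actually executes; the DNS servers are listed so they can be compared with what the ISP or router is expected to hand out.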










#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:06:00 AM

Posted 30 June 2010 - 01:38 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure, then please do not guess; simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic; I will assist you in this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:

1. Run DDS again and post both DDS.txt and Attach.txt. Do not attach either one, just post them normally.

2. Delete GMER.exe, then follow the instructions below:

Step # 1: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason until it has 100% completed its scan, or attempted scan in case of some error, etc.!

Please post the results from the GMER scan in your reply.

MalWare Removal University Master

Member of ASAP


#3 allanrockalpha

allanrockalpha
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:00 AM

Posted 01 July 2010 - 11:07 AM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Barry Road Manager at 11:06:25.51 on Thu 07/01/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.174 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\3apps\Catapult\3listen.exe
C:\3apps\Catapult\Sched.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\3apps\Catapult\appipc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\BrmfBAgS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Barry Road Manager\Desktop\Stuff\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mozilla.com/en-US/firefox/ie.html?utm_id=Q309&utm_source=msn&utm_medium=ppc&utm_campaign=firefox35
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [PROMon.exe] PROMon.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\barryr~1\startm~1\programs\startup\eaglel~1.lnk - c:\3apps\catapult\3listen.exe
StartupFolder: c:\docume~1\barryr~1\startm~1\programs\startup\eagles~1.lnk - c:\3apps\catapult\Sched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192090498055
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {47BB05DF-000C-42D1-890C-AF86D7300E4F} = 151.164.8.201,151.164.1.8
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\barryr~1\applic~1\mozilla\firefox\profiles\7ou5uuvu.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-25 164048]
R1 bbde;bbde;c:\windows\system32\bbde.sys [2010-4-13 75264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-25 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-25 40384]
R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-25 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-25 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-7-17 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2008-7-17 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2008-7-17 39552]
S3 BrSerWdm;Oce WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2004-11-23 61440]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100519.002\NAVENG.Sys [2010-5-21 85552]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100519.002\NavEx15.Sys [2010-5-21 1347504]
S3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]
S4 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]

=============== Created Last 30 ================

2010-06-30 18:40:19 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-30 18:40:19 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-30 14:51:05 10 ----a-w- c:\documents and settings\barry road manager\brmfc
2010-06-25 15:31:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-25 15:19:42 686 ----a-w- c:\windows\system32\reimage.rep
2010-06-25 15:17:37 638 ----a-w- c:\windows\system32\reimage.nat
2010-06-25 15:05:54 15272 ----a-w- c:\windows\system32\Native.exe
2010-06-25 15:05:50 0 d-----w- C:\ReimageUndo
2010-06-25 14:56:44 0 d-----w- c:\windows\system32\appmgmt
2010-06-25 14:48:42 318 ----a-w- c:\windows\reimage.ini
2010-06-25 14:48:19 0 d-----w- C:\rei
2010-06-25 14:48:17 0 d-----w- c:\program files\Reimage
2010-06-11 15:33:25 0 d-----w- c:\documents and settings\barry road manager\DoctorWeb
2010-06-02 12:12:14 352513 ----a-w- c:\windows\system32\savapi3.dll

==================== Find3M ====================

2010-06-25 15:13:19 91824 ----a-w- c:\windows\system32\vmx_fb.dll
2010-06-25 15:13:19 6656 ----a-w- c:\windows\system32\c_is2022.dll
2010-06-25 15:13:19 51200 ----a-w- c:\windows\system32\wmerrenu.dll
2010-06-25 15:13:19 35328 ----a-w- c:\windows\system32\drivers\pcntpci5.sys
2010-06-25 15:13:19 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-06-25 15:13:19 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-25 15:13:19 16688 ----a-w- c:\windows\system32\vmx_mode.dll
2010-06-25 15:13:19 14208 ----a-w- c:\windows\system32\drivers\battc.sys
2010-06-25 15:13:19 13952 ----a-w- c:\windows\system32\drivers\cmbatt.sys
2010-06-25 15:13:19 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2010-05-27 15:49:50 10752 ----a-w- c:\windows\DCEBoot.exe
2010-05-21 19:01:15 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09:09 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2010-04-16 16:09:08 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-04-16 16:09:07 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-04-16 16:09:07 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2010-04-16 16:09:05 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-16 16:09:05 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2010-04-16 16:09:05 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-04-16 16:09:05 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
2010-04-13 05:37:33 75264 ------w- c:\windows\system32\bbde.sys
2010-04-08 19:03:50 2113536 ------w- c:\windows\system32\dllcache\WMVCore.dll

============= FINISH: 11:06:49.95 ===============




#4 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 01 July 2010 - 01:34 PM

Step # 1: Remove one of your Anti Virus programs.

You are operating your computer with multiple Anti Virus programs running in memory at once:

avast! Free Antivirus

Norton AntiVirus 2003


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove one of them.


If you keep Avast:

Please disable avast! Antivirus as it may interfere with the fixes. Remember to re-enable it back before posting the logs.

* Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
* Right click on this icon again and select Program Settings.
* On the left, click on Troubleshooting.
* Uncheck (untick) this box - Disable avast! self-defense module.
* Click OK to apply the settings

If the above doesn't work, do the following:

Right click on the toolbar icon, then pull down "avast shield control" and click "Disable for 1 hour".


Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.


MalWare Removal University Master

Member of ASAP


#5 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 04 July 2010 - 11:52 AM

allanrockalpha? Do you still need help?



#6 allanrockalpha

  • Topic Starter
  • Members
  • 4 posts

Posted 05 July 2010 - 10:04 AM

Sorry about that, here is the combofix log

ComboFix 10-07-04.04 - Barry Road Manager 07/05/2010 9:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.224 [GMT -5:00]
Running from: c:\documents and settings\Barry Road Manager\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-06-05 to 2010-07-05 )))))))))))))))))))))))))))))))
.

2010-06-30 18:40 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-30 18:40 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-25 15:32 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-25 15:32 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-25 15:32 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-25 15:32 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-25 15:32 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-25 15:32 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-25 15:32 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-25 15:32 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-25 15:32 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-25 15:31 . 2010-06-25 15:31 -------- d-----w- c:\program files\Alwil Software
2010-06-25 15:31 . 2010-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-25 15:16 . 2010-06-25 15:13 91824 ----a-w- c:\windows\system32\vmx_fb.dll
2010-06-25 15:16 . 2010-06-25 15:13 16688 ----a-w- c:\windows\system32\vmx_mode.dll
2010-06-25 15:16 . 2010-06-25 15:13 35328 ----a-w- c:\windows\system32\drivers\pcntpci5.sys
2010-06-25 15:16 . 2010-06-25 15:13 6656 ----a-w- c:\windows\system32\c_is2022.dll
2010-06-25 15:16 . 2010-06-25 15:13 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-06-25 15:16 . 2010-06-25 15:13 14208 ----a-w- c:\windows\system32\drivers\battc.sys
2010-06-25 15:16 . 2010-06-25 15:13 13952 ----a-w- c:\windows\system32\drivers\cmbatt.sys
2010-06-25 15:16 . 2010-06-25 15:13 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2010-06-25 15:05 . 2010-06-25 15:05 15272 ----a-w- c:\windows\system32\Native.exe
2010-06-25 15:05 . 2010-06-25 15:15 -------- d-----w- C:\ReimageUndo
2010-06-25 14:48 . 2010-06-25 15:18 -------- d-----w- C:\rei
2010-06-25 14:48 . 2010-06-25 14:48 -------- d-----w- c:\program files\Reimage
2010-06-11 15:33 . 2010-06-11 15:53 -------- d-----w- c:\documents and settings\Barry Road Manager\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 14:42 . 2010-05-21 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-07-05 14:42 . 2010-05-21 19:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-05 14:42 . 2010-05-21 19:03 -------- d-----w- c:\program files\Norton AntiVirus
2010-06-30 18:45 . 2008-07-17 14:47 34 ----a-w- c:\windows\system32\ODFX3000.DAT
2010-06-25 15:20 . 2008-07-23 15:04 92608 -c--a-w- c:\documents and settings\Barry Road Manager\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 15:19 . 2008-09-06 16:06 -------- d-----w- c:\program files\Google
2010-06-25 15:13 . 2002-09-23 20:30 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-25 15:13 . 1980-01-01 07:00 51200 ----a-w- c:\windows\system32\wmerrenu.dll
2010-06-25 14:59 . 2008-06-06 20:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-25 14:58 . 2010-01-06 15:41 -------- d-----w- c:\program files\DECA System
2010-06-02 12:12 . 2010-06-02 12:12 352513 ----a-w- c:\windows\system32\savapi3.dll
2010-05-27 15:49 . 2010-05-27 15:49 10752 ----a-w- c:\windows\DCEBoot.exe
2010-05-24 21:58 . 2010-05-24 21:58 503808 ----a-w- c:\documents and settings\Barry Road Manager\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25df7ab5-n\msvcp71.dll
2010-05-24 21:58 . 2010-05-24 21:58 499712 ----a-w- c:\documents and settings\Barry Road Manager\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25df7ab5-n\jmc.dll
2010-05-24 21:58 . 2010-05-24 21:58 348160 ----a-w- c:\documents and settings\Barry Road Manager\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25df7ab5-n\msvcr71.dll
2010-05-24 21:58 . 2010-05-24 21:58 61440 ----a-w- c:\documents and settings\Barry Road Manager\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1273c8b3-n\decora-sse.dll
2010-05-24 21:58 . 2010-05-24 21:58 12800 ----a-w- c:\documents and settings\Barry Road Manager\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1273c8b3-n\decora-d3d.dll
2010-05-23 16:17 . 2010-05-21 19:03 -------- d-----w- c:\program files\Symantec
2010-05-21 19:03 . 2010-05-21 19:03 -------- d-----w- c:\documents and settings\Barry Road Manager\Application Data\Symantec
2010-05-21 19:01 . 2010-05-21 19:01 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-21 19:01 . 2010-05-21 19:01 -------- d-----w- c:\program files\Java
2010-05-02 05:22 . 1980-01-01 07:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 1980-01-01 07:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2006-06-23 16:33 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2008-07-23 05:57 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-13 05:37 . 2010-04-13 05:37 75264 ------w- c:\windows\system32\bbde.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-15 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-15 114688]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"PROMon.exe"="PROMon.exe" [2002-04-19 73728]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-13 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\Barry Road Manager\Start Menu\Programs\Startup\
Eagle Listener.lnk - c:\3apps\Catapult\3listen.exe [2008-7-17 565248]
Eagle Scheduler.lnk - c:\3apps\Catapult\Sched.exe [2008-7-17 724992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^Barry Road Manager^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Barry Road Manager\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Barry Road Manager^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Barry Road Manager\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SBService"=2 (0x2)
"PLSRemoteSvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/25/2010 10:32 AM 164048]
R1 bbde;bbde;c:\windows\system32\bbde.sys [4/13/2010 12:37 AM 75264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/25/2010 10:32 AM 19024]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:57 AM 135664]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [7/17/2008 9:47 AM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [7/17/2008 9:47 AM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [7/17/2008 9:47 AM 39552]
S3 BrSerWdm;Oce WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [11/23/2004 6:39 AM 61440]
.
Contents of the 'Scheduled Tasks' folder

2010-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 10:57]

2010-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 10:57]

2010-07-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2800693223-2311378876-846568663-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2800693223-2311378876-846568663-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-07-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2010-05-21 14:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mozilla.com/en-US/firefox/ie.html?utm_id=Q309&utm_source=msn&utm_medium=ppc&utm_campaign=firefox35
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {47BB05DF-000C-42D1-890C-AF86D7300E4F} = 151.164.8.201,151.164.1.8
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Barry Road Manager\Application Data\Mozilla\Firefox\Profiles\7ou5uuvu.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-ccRegVfy - c:\program files\Common Files\Symantec Shared\ccRegVfy.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-05 10:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-05 10:03:21
ComboFix-quarantined-files.txt 2010-07-05 15:03

Pre-Run: 26,448,965,632 bytes free
Post-Run: 26,673,836,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - C7F45947ACD0394E3510194EFDED9A9A


#7 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 05 July 2010 - 01:37 PM

Step # 1: Download and Run GooredFix

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Step # 2: Download and Run HAMeb_Check by noahdfear.

Download HAMeb_check.exe and save it to your Desktop

Run HAMeb_check.exe

Post the contents of the resulting log.



Step # 3 Upload Files

Go to Jotti
Copy the following line into the white textbox:
c:\windows\system32\bbde.sys
Click Submit.
Please post the results of this scan to this thread.


If Jotti is busy, Go to VirusTotal and scan the file(s) there.



Step # 4: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 5 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


In your next post/reply, I need to see the following:

1. GooredFix Log
2. HAMebCheck Log
3. Jotti/Virustotal results
4. MalwareBytes' Log



#8 allanrockalpha

  • Topic Starter
  • Members
  • 4 posts

Posted 07 July 2010 - 10:10 AM

Ok, here we go...



GooredFix Log

GooredFix by jpshortstuff (03.07.10.1)
Log created at 09:50 on 07/07/2010 (Barry Road Manager)
Firefox version 3.6.6 (en-US)

========== GooredScan ==========

(none)

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [15:23 25/06/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [19:01 21/05/2010]

C:\Documents and Settings\Barry Road Manager\Application Data\Mozilla\Firefox\Profiles\7ou5uuvu.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext" [12:38 13/03/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [19:01 21/05/2010]

-=E.O.F=-



HAMebCheck Log

C:\Documents and Settings\Barry Road Manager\Desktop\HAMeb_check.exe
Wed 07/07/2010 at 9:50:25.12

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~



Jotti Results

Said the file was 0 bytes


MalwareBytes' Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4289

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/7/2010 10:05:32 AM
mbam-log-2010-07-07 (10-05-32).txt

Scan type: Quick scan
Objects scanned: 140070
Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Thank you
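As an added example (not part of the thread, and not code from DDS, ComboFix or Jotti), here is a small Python triage script that applies to the posted DDS service lines the same checks km2357 made by eye before asking for bbde.sys to be uploaded: a driver whose description is just its own name, a .sys file sitting in system32\ rather than system32\drivers\, and a logged size that disagrees with what the upload site saw (75264 bytes in the DDS log versus the 0-byte Jotti result, the disagreement the next post follows up on with a Suspect:: entry). The sample lines are copied from the DDS log earlier in the thread; the 0-byte observation is fed in as a constructed dictionary.

```python
"""Triage of DDS / ComboFix 'SERVICES / DRIVERS' lines.

Added example for this thread; it is not part of DDS, ComboFix or any other
tool used here. It parses the 'R1 name;description;path [date size]' lines
both tools print and applies the checks a responder makes by eye, which is
how bbde.sys was singled out above:
  * description identical to the service name (no vendor string)
  * a .sys driver loaded from system32\\ itself, not system32\\drivers\\
  * the size the log recorded disagrees with what a later read of the file saw
    (the log said 75264 bytes, the Jotti upload said 0 bytes)
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One service/driver line from either tool, e.g.
#   R1 bbde;bbde;c:\windows\system32\bbde.sys [2010-4-13 75264]           (DDS)
#   R1 bbde;bbde;c:\windows\system32\bbde.sys [4/13/2010 12:37 AM 75264]  (ComboFix)
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"       # R = running, S = stopped; start type
    r"(?P<name>[^;]+);(?P<desc>[^;]*);"       # service name; display description
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"  # image path [timestamp size]
)


@dataclass
class Entry:
    state: str                 # "R" running or "S" stopped
    start: int                 # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    desc: str
    path: str                  # normalised to lower case
    size: Optional[int]        # byte size as recorded in the log
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a service/driver line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = m["meta"].split()
    size = int(meta[-1]) if meta and meta[-1].isdigit() else None
    return Entry(m["state"], int(m["start"]), m["name"].strip(),
                 m["desc"].strip(), m["path"].strip().lower(), size)


def assess(entry: Entry, observed_sizes: Dict[str, int]) -> Entry:
    """Attach the triage reasons that apply to one entry (weak signals included)."""
    parts = entry.path.split("\\")
    parent = parts[-2] if len(parts) >= 2 else ""
    if entry.desc.lower() == entry.name.lower():
        entry.reasons.append("description is only the service name, no vendor string")
    if entry.path.endswith(".sys") and parent == "system32":
        entry.reasons.append("kernel driver sits in system32\\ itself, not system32\\drivers\\")
    seen = observed_sizes.get(entry.path)
    if seen is not None and entry.size is not None and seen != entry.size:
        entry.reasons.append(f"log recorded {entry.size} bytes but a later read saw {seen}")
    return entry


def triage(lines: List[str], observed_sizes: Dict[str, int]) -> List[Entry]:
    """Parse every service line and return all entries, most suspicious first."""
    observed = {k.lower(): v for k, v in observed_sizes.items()}
    entries = [assess(e, observed) for e in map(parse_line, lines) if e]
    return sorted(entries, key=lambda e: (-len(e.reasons), e.name.lower()))


# Constructed sample: service lines copied from the DDS log posted earlier in
# this thread, plus the 0-byte result the Jotti upload of bbde.sys reported.
SAMPLE_DDS_LINES = [
    r"R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-25 164048]",
    r"R1 bbde;bbde;c:\windows\system32\bbde.sys [2010-4-13 75264]",
    r"R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-25 19024]",
    r"R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-25 40384]",
    r"R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]",
    r"S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]",
    r"S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-7-17 2944]",
    "=============== Created Last 30 ================",   # non-service line, ignored
]
OBSERVED_SIZES = {r"c:\windows\system32\bbde.sys": 0}   # what the upload site saw


if __name__ == "__main__":
    for e in triage(SAMPLE_DDS_LINES, OBSERVED_SIZES):
        if e.reasons:
            print(f"{e.state}{e.start} {e.name} ({e.path})")
            for r in e.reasons:
                print("   -", r)
```

A single weak signal (the avast! drivers also carry no vendor string) is normal; it is the pile-up of signals on one entry that puts it at the top of the list.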

#9 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 07 July 2010 - 01:36 PM

Your version of Adobe Acrobat Reader is out of date. Open up Adobe Reader, click Help, then click Check for Updates. Once Adobe is done checking for updates, have it download and install the update for Adobe Reader 9.3.3.


Step # 1: Run CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    http://www.bleepingcomputer.com/forums/t/327025/infected-with-redirect-virus-when-searching/

    KILLALL::

    Suspect::

    c:\windows\system32\bbde.sys



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Note: This CFScript is for use on allanrockalpha's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please Note:

When ComboFix finishes running, the ComboFix log will open along with a message box; do not be alarmed. ComboFix is capturing a file/files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.


Please let me know if the file was successfully submitted. Thanks.



Step # 2 Download HostsXpert

Download HostsXpert and unzip it to your desktop.

Open HostsXpert that you earlier unzipped on your Desktop.
  • Click "Make Hosts Writable?" upper right corner (if available)
  • Click "Restore Microsoft's Original Hosts File" and then click OK
  • Close HostsXpert

Note: If you used any custom Hosts file (e.g. MVPS Hosts), you will have to put it back manually.



Step # 3: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. The Kaspersky Log
3. A fresh DDS Log taken after Step 3 has been completed.
4. How is your computer doing, any problems?

Edited by km2357, 07 July 2010 - 01:37 PM.



#10 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 11 July 2010 - 11:46 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





