Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Search/Internet Security Virus


  • This topic is locked This topic is locked
17 replies to this topic

#1 mogeluka

mogeluka

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 04 August 2010 - 10:32 PM

Hi guys.....My brother has an infection on his computer. He has tried to eliminate it himself unsuccessfully. Ihave used the great help from this site before to solve a virus problem and wonder if you guys can help me. Its a Dell Mini computer with windows xp. His gooogle searches dont work properly and he gets unwanted windows that open offering registry cleaners or anitvirus programs. I've followed the process and run the defogger and the dds and have uploaded the the text files. When I run the gmer scan the computer freezes up when I try to save it. I have tried 3 times unsuccessfully.....thanks for any help.....I truly appreiate it.

Anthony


DDS (Ver_10-03-17.01) - NTFSx86
Run by ascalise at 20:18:57.75 on Wed 08/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.467 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Documents and Settings\ascalise\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nytimes.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6090103
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100608180708.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [WLSS] c:\program files\wireless select switch\WLSS.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {2E158837-A2A9-4E54-95E4-9E44399AB65F} = 195.242.208.40
TCP: {52A30C34-8B91-407E-BF7A-ADC0B4EFA635} = 195.242.208.40
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ascalise\applic~1\mozilla\firefox\profiles\2rtddxea.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-1-3 14248]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-14 385880]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-6-8 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-8 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-8 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-8 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-6-8 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-6-8 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-6-8 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-6-8 55456]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-1-3 93968]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-8 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-8 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-6-8 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-18 88480]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-3 30192]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-18 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-8 83496]

=============== Created Last 30 ================

2010-08-05 01:10:21 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-17 16:50:47 0 d-----w- C:\comfix

==================== Find3M ====================

2010-07-31 17:42:39 402 ----a-w- c:\docume~1\ascalise\applic~1\wklnhst.dat
2010-07-20 02:29:11 1183744 ---ha-w- C:\SZKGFS.dat
2010-06-24 22:07:01 52432 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-06-24 22:06:57 68224 ----a-w- c:\windows\system32\drivers\tsk154.tmp
2010-06-24 21:11:35 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-24 01:05:27 68224 ----a-w- c:\windows\system32\drivers\tskFD.tmp
2010-06-18 02:53:43 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

============= FINISH: 20:23:06.03 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 13 August 2010 - 07:16 AM

Hello mogeluka

Welcome to BleepingComputer smile.gif
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 mogeluka

mogeluka
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 14 August 2010 - 12:28 PM

Thanks I will get started and post the results

You guys rock

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 14 August 2010 - 01:36 PM

Ok and thanks smile.gif
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 mogeluka

mogeluka
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 14 August 2010 - 02:18 PM

hey kahdah,

when i run the scan it stops and says: creating restore point do not interrupt

and then freezes.

I tryede it 3 times with the same outcome.....am i doing something wrong?

thanks

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 14 August 2010 - 04:31 PM

Try it like this please:
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 mogeluka

mogeluka
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 16 August 2010 - 12:02 PM

Kahda,

I tried the new method and now it wony even run when I click on run scan....it just freezes. I redownloaded OTL but it still did the same thing. Im not sure whats going wrong

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 16 August 2010 - 06:10 PM

Ok let's just run dds again and post both logs please.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 mogeluka

mogeluka
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 17 August 2010 - 07:29 PM

Ok...it took a few tries but I got it to run. Thanks again for your help. Here are the results:

DDS (Ver_10-03-17.01) - NTFSx86
Run by ascalise at 19:19:53.64 on Tue 08/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.432 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Documents and Settings\ascalise\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nytimes.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6090103
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100608180708.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [WLSS] c:\program files\wireless select switch\WLSS.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {2E158837-A2A9-4E54-95E4-9E44399AB65F} = 195.242.208.40
TCP: {52A30C34-8B91-407E-BF7A-ADC0B4EFA635} = 195.242.208.40
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ascalise\applic~1\mozilla\firefox\profiles\2rtddxea.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-1-3 14248]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-14 385880]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-6-8 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-8 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-8 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-8 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-6-8 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-6-8 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-6-8 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-6-8 55456]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-1-3 93968]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-8 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-8 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-6-8 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-18 88480]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-3 30192]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-18 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-8 83496]

=============== Created Last 30 ================

2010-08-18 00:09:53 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

==================== Find3M ====================

2010-08-09 23:29:14 552 ----a-w- c:\docume~1\ascalise\applic~1\wklnhst.dat
2010-07-20 02:29:11 1327104 ---ha-w- C:\SZKGFS.dat
2010-06-24 22:07:01 52432 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-06-24 22:06:57 68224 ----a-w- c:\windows\system32\drivers\tsk154.tmp
2010-06-24 21:11:35 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-24 01:05:27 68224 ----a-w- c:\windows\system32\drivers\tskFD.tmp

============= FINISH: 19:24:01.79 ===============

Attached Files



#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 18 August 2010 - 06:36 AM

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 mogeluka

mogeluka
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 18 August 2010 - 04:35 PM

Thanks here is the info. Im sorry this is turning out to be so hard. thanks again

ComboFix 10-08-17.04 - ascalise 08/18/2010 16:10:31.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.600 [GMT -5:00]
Running from: c:\documents and settings\ascalise\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.

2010-08-09 03:21 . 2010-08-09 03:21 503808 ----a-w- c:\documents and settings\ascalise\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20e0a87b-n\msvcp71.dll
2010-08-09 03:21 . 2010-08-09 03:21 499712 ----a-w- c:\documents and settings\ascalise\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20e0a87b-n\jmc.dll
2010-08-09 03:21 . 2010-08-09 03:21 348160 ----a-w- c:\documents and settings\ascalise\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20e0a87b-n\msvcr71.dll
2010-08-09 03:21 . 2010-08-09 03:21 61440 ----a-w- c:\documents and settings\ascalise\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-78c42fde-n\decora-sse.dll
2010-08-09 03:21 . 2010-08-09 03:21 12800 ----a-w- c:\documents and settings\ascalise\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-78c42fde-n\decora-d3d.dll
2010-08-08 16:50 . 2010-08-08 16:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\mqfmxxfpd
2010-07-29 04:28 . 2010-07-29 04:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\mnlkqbygb
2010-07-21 19:53 . 2010-07-21 19:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 21:25 . 2010-06-03 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-08-18 21:25 . 2010-08-18 21:11 1072 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-08-18 21:14 . 2010-08-18 21:10 2008 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-08-18 20:51 . 2010-06-15 23:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-09 23:29 . 2009-02-16 22:29 552 ----a-w- c:\documents and settings\ascalise\Application Data\wklnhst.dat
2010-07-20 02:29 . 2010-06-03 02:46 1327104 ---ha-w- C:\SZKGFS.dat
2010-06-24 22:07 . 2010-06-24 01:05 52432 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-06-24 22:06 . 2010-06-24 22:06 68224 ----a-w- c:\windows\system32\drivers\tsk154.tmp
2010-06-24 21:20 . 2010-06-24 21:15 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-06-24 21:19 . 2010-06-24 21:19 -------- d-----w- c:\program files\Microsoft
2010-06-24 21:19 . 2010-06-24 21:18 -------- d-----w- c:\program files\MSN Toolbar
2010-06-24 21:15 . 2009-01-03 15:56 -------- d-----w- c:\program files\Common Files\Java
2010-06-24 21:14 . 2010-06-24 21:14 503808 ----a-w- c:\documents and settings\ascalise\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-35101199-n\msvcp71.dll
2010-06-24 21:14 . 2010-06-24 21:14 499712 ----a-w- c:\documents and settings\ascalise\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-35101199-n\jmc.dll
2010-06-24 21:14 . 2010-06-24 21:14 348160 ----a-w- c:\documents and settings\ascalise\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-35101199-n\msvcr71.dll
2010-06-24 21:14 . 2010-06-24 21:14 61440 ----a-w- c:\documents and settings\ascalise\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1f2b0f1a-n\decora-sse.dll
2010-06-24 21:14 . 2010-06-24 21:14 12800 ----a-w- c:\documents and settings\ascalise\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1f2b0f1a-n\decora-d3d.dll
2010-06-24 21:11 . 2010-06-24 21:13 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-24 21:10 . 2009-01-03 15:56 -------- d-----w- c:\program files\Java
2010-06-24 01:05 . 2010-06-24 01:05 68224 ----a-w- c:\windows\system32\drivers\tskFD.tmp
2010-06-23 03:07 . 2010-06-18 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-18 02:53 . 2010-06-18 02:55 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-15 20:48 . 2010-06-15 20:48 63488 ----a-w- c:\documents and settings\ascalise\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-15 20:48 . 2010-06-15 20:48 52224 ----a-w- c:\documents and settings\ascalise\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-15 20:48 . 2010-06-15 20:48 117760 ----a-w- c:\documents and settings\ascalise\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-03 03:21 . 2010-06-03 03:26 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-04-27 22:16 . 2010-06-08 23:07 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-06-24_23.09.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-18 20:32 . 2010-08-18 21:13 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-09 22:46 . 2010-08-18 21:13 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-09 22:46 . 2010-06-24 22:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-25 20:03 . 2010-08-18 21:13 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-06-09 21:30 . 2010-06-24 22:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-07-28 02:06 . 2009-01-03 15:50 144172 c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-03 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-14 1343488]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-14 137752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
"WLSS"="c:\program files\Wireless Select Switch\WLSS.exe" [2008-09-18 546088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-13 16876032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-03 16:16 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [1/3/2009 10:59 AM 14248]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2/24/2010 3:06 PM 173328]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [6/8/2010 6:06 PM 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/8/2010 6:06 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/8/2010 6:06 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [6/8/2010 6:07 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [6/8/2010 6:06 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [6/8/2010 6:06 PM 55456]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [1/3/2009 12:29 PM 93968]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [6/8/2010 6:06 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/18/2010 9:38 PM 88480]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/3/2009 11:04 AM 30192]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/18/2010 9:38 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [6/8/2010 6:06 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6090103
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {2E158837-A2A9-4E54-95E4-9E44399AB65F} = 195.242.208.40
TCP: {52A30C34-8B91-407E-BF7A-ADC0B4EFA635} = 195.242.208.40
FF - ProfilePath - c:\documents and settings\ascalise\Application Data\Mozilla\Firefox\Profiles\2rtddxea.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-18 16:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(180)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2010-08-18 16:30:19
ComboFix-quarantined-files.txt 2010-08-18 21:30
ComboFix2.txt 2010-06-24 23:17
ComboFix3.txt 2010-06-06 22:05

Pre-Run: 7,085,813,760 bytes free
Post-Run: 7,466,639,360 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - AF50CD73CE3ED2B5345D702D1241A8F4


#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 19 August 2010 - 06:31 AM

You are welcome.
The threat has been removed so it should be almost over.

================================Malwarebytes' Anti-Malware=================================
Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
================================Online scan=================================
* Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#13 mogeluka

mogeluka
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 19 August 2010 - 07:31 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4449

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/19/2010 7:30:07 PM
mbam-log-2010-08-19 (19-30-07).txt

Scan type: Full scan (C:\|)
Objects scanned: 166637
Time elapsed: 42 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP5\A0015170.exe (Rogue.Installer) -> Quarantined and deleted successfully.


#14 mogeluka

mogeluka
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 19 August 2010 - 09:53 PM

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=bb4406456b00b14d9c430478ac13a687
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-20 02:43:26
# local_time=2010-08-19 09:43:26 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777173 100 75 2575851 13115580 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=64448
# found=9
# cleaned=9
# scan_time=6072
C:\Documents and Settings\ascalise\Application Data\Sun\Java\Deployment\cache\6.0\14\8fb968e-102a78c4 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\ascalise\Application Data\Sun\Java\Deployment\cache\6.0\21\2ac5d895-11b0163a multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\ascalise\Application Data\Sun\Java\Deployment\cache\6.0\60\46d2753c-494bfd97 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\15\2ce4f5cf-4948c471 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\575401da-63afb45e Java/TrojanDownloader.Agent.NBJ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\3\4e84bf83-412f4a37 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\75c96a28-7ce9d95f multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\34db286c-4f08b0a4 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\52\70e692f4-3e5bc38c multiple threats (deleted - quarantined) 00000000000000000000000000000000 C


#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 20 August 2010 - 06:07 AM

Great let me know how things are running and run dds once more and post the DDS.txt.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users