Browser Redirect - Firefox and IE


  • This topic is locked
12 replies to this topic

#1 Jake57

  • Members
  • 10 posts

Posted 07 December 2010 - 02:29 PM

Greetings,

For about a week now both my browsers, Firefox and IE, are redirecting me to different pages. I've scanned with Avira AntiVir personal, Malwarebytes, Spybot Search and Destroy, and SuperAntiSpyware Free Edition, and they find nothing wrong. I'm stumped. Can someone help me? Below is my Hijack This log, although I did what I wasn't supposed to do and fixed three things that appeared wrong to me, based on forums. I've already fixed O2 - BHO: AcroIEHelperStub, O2 - BHO: Ask Toolbar BHO, and O3 - Toolbar: FrostWire Toolbar. I've been trying to get rid of Ask and Frostwire anyway. The browsers still redirect. Thank you in advance!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:07 PM, on 12/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lynx Studio Technology\LynxTrayVolume.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\CodeMeter\Runtime\bin\CodeMeterCC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QT Lite\qttask.exe" -atboottime
O4 - S-1-5-21-1004336348-884357618-725345543-1003 Startup: CodeMeter Control Center.lnk = C:\Program Files\CodeMeter\Runtime\bin\CodeMeterCC.exe (User '?')
O4 - Startup: CodeMeter Control Center.lnk = C:\Program Files\CodeMeter\Runtime\bin\CodeMeterCC.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Lynx Tray Volume.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00020000-0000-1011-8005-0000C06B5161} (CmIdentity Client) - https://my.codemeter.com/Download/WibuCmId32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267467033843
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nethope.webex.com/client/T27LB/nbr/ieatgpc.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CodeMeter Runtime Server (CodeMeter.exe) - WIBU-SYSTEMS AG - C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6108 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender: Male
  • Location: Numpty HQ

Posted 07 December 2010 - 03:14 PM

Good evening. :)

Please follow steps 6, 7 and 8 here and post accordingly into this thread.

So long, and thanks for all the fish.


#3 Jake57

  • Topic Starter
  • Members
  • 10 posts

Posted 11 December 2010 - 01:38 PM

Thank you in advance for your help. Below is the requested information. A couple of additional bits of info that may be helpful: 1) I also get redirects on PayPal and eBay to a site that looks authentic but requests all my credit card information, including my PIN number, 2) I have been unable to uninstall an Ask toolbar installed by Frostwire. My son put on Frostwire... I uninstalled it, but can't uninstall the Ask toolbar, 3) I changed my antivirus software to Microsoft Security Essentials, which found a redirect virus called Trojan:JS/Redirector.DB. (Interestingly, Avira AntiVir, Malwarebytes, Spybot S&D, Emsisoft Anti-Malware, and SUPER AntiSpyware failed to detect this.) This seems to have had some positive effect on browser redirect, HOWEVER, there is still an unusually long pause after I hit enter on a search as if something is still trying to redirect but not fully able to, AND I still get redirects for PayPal and eBay.

Thank you again!!!!


DDS (Ver_10-12-05.01) - NTFSx86
Run by Bill Jacobs at 11:11:21.65 on Sat 12/11/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AutorunsDisabled - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRunOnce: [FlashPlayerUpdate] c:\program files\mozilla firefox\plugins\NPSWF32_FlashUtil.exe -p
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
StartupFolder: c:\docume~1\billja~1\startm~1\programs\startup\codeme~1.lnk - c:\program files\codemeter\runtime\bin\CodeMeterCC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lynxtr~1.lnk - c:\program files\lynx studio technology\LynxTrayVolume.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\autorunsdisabled\ati catalyst system tray.lnk.disabled
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: eeaconsultants.com\remote
DPF: {00020000-0000-1011-8005-0000C06B5161} - hxxps://my.codemeter.com/Download/WibuCmId32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267467033843
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://nethope.webex.com/client/T27LB/nbr/ieatgpc.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billja~1\applic~1\mozilla\firefox\profiles\kupq2lo0.default\
FF - prefs.js: browser.search.selectedEngine - Google (SSL)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\openoffice.org 3\program\npsoplugin.dll
FF - plugin: c:\program files\pace anti-piracy\ilok\NPPaceILok.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\billja~1\applic~1\mozilla\firefox\profiles\kupq2lo0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - c:\docume~1\billja~1\applic~1\mozilla\firefox\profiles\kupq2lo0.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\docume~1\billja~1\applic~1\mozilla\firefox\profiles\kupq2lo0.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

============= SERVICES / DRIVERS ===============


=============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-12-11 06:45:15 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{0bbd4a60-d65b-48c8-9dce-5f03a248f1ee}\mpengine.dll
2010-12-09 04:18:07 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-12-08 04:34:15 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-08 04:32:02 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-08 03:59:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-12-08 03:58:57 -------- d-----w- c:\program files\IObit
2010-12-08 03:51:41 -------- d-----w- c:\program files\BHODemon 2
2010-12-07 20:58:05 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-12-07 20:44:26 -------- d-----w- C:\MGtools
2010-12-03 14:46:46 -------- d-----w- c:\docume~1\billja~1\locals~1\applic~1\AskToolbar
2010-12-02 18:32:50 -------- d-----w- c:\program files\Incomplete
2010-12-02 18:31:12 -------- d-----w- c:\program files\Ask.com
2010-11-29 06:11:36 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{64F4671E-7EA5-4C5D-AC85-388429D163BB}
2010-11-28 02:29:25 -------- d-----w- c:\program files\Amazon
2010-11-22 01:40:20 -------- d-sha-r- C:\cmdcons
2010-11-22 01:39:37 98816 ----a-w- c:\windows\sed.exe
2010-11-22 01:39:37 89088 ----a-w- c:\windows\MBR.exe
2010-11-22 01:39:37 256512 ----a-w- c:\windows\PEV.exe
2010-11-22 01:39:37 161792 ----a-w- c:\windows\SWREG.exe
2010-11-22 00:57:57 -------- d-----w- c:\docume~1\billja~1\locals~1\applic~1\Real
2010-11-22 00:57:46 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2010-11-22 00:57:38 -------- d-----w- c:\program files\common files\xing shared
2010-11-22 00:57:33 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2010-11-22 00:57:28 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2010-11-19 04:06:46 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2010-11-19 04:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-11-19 04:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-11-19 04:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-11-19 04:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-11-19 04:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-11-19 04:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-11-19 04:06:45 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2010-11-19 04:06:45 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2010-11-19 04:06:45 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2010-11-19 04:06:45 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2010-11-19 04:06:45 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2010-11-19 03:59:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-19 03:59:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-19 03:59:21 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-19 03:57:28 0 ----a-w- c:\windows\system32\REN115.tmp
2010-11-19 03:57:28 0 ----a-w- c:\windows\system32\REN114.tmp
2010-11-19 03:57:28 0 ----a-w- c:\windows\system32\REN113.tmp

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

============= FINISH: 11:12:25.68 ===============

Attached Files

  • Ark.zip (5.92 KB, 1 download)
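As an added example (not part of the thread or of any tool mentioned in it), a small triage script for HijackThis-style logs like the ones posted above: it flags the shared-CLSID pattern visible in the first log (the Ask Toolbar BHO and the "FrostWire" toolbar register the same CLSID and the same GenericAskToolbar.dll), orphaned "(no file)" registrations, non-default Hosts entries such as the one in the DDS report, and start/search pages pointing outside an allow-list. The allow-list, the O1 rendering of the Hosts entry and the search.example.invalid URL are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hosts an IE start/search page is expected to point at. This allow-list is an
# assumption for the example; adjust it for the environment being triaged.
EXPECTED_HOSTS = {"go.microsoft.com", "www.google.com", "www.bing.com"}

# Registry-style CLSID: {8-4-4-4-12 hex digits}
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample input: O2/O3/R0/R1 lines copied from the HijackThis log
# posted in the thread, the DDS Hosts entry rewritten as a HijackThis O1 line,
# and one constructed hijacked search page (search.example.invalid) so that
# the start-page check has something to flag.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 127.0.0.1 www.spywareinfo.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(TM) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
"""


def parse_plugin_line(line):
    """Split an O2 (BHO) or O3 (Toolbar) line into (kind, name, clsid, path).

    HijackThis separates the fields with " - "; the display name may itself
    contain that separator, so split from the right and keep the remainder
    as the name. Returns None for any other line type.
    """
    if not line.startswith(("O2 - BHO: ", "O3 - Toolbar: ")):
        return None
    parts = line.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    head, clsid, path = parts
    return head[:2], head.split(": ", 1)[1], clsid.strip(), path.strip()


def triage(log_text):
    """Return (severity, tag, detail) findings for a HijackThis-style log."""
    findings = []
    by_clsid = defaultdict(list)  # CLSID -> [(kind, name, path), ...]

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        plugin = parse_plugin_line(line)
        if plugin:
            kind, name, clsid, path = plugin
            if path.lower() == "(no file)":
                # Registration with no backing file: leftover from a removal,
                # or a component the scanner could not resolve. Clean it up.
                findings.append(("low", "orphaned-entry",
                                 f"{kind} {name}: registered but file missing"))
            if CLSID_RE.match(clsid):
                by_clsid[clsid.upper()].append((kind, name, path))
            continue

        if line.startswith(("R0 - ", "R1 - ")):
            key, sep, url = line.partition(" = ")
            host = urlparse(url).hostname if sep else None
            if host and host.lower() not in EXPECTED_HOSTS:
                findings.append(("high", "start-or-search-page",
                                 f"{key.split(',')[-1]} points at {host}"))
            continue

        if line.startswith("O1 - Hosts: "):
            # HijackThis lists only non-default Hosts entries; each one
            # redirects (or blocks) the named site for every browser.
            findings.append(("medium", "hosts-override", line[len("O1 - Hosts: "):]))

    # One CLSID registered under several display names is a common sign of a
    # bundled toolbar that is really another vendor's DLL (Ask/FrostWire here).
    for clsid, entries in by_clsid.items():
        names = sorted({name for _, name, _ in entries})
        if len(names) > 1:
            findings.append(("medium", "shared-clsid",
                             f"{clsid} registered as: {', '.join(names)}"))
    return findings


if __name__ == "__main__":
    for severity, tag, detail in triage(SAMPLE_LOG):
        print(f"[{severity:>6}] {tag:<22} {detail}")
```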


#4 Jake57

  • Topic Starter
  • Members
  • 10 posts

Posted 11 December 2010 - 01:39 PM

My previous post seemed to be missing the attach.txt attachment.

#5 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender: Male
  • Location: Numpty HQ

Posted 11 December 2010 - 02:09 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#6 Jake57

  • Topic Starter
  • Members
  • 10 posts

Posted 11 December 2010 - 04:35 PM

ComboFix 10-12-11.03 - Bill Jacobs 12/11/2010 16:23:44.1.2 - x86
Running from: c:\documents and settings\Bill Jacobs\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.

2010-12-11 06:45 . 2010-11-10 01:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BBD4A60-D65B-48C8-9DCE-5F03A248F1EE}\mpengine.dll
2010-12-09 04:18 . 2010-11-10 01:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-12-08 04:34 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-08 04:32 . 2010-12-08 04:32 -------- d-----w- c:\windows\LastGood
2010-12-08 04:32 . 2010-12-08 04:32 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-08 03:59 . 2010-12-08 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-12-08 03:58 . 2010-12-08 03:58 -------- d-----w- c:\program files\IObit
2010-12-08 03:51 . 2010-12-08 03:53 -------- d-----w- c:\program files\BHODemon 2
2010-12-07 20:58 . 2010-12-11 09:58 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-12-07 20:44 . 2010-12-07 20:45 -------- d-----w- C:\MGtools
2010-12-03 14:46 . 2010-12-04 03:31 -------- d-----w- c:\documents and settings\Bill Jacobs\Local Settings\Application Data\AskToolbar
2010-12-02 18:32 . 2010-12-03 23:01 -------- d-----w- c:\program files\Incomplete
2010-12-02 18:31 . 2010-12-02 18:31 -------- d-----w- c:\program files\Ask.com
2010-11-29 06:11 . 2010-11-29 06:11 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{64F4671E-7EA5-4C5D-AC85-388429D163BB}
2010-11-28 02:29 . 2010-11-28 02:29 -------- d-----w- c:\documents and settings\Bill Jacobs\Application Data\Amazon
2010-11-28 02:29 . 2010-11-28 02:29 -------- d-----w- c:\program files\Amazon
2010-11-22 00:57 . 2010-11-22 00:57 -------- d-----w- c:\documents and settings\Bill Jacobs\Local Settings\Application Data\Real
2010-11-22 00:57 . 2010-11-22 00:57 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2010-11-22 00:57 . 2010-11-22 00:57 -------- d-----w- c:\program files\Common Files\xing shared
2010-11-22 00:57 . 2010-11-22 00:57 151776 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2010-11-22 00:57 . 2010-11-22 00:57 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2010-11-22 00:57 . 2010-11-22 00:57 -------- d-----w- c:\program files\real
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
2010-11-19 04:06 . 2010-11-19 04:06 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
2010-11-19 03:59 . 2010-11-19 03:59 -------- d-----w- c:\program files\Common Files\Java
2010-11-19 03:59 . 2010-11-19 03:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-19 03:59 . 2010-11-19 03:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-19 03:59 . 2010-11-19 03:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-19 03:57 . 2010-11-19 03:57 0 ----a-w- c:\windows\system32\REN115.tmp
2010-11-19 03:57 . 2010-11-19 03:57 0 ----a-w- c:\windows\system32\REN114.tmp
2010-11-19 03:57 . 2010-11-19 03:57 0 ----a-w- c:\windows\system32\REN113.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-07 20:45 . 2010-12-07 20:44 164612 ----a-w- C:\MGlogs.zip
2010-11-29 22:42 . 2009-03-15 17:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2009-03-15 17:33 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 16:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-22 274608]

c:\documents and settings\Bill Jacobs\Start Menu\Programs\Startup\
CodeMeter Control Center.lnk - c:\program files\CodeMeter\Runtime\bin\CodeMeterCC.exe [2007-3-23 4984832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Lynx Tray Volume.lnk - c:\program files\Lynx Studio Technology\LynxTrayVolume.exe [2010-3-24 77824]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-6-2 1622016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
ati catalyst system tray.lnk.disabled [2009-3-15 1851]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=Digi32.dll
"midi2"=diomidi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic Professional 6\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
2010-12-11 07:58 3419528 ----a-w- c:\program files\Emsisoft Anti-Malware\a2guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QT Lite\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QT Lite\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"HydraVisionDesktopManager"=c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QT Lite\QTTask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Magix\\Samplitude_11\\Sam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9818:TCP"= 9818:TCP:*:Disabled:Services
"9819:TCP"= 9819:TCP:*:Disabled:Services
"8821:TCP"= 8821:TCP:*:Disabled:Services
"8822:TCP"= 8822:TCP:*:Disabled:Services
"7514:TCP"= 7514:TCP:*:Disabled:Services
"7515:TCP"= 7515:TCP:*:Disabled:Services
"8744:TCP"= 8744:TCP:*:Disabled:Services
"8745:TCP"= 8745:TCP:*:Disabled:Services
"8610:TCP"= 8610:TCP:*:Disabled:Services
"5055:TCP"= 5055:TCP:*:Disabled:Services
"6424:TCP"= 6424:TCP:*:Disabled:Services
"3962:TCP"= 3962:TCP:*:Disabled:Services
"6149:TCP"= 6149:TCP:*:Disabled:Services
"6150:TCP"= 6150:TCP:*:Disabled:Services
"6886:TCP"= 6886:TCP:Services
"6885:TCP"= 6885:TCP:Services
"8213:TCP"= 8213:TCP:Services
"8214:TCP"= 8214:TCP:Services

R1 ntiomin;ntiomin; [x]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2007-10-31 97808]
R3 MagixASIODrv;MAGIX_ASIO_BoostDriver;c:\magix\Sequoia_V8\mxasio.sys [2002-04-16 4899]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2009-03-24 7808]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-12-09 16384]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-04-13 717296]
S1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [2010-09-05 41928]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [2010-05-05 11776]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2010-12-11 2953808]
S2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [2007-08-23 2007040]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2007-10-31 16400]
S3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2010-09-19 72808]
S3 EMUXMIDI;E-MU Xmidi Driver;c:\windows\system32\DRIVERS\EMUXMIDI.sys [2006-08-19 134912]
S3 iLokDrvr;Usb Driver;c:\windows\system32\DRIVERS\iLokDrvr.sys [2009-05-21 52008]
S3 LynxWDM;LynxWDM;c:\windows\system32\DRIVERS\LynxWDM.sys [2010-03-24 210824]
S3 Powercore;Powercore;c:\windows\system32\DRIVERS\PCore.sys [2008-09-19 74240]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2007-10-24 23288]
S3 Wibukey2;Wibukey2;c:\windows\system32\drivers\wibukey2.sys [2004-09-02 17408]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MPFILTER
*NewlyCreated* - MSMPSVC
*Deregistered* - aflciaod
.
Contents of the 'Scheduled Tasks' folder

2010-12-09 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-04-16 15:47]

2010-12-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

2010-12-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-884357618-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2010-12-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-884357618-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2010-12-11 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-09-29 03:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: eeaconsultants.com\remote
DPF: {00020000-0000-1011-8005-0000C06B5161} - hxxps://my.codemeter.com/Download/WibuCmId32.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Bill Jacobs\Application Data\Mozilla\Firefox\Profiles\kupq2lo0.default\
FF - prefs.js: browser.search.selectedEngine - Google (SSL)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\OpenOffice.org 3\program\npsoplugin.dll
FF - plugin: c:\program files\PACE Anti-Piracy\iLok\NPPaceILok.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Bill Jacobs\Application Data\Mozilla\Firefox\Profiles\kupq2lo0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - c:\documents and settings\Bill Jacobs\Application Data\Mozilla\Firefox\Profiles\kupq2lo0.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\documents and settings\Bill Jacobs\Application Data\Mozilla\Firefox\Profiles\kupq2lo0.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 16:28
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3044)
c:\windows\system32\WININET.dll
c:\program files\Emsisoft Anti-Malware\a2hooks32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-11 16:32:07
ComboFix-quarantined-files.txt 2010-12-11 21:32
ComboFix2.txt 2010-12-05 23:06
ComboFix3.txt 2010-11-22 01:46

Pre-Run: 64,481,107,968 bytes free
Post-Run: 64,471,408,640 bytes free

- - End Of File - - 3F53FDA342260634C0A50F25874BCF22

#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 December 2010 - 05:01 PM

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Also let me know how the PC is behaving now.

So long, and thanks for all the fish.

#8 Jake57

Jake57
  • Topic Starter

  • Members
  • 10 posts

Posted 11 December 2010 - 05:24 PM

When I try to log on to eBay, both Firefox and IE7 take me to a fake eBay page that asks for my credit card PIN number. I can't imagine that they'd ever ask for my PIN number, although the site looks real. I am not being redirected to other fake pages the same way as I was before I installed Microsoft Security Essentials and it detected a redirect virus, HOWEVER, when I do a Google search from either the Firefox or IE7 toolbar I get a blank white screen for several seconds before the search results appear, as if something is still trying to redirect me. Before, the search results came up quickly. As for the fake eBay page, it even says it's secured by Verisign in the status bar. So, it seems like the browsers are trying to redirect, and when trying to go on eBay they are redirecting to a site that asks for my PIN number. I don't know if this is related, but the Ask/Frostwire toolbar will still not uninstall, although I don't see it anymore on the browsers.

#9 Jake57

Jake57
  • Topic Starter

  • Members
  • 10 posts

Posted 11 December 2010 - 05:26 PM

OK, I'll try what you suggested above at 5:01.

#10 Jake57

Jake57
  • Topic Starter

  • Members
  • 10 posts

Posted 11 December 2010 - 07:15 PM

Here are the results of the ESET online scan. It's an old audio plug-in I forgot I had. I can delete it.

C:\Documents and Settings\User1\My Documents\Downloads\Compressed\Refined Audiometrics PLPar EQ VST 2.17\Refined Audiometrics PLPar EQ VST 2.17\keygen.exe a variant of Win32/Keygen.AD application

#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 December 2010 - 02:28 PM

Good evening. :)

Download CKScanner by askey127 from here and save it to your Desktop.

  • Double click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • Please copy and paste the contents of CKFiles.txt into your next reply.

So long, and thanks for all the fish.

#12 Jake57

Jake57
  • Topic Starter

  • Members
  • 10 posts

Posted 15 December 2010 - 02:31 PM

Greetings. It seems like my redirect problems are fixed. Microsoft Security Essentials found a redirect virus or trojan, which helped some, but I was still being redirected to a phishing site on eBay that asked for credit card info, including my PIN number. Then, I read somewhere on Bleeping Computer to try Dr. Web's Cure-It, which found another trojan in the master boot record and fixed it. My browsers are working correctly now - no more redirecting - and I can go back on eBay. Everything seems to be working OK. Thank you for your help! I'll be back if the problem returns.

#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 15 December 2010 - 02:38 PM

Always like a happy ending. As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
