IE redirects when web browsing please halp a technophobe!


  • This topic is locked
33 replies to this topic

#1 heresmook
  • Members
  • 35 posts

Posted 09 December 2010 - 04:38 PM

Hi, I have picked up some kind of virus that has been redirecting my web browser to odd sites (often when I use back/forward on the browser, but not exclusively; sometimes it also does it when I just click a googled link).

I have received lots of help on here from quietman7, who went through a number of attempts to resolve this issue for me, unfortunately to no avail. The thread with the different things we tried is here:

http://www.bleepingcomputer.com/forums/topic364996.html

He explained it looks like a rootkit (no idea?!! lol) that is proving particularly difficult to shift and explained I need to post here and wait for help. I followed the preparation steps and post here the DDS logs for you to check over.

Please bear with me if I'm a bit slow or clueless. I really will try my best, but often the instructions are like a foreign language to me! I apologise in advance!

Thank you in advance for your help - I really am so grateful for any assistance

DDS (Ver_10-12-05.01) - NTFSx86
Run by kyra at 21:20:41.63 on 09/12/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.896.402 [GMT 0:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\kyra\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Groove Folder Synchronization: {6f6d7093-6172-2f50-382f-01d465f36b8f} - c:\windows\system32\RpcRtRemotee.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Sammsoft Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Sammsoft Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [AROReminder]
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\users\kyra\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

============= SERVICES / DRIVERS ===============

R0 35869022;35869022 Boot Guard Driver;c:\windows\system32\drivers\35869022.sys [2010-12-8 37392]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 35869021;35869021;c:\windows\system32\drivers\35869021.sys [2010-12-8 128016]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
R3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\drivers\athru6.sys [2007-7-5 873472]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 21072]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-16 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-12-9 517448]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-17 1343400]

=============== Created Last 30 ================

2010-12-09 14:24:27 -------- dc----w- c:\users\kyra\appdata\local\MigWiz
2010-12-09 13:30:45 -------- d--h--w- C:\$AVG
2010-12-09 12:55:41 -------- d-----w- c:\users\kyra\appdata\roaming\AVG10
2010-12-09 12:53:26 -------- d--h--w- c:\progra~2\Common Files
2010-12-09 12:53:14 -------- d-----w- c:\progra~2\AVG Security Toolbar
2010-12-09 12:52:00 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-09 12:52:00 -------- d-----w- c:\progra~2\AVG10
2010-12-09 12:15:03 -------- d-----w- c:\program files\AVG
2010-12-09 12:11:04 -------- d-----w- c:\progra~2\MFAData
2010-12-09 12:04:54 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-12-09 12:04:54 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-12-09 12:04:54 -------- d-----w- c:\program files\SpywareBlaster
2010-12-08 11:47:57 37392 ----a-w- c:\windows\system32\drivers\35869022.sys
2010-12-08 11:47:57 311312 ----a-w- c:\windows\system32\drivers\3586902.sys
2010-12-08 11:47:57 128016 ----a-w- c:\windows\system32\drivers\35869021.sys
2010-12-08 08:40:31 -------- d-----w- c:\progra~2\Kaspersky Lab
2010-12-08 06:12:44 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{c30bc9df-c12e-42bc-955c-90668fe419fa}\mpengine.dll
2010-12-07 09:45:21 -------- d-----w- c:\program files\ESET
2010-12-05 20:17:20 -------- d-----w- c:\users\kyra\appdata\roaming\Malwarebytes
2010-12-05 20:16:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 20:16:37 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-05 20:16:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 20:16:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 12:37:10 -------- d-----w- c:\users\kyra\appdata\roaming\WhiteSmokeSetup
2010-12-05 12:37:08 -------- d-----w- c:\program files\Quick Web Player
2010-11-29 08:16:55 -------- d-----w- c:\users\kyra\appdata\local\Diagnostics
2010-11-24 05:57:31 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-11-19 15:36:06 691 ----a-w- c:\users\kyra\appdata\roaming\GetValue.vbs
2010-11-19 15:36:06 35 ----a-w- c:\users\kyra\appdata\roaming\SetValue.bat
2010-11-19 15:36:06 2144 ----a-w- c:\windows\system32\tmp.reg
2010-11-19 15:06:15 -------- d-----w- c:\users\kyra\appdata\roaming\Sammsoft
2010-11-19 15:05:39 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-11-19 15:05:14 -------- d-----w- c:\program files\Ask.com
2010-11-19 05:42:29 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2010-11-18 20:47:03 -------- d-----w- c:\users\kyra\appdata\roaming\SUPERAntiSpyware.com
2010-11-18 20:47:03 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-11-18 18:39:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-18 18:39:59 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-11-17 12:26:38 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-11-17 12:19:49 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-11-17 07:44:05 -------- d-----w- c:\windows\system32\Wat
2010-11-17 05:46:13 -------- d-----w- C:\690ecf33f4d3490b5dbe
2010-11-17 05:46:03 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-11-17 05:46:03 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-11-17 05:46:03 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-11-17 05:46:03 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-11-17 05:46:03 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-11-17 05:45:55 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-11-17 05:22:19 4247040 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-11-17 05:22:18 1413632 ----a-w- c:\windows\system32\ole32.dll
2010-11-17 05:22:16 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-11-17 05:22:07 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-11-17 05:22:06 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-11-17 05:20:50 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-11-17 05:15:00 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-11-17 05:15:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-11-17 05:15:00 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-11-16 17:02:11 -------- d-----w- c:\windows\Panther
2010-11-16 16:49:32 -------- d-----w- C:\Windows.old
2010-11-16 13:37:53 -------- d-----w- c:\program files\common files\Macrovision Shared
2010-11-16 13:03:37 -------- d-----w- c:\progra~2\McAfee Security Scan
2010-11-16 13:03:31 -------- d-----w- c:\program files\McAfee Security Scan
2010-11-16 13:03:30 -------- d-----w- c:\users\kyra\appdata\local\Adobe
2010-11-16 12:58:41 -------- d-----w- c:\users\kyra\appdata\roaming\OpenOffice.org
2010-11-16 12:56:08 -------- d-----w- c:\program files\JRE
2010-11-16 12:55:50 -------- d-----w- c:\program files\OpenOffice.org 3
2010-11-16 12:55:01 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-16 12:12:44 -------- d-----w- c:\program files\Wise Registry Cleaner
2010-11-16 11:21:48 -------- d-----w- c:\program files\uTorrentBar
2010-11-16 11:21:46 -------- d-----w- C:\extensions
2010-11-16 11:21:31 -------- d-----w- c:\program files\uTorrent
2010-11-16 11:21:28 -------- d-----w- c:\users\kyra\appdata\roaming\uTorrent
2010-11-16 10:53:37 -------- d-----w- c:\users\kyra\appdata\local\Microsoft Help
2010-11-16 10:52:32 -------- d-----w- c:\windows\system32\3012
2010-11-16 10:22:48 196608 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-11-16 10:21:02 -------- d-----w- c:\users\kyra\appdata\local\Eastman_Kodak_Company
2010-11-16 10:20:49 -------- d-----w- c:\users\kyra\appdata\local\Microsoft Corporation
2010-11-16 10:18:30 -------- d-----w- c:\windows\system32\kodak
2010-11-16 10:17:20 -------- d-----w- c:\program files\Kodak
2010-11-16 10:17:02 -------- d-----w- c:\program files\Bonjour
2010-11-16 10:16:39 -------- d-----w- c:\progra~2\Kodak
2010-11-16 10:15:33 -------- d-----w- c:\users\kyra\appdata\roaming\Temp
2010-11-16 10:15:31 -------- d-----w- c:\users\kyra\appdata\local\Eastman Kodak Company
2010-11-16 10:01:49 -------- d-----w- c:\program files\Canon
2010-11-16 09:44:12 -------- d-----w- c:\users\kyra\appdata\local\Google
2010-11-16 09:44:05 -------- d-sh--w- c:\windows\Installer
2010-11-16 09:33:19 -------- d-----w- c:\windows\system32\wbem\Performance
2010-11-16 09:31:14 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-11-16 09:31:06 132608 ----a-w- c:\windows\system32\cabview.dll
2010-11-16 09:28:49 -------- d-sh--w- C:\Recovery
2010-11-16 09:24:07 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-09 22:20:58 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys

==================== Find3M ====================

2010-11-16 13:33:12 129784 ------w- c:\windows\system32\pxafs.dll
2010-11-16 13:33:12 118520 ------w- c:\windows\system32\pxinsi64.exe
2010-11-16 13:33:12 116472 ------w- c:\windows\system32\pxcpyi64.exe

============= FINISH: 21:22:12.56 ===============

#2 Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 16 December 2010 - 09:54 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 heresmook
  • Topic Starter

  • Members
  • 35 posts

Posted 16 December 2010 - 01:16 PM

Hi, thanks for your help. I was told by another helper on this forum that it looks like I have a rootkit in Java, and despite trying many things (Malwarebytes Anti-Malware, Norman malware, TDSSKiller.exe, ESET) we had no luck removing it. The link to the thread is above.

I keep being redirected from internet searches and also a Java box keeps popping up asking me to allow it to download something.

The GMER scan stopped unexpectedly and gave an error message saying it could not perform the scan - is it something I have done wrong to make this happen?

The new DDS log is below:

DDS (Ver_10-12-12.02) - NTFSx86
Run by kyra at 18:00:43.68 on 16/12/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.896.302 [GMT 0:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\kyra\Desktop\newdds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Groove Folder Synchronization: {6f6d7093-6172-2f50-382f-01d465f36b8f} - c:\windows\system32\RpcRtRemotee.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Sammsoft Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Sammsoft Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [AROReminder]
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\users\kyra\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

============= SERVICES / DRIVERS ===============

R0 35869022;35869022 Boot Guard Driver;c:\windows\system32\drivers\35869022.sys [2010-12-8 37392]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 35869021;35869021;c:\windows\system32\drivers\35869021.sys [2010-12-8 128016]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
R3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\drivers\athru6.sys [2007-7-5 873472]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 21072]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-16 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-12-9 517448]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-17 1343400]

=============== Created Last 30 ================

2010-12-09 14:24:27 -------- dc----w- c:\users\kyra\appdata\local\MigWiz
2010-12-09 13:30:45 -------- d--h--w- C:\$AVG
2010-12-09 12:55:41 -------- d-----w- c:\users\kyra\appdata\roaming\AVG10
2010-12-09 12:53:26 -------- d--h--w- c:\progra~2\Common Files
2010-12-09 12:53:14 -------- d-----w- c:\progra~2\AVG Security Toolbar
2010-12-09 12:52:00 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-09 12:52:00 -------- d-----w- c:\progra~2\AVG10
2010-12-09 12:15:03 -------- d-----w- c:\program files\AVG
2010-12-09 12:11:04 -------- d-----w- c:\progra~2\MFAData
2010-12-09 12:04:54 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-12-09 12:04:54 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-12-09 12:04:54 -------- d-----w- c:\program files\SpywareBlaster
2010-12-08 11:47:57 37392 ----a-w- c:\windows\system32\drivers\35869022.sys
2010-12-08 11:47:57 311312 ----a-w- c:\windows\system32\drivers\3586902.sys
2010-12-08 11:47:57 128016 ----a-w- c:\windows\system32\drivers\35869021.sys
2010-12-08 08:40:31 -------- d-----w- c:\progra~2\Kaspersky Lab
2010-12-08 06:12:44 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{c30bc9df-c12e-42bc-955c-90668fe419fa}\mpengine.dll
2010-12-07 09:45:21 -------- d-----w- c:\program files\ESET
2010-12-05 20:17:20 -------- d-----w- c:\users\kyra\appdata\roaming\Malwarebytes
2010-12-05 20:16:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 20:16:37 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-05 20:16:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 20:16:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 12:37:10 -------- d-----w- c:\users\kyra\appdata\roaming\WhiteSmokeSetup
2010-12-05 12:37:08 -------- d-----w- c:\program files\Quick Web Player
2010-11-29 08:16:55 -------- d-----w- c:\users\kyra\appdata\local\Diagnostics
2010-11-24 05:57:31 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-11-19 15:36:06 691 ----a-w- c:\users\kyra\appdata\roaming\GetValue.vbs
2010-11-19 15:36:06 35 ----a-w- c:\users\kyra\appdata\roaming\SetValue.bat
2010-11-19 15:36:06 2144 ----a-w- c:\windows\system32\tmp.reg
2010-11-19 15:06:15 -------- d-----w- c:\users\kyra\appdata\roaming\Sammsoft
2010-11-19 15:05:39 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-11-19 15:05:14 -------- d-----w- c:\program files\Ask.com
2010-11-19 05:42:29 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2010-11-18 20:47:03 -------- d-----w- c:\users\kyra\appdata\roaming\SUPERAntiSpyware.com
2010-11-18 20:47:03 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-11-18 18:39:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-18 18:39:59 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-11-17 12:26:38 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-11-17 12:19:49 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-11-17 07:44:05 -------- d-----w- c:\windows\system32\Wat
2010-11-17 05:46:13 -------- d-----w- C:\690ecf33f4d3490b5dbe
2010-11-17 05:46:03 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-11-17 05:46:03 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-11-17 05:46:03 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-11-17 05:46:03 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-11-17 05:46:03 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-11-17 05:45:55 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-11-17 05:22:19 4247040 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-11-17 05:22:18 1413632 ----a-w- c:\windows\system32\ole32.dll
2010-11-17 05:22:16 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-11-17 05:22:07 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-11-17 05:22:06 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-11-17 05:20:50 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-11-17 05:15:00 70656 ----a-w- c:\windows\system32\fontsub.dll

==================== Find3M ====================

2010-11-16 13:33:12 129784 ------w- c:\windows\system32\pxafs.dll
2010-11-16 13:33:12 118520 ------w- c:\windows\system32\pxinsi64.exe
2010-11-16 13:33:12 116472 ------w- c:\windows\system32\pxcpyi64.exe
2010-11-16 12:54:51 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-02 04:41:12 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40:36 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39:32 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34:44 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-10-27 04:32:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-20 04:54:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-20 03:00:24 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 02:58:41 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-16 04:41:02 101760 ----a-w- c:\windows\system32\consent.exe
2010-10-16 04:36:10 314368 ----a-w- c:\windows\system32\webio.dll

============= FINISH: 18:02:04.98 ===============

#4 heresmook

heresmook
  • Topic Starter

  • Members
  • 35 posts

Posted 16 December 2010 - 01:28 PM

forgot to add the attachment - apologies!!

Attached File: Attach dds new.txt (4.97KB)

#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 December 2010 - 11:46 AM

Hi heresmook,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

  • Run GMER, uncheck all boxes but let the box next to Sections and C drive remain checked. Click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.
  • Run GMER again, uncheck all boxes but let the box next to Registry and C drive remain checked. Click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.


#6 heresmook

heresmook
  • Topic Starter

  • Members
  • 35 posts

Posted 17 December 2010 - 02:44 PM

Hello Farbar. Thank you for helping me.

The logs you requested are below:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-17 19:37:35
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\kyra\AppData\Local\Temp\pwldqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8288C599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828B0F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 828B89F8 4 Bytes [80, B7, E1, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 828B8CC8 8 Bytes [30, B8, E1, 8D, D0, B8, E1, ...] {XOR [EAX-0x472f721f], BH; LOOPZ 0xffffffffffffff95}
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 828B8D3C 4 Bytes [70, B9, E1, 8D] {JO 0xffffffffffffffbb; LOOPZ 0xffffffffffffff91}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[5972] USER32.dll!CreateWindowExW 76E30E51 5 Bytes JMP 6A58818F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5972] USER32.dll!DialogBoxIndirectParamW 76E54AA7 5 Bytes JMP 6A6AFE70 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5972] USER32.dll!DialogBoxParamW 76E5564A 5 Bytes JMP 6A4A4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5972] USER32.dll!DialogBoxParamA 76E6CF6A 5 Bytes JMP 6A6AFE0D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5972] USER32.dll!DialogBoxIndirectParamA 76E6D29C 5 Bytes JMP 6A6AFED3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5972] USER32.dll!MessageBoxIndirectA 76E7E8C9 5 Bytes JMP 6A6AFDA2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5972] USER32.dll!MessageBoxIndirectW 76E7E9C3 5 Bytes JMP 6A6AFD37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5972] USER32.dll!MessageBoxExA 76E7EA29 5 Bytes JMP 6A6AFCD5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5972] USER32.dll!MessageBoxExW 76E7EA4D 5 Bytes JMP 6A6AFC73 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!CreateDialogParamW 76E29BFF 5 Bytes JMP 6A4DC570 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!EnableWindow 76E2A72E 5 Bytes JMP 6A4DC4EB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!GetAsyncKeyState 76E2C09A 5 Bytes JMP 6A49D6E9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!UnhookWindowsHookEx 76E2CC7B 5 Bytes JMP 6A5983A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!CallNextHookEx 76E2CC8F 5 Bytes JMP 6A579D8C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!CreateWindowExW 76E30E51 5 Bytes JMP 6A58818F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!SetWindowsHookExW 76E3210A 5 Bytes JMP 6A534643 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!GetKeyState 76E34FDA 5 Bytes JMP 6A4DD762 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!IsDialogMessageW 76E36F06 5 Bytes JMP 6A4A4284 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!CreateDialogParamA 76E43E79 5 Bytes JMP 6A6B0A66 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!IsDialogMessage 76E4407A 5 Bytes JMP 6A6B0307 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!CreateDialogIndirectParamA 76E49110 5 Bytes JMP 6A6B0A9D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!CreateDialogIndirectParamW 76E508AD 5 Bytes JMP 6A6B0AD4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!DialogBoxIndirectParamW 76E54AA7 5 Bytes JMP 6A6AFE70 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!EndDialog 76E5555C 5 Bytes JMP 6A4A5AE9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!DialogBoxParamW 76E5564A 5 Bytes JMP 6A4A4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!SetKeyboardState 76E56B52 5 Bytes JMP 6A6B066C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!SendInput 76E57055 5 Bytes JMP 6A6B1230 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!SetCursorPos 76E6C1D8 5 Bytes JMP 6A6B1288 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!DialogBoxParamA 76E6CF6A 5 Bytes JMP 6A6AFE0D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!DialogBoxIndirectParamA 76E6D29C 5 Bytes JMP 6A6AFED3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!MessageBoxIndirectA 76E7E8C9 5 Bytes JMP 6A6AFDA2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!MessageBoxIndirectW 76E7E9C3 5 Bytes JMP 6A6AFD37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!MessageBoxExA 76E7EA29 5 Bytes JMP 6A6AFCD5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!MessageBoxExW 76E7EA4D 5 Bytes JMP 6A6AFC73 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] USER32.dll!keybd_event 76E7EC9B 5 Bytes JMP 6A6B15BB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] SHELL32.dll!SHChangeNotification_Lock + 45BA 756BB440 4 Bytes [11, 36, D4, 72] {ADC [ESI], ESI; AAM 0x72}
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] SHELL32.dll!SHChangeNotification_Lock + 45C2 756BB448 8 Bytes [5F, 35, D4, 72, D0, 73, D3, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] ole32.dll!OleLoadFromStream 765B5BF6 5 Bytes JMP 6A6B01C3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6060] ole32.dll!CoCreateInstance 7660590C 5 Bytes JMP 6A588C7D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


THE SECOND SCAN STATED NO CHANGES WERE FOUND AND THE LOG WAS EMPTY

Thanks

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 December 2010 - 03:50 PM

Thanks for the log.

To run ComboFix we need to uninstall AVG, as it prevents ComboFix from running and removes ComboFix components because it detects them as malware, while that is not the case. As long as AVG is not changing its detection methods, the developer of ComboFix has decided that AVG users cannot run ComboFix. So it is up to the user either to remain infected and keep AVG, or to remove AVG and run ComboFix. You can install AVG again after we are done, or install another antivirus. If you have a free version of AVG, I can recommend a good free antivirus later on.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#8 heresmook

heresmook
  • Topic Starter

  • Members
  • 35 posts

Posted 17 December 2010 - 04:30 PM

Thanks so much for your help. The log from combofix is below:

ComboFix 10-12-16.05 - kyra 17/12/2010 21:14:36.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.896.385 [GMT 0:00]
Running from: c:\users\kyra\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))
.

2010-12-17 21:23 . 2010-12-17 21:23 -------- d-----w- c:\users\kyra\AppData\Local\temp
2010-12-17 21:23 . 2010-12-17 21:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-17 21:10 . 2010-12-17 21:11 -------- d-----w- C:\32788R22FWJFW
2010-12-09 14:24 . 2010-12-09 14:24 -------- dc----w- c:\users\kyra\AppData\Local\MigWiz
2010-12-09 12:55 . 2010-12-09 12:55 -------- d-----w- c:\users\kyra\AppData\Roaming\AVG10
2010-12-09 12:53 . 2010-12-09 12:53 -------- d--h--w- c:\programdata\Common Files
2010-12-09 12:52 . 2010-12-17 21:06 -------- d-----w- c:\programdata\AVG10
2010-12-09 12:15 . 2010-12-09 12:15 -------- d-----w- c:\program files\AVG
2010-12-09 12:11 . 2010-12-17 21:02 -------- d-----w- c:\programdata\MFAData
2010-12-09 12:04 . 2010-12-09 12:04 -------- d-----w- c:\program files\SpywareBlaster
2010-12-09 12:04 . 2010-01-10 19:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-12-09 12:04 . 2010-01-10 19:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-12-08 11:47 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\35869022.sys
2010-12-08 11:47 . 2009-10-09 22:31 311312 ----a-w- c:\windows\system32\drivers\3586902.sys
2010-12-08 11:47 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\35869021.sys
2010-12-08 08:40 . 2010-12-08 20:04 -------- d-----w- c:\programdata\Kaspersky Lab
2010-12-08 06:12 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C30BC9DF-C12E-42BC-955C-90668FE419FA}\mpengine.dll
2010-12-07 09:45 . 2010-12-07 09:45 -------- d-----w- c:\program files\ESET
2010-12-05 20:17 . 2010-12-05 20:17 -------- d-----w- c:\users\kyra\AppData\Roaming\Malwarebytes
2010-12-05 20:16 . 2010-11-30 11:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 20:16 . 2010-12-05 20:16 -------- d-----w- c:\programdata\Malwarebytes
2010-12-05 20:16 . 2010-12-05 20:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 20:16 . 2010-11-30 11:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 12:37 . 2010-12-05 12:37 -------- d-----w- c:\users\kyra\AppData\Roaming\WhiteSmokeSetup
2010-12-05 12:37 . 2010-12-05 12:37 -------- d-----w- c:\program files\Quick Web Player
2010-12-01 17:05 . 2010-12-01 17:14 -------- d-----w- c:\users\harry
2010-11-29 08:16 . 2010-11-29 08:16 -------- d-----w- c:\users\kyra\AppData\Local\Diagnostics
2010-11-24 05:59 . 2010-11-24 05:59 -------- d-----w- c:\program files\Microsoft.NET
2010-11-24 05:57 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-20 17:30 . 2010-11-20 17:30 -------- d-----w- c:\users\kyra\AppData\Roaming\Canon
2010-11-19 15:36 . 2010-11-19 15:36 691 ----a-w- c:\users\kyra\AppData\Roaming\GetValue.vbs
2010-11-19 15:36 . 2010-11-19 15:36 35 ----a-w- c:\users\kyra\AppData\Roaming\SetValue.bat
2010-11-19 15:06 . 2010-11-19 15:06 -------- d-----w- c:\users\kyra\AppData\Roaming\Sammsoft
2010-11-19 15:05 . 2010-11-19 15:05 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-11-19 15:05 . 2010-11-19 15:05 -------- d-----w- c:\program files\Ask.com
2010-11-18 20:47 . 2010-11-18 20:47 -------- d-----w- c:\users\kyra\AppData\Roaming\SUPERAntiSpyware.com
2010-11-18 20:47 . 2010-11-18 20:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-18 18:39 . 2010-11-19 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-18 18:39 . 2010-11-19 15:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-16 13:33 . 2010-11-16 13:33 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-11-16 13:33 . 2010-11-16 13:33 129784 ------w- c:\windows\system32\pxafs.dll
2010-11-16 13:33 . 2010-11-16 13:33 118520 ------w- c:\windows\system32\pxinsi64.exe
2010-11-16 13:33 . 2010-11-16 13:33 116472 ------w- c:\windows\system32\pxcpyi64.exe
2010-11-16 12:54 . 2010-11-16 12:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 10:41 . 2010-11-16 09:24 222080 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F6D7093-6172-2F50-382F-01D465F36B8F}]
2009-07-14 01:16 221184 ----a-w- c:\windows\System32\RpcRtRemotee.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-10-18 12:26 3908192 ----a-w- c:\program files\uTorrentBar\tbuTor.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-28 22:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-10-18 3908192]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-10-18 3908192]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-30 963976]

c:\users\kyra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\users\kyra\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\kyra\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NDISKIO;NDISKIO;c:\users\kyra\AppData\Local\Temp\00000edd.nmc\nse\bin\ndiskio.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-17 1343400]
S0 35869022;35869022 Boot Guard Driver;c:\windows\system32\DRIVERS\35869022.sys [2009-10-22 37392]
S1 35869021;35869021;c:\windows\system32\DRIVERS\35869021.sys [2009-09-25 128016]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2010-09-13 308656]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\DRIVERS\athru6.sys [2007-07-05 873472]

.
Contents of the 'Scheduled Tasks' folder

2010-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 09:44]

2010-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 09:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-AROReminder - (no file)
HKLM-Run-Conime - c:\windows\system32\conime.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-17 21:26:09
ComboFix-quarantined-files.txt 2010-12-17 21:26

Pre-Run: 50,379,378,688 bytes free
Post-Run: 50,345,377,792 bytes free

- - End Of File - - 672EFFFE9A3CD70B458298821A1B4DFB

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 December 2010 - 04:50 PM

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

File::
c:\windows\system32\drivers\35869022.sys
c:\windows\system32\drivers\3586902.sys
c:\windows\system32\drivers\35869021.sys
Driver::
35869022
35869021

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.


#10 heresmook

heresmook
  • Topic Starter

  • Members
  • 35 posts

Posted 18 December 2010 - 04:58 AM

Thank you again. I completed the steps you requested and the ComboFix programme said that the logs needed to be submitted for further analysis and asked me to connect to the internet. I did this, but was then told something prevented this from completing and that the logs had been saved for me to manually submit later.

The log created is posted below:

ComboFix 10-12-17.02 - kyra 18/12/2010 9:41.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.896.503 [GMT 0:00]
Running from: c:\users\kyra\Desktop\ComboFix.exe
Command switches used :: c:\users\kyra\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\3586902.sys"
"c:\windows\system32\drivers\35869021.sys"
"c:\windows\system32\drivers\35869022.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\3586902.sys
c:\windows\system32\drivers\35869021.sys
c:\windows\system32\drivers\35869022.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_35869021
-------\Legacy_35869022
-------\Service_35869021
-------\Service_35869022


((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-18 09:50 . 2010-12-18 09:52 -------- d-----w- c:\users\kyra\AppData\Local\temp
2010-12-09 14:24 . 2010-12-09 14:24 -------- dc----w- c:\users\kyra\AppData\Local\MigWiz
2010-12-09 12:55 . 2010-12-09 12:55 -------- d-----w- c:\users\kyra\AppData\Roaming\AVG10
2010-12-09 12:53 . 2010-12-09 12:53 -------- d--h--w- c:\programdata\Common Files
2010-12-09 12:52 . 2010-12-17 21:06 -------- d-----w- c:\programdata\AVG10
2010-12-09 12:15 . 2010-12-09 12:15 -------- d-----w- c:\program files\AVG
2010-12-09 12:11 . 2010-12-17 21:02 -------- d-----w- c:\programdata\MFAData
2010-12-09 12:04 . 2010-12-09 12:04 -------- d-----w- c:\program files\SpywareBlaster
2010-12-09 12:04 . 2010-01-10 19:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-12-09 12:04 . 2010-01-10 19:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-12-08 08:40 . 2010-12-08 20:04 -------- d-----w- c:\programdata\Kaspersky Lab
2010-12-08 06:12 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C30BC9DF-C12E-42BC-955C-90668FE419FA}\mpengine.dll
2010-12-07 09:45 . 2010-12-07 09:45 -------- d-----w- c:\program files\ESET
2010-12-05 20:17 . 2010-12-05 20:17 -------- d-----w- c:\users\kyra\AppData\Roaming\Malwarebytes
2010-12-05 20:16 . 2010-11-30 11:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 20:16 . 2010-12-05 20:16 -------- d-----w- c:\programdata\Malwarebytes
2010-12-05 20:16 . 2010-12-05 20:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 20:16 . 2010-11-30 11:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 12:37 . 2010-12-05 12:37 -------- d-----w- c:\users\kyra\AppData\Roaming\WhiteSmokeSetup
2010-12-05 12:37 . 2010-12-05 12:37 -------- d-----w- c:\program files\Quick Web Player
2010-12-01 17:05 . 2010-12-01 17:14 -------- d-----w- c:\users\harry
2010-11-29 08:16 . 2010-11-29 08:16 -------- d-----w- c:\users\kyra\AppData\Local\Diagnostics
2010-11-24 05:59 . 2010-11-24 05:59 -------- d-----w- c:\program files\Microsoft.NET
2010-11-24 05:57 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-20 17:30 . 2010-11-20 17:30 -------- d-----w- c:\users\kyra\AppData\Roaming\Canon
2010-11-19 15:36 . 2010-11-19 15:36 691 ----a-w- c:\users\kyra\AppData\Roaming\GetValue.vbs
2010-11-19 15:36 . 2010-11-19 15:36 35 ----a-w- c:\users\kyra\AppData\Roaming\SetValue.bat
2010-11-19 15:06 . 2010-11-19 15:06 -------- d-----w- c:\users\kyra\AppData\Roaming\Sammsoft
2010-11-19 15:05 . 2010-11-19 15:05 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-11-19 15:05 . 2010-11-19 15:05 -------- d-----w- c:\program files\Ask.com
2010-11-18 20:47 . 2010-11-18 20:47 -------- d-----w- c:\users\kyra\AppData\Roaming\SUPERAntiSpyware.com
2010-11-18 20:47 . 2010-11-18 20:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-18 18:39 . 2010-11-19 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-18 18:39 . 2010-11-19 15:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy

#11 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 December 2010 - 06:23 AM

Thanks for the feedback. :thumbup2:

  • I would like to have a close look at the following file. To submit the file:
    • Click on this link: http://www.bleepingcomputer.com/submit-malware.php?channel=4
    • Click Browse... and navigate to this file and highlight it to select:

      C:\QooBox\Quarantine\[4]Submit_Date@Time.zip

      Note: Date and Time are the date and the time the zip file is made. Example: [4]-Submit_2009-02-06@7.06.zip
    • Click Open.
    • Copy the following link (link to this topic) in the appropriate box: http://www.
    • Click Send File.
  • The log is not complete. Please go to start -> Run. Copy and paste the bold line in the run-box and click OK:

    C:\ComboFix.txt

    If a text file opens up, copy and paste the content to your reply.


#12 heresmook

  • Topic Starter
  • Members
  • 35 posts

Posted 18 December 2010 - 06:46 AM

:-) Thanks so much. I have submitted the file you requested successfully and paste below the text file that appeared after entering the bold text into the run box:

ComboFix 10-12-17.02 - kyra 18/12/2010 9:41.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.896.503 [GMT 0:00]
Running from: c:\users\kyra\Desktop\ComboFix.exe
Command switches used :: c:\users\kyra\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\3586902.sys"
"c:\windows\system32\drivers\35869021.sys"
"c:\windows\system32\drivers\35869022.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\3586902.sys
c:\windows\system32\drivers\35869021.sys
c:\windows\system32\drivers\35869022.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_35869021
-------\Legacy_35869022
-------\Service_35869021
-------\Service_35869022


((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-18 09:50 . 2010-12-18 09:52 -------- d-----w- c:\users\kyra\AppData\Local\temp
2010-12-09 14:24 . 2010-12-09 14:24 -------- dc----w- c:\users\kyra\AppData\Local\MigWiz
2010-12-09 12:55 . 2010-12-09 12:55 -------- d-----w- c:\users\kyra\AppData\Roaming\AVG10
2010-12-09 12:53 . 2010-12-09 12:53 -------- d--h--w- c:\programdata\Common Files
2010-12-09 12:52 . 2010-12-17 21:06 -------- d-----w- c:\programdata\AVG10
2010-12-09 12:15 . 2010-12-09 12:15 -------- d-----w- c:\program files\AVG
2010-12-09 12:11 . 2010-12-17 21:02 -------- d-----w- c:\programdata\MFAData
2010-12-09 12:04 . 2010-12-09 12:04 -------- d-----w- c:\program files\SpywareBlaster
2010-12-09 12:04 . 2010-01-10 19:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-12-09 12:04 . 2010-01-10 19:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-12-08 08:40 . 2010-12-08 20:04 -------- d-----w- c:\programdata\Kaspersky Lab
2010-12-08 06:12 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C30BC9DF-C12E-42BC-955C-90668FE419FA}\mpengine.dll
2010-12-07 09:45 . 2010-12-07 09:45 -------- d-----w- c:\program files\ESET
2010-12-05 20:17 . 2010-12-05 20:17 -------- d-----w- c:\users\kyra\AppData\Roaming\Malwarebytes
2010-12-05 20:16 . 2010-11-30 11:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 20:16 . 2010-12-05 20:16 -------- d-----w- c:\programdata\Malwarebytes
2010-12-05 20:16 . 2010-12-05 20:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 20:16 . 2010-11-30 11:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 12:37 . 2010-12-05 12:37 -------- d-----w- c:\users\kyra\AppData\Roaming\WhiteSmokeSetup
2010-12-05 12:37 . 2010-12-05 12:37 -------- d-----w- c:\program files\Quick Web Player
2010-12-01 17:05 . 2010-12-01 17:14 -------- d-----w- c:\users\harry
2010-11-29 08:16 . 2010-11-29 08:16 -------- d-----w- c:\users\kyra\AppData\Local\Diagnostics
2010-11-24 05:59 . 2010-11-24 05:59 -------- d-----w- c:\program files\Microsoft.NET
2010-11-24 05:57 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-20 17:30 . 2010-11-20 17:30 -------- d-----w- c:\users\kyra\AppData\Roaming\Canon
2010-11-19 15:36 . 2010-11-19 15:36 691 ----a-w- c:\users\kyra\AppData\Roaming\GetValue.vbs
2010-11-19 15:36 . 2010-11-19 15:36 35 ----a-w- c:\users\kyra\AppData\Roaming\SetValue.bat
2010-11-19 15:06 . 2010-11-19 15:06 -------- d-----w- c:\users\kyra\AppData\Roaming\Sammsoft
2010-11-19 15:05 . 2010-11-19 15:05 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-11-19 15:05 . 2010-11-19 15:05 -------- d-----w- c:\program files\Ask.com
2010-11-18 20:47 . 2010-11-18 20:47 -------- d-----w- c:\users\kyra\AppData\Roaming\SUPERAntiSpyware.com
2010-11-18 20:47 . 2010-11-18 20:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-18 18:39 . 2010-11-19 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-18 18:39 . 2010-11-19 15:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-16 13:33 . 2010-11-16 13:33 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-11-16 13:33 . 2010-11-16 13:33 129784 ------w- c:\windows\system32\pxafs.dll
2010-11-16 13:33 . 2010-11-16 13:33 118520 ------w- c:\windows\system32\pxinsi64.exe
2010-11-16 13:33 . 2010-11-16 13:33 116472 ------w- c:\windows\system32\pxcpyi64.exe
2010-11-16 12:54 . 2010-11-16 12:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 10:41 . 2010-11-16 09:24 222080 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F6D7093-6172-2F50-382F-01D465F36B8F}]
2009-07-14 01:16 221184 ----a-w- c:\windows\System32\RpcRtRemotee.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-10-18 12:26 3908192 ----a-w- c:\program files\uTorrentBar\tbuTor.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-28 22:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-10-18 3908192]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-10-18 3908192]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-30 963976]

c:\users\kyra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\users\kyra\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\kyra\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NDISKIO;NDISKIO;c:\users\kyra\AppData\Local\Temp\00000edd.nmc\nse\bin\ndiskio.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-17 1343400]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 136176]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2010-09-13 308656]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\DRIVERS\athru6.sys [2007-07-05 873472]

.
Contents of the 'Scheduled Tasks' folder

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 09:44]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 09:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\conhost.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-12-18 09:55:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-18 09:55
ComboFix2.txt 2010-12-17 21:26

Pre-Run: 50,405,871,616 bytes free
Post-Run: 49,996,468,224 bytes free

- - End Of File - - F73B355A9EB59890E3CE5DD61C6E8F8C
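The ComboFix.txt above is the raw material a helper reads by eye: which drivers and services were removed, what appeared on disk in the last month, and which services load from where. The following is an added example, not code from BleepingComputer, ComboFix or Farbar, that parses those three kinds of lines into records and applies a few review heuristics. The sample input is constructed from lines excerpted from the log posted above; the heuristics (numeric-only driver names, scripts dropped under AppData, services whose image lives under a Temp directory) and the reading of `[x]` as "binary not found on disk" are assumptions of this example, and every hit is a review item rather than a verdict: the SASDIFSV entry, for instance, is SUPERAntiSpyware's own driver unpacked to Temp.

```python
"""Parse a ComboFix log (deletions, Files Created, R/S service lines)
and flag entries worth a second look.  Added example for this thread;
the heuristics below are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines excerpted from the ComboFix.txt posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\3586902.sys
c:\windows\system32\drivers\35869021.sys
c:\windows\system32\drivers\35869022.sys

.
((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-05 20:16 . 2010-11-30 11:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-19 15:36 . 2010-11-19 15:36 691 ----a-w- c:\users\kyra\AppData\Roaming\GetValue.vbs
2010-11-19 15:36 . 2010-11-19 15:36 35 ----a-w- c:\users\kyra\AppData\Roaming\SetValue.bat
2010-11-19 15:05 . 2010-11-19 15:05 -------- d-----w- c:\program files\Ask.com

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
R1 SASDIFSV;SASDIFSV;c:\users\kyra\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R3 NDISKIO;NDISKIO;c:\users\kyra\AppData\Local\Temp\00000edd.nmc\nse\bin\ndiskio.sys [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 136176]
"""

# Section banners look like "(((( Other Deletions ))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# "created . modified size attrs path"; directories show dashes as size.
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$")
# "R1 name;display;path [date size]" (R = running, S = stopped, digit = start type).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<info>[^\]]*)\]$")
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
SCRIPT_EXTS = {"vbs", "bat", "cmd", "js", "ps1"}   # assumption: extensions worth flagging


@dataclass
class CreatedEntry:
    created: str
    modified: str
    size: int          # -1 for directories (ComboFix prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    info: str          # assumption: "x" means the binary was not found on disk

    @property
    def file_missing(self) -> bool:
        return self.info == "x"


def parse_combofix(text: str) -> Dict[str, list]:
    """Return deleted paths, Files Created entries and service entries."""
    result: Dict[str, list] = {"deleted": [], "created": [], "services": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = CREATED_RE.match(line)
        if m:
            size = -1 if m["size"].startswith("-") else int(m["size"])
            result["created"].append(CreatedEntry(
                m["created"], m["modified"], size, m["attrs"], m["path"]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            result["services"].append(ServiceEntry(
                m["state"] == "R", int(m["start"]), m["name"],
                m["display"], m["path"], m["info"]))
            continue
        if section == "Other Deletions" and PATH_RE.match(line):
            result["deleted"].append(line)
    return result


def review(parsed: Dict[str, list]) -> List[str]:
    """Apply the example heuristics; each string is a review item, not a verdict."""
    findings: List[str] = []
    for path in parsed["deleted"]:
        stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
        if ext.lower() == "sys" and stem.isdigit():      # e.g. 3586902.sys
            findings.append(f"numeric-named driver removed: {path}")
    for e in parsed["created"]:
        if e.is_dir:
            continue
        ext = e.path.rsplit(".", 1)[-1].lower()
        if ext in SCRIPT_EXTS and "\\appdata\\" in e.path.lower():
            findings.append(f"script dropped under AppData: {e.path}")
    for s in parsed["services"]:
        if "\\temp\\" in s.path.lower():
            state = "missing on disk" if s.file_missing else "present"
            findings.append(f"service {s.name} loads from Temp ({state}): {s.path}")
    return findings


if __name__ == "__main__":
    for item in review(parse_combofix(SAMPLE_LOG)):
        print(item)
```

Run against the sample it lists the three numeric-named drivers ComboFix removed, the two scripts in AppData\Roaming and the two Temp-resident drivers; the Google Update service is not reported. To use it on a real log, read ComboFix.txt into `parse_combofix` in place of `SAMPLE_LOG` and extend `review` with whatever rule you are chasing.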

#13 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 December 2010 - 06:55 AM

Thank you for submitting the file. :thumbup2:

Are you still getting redirected?

#14 heresmook

  • Topic Starter
  • Members
  • 35 posts

Posted 18 December 2010 - 07:05 AM

YES! Oh my goodness! It seems to have stopped. I've tried a few different sites and gone backwards and forwards on the browser buttons and no redirection!

Could I ask what caused it?

And is there anything I can do to protect my machine from now on?

THANK YOU! :thumbsup:

#15 heresmook

  • Topic Starter
  • Members
  • 35 posts

Posted 18 December 2010 - 07:11 AM

I mean NO, it's not being redirected, but YES, it's fixed haha!
