
Google Redirect and Fake Anti-Virus


  • This topic is locked
39 replies to this topic

#1 DeputyStankus
  • Members
  • 19 posts

Posted 19 December 2010 - 02:30 PM

For several weeks, I've had a Google redirect virus. This has been constant. Occasionally, I'll also have fake anti-virus programs launch themselves. I've tried everything I can think of, including programs (Avast, Malwarebytes, Spybot, etc.) and even a system restore. No luck!

Anything you can do will be greatly appreciated. Thank you!



DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by RK at 13:21:57.02 on Sun 12/19/2010
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4062.2296 [GMT -6:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_58be29c0\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
C:\Windows\system32\vfsFPService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\PROGRA~2\PHAROS~1\Core\CTskMstr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\SMINST\BLService.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DigitalPersona\Bin\DPAgent.exe
C:\Program Files (x86)\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\ehome\ehsched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Users\RK\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\RK\Desktop\Defogger.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\RK\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - C:\Program Files (x86)\Search Settings\kb128\SearchSettings.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - C:\Program Files (x86)\DigitalPersona\Bin\DpOtsPluginIe8.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - C:\Program Files (x86)\Search Settings\kb128\SearchSettings.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
mRun: [DpAgent] C:\Program Files (x86)\DigitalPersona\Bin\dpagent.exe
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [<NO NAME>]
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac3.app.byu.edu/auth/taweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli DPPWDFLT
BHO-X64: DigitalPersona Personal Extension: {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files\DigitalPersona\Bin\DpOtsPluginIe8.dll
BHO-X64: DigitalPersona Personal Extension - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
mRun-x64: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\RKIMLI~1\AppData\Roaming\Mozilla\Firefox\Profiles\op2ac7yo.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: C:\Program Files (x86)\DigitalPersona\Bin\firefoxext\components\dpffcli.dll
FF - component: C:\Program Files (x86)\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\RK\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Users\RK\AppData\Roaming\Mozilla\Firefox\Profiles\op2ac7yo.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: C:\Users\RK\AppData\Roaming\Mozilla\Firefox\Profiles\op2ac7yo.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: C:\Users\RK\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\RK\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - C:\Program Files (x86)\DigitalPersona\Bin\FirefoxExt
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - C:\Program Files (x86)\Google\Google Gears\Firefox
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - C:\Program Files (x86)\DigitalPersona\Bin\firefoxext
FF - Ext: XULRunner: {4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7} - C:\Users\RK\AppData\Local\{4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-9-29 121936]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/07/20 02:44:08];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-28 146928]
R2 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2010-10-31 401920]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-9-29 20048]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-9-29 61008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-29 40384]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2008-3-18 30520]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-2-6 365952]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-8-19 1153368]
R2 SeagateDashboardService;Seagate Dashboard Service;C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2010-7-6 14088]
R2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-26 296320]
R2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-26 116096]
R2 vfsFPService;Validity Fingerprint Service;C:\Windows\System32\vfsFPService.exe [2008-11-18 721712]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-29 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-29 40384]
R3 AVerBDA6x_x64;AVerMedia SAA716x BDA Service;C:\Windows\System32\drivers\AVerBDA716x_x64.sys [2009-7-20 1317888]
R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2008-9-4 64000]
R3 EuDisk;EASEUS Disk Enumerator;C:\Windows\System32\drivers\EuDisk.sys [2010-11-28 137608]
R3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2008-10-23 128352]
R3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw5v64.sys [2009-10-2 6816256]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2009-8-21 84512]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-3-4 135664]
S2 Norton Internet Security;Norton Internet Security;"C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-2-6 227896]
S3 EUDSKACS;EUDSKACS;C:\Windows\SysWOW64\drivers\eudskacs.sys [2010-11-28 17800]
S3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
S3 iscFlash;iscFlash;C:\SWSetup\sp46073\iscflashx64.sys [2009-6-16 25592]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw3v64.sys [2008-1-20 3154432]
S3 OracleIRMServiceHost;Oracle IRM Desktop Service Host;C:\Program Files (x86)\Oracle\Information Rights Management\OracleIRMServiceHost.exe [2010-2-2 268608]
S3 pbfilter;pbfilter;C:\Users\RK\Desktop\Detritus\PeerBlock_r181__x64_Release_(Vista)\pbfilter.sys [2009-9-28 19544]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2006-11-2 273408]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-2-15 89920]

=============== File Associations ===============

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-12-17 20:16:52 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{4D7BC642-A4C9-456F-BAA3-762EC8B384EF}\mpengine.dll
2010-12-17 20:12:18 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-12-17 20:12:18 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-12-17 20:11:53 855040 ----a-w- C:\Windows\System32\schedsvc.dll
2010-12-17 20:11:52 655872 ----a-w- C:\Windows\System32\taskschd.dll
2010-12-17 20:11:52 500224 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-12-17 20:11:52 352768 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-12-17 20:11:50 410112 ----a-w- C:\Windows\System32\taskcomp.dll
2010-12-17 20:11:50 267776 ----a-w- C:\Windows\System32\taskeng.exe
2010-12-17 20:11:50 171520 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-12-17 20:11:49 270336 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-12-12 19:13:05 -------- d-----w- C:\Users\RKIMLI~1\AppData\Local\{796876E6-B763-48CF-9A9D-6A5CBE55981F}
2010-12-12 18:59:00 -------- d-----w- C:\Users\RKIMLI~1\AppData\Local\Windows Live
2010-12-12 02:48:16 -------- d-----w- C:\Users\RKIMLI~1\AppData\Local\SCE
2010-12-11 15:43:33 -------- d-----w- C:\PC Tools Spyware Doctor Enterprise
2010-12-11 01:17:06 -------- d-----w- C:\PROGRA~3\Hitman Pro
2010-12-01 15:11:46 -------- d-----w- C:\Program Files (x86)\DVDFAST
2010-11-30 00:32:21 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-30 00:32:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-11-29 23:29:33 0 ----a-w- C:\Users\RKIMLI~1\AppData\Local\Pvijeyiqamab.bin
2010-11-29 23:29:30 -------- d-----w- C:\Users\RKIMLI~1\AppData\Local\{4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7}
2010-11-28 20:38:46 26504 ----a-w- C:\Windows\SysWow64\drivers\eufs.sys
2010-11-28 20:37:49 17800 ----a-w- C:\Windows\SysWow64\drivers\eudskacs.sys
2010-11-28 20:37:48 30600 ----a-w- C:\Windows\SysWow64\drivers\eubakup.sys
2010-11-28 20:37:47 137608 ----a-w- C:\Windows\System32\drivers\EuDisk.sys
2010-11-28 20:37:32 -------- d-----w- C:\Program Files (x86)\EASEUS
2010-11-28 20:33:05 -------- d-----w- C:\Users\RKIMLI~1\AppData\Roaming\Seagate
2010-11-28 20:32:22 -------- d-----w- C:\Program Files (x86)\Seagate
2010-11-27 16:12:17 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2010-11-27 16:12:17 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll

==================== Find3M ====================

2010-11-30 00:42:06 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-11-02 06:27:41 1147904 ----a-w- C:\Windows\System32\wininet.dll
2010-11-02 06:24:01 56832 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-02 06:23:47 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
2010-11-02 06:23:35 77312 ----a-w- C:\Windows\System32\iesetup.dll
2010-11-02 06:23:35 132096 ----a-w- C:\Windows\System32\iesysprep.dll
2010-11-02 06:01:54 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2010-11-02 05:25:33 479232 ----a-w- C:\Windows\System32\html.iec
2010-11-02 05:01:31 385024 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-02 04:45:37 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
2010-11-02 04:44:24 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-02 04:26:10 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-10-28 16:29:18 48128 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-28 15:44:56 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-28 14:05:21 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-28 13:27:47 292352 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-10-28 03:12:09 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2010-10-19 16:41:44 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-18 15:35:48 87552 ----a-w- C:\Windows\System32\consent.exe
2010-10-18 15:25:36 2753536 ----a-w- C:\Windows\System32\win32k.sys

============= FINISH: 13:23:25.37 ===============

Edited by DeputyStankus, 20 December 2010 - 11:07 AM.
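As an added example (not part of this thread, and not DDS's or BleepingComputer's own tooling), here is a small Python triage pass over lines in the formats DDS prints in its "Pseudo HJT Report" and "SERVICES / DRIVERS" sections. The sample input is constructed for the example in the same line shapes as the log above; the function and rule names (triage, count_by_rule, orphaned-hook and so on) are this example's own, and the rules are illustrative heuristics of the kind a helper checks first, not anything DDS itself computes: a hook entry that still references a file that is gone ("No File"), a Run value with no name, a hosts-file override, a service whose image file DDS could not stat ("[?]"), and a Firefox extension registered from AppData\Local instead of the profile or an install directory.

```python
"""Triage helper for a few DDS log line formats.

Added example: not part of the forum thread and not DDS's own logic.
It parses lines in the shapes DDS prints in its 'Pseudo HJT Report' and
'SERVICES / DRIVERS' sections and reports entries a helper would look at
first. A finding is a prompt to check something, not a malware verdict.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample input, constructed for this example in the same format as the
# DDS log posted above (a mix of ordinary and noteworthy lines).
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
mRun: [<NO NAME>]
Hosts: 127.0.0.1 www.spywareinfo.com
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2008-3-18 30520]
S2 Norton Internet Security;Norton Internet Security;"C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" --> C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: XULRunner: {4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7} - C:\Users\RK\AppData\Local\{4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7}
"""

HOOK_KINDS = {"BHO", "TB", "EB"}  # browser helper objects, toolbars, explorer bars
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<key>[mu]Run(?:-x64)?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*) \[(?P<meta>[^\]]*)\]$")
FFEXT_RE = re.compile(r"^FF - Ext: (?P<name>[^:]*): (?P<id>\S+) - (?P<path>.*)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id (names are this example's own)
    detail: str  # what to look at and why
    line: str    # the DDS line that triggered the rule


def _hook_orphan(line: str) -> Finding | None:
    """BHO/TB/EB lines (32- or 64-bit) whose target DDS reports as 'No File'."""
    kind, sep, rest = line.partition(": ")
    if not sep or kind.split("-")[0] not in HOOK_KINDS or not rest.endswith(" - No File"):
        return None
    m = CLSID_RE.search(rest)
    ident = m.group(0) if m else rest[: -len(" - No File")]
    return Finding("orphaned-hook", f"{kind} entry {ident} points at a file that no longer exists", line)


def triage(dds_text: str) -> list[Finding]:
    """Run the illustrative rules over every line and return findings in log order."""
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (f := _hook_orphan(line)) is not None:
            findings.append(f)
        elif (m := RUN_RE.match(line)):
            if m["name"] == "<NO NAME>" or not m["cmd"].strip():
                findings.append(Finding("unnamed-run", f"{m['key']} has a Run value with no name or no command; inspect the registry value by hand", line))
        elif (m := HOSTS_RE.match(line)):
            note = " (loopback: the site is effectively unreachable)" if m["ip"] in LOOPBACK else ""
            findings.append(Finding("hosts-override", f"hosts file forces {m['host']} to {m['ip']}{note}; confirm it is intended", line))
        elif (m := SVC_RE.match(line)):
            if m["meta"].strip() == "?":
                findings.append(Finding("service-unverified", f"service '{m['name']}' ({m['state']}) has no timestamp/size; DDS could not stat its image file", line))
        elif (m := FFEXT_RE.match(line)):
            if "\\appdata\\local\\" in m["path"].lower():
                findings.append(Finding("ffext-odd-location", f"Firefox extension '{m['name']}' is registered from {m['path']} rather than the profile or an install directory", line))
    return findings


def count_by_rule(findings: list[Finding]) -> dict[str, int]:
    """Summary of how many lines each rule flagged."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
    print(count_by_rule(triage(SAMPLE_DDS)))
```

Each finding is a prompt to look at the entry, not a verdict: orphaned hooks are usually leftovers from an uninstall, and the hosts rule only says what the override does. In this thread, the XULRunner entry under C:\Users\RK\AppData\Local\{4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7} is the kind of item such a rule surfaces, and the ComboFix log later in the thread lists that directory under "Other Deletions", which is the cross-check a helper otherwise does by eye.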



#2 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 December 2010 - 09:09 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 DeputyStankus
  • Topic Starter
  • Members
  • 19 posts

Posted 29 December 2010 - 09:37 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:



I'm definitely still here, and I am SO glad to hear from you. I have run Spybot S&D since I posted this, and I have installed a video game. Should I generate new logs, or can we move forward as is?

Thank you so much!

#4 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 December 2010 - 09:40 PM

No, we're okay with what we have. Let's look for a rootkit here.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    (screenshot)
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#5 DeputyStankus
  • Topic Starter
  • Members
  • 19 posts

Posted 29 December 2010 - 10:59 PM

Thanks for the quick response! Here is the GMER info:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-29 21:54:09
Windows 6.0.6002 Service Pack 2
Running: ogeyjgyx.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00247ea09ea2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00247ea09ea2@0022a5b7efdf 0xDF 0x72 0x60 0x39 ...
Reg HKLM\SYSTEM\ControlSet011\Services\BTHPORT\Parameters\Keys\00247ea09ea2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\BTHPORT\Parameters\Keys\00247ea09ea2@0022a5b7efdf 0xDF 0x72 0x60 0x39 ...

---- EOF - GMER 1.0.15 ----

#6 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 December 2010 - 06:09 AM

Gmer hasn't marked anything either.

Too many symptoms to dismiss this one. Please run ComboFix.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 DeputyStankus
  • Topic Starter
  • Members
  • 19 posts

Posted 30 December 2010 - 11:02 AM

I wasn't sure if you wanted me to paste or attach the log. Here is a paste. Let me know if I need to attach. Thanks!

ComboFix 10-12-29.02 - RK 12/30/2010 8:16:11.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4062.2569 [GMT -6:00]
Running from: C:\Users\RK\Desktop\comfix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files (x86)\Search Settings
C:\Program Files (x86)\Search Settings\kb128\SeARchsettings.dll
C:\Program Files (x86)\Search Settings\kb128\SearchSettingsRes409.dll
C:\Program Files (x86)\Search Settings\SearchSettings.exe
C:\Users\RK\AppData\Local\{4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7}
C:\Users\RK\AppData\Local\{4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7}\chrome.manifest
C:\Users\RK\AppData\Local\{4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7}\chrome\content\_cfg.js
C:\Users\RK\AppData\Local\{4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7}\chrome\content\overlay.xul
C:\Users\RK\AppData\Local\{4BB1F3CB-B6EA-422D-94DE-47DFEB85A6A7}\install.rdf
C:\Users\RK\AppData\Roaming\Adobe\AdobeUpdate .exe
C:\Users\RK\AppData\Roaming\Adobe\plugs
C:\Users\RK\g2mdlhlpx.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-30 )))))))))))))))))))))))))))))))
.

2010-12-30 14:48:02 . 2010-12-30 14:58:01 -------- d-----w- C:\Users\RK\AppData\Local\temp
2010-12-30 14:48:02 . 2010-12-30 14:48:02 -------- d-----w- C:\Users\Default\AppData\Local\temp
2010-12-30 02:20:03 . 2010-11-16 18:01:20 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{45FF0D6E-044A-4A38-A24F-BF9D2B861E6F}\mpengine.dll
2010-12-27 01:13:34 . 2010-12-27 01:14:24 -------- d-----w- C:\Windows\C6359569E03E4CDC98E8CDD080C6EEB5.TMP
2010-12-26 18:54:40 . 2010-12-27 01:14:36 -------- d-----w- C:\Program Files (x86)\LeapFrog
2010-12-26 18:54:40 . 2010-12-26 19:46:43 -------- d-----w- C:\ProgramData\Leapfrog
2010-12-25 17:49:43 . 2002-01-21 04:33:28 131072 ----a-w- C:\Windows\system\SP5X_32.DLL
2010-12-25 17:49:42 . 2010-12-25 17:49:43 -------- d-----w- C:\Program Files (x86)\Webcam Driver
2010-12-25 17:49:42 . 2002-08-01 08:40:02 16384 ----a-w- C:\Windows\SysWow64\Dext1528.ax
2010-12-17 22:45:54 . 2010-06-02 10:55:30 74072 ----a-w- C:\Windows\SysWow64\XAPOFX1_5.dll
2010-12-17 22:45:54 . 2010-06-02 10:55:30 527192 ----a-w- C:\Windows\SysWow64\XAudio2_7.dll
2010-12-17 22:45:53 . 2010-06-02 10:55:30 239960 ----a-w- C:\Windows\SysWow64\xactengine3_7.dll
2010-12-17 22:45:52 . 2010-05-26 17:41:02 248672 ----a-w- C:\Windows\SysWow64\d3dx11_43.dll
2010-12-17 22:45:52 . 2010-05-26 17:41:02 2106216 ----a-w- C:\Windows\SysWow64\D3DCompiler_43.dll
2010-12-17 22:45:52 . 2010-05-26 17:41:02 1868128 ----a-w- C:\Windows\SysWow64\d3dcsx_43.dll
2010-12-17 22:45:51 . 2010-05-26 17:41:02 470880 ----a-w- C:\Windows\SysWow64\d3dx10_43.dll
2010-12-17 22:45:50 . 2010-05-26 17:41:02 1998168 ----a-w- C:\Windows\SysWow64\D3DX9_43.dll
2010-12-17 22:45:50 . 2010-02-04 16:01:14 74072 ----a-w- C:\Windows\SysWow64\XAPOFX1_4.dll
2010-12-17 22:45:50 . 2010-02-04 16:01:14 528216 ----a-w- C:\Windows\SysWow64\XAudio2_6.dll
2010-12-17 22:45:49 . 2010-02-04 16:01:14 238936 ----a-w- C:\Windows\SysWow64\xactengine3_6.dll
2010-12-17 22:45:48 . 2010-02-04 16:01:14 22360 ----a-w- C:\Windows\SysWow64\X3DAudio1_7.dll
2010-12-17 20:12:18 . 2010-10-28 13:20:12 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-12-17 20:11:52 . 2010-11-04 18:55:38 352768 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-12-17 20:11:50 . 2010-11-04 16:34:06 171520 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-12-17 20:11:49 . 2010-11-04 18:55:38 270336 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-12-12 19:13:05 . 2010-12-12 19:13:22 -------- d-----w- C:\Users\RK\AppData\Local\{796876E6-B763-48CF-9A9D-6A5CBE55981F}
2010-12-12 18:59:00 . 2010-12-12 19:11:27 -------- d-----w- C:\Users\RK\AppData\Local\Windows Live
2010-12-12 02:48:16 . 2010-12-12 02:48:16 -------- d-----w- C:\Users\RK\AppData\Local\SCE
2010-12-12 02:47:55 . 2010-12-12 02:47:55 -------- d-----w- C:\Users\Public\Sony Online Entertainment
2010-12-11 15:43:33 . 2010-12-11 15:43:44 -------- d-----w- C:\PC Tools Spyware Doctor Enterprise
2010-12-11 01:17:06 . 2010-12-11 01:17:06 -------- d-----w- C:\ProgramData\Hitman Pro
2010-12-01 15:11:46 . 2010-12-01 15:11:46 -------- d-----w- C:\Program Files (x86)\DVDFAST

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 00:09:00 . 2010-11-30 00:32:21 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-29 23:29:33 . 2010-11-29 23:29:33 0 ----a-w- C:\Users\RK\AppData\Local\Pvijeyiqamab.bin
2010-10-28 03:11:20 . 2010-10-28 03:11:20 53248 ----a-r- C:\Users\RK\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ----a-w- C:\Users\RK\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ----a-w- C:\Users\RK\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ----a-w- C:\Users\RK\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"avast5"="C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
"DpAgent"="C:\Program Files (x86)\DigitalPersona\Bin\dpagent.exe"

R2 Ca1528av;SPCA1528 Video Camera Service;C:\Windows\system32\Drivers\Ca1528av.sys [2008-12-18 04:46:12 533760]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 17:16:28 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 18:27:14 138576]
R2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-03-05 01:36:57 135664]
R2 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 Bulk1528;SPCA1528 Still Camera Service;C:\Windows\system32\Drivers\Bulk1528.sys [2008-06-29 05:43:02 14848]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 14:57:38 227896]
R3 EUDSKACS;EUDSKACS;C:\Windows\sysWow64\drivers\eudskacs.sys [2009-12-02 19:20:58 17800]
R3 iscFlash;iscFlash;C:\SwSetup\sp46073\iscflashx64.sys [2009-06-16 19:05:16 25592]
R3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw3v64.sys [2008-01-21 02:46:57 3154432]
R3 OracleIRMServiceHost;Oracle IRM Desktop Service Host;C:\Program Files (x86)\Oracle\Information Rights Management\OracleIRMServiceHost.exe [2010-02-03 04:23:10 268608]
R3 pbfilter;pbfilter;C:\Users\RK\Desktop\Detritus\PeerBlock_r181__x64_Release_(Vista)\pbfilter.sys [2009-11-12 15:39:47 19544]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 18:27:14 1020768]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys [2006-10-04 01:45:36 273408]
S0 EUBAKUP;EUBAKUP;C:\Windows\sysWow64\drivers\eubakup.sys [2009-12-02 19:20:56 30600]
S0 EUFS;EUFS;C:\Windows\sysWow64\drivers\eufs.sys [2009-12-02 19:21:00 26504]
S1 aswSP;aswSP; [x]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/07/20 02:44:08];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-29 01:04:24 146928]
S2 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 18:31:44 401920]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;C:\Windows\system32\drivers\aswMonFlt.sys [2010-09-07 14:47:33 61008]
S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe [2010-07-16 19:03:58 30520]
S2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2008-12-18 00:11:40 365952]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 21:31:10 1153368]
S2 SeagateDashboardService;Seagate Dashboard Service;C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2010-07-06 19:32:04 14088]
S2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-27 00:13:08 296320]
S2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-27 00:13:08 116096]
S2 vfsFPService;Validity Fingerprint Service;C:\Windows\system32\vfsFPService.exe [2008-11-18 13:09:46 721712]
S3 AVerBDA6x_x64;AVerMedia SAA716x BDA Service;C:\Windows\system32\DRIVERS\AVerBDA716x_x64.sys [2008-12-03 02:22:54 1317888]
S3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys [2008-09-04 17:48:00 64000]
S3 EuDisk;EASEUS Disk Enumerator;C:\Windows\system32\DRIVERS\EuDisk.sys [2009-12-02 19:20:56 137608]
S3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys [2008-10-23 09:42:06 128352]
S3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys [2009-10-03 02:23:14 6816256]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys [2009-08-22 02:24:04 84512]


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-30 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-03-05 01:37:08 . 2010-03-05 01:36:57]

2010-12-30 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-03-05 01:37:08 . 2010-03-05 01:36:57]

2010-12-30 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1136182667-1290710473-3031169773-1000Core.job
- C:\Users\RK\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-11 00:10:10 . 2009-08-11 00:10:09]

2010-12-30 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1136182667-1290710473-3031169773-1000UA.job
- C:\Users\RK\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-11 00:10:10 . 2009-08-11 00:10:09]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 97792 ----a-w- C:\Users\RK\AppData\Roaming\Dropbox\bin\DropboxExt64.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 97792 ----a-w- C:\Users\RK\AppData\Roaming\Dropbox\bin\DropboxExt64.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 97792 ----a-w- C:\Users\RK\AppData\Roaming\Dropbox\bin\DropboxExt64.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="C:\comfix\CF26681.cfxxe" [X]
"SysTrayApp"="C:\Program Files\IDT\WDM\sttray64.exe" [2009-07-22 04:33:32 450048]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2009-10-03 18:01:00 16395880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uLocal Page = C:\Windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mLocal Page = C:\Windows\SysWOW64\blank.htm
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac3.app.byu.edu/auth/taweb.cab
FF - ProfilePath - C:\Users\RK\AppData\Roaming\Mozilla\Firefox\Profiles\op2ac7yo.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - C:\Program Files (x86)\DigitalPersona\Bin\FirefoxExt
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - C:\Program Files (x86)\Google\Google Gears\Firefox
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - C:\Program Files (x86)\DigitalPersona\Bin\firefoxext
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - C:\Program Files (x86)\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - C:\Program Files (x86)\DivX\DivXPlayerUninstall.exe
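A helper's first pass over a log like the one above is to pull out the entries that sit in odd places (executables in the user profile, zero-byte files in AppData, a space before the extension) and review those before anything else. The following Python is an added example of that triage, not ComboFix's or BleepingComputer's own code: it parses the timestamped "Files Created" / "Find3M" entry format and the bare paths of the "Other Deletions" section, and applies heuristics of my own choosing. The sample lines are copied from the log above; `triage`, `flag_path` and the reason strings are assumptions made for this example.

```python
"""Triage of ComboFix-style log entries: an added example, not ComboFix's own code.

It parses the 'Files Created' / 'Find3M' entry format and the bare paths of the
'Other Deletions' section, then applies a few defender-side heuristics to decide
which entries deserve a closer look. The heuristics are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entry format:  <created> . <modified> <size or --------> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Exactly two components under C:\Users\ means the file sits in the profile root.
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$")

# Extensions that carry code or a payload, and locations a standard user can write to.
PAYLOAD_EXT = (".exe", ".dll", ".sys", ".scr", ".ax", ".bin")
USER_WRITABLE = ("\\users\\", "\\programdata\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directory entries, logged as '--------'
    attrs: str            # e.g. 'd-----w-' (directory) or '----a-w-' (archive file)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one timestamped entry; return None for any other kind of line."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def flag_path(path: str, size: Optional[int] = None, is_dir: bool = False) -> List[str]:
    """Return the heuristic reasons a path deserves review (empty list if none)."""
    reasons: List[str] = []
    if is_dir:
        return reasons
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    in_user_space = any(marker in low for marker in USER_WRITABLE)
    if ext in PAYLOAD_EXT and in_user_space:
        reasons.append("payload-type file in user-writable location")
    if size == 0 and in_user_space:
        reasons.append("zero-byte file in user profile")
    if " ." in name:                      # 'AdobeUpdate .exe' style name
        reasons.append("whitespace before extension")
    if ext in PAYLOAD_EXT and PROFILE_ROOT_RE.match(low):
        reasons.append("executable directly in profile root")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path in a log excerpt to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_entry(line)
        if entry is not None:
            path, reasons = entry.path, flag_path(entry.path, entry.size, entry.is_dir)
        elif BARE_PATH_RE.match(line):
            path, reasons = line, flag_path(line)
        else:
            continue                      # section banners, registry lines, blanks
        if reasons:
            findings[path] = reasons
    return findings


# Sample lines copied from the ComboFix log above: two bare 'Other Deletions'
# paths followed by timestamped 'Files Created' / 'Find3M' entries.
SAMPLE_LOG = r"""
C:\Users\RK\AppData\Roaming\Adobe\AdobeUpdate .exe
C:\Users\RK\g2mdlhlpx.exe
2010-12-30 14:48:02 . 2010-12-30 14:58:01 -------- d-----w- C:\Users\RK\AppData\Local\temp
2010-12-30 02:20:03 . 2010-11-16 18:01:20 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{45FF0D6E-044A-4A38-A24F-BF9D2B861E6F}\mpengine.dll
2010-12-21 00:09:00 . 2010-11-30 00:32:21 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-29 23:29:33 . 2010-11-29 23:29:33 0 ----a-w- C:\Users\RK\AppData\Local\Pvijeyiqamab.bin
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{path}\n    -> {'; '.join(reasons)}")
```

The output is a review list, not a verdict: the Windows Defender engine update under ProgramData is flagged by the same "payload in user-writable location" rule as the zero-byte `.bin` in AppData, which is exactly why a helper reads the flagged entries against what is known to be installed rather than deleting on sight.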

#8 m0le (Malware Response Team, London, UK)

Posted 30 December 2010 - 11:24 AM

Use Windows Explorer to find and delete this file:

C:\Users\RK\AppData\Local\Pvijeyiqamab.bin

As an example, to delete C:\WINDOWS\badfile.dll:
Double click the My Computer icon on your Desktop, or press the Windows key + E.
Double click on Local Disk (C:\).
Double click on the Windows folder.
Right click on badfile.dll and then, from the menu that appears, click on Delete.



Next, please run ESET:

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check [image].
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image].
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image].
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

#9 DeputyStankus (Topic Starter)

Posted 30 December 2010 - 11:52 PM

Okay, that took forever! It found several items. Here's the log. Thanks again for all the help!


C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\53c8c5da-1da284ed multiple threats deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\30feb821-25db3304 Java/TrojanDownloader.Agent.NBK trojan deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-27d155a4 Java/TrojanDownloader.Agent.NBL trojan deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\5541aec4-1ee7d890 Java/TrojanDownloader.Agent.NBM trojan deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\34a3fab-7ed00e6c multiple threats deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\31bba1f4-3914fd0f Java/TrojanDownloader.Agent.NBL trojan deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\12283177-68bcdb6b probably a variant of Win32/Agent.FQRCZBA trojan deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\3d3353bc-2f07f14c multiple threats deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\4f698bbc-224eeefb probably a variant of Win32/Agent.FXHNPDJ trojan deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-2ed08d65 Java/TrojanDownloader.Agent.NBK trojan deleted - quarantined
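Reading a result log like this one, the two questions a helper asks are where the detections sit (all of them under the Java deployment cache, i.e. cached copies of applets rather than anything installed to run) and how many distinct families they belong to. The following Python is an added example of summarising such a log, not ESET's or BleepingComputer's code. Six of the sample lines are copied from the log above; the seventh is a constructed line with a space in the path and a made-up variant name, included only to show that the parser copes with both. The `cleaned by deleting - quarantined` action phrase is assumed from ESET's usual wording, as are the function names `parse_line`, `family` and `summarize`.

```python
"""Summary of an ESET Online Scanner result log: an added example, not ESET's code.

Each result line has the shape '<path> <detection name> <action>'. Paths may
contain spaces, so the parser anchors on the action phrase at the end of the line
and on the way ESET detection names begin (a 'Family/Name.Variant' token,
'multiple threats', or an 'a variant of' / 'probably a variant of' prefix).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Action phrases are matched at the end of the line: the one seen in the log above
# plus ESET's 'cleaned by deleting' wording (assumed for this example).
ACTION_RE = re.compile(
    r"^(?P<rest>.+?) (?P<action>(?:deleted|cleaned by deleting) - quarantined)$"
)
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<name>(?:probably a variant of |a variant of |multiple threats|[A-Za-z0-9]+/\S+).*)$"
)
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


@dataclass
class Detection:
    path: str
    name: str
    action: str

    @property
    def in_java_cache(self) -> bool:
        """True for cached applet/JAR copies rather than installed components."""
        return JAVA_CACHE_MARKER in self.path.lower()


def parse_line(line: str) -> Optional[Detection]:
    """Split one result line into path, detection name and action; None if not a result."""
    m = ACTION_RE.match(line.strip())
    if not m:
        return None
    d = DETECTION_RE.match(m["rest"])
    if not d:
        return None
    return Detection(d["path"], d["name"], m["action"])


def family(name: str) -> str:
    """Reduce 'probably a variant of Win32/Agent.FQRCZBA trojan' to 'Win32/Agent'."""
    n = re.sub(r"^(?:probably )?a variant of ", "", name)
    n = re.sub(r" (?:trojan|application|worm|virus)$", "", n)
    if "/" in n:
        n = n.rsplit(".", 1)[0]           # drop the per-sample variant suffix
    return n


def summarize(log_text: str) -> Dict[str, object]:
    """Counts by location, family and action for a whole result log."""
    dets = [d for d in (parse_line(ln) for ln in log_text.splitlines()) if d]
    return {
        "total": len(dets),
        "java_cache": sum(d.in_java_cache for d in dets),
        "outside_cache": [d.path for d in dets if not d.in_java_cache],
        "families": dict(Counter(family(d.name) for d in dets)),
        "actions": dict(Counter(d.action for d in dets)),
    }


# Six lines copied from the ESET log above plus one constructed line (path with a
# space, made-up variant name) to exercise the parser.
SAMPLE_ESET_LOG = r"""
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\53c8c5da-1da284ed multiple threats deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\30feb821-25db3304 Java/TrojanDownloader.Agent.NBK trojan deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-27d155a4 Java/TrojanDownloader.Agent.NBL trojan deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\12283177-68bcdb6b probably a variant of Win32/Agent.FQRCZBA trojan deleted - quarantined
C:\Users\RK\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-2ed08d65 Java/TrojanDownloader.Agent.NBK trojan deleted - quarantined
C:\Users\RK\AppData\Local\Temp\sample dropper.exe a variant of Win32/Kryptik.ABC trojan cleaned by deleting - quarantined
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ESET_LOG).items():
        print(f"{key}: {value}")
```

The `outside_cache` list is the part worth reading first: a detection under `%LocalLow%\Sun\Java\Deployment\cache` is a copy of an applet the browser once fetched, while one in `Temp` or a `Run` location points at something that was meant to execute on the machine.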

#10 m0le (Malware Response Team, London, UK)

Posted 31 December 2010 - 03:14 PM

ESET is a deep scanner and goes through quite a few unusual places, one of which is the Java cache, and this is where these malware files have been found. They have been removed now, so although they are dormant they are better off gone.

Where does this leave us now? Are you still getting redirects?

#11 DeputyStankus (Topic Starter)

Posted 01 January 2011 - 10:10 AM

A reply on a holiday--what service!

I haven't had any redirects yet, but it was never consistent. I'll keep an eye out.

What do you mean when you say that they were dormant? Does that mean these weren't the viruses causing these symptoms?

Also, every time I turn on my PC now I see a DOS window open up and say something about ComboFix, before shutting down quickly. Is that a concern?

#12 m0le (Malware Response Team, London, UK)

Posted 01 January 2011 - 11:56 AM

A reply on a holiday--what service!


Thanks. :) There's the difference between volunteers and workers.

I haven't had any redirects yet, but it was never consistent. I'll keep an eye out.

Yes please. It may still turn up again and if it does we may need to look at other places. Test run the system for a day or so and come back to me.

What do you mean when you say that they were dormant? Does that mean these weren't the viruses causing these symptoms?


Sorry, I'll explain a bit more. Java has cached a copy of the malware file so it is a copy of the original file. The original files are dangerous and were the cause of your machine's problems but the copies can be removed by Java or deleted by something like ESET.

Also, every time I turn on my PC now I see a DOS window open up and say something about ComboFix, before shutting down quickly. Is that a concern?

No problem. This is the recovery console prompt that Combofix installs as a backup. If things go wrong then you have the ability to enter the console and access the PC. When we're done here we can remove that option.

#13 m0le (Malware Response Team, London, UK)

Posted 04 January 2011 - 08:53 PM

How are things going?

#14 DeputyStankus (Topic Starter)

Posted 05 January 2011 - 12:31 AM

Good, I think. I haven't had any redirects, but I have something else going on. When I use Google, I click on the search result and it links me through fine. When I click the "back" button on the browser, however, the browser starts taking me back, but it freezes. It shows the Google results URL in the address bar, but the screen is blank. Then I hit refresh and it shows the results.

Like I said, I'm not being redirected, but it seems really weird. I'm using Firefox and Vista 64 bit, if that makes a difference.

Thanks again for the awesome help.

#15 m0le (Malware Response Team, London, UK)

Posted 05 January 2011 - 01:39 PM

This could be an add-on problem.

Boot into safe mode and run Firefox and see if the freezing continues.