Infected with Searchwebway?


This topic is locked
9 replies to this topic

#1 arcpark (Members, 5 posts)

Posted 22 December 2010 - 05:38 AM

I keep getting redirected from Google searches to different websites. When I click on a search result it takes me to a completely unrelated site with adverts or porn. From looking at the address bar it seems to be via searchwebway8. I don't know if my computer is also infected with anything else (inherited it from someone who will download anything that pops up) but this is the only problem I have noticed so far. Please help! Thank you!

DDS text


DDS (Ver_10-12-12.02) - FAT32x86
Run by Dave E at 9:26:33.25 on 22/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.53 [GMT 0:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Dave E\Local Settings\Temporary Internet Files\Content.IE5\F5RC80JU\Defogger[1].exe
C:\Documents and Settings\Dave E\Local Settings\Temporary Internet Files\Content.IE5\RDUZZIU2\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = wireless;*.local;<local>
uInternet Settings,ProxyServer = 10.10.10.99:800
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [LManager] c:\progra~1\launch~1\CPLBCL53.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213192754094
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38176.1490856481
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
Hosts: 78.159.110.41 www.google.com
Hosts: 78.159.110.41 www.google.de
Hosts: 78.159.110.41 www.google.fr
Hosts: 78.159.110.41 www.google.co.uk
Hosts: 78.159.110.41 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davee~1\applic~1\mozilla\firefox\profiles\rub6bizs.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

=============== Created Last 30 ================

2010-12-21 22:22:27 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-21 22:22:26 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-12-21 22:20:46 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-21 22:19:55 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-12-21 22:14:54 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-20 18:21:49 -------- d-----w- c:\windows\system32\scripting
2010-12-20 18:21:37 -------- d-----w- c:\windows\l2schemas
2010-12-20 18:21:36 -------- d-----w- c:\windows\system32\en
2010-12-20 18:10:37 -------- d-----w- c:\windows\network diagnostic
2010-12-19 17:51:58 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-12-19 17:51:58 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-12-19 17:51:58 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-12-19 17:51:58 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2010-12-19 00:34:58 136192 ------w- c:\windows\system32\aaclient.dll
2010-12-19 00:34:46 8192 ------w- c:\windows\system32\dllcache\asferror.dll
2010-12-19 00:34:31 233472 ------w- c:\windows\system32\azroles.dll
2010-12-19 00:34:30 7168 ------w- c:\windows\system32\bitsprx4.dll
2010-12-19 00:34:29 286720 ------w- c:\windows\system32\dllcache\blackbox.dll
2010-12-19 00:34:23 159232 ------w- c:\windows\system32\dllcache\cewmdm.dll
2010-12-19 00:34:13 12800 ------w- c:\windows\system32\credssp.dll
2010-12-19 00:34:03 48640 ------w- c:\windows\system32\dhcpqec.dll
2010-12-19 00:34:02 884712 ------w- c:\program files\msn\msncorefiles\install\msn9components\digcore.exe
2010-12-19 00:32:12 6144 ------w- c:\windows\system32\kbdiultn.dll
2010-12-19 00:32:12 6144 ------w- c:\windows\system32\kbdbhc.dll
2010-12-19 00:32:11 6144 ------w- c:\windows\system32\kbdnepr.dll
2010-12-19 00:32:10 6144 ------w- c:\windows\system32\kbdpash.dll
2010-12-19 00:32:09 61440 ------w- c:\windows\system32\kmsvc.dll
2010-12-19 00:30:46 11053008 ------w- c:\program files\msn\msncorefiles\install\msn9components\msncli.exe
2010-12-19 00:29:59 966656 ------w- c:\program files\msn\msncorefiles\oobe\obemetal.dll
2010-12-19 00:28:20 53248 ------w- c:\windows\system32\tsgqec.dll
2010-12-19 00:28:20 50688 ------w- c:\windows\system32\tspkg.dll
2010-12-19 00:28:14 208896 ------w- c:\windows\system32\dllcache\unregmp2.exe
2010-12-17 22:57:47 64512 ----a-w- c:\windows\_detmp.2
2010-12-17 22:35:30 -------- d-----w- c:\windows\system32\appmgmt
2010-12-15 16:27:24 -------- d-----w- c:\windows\pss
2010-12-15 15:12:43 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-12-15 15:12:35 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-15 15:11:41 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-12-15 15:09:09 293376 ------w- c:\windows\system32\browserchoice.exe
2010-12-14 15:19:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-14 15:19:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-14 14:53:59 -------- d--h--w- C:\$AVG
2010-12-14 13:56:28 -------- d-----w- c:\docume~1\davee~1\applic~1\AVG10
2010-12-14 13:34:13 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-14 13:31:43 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-14 13:31:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-14 13:27:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-14 13:27:14 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-12-14 13:23:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:12 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:12 17408 ------w- c:\windows\system32\corpol.dll
2010-11-03 12:25:54 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 9:29:04.53 ===============


#2 Noviciate (Malware Response Team, 5,277 posts)

Posted 22 December 2010 - 03:53 PM

Good evening. :)

Download HostsXpert by FunkyToad from here and save it to your Desktop.

You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see the HostsXpert folder - open it and double click HostsXpert.exe
  • In the top left hand corner of the new window, ensure that the button says "Make ReadOnly?"
    If it says "Make Writable?", click it and it should change to the above.
  • Click on Restore MS Hosts File.
  • In the confirmation window, click on OK.
  • Finally, click the button mentioned above to make it read "Make Writable?".

Once you've done the above, reboot the PC and then run DDS again and let me have both DDS.txt and Attach.txt and also run GMER and post the resulting log as well - as per these instructions.

So long, and thanks for all the fish.
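Added example, not part of the thread and not code from DDS or HostsXpert: a small Python triage script for the two things the DDS log above actually shows and for the hosts-file restore Noviciate describes. It flags the Hosts: lines that point Google domains at 78.159.110.41, the configured ProxyServer, and the BHO registered with "No File", and it checks a raw hosts file before and after a restore to the stock XP content. The sample inputs are constructed from the entries visible in this thread. Treating any non-loopback hosts target as suspicious is an assumption that fits a home PC but not a network with deliberate overrides, and the proxy is flagged for the user to confirm, not declared malicious.

```python
"""Triage hosts-file and proxy hijacks of the kind shown in the DDS log above.

Two inputs are handled: the "Hosts:" / "ProxyServer" / "BHO:" lines of a DDS
"Pseudo HJT Report", and a raw Windows hosts file. The sample inputs are
constructed for this example from the entries visible in the thread.
"""
import ipaddress
import re

# Constructed sample: a trimmed excerpt of the DDS Pseudo HJT section above.
SAMPLE_DDS = (
    "uStart Page = hxxp://www.google.co.uk/\n"
    "uInternet Settings,ProxyOverride = wireless;*.local;<local>\n"
    "uInternet Settings,ProxyServer = 10.10.10.99:800\n"
    "BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File\n"
    "BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg10\\avgssie.dll\n"
    "Hosts: 78.159.110.41 www.google.com\n"
    "Hosts: 78.159.110.41 www.google.co.uk\n"
    "Hosts: 127.0.0.1 localhost\n"
)

# Constructed sample: the stock XP hosts file with the redirect entries from the log appended.
SAMPLE_HOSTS_FILE = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "127.0.0.1       localhost\n"
    "78.159.110.41   www.google.com www.google.de   # injected\n"
    "78.159.110.41   www.google.co.uk\n"
)

# Stock Windows XP hosts file after "Restore MS Hosts File": a single loopback entry.
DEFAULT_XP_HOSTS = "127.0.0.1       localhost\n"

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"^[umd]?Internet Settings,ProxyServer\s*=\s*(\S+)")
BHO_NOFILE_RE = re.compile(r"^BHO:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+No File$")


def is_benign_hosts_target(ip_str):
    """A clean hosts file only maps names to loopback (or 0.0.0.0 for ad-blocking).
    Anything else is a redirect worth a look. Assumption: no deliberate overrides."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # not an address at all: flag it
    return ip.is_loopback or ip.is_unspecified


def parse_hosts_file(text):
    """Yield (ip, hostname) pairs from raw hosts-file syntax; comments and blanks skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:  # one line may carry several names
            yield ip, name


def hosts_redirects(pairs):
    """Return [(hostname, ip)] for every mapping whose target is not loopback/unspecified."""
    return [(name, ip) for ip, name in pairs if not is_benign_hosts_target(ip)]


def triage_dds(text):
    """Walk a DDS Pseudo HJT section and return (kind, subject, detail) findings:
    hosts_redirect - a Hosts: line pointing a name at a real address
    proxy_server   - a system proxy is configured (ask the user whether they set it)
    orphan_bho     - a BHO registered with no backing file (leftover registration)
    """
    findings = []
    hosts_pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            hosts_pairs.append(m.groups())  # (ip, hostname), same order as parse_hosts_file
            continue
        m = PROXY_RE.match(line)
        if m:
            findings.append(("proxy_server", m.group(1), None))
            continue
        m = BHO_NOFILE_RE.match(line)
        if m:
            findings.append(("orphan_bho", m.group(1), None))
    findings.extend(("hosts_redirect", name, ip) for name, ip in hosts_redirects(hosts_pairs))
    return findings


if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_DDS):
        print(finding)
    print("redirects in hosts file:", hosts_redirects(parse_hosts_file(SAMPLE_HOSTS_FILE)))
    print("redirects after restore:", hosts_redirects(parse_hosts_file(DEFAULT_XP_HOSTS)))
```

Run against a real DDS.txt by feeding its Pseudo HJT section to triage_dds; the same hosts_redirects check on C:\WINDOWS\system32\drivers\etc\hosts should come back empty once the restore has been done, and re-appearing entries after a reboot point at something still writing the file, which is why the thread moves on to GMER and ComboFix rather than stopping at the hosts fix.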

 

 


#3 arcpark (Topic Starter)

Posted 23 December 2010 - 01:04 PM

Thanks! I've done what you said- here's the stuff :)


DDS (Ver_10-12-12.02) - FAT32x86
Run by Dave E at 17:51:50.33 on 23/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.46 [GMT 0:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
SVCHOST.EXE
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dave E\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = wireless;*.local;<local>
uInternet Settings,ProxyServer = 10.10.10.99:800
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [LManager] c:\progra~1\launch~1\CPLBCL53.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213192754094
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38176.1490856481
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davee~1\applic~1\mozilla\firefox\profiles\rub6bizs.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

=============== Created Last 30 ================

2010-12-21 22:22:27 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-21 22:22:26 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-12-21 22:20:46 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-21 22:19:55 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-12-21 22:14:54 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-20 18:21:49 -------- d-----w- c:\windows\system32\scripting
2010-12-20 18:21:37 -------- d-----w- c:\windows\l2schemas
2010-12-20 18:21:36 -------- d-----w- c:\windows\system32\en
2010-12-20 18:10:37 -------- d-----w- c:\windows\network diagnostic
2010-12-19 17:51:58 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-12-19 17:51:58 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-12-19 17:51:58 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-12-19 17:51:58 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2010-12-19 00:34:58 136192 ------w- c:\windows\system32\aaclient.dll
2010-12-19 00:34:46 8192 ------w- c:\windows\system32\dllcache\asferror.dll
2010-12-19 00:34:31 233472 ------w- c:\windows\system32\azroles.dll
2010-12-19 00:34:30 7168 ------w- c:\windows\system32\bitsprx4.dll
2010-12-19 00:34:29 286720 ------w- c:\windows\system32\dllcache\blackbox.dll
2010-12-19 00:34:23 159232 ------w- c:\windows\system32\dllcache\cewmdm.dll
2010-12-19 00:34:13 12800 ------w- c:\windows\system32\credssp.dll
2010-12-19 00:34:03 48640 ------w- c:\windows\system32\dhcpqec.dll
2010-12-19 00:34:02 884712 ------w- c:\program files\msn\msncorefiles\install\msn9components\digcore.exe
2010-12-19 00:32:12 6144 ------w- c:\windows\system32\kbdiultn.dll
2010-12-19 00:32:12 6144 ------w- c:\windows\system32\kbdbhc.dll
2010-12-19 00:32:11 6144 ------w- c:\windows\system32\kbdnepr.dll
2010-12-19 00:32:10 6144 ------w- c:\windows\system32\kbdpash.dll
2010-12-19 00:32:09 61440 ------w- c:\windows\system32\kmsvc.dll
2010-12-19 00:30:46 11053008 ------w- c:\program files\msn\msncorefiles\install\msn9components\msncli.exe
2010-12-19 00:29:59 966656 ------w- c:\program files\msn\msncorefiles\oobe\obemetal.dll
2010-12-19 00:28:20 53248 ------w- c:\windows\system32\tsgqec.dll
2010-12-19 00:28:20 50688 ------w- c:\windows\system32\tspkg.dll
2010-12-19 00:28:14 208896 ------w- c:\windows\system32\dllcache\unregmp2.exe
2010-12-17 22:57:47 64512 ----a-w- c:\windows\_detmp.2
2010-12-17 22:35:30 -------- d-----w- c:\windows\system32\appmgmt
2010-12-15 16:27:24 -------- d-----w- c:\windows\pss
2010-12-15 15:12:43 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-12-15 15:12:35 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-15 15:11:41 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-12-15 15:09:09 293376 ------w- c:\windows\system32\browserchoice.exe
2010-12-14 15:19:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-14 15:19:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-14 14:53:59 -------- d--h--w- C:\$AVG
2010-12-14 13:56:28 -------- d-----w- c:\docume~1\davee~1\applic~1\AVG10
2010-12-14 13:34:13 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-14 13:31:43 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-14 13:31:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-14 13:27:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-14 13:27:14 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-12-14 13:23:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:12 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:12 17408 ------w- c:\windows\system32\corpol.dll
2010-11-03 12:25:54 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 17:53:39.65 ===============

#4 Noviciate (Malware Response Team)

Posted 23 December 2010 - 03:38 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#5 arcpark (Topic Starter)

Posted 24 December 2010 - 06:17 AM

Hello! I've done Combofix and the computer's running brilliantly! I don't seem to be redirected away from search results any more and everything's a lot faster. Thank you so much, here's the log report.

ComboFix 10-12-23.05 - Dave E 24/12/2010 11:02:31.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.258 [GMT 0:00]
Running from: c:\documents and settings\Dave E\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dave E\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\Oeminfo.ini

.
((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.

2010-12-21 22:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-21 22:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-12-21 22:20 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-21 22:19 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-12-21 22:14 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-20 18:21 . 2010-12-20 18:21 -------- d-----w- c:\windows\system32\scripting
2010-12-20 18:21 . 2010-12-20 18:21 -------- d-----w- c:\windows\l2schemas
2010-12-20 18:21 . 2010-12-20 18:21 -------- d-----w- c:\windows\system32\en
2010-12-19 17:51 . 2010-12-03 19:43 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-12-19 17:51 . 2010-12-03 19:43 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-12-19 17:51 . 2010-12-03 19:43 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-12-19 17:51 . 2010-12-03 19:43 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-12-19 00:34 . 2008-04-14 00:11 136192 ------w- c:\windows\system32\aaclient.dll
2010-12-19 00:34 . 2008-04-13 17:23 8192 ------w- c:\windows\system32\dllcache\asferror.dll
2010-12-19 00:34 . 2008-04-14 00:11 233472 ------w- c:\windows\system32\azroles.dll
2010-12-19 00:34 . 2008-04-14 00:11 7168 ------w- c:\windows\system32\bitsprx4.dll
2010-12-19 00:34 . 2008-04-14 00:11 286720 ------w- c:\windows\system32\dllcache\blackbox.dll
2010-12-19 00:34 . 2008-04-14 00:11 159232 ------w- c:\windows\system32\dllcache\cewmdm.dll
2010-12-19 00:34 . 2008-04-14 00:11 12800 ------w- c:\windows\system32\credssp.dll
2010-12-19 00:34 . 2008-04-14 00:11 48640 ------w- c:\windows\system32\dhcpqec.dll
2010-12-19 00:34 . 2007-04-02 18:34 884712 ------w- c:\program files\MSN\MSNCoreFiles\install\msn9components\digcore.exe
2010-12-19 00:32 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdiultn.dll
2010-12-19 00:32 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdbhc.dll
2010-12-19 00:32 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdnepr.dll
2010-12-19 00:32 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdpash.dll
2010-12-19 00:32 . 2008-04-14 00:11 61440 ------w- c:\windows\system32\kmsvc.dll
2010-12-19 00:30 . 2007-04-02 18:39 11053008 ------w- c:\program files\MSN\MSNCoreFiles\install\msn9components\msncli.exe
2010-12-19 00:29 . 2008-04-14 00:10 966656 ------w- c:\program files\MSN\MSNCoreFiles\oobe\obemetal.dll
2010-12-19 00:28 . 2008-04-14 00:12 53248 ------w- c:\windows\system32\tsgqec.dll
2010-12-19 00:28 . 2008-04-14 00:12 50688 ------w- c:\windows\system32\tspkg.dll
2010-12-19 00:28 . 2008-04-14 00:12 208896 ------w- c:\windows\system32\dllcache\unregmp2.exe
2010-12-17 22:57 . 2000-05-11 13:52 64512 ----a-w- c:\windows\_detmp.2
2010-12-15 15:12 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-12-15 15:12 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-15 15:11 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-12-15 15:09 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-12-14 15:19 . 2010-12-14 15:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-14 15:19 . 2010-12-14 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-14 13:56 . 2010-12-14 13:56 -------- d-----w- c:\documents and settings\Dave E\Application Data\AVG10
2010-12-14 13:34 . 2010-12-14 13:34 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-14 13:31 . 2010-12-14 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-12-14 13:27 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-14 13:27 . 2010-09-15 04:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-14 13:23 . 2010-12-14 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2003-07-01 11:03 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2004-08-04 08:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2004-02-06 18:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 1980-01-01 00:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 1980-01-01 00:00 17408 ------w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2004-08-04 06:59 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 1980-01-01 00:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 1980-01-01 00:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 1980-01-01 00:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-06-23 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-06-23 114688]
"SoundMan"="SOUNDMAN.EXE" [2003-06-20 55296]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-23 88267]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-07-25 151552]
"LManager"="c:\progra~1\LAUNCH~1\CPLBCL53.EXE" [2003-11-27 262144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.
Contents of the 'Scheduled Tasks' folder

2010-12-23 c:\windows\Tasks\User_Feed_Synchronization-{DE061F25-679D-4B67-97F6-47AAB3349003}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]

2009-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = wireless;*.local;<local>
uInternet Settings,ProxyServer = 10.10.10.99:800
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dave E\Application Data\Mozilla\Firefox\Profiles\rub6bizs.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-77134527 - c:\docume~1\ALLUSE~1\APPLIC~1\77134527\77134527.exe
AddRemove-Indeo® Software - c:\program files\Ligos\Indeo\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-24 11:06
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\sxs.dll
.
Completion time: 2010-12-24 11:08:52
ComboFix-quarantined-files.txt 2010-12-24 11:08

Pre-Run: 8,377,647,104 bytes free
Post-Run: 8,700,674,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 90CE03E535FE31D523352E7C6E40C8AB

#6 arcpark (Topic Starter)

Posted 24 December 2010 - 06:19 AM

Oh, the only thing was that I had to uninstall AVG 2011 for combofix to run. Can you let me know when I'm allowed to reinstall that? Thanks!

#7 Noviciate (Malware Response Team)

Posted 24 December 2010 - 03:13 PM

Good evening. :)

Go ahead and reinstall AVG. It unfortunately doesn't play nicely with ComboFix and messes up some of the routines that it tries to run.

I think we'll have a second opinion, just because we can, and assuming that all is well, a little housekeeping and you should be pulling crackers rather than playing about with the PC before too long.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
I'd also like a fresh DDS log as well.

So long, and thanks for all the fish.

#8 arcpark (Topic Starter)

Posted 26 December 2010 - 05:05 AM

Merry Christmas!

The ESET scan came up with this:

C:\Documents and Settings\Dave E\My Documents\LimeWire\Saved\fade out radio head.mp3 WMA/TrojanDownloader.GetCodec.C trojan
C:\Documents and Settings\Dave E\My Documents\LimeWire\Saved\silence dilirium.mp3 WMA/TrojanDownloader.GetCodec.C trojan
C:\Documents and Settings\Dave E\My Documents\LimeWire\Saved\Top Hits - All together now - The Farm.mp3 WMA/TrojanDownloader.GetCodec.C trojan
C:\Documents and Settings\Dave E\My Documents\LimeWire\Saved\Prodigy - One love.mp3 WMA/TrojanDownloader.GetCodec.C trojan
C:\Documents and Settings\Dave E\My Documents\LimeWire\Saved\cuddley toy rochford - greatest hits.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan


The fresh DDS log is this:
Thanks for your help!


DDS (Ver_10-12-12.02) - FAT32x86
Run by Dave E at 9:56:35.80 on 26/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.100 [GMT 0:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
SVCHOST.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Dave E\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = wireless;*.local;<local>
uInternet Settings,ProxyServer = 10.10.10.99:800
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [LManager] c:\progra~1\launch~1\CPLBCL53.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213192754094
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38176.1490856481
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davee~1\applic~1\mozilla\firefox\profiles\rub6bizs.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: AVG Security Toolbar em:version=6.010.023.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

=============== Created Last 30 ================

2010-12-25 20:45:37 -------- d-----w- c:\docume~1\davee~1\locals~1\applic~1\Temp
2010-12-25 18:59:17 -------- d-----w- c:\program files\ESET
2010-12-25 18:47:28 -------- d-----w- c:\docume~1\davee~1\locals~1\applic~1\AVG Security Toolbar
2010-12-25 18:35:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-12-25 18:33:23 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-25 16:08:12 -------- d-sh--w- C:\Recycled
2010-12-24 13:11:32 -------- d-----w- c:\docume~1\davee~1\locals~1\applic~1\Adobe
2010-12-24 11:01:33 -------- d-sha-r- C:\cmdcons
2010-12-24 10:55:29 98816 ----a-w- c:\windows\sed.exe
2010-12-24 10:55:29 89088 ----a-w- c:\windows\MBR.exe
2010-12-24 10:55:29 256512 ----a-w- c:\windows\PEV.exe
2010-12-24 10:55:29 161792 ----a-w- c:\windows\SWREG.exe
2010-12-21 22:22:27 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-21 22:22:26 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-12-21 22:20:46 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-21 22:19:55 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-12-21 22:14:54 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-20 18:21:49 -------- d-----w- c:\windows\system32\scripting
2010-12-20 18:21:37 -------- d-----w- c:\windows\l2schemas
2010-12-20 18:21:36 -------- d-----w- c:\windows\system32\en
2010-12-20 18:10:37 -------- d-----w- c:\windows\network diagnostic
2010-12-19 17:51:58 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-12-19 17:51:58 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-12-19 17:51:58 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-12-19 17:51:58 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2010-12-19 00:34:58 136192 ------w- c:\windows\system32\aaclient.dll
2010-12-19 00:34:46 8192 ------w- c:\windows\system32\dllcache\asferror.dll
2010-12-19 00:34:31 233472 ------w- c:\windows\system32\azroles.dll
2010-12-19 00:34:30 7168 ------w- c:\windows\system32\bitsprx4.dll
2010-12-19 00:34:29 286720 ------w- c:\windows\system32\dllcache\blackbox.dll
2010-12-19 00:34:23 159232 ------w- c:\windows\system32\dllcache\cewmdm.dll
2010-12-19 00:34:13 12800 ------w- c:\windows\system32\credssp.dll
2010-12-19 00:34:03 48640 ------w- c:\windows\system32\dhcpqec.dll
2010-12-19 00:34:02 884712 ------w- c:\program files\msn\msncorefiles\install\msn9components\digcore.exe
2010-12-19 00:32:12 6144 ------w- c:\windows\system32\kbdiultn.dll
2010-12-19 00:32:12 6144 ------w- c:\windows\system32\kbdbhc.dll
2010-12-19 00:32:11 6144 ------w- c:\windows\system32\kbdnepr.dll
2010-12-19 00:32:10 6144 ------w- c:\windows\system32\kbdpash.dll
2010-12-19 00:32:09 61440 ------w- c:\windows\system32\kmsvc.dll
2010-12-19 00:30:46 11053008 ------w- c:\program files\msn\msncorefiles\install\msn9components\msncli.exe
2010-12-19 00:29:59 966656 ------w- c:\program files\msn\msncorefiles\oobe\obemetal.dll
2010-12-19 00:28:20 53248 ------w- c:\windows\system32\tsgqec.dll
2010-12-19 00:28:20 50688 ------w- c:\windows\system32\tspkg.dll
2010-12-19 00:28:14 208896 ------w- c:\windows\system32\dllcache\unregmp2.exe
2010-12-17 22:57:47 64512 ----a-w- c:\windows\_detmp.2
2010-12-17 22:35:30 -------- d-----w- c:\windows\system32\appmgmt
2010-12-15 16:27:24 -------- d-----w- c:\windows\pss
2010-12-15 15:12:43 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-12-15 15:12:35 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-15 15:11:41 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-12-15 15:09:09 293376 ------w- c:\windows\system32\browserchoice.exe
2010-12-14 15:19:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-14 15:19:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-14 13:56:28 -------- d-----w- c:\docume~1\davee~1\applic~1\AVG10
2010-12-14 13:34:13 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-14 13:31:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-14 13:27:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-14 13:27:14 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-12-14 13:23:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:12 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:12 17408 ------w- c:\windows\system32\corpol.dll
2010-11-03 12:25:54 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 9:59:11.89 ===============

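On this forum a DDS "Pseudo HJT Report" like the one above is read by eye. As an added example that is not part of the thread or of the DDS tool, the Python script below applies a few of the same triage rules mechanically: it flags browser proxy settings, Run entries that use bare filenames or launch from user-writable data folders, and BHO/EB entries whose file is gone. The rules, the severity labels and the sample log (lines copied from the logs posted in this thread, plus one Run line constructed from the 77134527 path that ComboFix listed as an orphan) are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    severity: str  # "review": needs a human look; "info": context only
    reason: str
    line: str


# Startup items under these roots are the norm on an XP box ...
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# ... while anything launching from user-writable data or temp folders deserves a look.
USER_DATA_MARKERS = ("\\application data\\", "\\applic~1\\",
                     "\\local settings\\", "\\locals~1\\", "\\temp\\")

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)")
ORPHAN_RE = re.compile(r"^(?:BHO|TB|EB|mURLSearchHooks):.*-\s*No File$")
RUN_RE = re.compile(r"^(?P<hive>[umd]Run):\s*\[(?P<name>[^\]]+)\]\s*(?P<value>.*)$")
DPF_RE = re.compile(r"^DPF:\s*\{[^}]+\}\s*-\s*hxxp://(?P<host>[^/\s]+)")


def run_target(value: str) -> str:
    """Return the executable path from a Run value, handling quoted paths and trailing args."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split(" ", 1)[0] if value else ""


def triage_line(line: str) -> Optional[Finding]:
    """Classify one DDS report line; None means the line carries nothing worth noting."""
    line = line.strip()
    m = PROXY_RE.match(line)
    if m:
        return Finding("review", f"browser proxy set to {m.group('proxy')}: confirm this is a "
                       "known network proxy, since every browser request is relayed through it", line)
    if ORPHAN_RE.match(line):
        return Finding("review", "entry points at a file that no longer exists; "
                       "the registry entry can be removed", line)
    m = RUN_RE.match(line)
    if m:
        name = m.group("name")
        path = run_target(m.group("value")).lower()
        if "\\" not in path:
            return Finding("review", f"startup item '{name}' is a bare filename resolved via the "
                           "search path; locate the file before trusting it", line)
        if any(marker in path for marker in USER_DATA_MARKERS):
            return Finding("review", f"startup item '{name}' runs from a user-writable data folder", line)
        if path.startswith(TRUSTED_ROOTS):
            return Finding("info", f"startup item '{name}' in a standard program location", line)
        return Finding("review", f"startup item '{name}' runs from a non-standard location", line)
    m = DPF_RE.match(line)
    if m:
        return Finding("info", f"ActiveX download entry from {m.group('host')}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(raw) for raw in log_text.splitlines()) if f is not None]


def needs_review(log_text: str) -> List[str]:
    """Just the lines a responder should look at by hand."""
    return [f.line for f in triage(log_text) if f.severity == "review"]


# Constructed sample: lines from the DDS/ComboFix logs in this thread, plus one Run line
# built from the 77134527 path that ComboFix reported as an orphan.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = 10.10.10.99:800
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [LaunchApp] Alaunch
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mRun: [77134527] c:\docume~1\alluse~1\applic~1\77134527\77134527.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.reason}\n    {finding.line}")
```

The script only reads the report text; acting on a flagged entry is still the responder's decision, as in the thread.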
#9 Noviciate (Malware Response Team)

Posted 26 December 2010 - 02:33 PM

Good evening. :)

The ESET detections may or may not be false positives. As you know how you came by the files, I'll leave you to decide on their trustworthiness and you can delete them or not as you see fit - that's the trouble with Limewire, you can never be totally sure of what you are downloading.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.
  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this.
If you are relying on the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which I've used at one time or another):

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.

#10 Noviciate (Malware Response Team)

Posted 30 December 2010 - 06:34 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
