
Google Redirect, Rundll errors, Malwarebytes errors


  • This topic is locked
16 replies to this topic

#1 00Samm

00Samm

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:13 AM

Posted 27 December 2010 - 05:27 PM

I contracted the System Tool 2011 virus about a week ago, and I think I successfully removed it by using Temp File Cleaner by OldTimer and then running Malwarebytes Anti-Malware. Immediately after I solved that issue, I started seeing the Google redirect issue, where search result links were redirected to a handful of other sites intermittently. I've tried to detect and remove whatever is causing the issue with MBAM, Ad-Aware, and TDSSKiller. I thought the TDSSKiller actually did it, as the problem stopped for a while after I ran it last night, but it was back again this afternoon, so I ran MBAM again, which turned up three infected objects, and now my system is supposedly all clean again.

In addition to the Google redirect, two rundll errors have been popping up on start-up; the errors report that wespgr.dll and ujavozer.dll are both missing.

I'm also getting the following error whenever I exit MBAM: "The instruction at "0x6109b271" referenced memory at "0x00000004". The memory could not be "read". Click on OK to terminate the program"

In addition, I'm getting a failure to initialize error when I start up the Sims 3 Launcher, which from what I've found is usually caused by a registry issue.

The first DDS log is below, and I've attached the Attach.txt DDS log and GMER ark.txt log as well.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Sam at 16:08:20.35 on Mon 12/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2492 [GMT -6:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Sam\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
F:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
F:\xampp\mysql\bin\mysqld.exe
F:\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Google Update] "c:\documents and settings\sam\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Wvapadava] rundll32.exe "c:\windows\wespgr.dll",Startup
mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NielsenOnline] c:\program files\netratingsnetsight\netsight\NielsenOnline.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Ptujamumokekega] rundll32.exe "c:\windows\ujavozer.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sam\applic~1\mozilla\firefox\profiles\lbz5fqf7.default\
FF - prefs.js: browser.search.defaulturl - https;//%LOCALE%.add-ons.mozilla.com%LOCALE%/firefox/%VERSION%/search-engines/
FF - component: c:\documents and settings\sam\application data\mozilla\firefox\profiles\lbz5fqf7.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\sam\application data\mozilla\firefox\profiles\lbz5fqf7.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\sam\application data\mozilla\firefox\profiles\lbz5fqf7.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\sam\application data\mozilla\firefox\profiles\lbz5fqf7.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\netratingsnetsight\netsight\meter1\ffaddon\components\nsgkff36_meter1.dll
FF - plugin: c:\documents and settings\sam\application data\mozilla\firefox\profiles\lbz5fqf7.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\sam\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: ErrorHelp Search: bugs@bug.gd - %profile%\extensions\bugs@bug.gd
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Locationbar²: locationbar2@design-noir.de - %profile%\extensions\locationbar2@design-noir.de
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Source Viewer Tab: viewsourceintab@piro.sakura.ne.jp - %profile%\extensions\viewsourceintab@piro.sakura.ne.jp
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: ErrorZilla Plus: {03651b2d-eb7d-4be7-af1b-dc0cd162dd54} - %profile%\extensions\{03651b2d-eb7d-4be7-af1b-dc0cd162dd54}
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: GoogleEnhancer: {21e48e29-f574-4619-b65d-0f00eea92e5b} - %profile%\extensions\{21e48e29-f574-4619-b65d-0f00eea92e5b}
FF - Ext: Extended Copy Menu: {2E18002D-DF43-4c65-9FDA-40D02F066D9E} - %profile%\extensions\{2E18002D-DF43-4c65-9FDA-40D02F066D9E}
FF - Ext: Html Validator: {3b56bcc7-54e5-44a2-9b44-66c3ef58c13e} - %profile%\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: JSView: {cf15270e-cf08-4def-b4ea-6a5ac23f3bca} - %profile%\extensions\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: PhotoXpress: photoxpresssearch@photoxpress.com - %profile%\extensions\photoxpresssearch@photoxpress.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Nielsen: {D908A1CC-54B4-4af9-9BB4-964F5BD3CDB7} - c:\program files\netratingsnetsight\netsight\meter1\FFAddon
FF - Ext: XULRunner: {D28AD1A7-8F09-434B-9B10-3572E6DFBFCF} - c:\documents and settings\sam\local settings\application data\{D28AD1A7-8F09-434B-9B10-3572E6DFBFCF}

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [2010-12-1 18432]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-8 64288]
R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [2010-6-8 24192]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2010-6-8 15360]
R2 Apache2.2;Apache2.2;f:\xampp\apache\bin\apache.exe [2008-12-9 24636]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2009-1-1 1310720]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2010-6-8 10368]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
R3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [2010-6-8 9088]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-1-18 30192]

=============== Created Last 30 ================

2010-12-27 21:10:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-27 21:10:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-27 21:10:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-21 02:41:27 -------- d-----w- c:\program files\ESET
2010-12-21 00:43:59 -------- d-----w- c:\program files\iPod
2010-12-19 22:52:23 0 ----a-w- c:\windows\Ccuzo.bin
2010-12-19 22:52:21 -------- d-----w- c:\docume~1\sam\locals~1\applic~1\{D28AD1A7-8F09-434B-9B10-3572E6DFBFCF}
2010-12-19 22:49:46 45568 ----a-w- c:\windows\system32\test.exe
2010-12-09 01:35:17 -------- d-----w- c:\docume~1\sam\locals~1\applic~1\Sunbelt Software
2010-12-09 01:34:57 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-08 23:30:51 -------- d-----w- c:\program files\BitTorrent
2010-12-07 22:25:00 12800 ----a-w- c:\program files\mozilla firefox\plugins\npwachk.dll
2010-12-01 17:16:50 -------- d-----w- c:\docume~1\sam\locals~1\applic~1\NewSoft
2010-12-01 17:16:03 18432 ----a-w- c:\windows\system32\drivers\Achernar.sys
2010-12-01 17:15:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Newsoft
2010-12-01 17:15:47 122880 ----a-w- c:\windows\system32\Nsvideo.dll
2010-12-01 17:15:32 -------- d-----w- c:\program files\NewSoft
2010-12-01 17:15:32 -------- d-----w- c:\program files\common files\NewSoft
2010-12-01 17:15:20 753664 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2010-12-01 17:15:20 69714 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2010-12-01 17:15:20 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2010-12-01 17:15:20 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2010-12-01 17:15:20 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2010-12-01 17:15:20 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2010-12-01 17:15:20 184320 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-12-03 09:05:33 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-13 00:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 22:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 16:08:33.71 ===============
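The two rundll errors reported above line up with the `uRun: [Wvapadava]` and `mRun: [Ptujamumokekega]` entries in the Pseudo HJT Report: each is a Run-key value that asks rundll32.exe to load a DLL from the Windows root, and both DLLs are gone. The script below is an added example, not code from the original post or from DDS; it parses uRun/mRun lines in the DDS format, extracts the DLL each rundll32 entry would load, and flags entries whose target is missing from disk or sits outside the usual program directories. `SAMPLE_REPORT`, `PRESENT_FILES` and `TRUSTED_DLL_DIRS` are constructed assumptions for illustration (a real check would test the paths on the affected machine); with them, the entries flagged as missing are exactly the wespgr.dll and ujavozer.dll ones from the log.

```python
"""Flag rundll32-based Run-key entries in a DDS "Pseudo HJT Report".

Added example for this thread, not code from the original post or from DDS.
It parses uRun/mRun lines, pulls out the DLL that rundll32 is asked to load,
and checks it against a set of files known to exist. The file set and the
trusted directories below are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in DDS format: the two rundll32 entries loading from
# c:\windows are the ones from the posted log; the rest are baseline entries.
SAMPLE_REPORT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Wvapadava] rundll32.exe "c:\windows\wespgr.dll",Startup
mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Ptujamumokekega] rundll32.exe "c:\windows\ujavozer.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
"""

# Constructed: files assumed to exist on the machine. The two DLLs behind the
# reported "missing" rundll errors are deliberately absent from this set.
PRESENT_FILES = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\system32\NvCpl.dll",
    r"c:\windows\system32\c6501.cpl",
    r"c:\program files\quicktime\QTTask.exe",
}

# Directories a rundll32 target is normally loaded from (assumption for this example).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# "uRun: [Name] command" / "mRun: [Name] command" / "mRunOnce: [Name] command"
RUN_LINE = re.compile(r"^(?P<hive>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] <dll>[,<entrypoint>], with or without quotes around the DLL path
RUNDLL = re.compile(
    r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?(?:,(?P<entry>\S*))?',
    re.IGNORECASE,
)


@dataclass
class RunEntry:
    hive: str              # uRun = per-user Run key, mRun = machine-wide Run key (DDS convention)
    name: str              # registry value name
    command: str
    dll: Optional[str]     # lower-cased rundll32 target, or None if not a rundll32 entry
    entry: Optional[str]   # exported entry point handed to rundll32, if any


@dataclass
class Finding:
    entry: RunEntry
    reasons: List[str]


def parse_run_entries(report: str) -> List[RunEntry]:
    """Turn the Run-key lines of a DDS report into RunEntry records."""
    entries = []
    for line in report.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        dll = entry = None
        rd = RUNDLL.match(m.group("cmd"))
        if rd:
            dll = rd.group("dll").strip().lower()
            entry = rd.group("entry")
        entries.append(RunEntry(m.group("hive"), m.group("name"), m.group("cmd"), dll, entry))
    return entries


def assess(entries: List[RunEntry], present_files: Set[str]) -> List[Finding]:
    """Flag rundll32 entries whose target is missing, unusual in location, or unresolved."""
    present = {p.lower() for p in present_files}
    findings = []
    for e in entries:
        if e.dll is None:
            continue
        reasons = []
        if "\\" not in e.dll:
            # A bare name is resolved through the loader's search order, so its
            # location cannot be checked from the log alone.
            reasons.append("bare file name: which file loads depends on the loader search order")
        else:
            if e.dll not in present:
                reasons.append("target DLL is missing on disk (matches a rundll32 'not found' error at logon)")
            if not e.dll.startswith(TRUSTED_DLL_DIRS):
                reasons.append("DLL loaded from outside the usual program directories")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def missing_dlls(findings: List[Finding]) -> List[str]:
    """Paths of DLLs that a Run entry tries to load but that do not exist."""
    return [f.entry.dll for f in findings
            if any(r.startswith("target DLL is missing") for r in f.reasons)]


if __name__ == "__main__":
    for f in assess(parse_run_entries(SAMPLE_REPORT), PRESENT_FILES):
        print(f"{f.entry.hive} [{f.entry.name}] -> {f.entry.dll}")
        for r in f.reasons:
            print("   -", r)
```

The missing-DLL case is the one that produces the start-up error the poster describes: the malware body was removed by an earlier scan, but the Run value that launched it stayed behind, so rundll32 fails to find the module at every logon until the orphaned value itself is cleaned up.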



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:13 AM

Posted 27 December 2010 - 06:28 PM

Hello 00Samm,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Spybot S&D or Ad-Aware are no longer recommended
  • mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products)
  • Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.
  • More effective alternatives are Malwarebytes Anti-Malware and SUPERAntiSpyware Free.


2.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 00Samm

00Samm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:13 AM

Posted 27 December 2010 - 07:07 PM

Thank you so much for your assistance! I still get the two rundll errors on start-up, but the MBAM error appears to be gone, and I haven't had any search results redirected so far. However, I'm having an issue posting the ComboFix log. In my C:\ drive, there is a ComboFix, but it's not a text file. As far as I can tell, my computer seems to think that it's a folder. Double-clicking on it takes me to C:\ComboFix, which shows all my drives and the Documents folders the same as the "My Computer" window would. If I try to go into Notepad and open it via the file menu, it tells me access is denied, and since Windows thinks it's a folder, I'm unable to simply reassign the file type.

I re-read your first set of instructions to ensure I had done everything correctly, specifically when it came to disabling Ad-Aware. I think the post you referred me to must have a different version of Ad-Aware, as the layout is not the same. But after some searching, it seems I did miss unchecking the Processes Protection and the AntiVirus Engine boxes (I still can't find a check box for the Spyware Heuristics). Would this cause the issue with the log file?

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:13 AM

Posted 27 December 2010 - 10:06 PM

Hello,

Any protection left on during Combofix could cause a problem.


Please download SystemLook from jpshortstuff and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook and copy/paste the following into the box:
    :filefind
    *Combofix*
  • Hit the Look button. Let it finish the scan.
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.



#5 00Samm

00Samm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:13 AM

Posted 27 December 2010 - 10:33 PM

Here's the SystemLook log:

SystemLook 04.09.10 by jpshortstuff
Log created at 21:24 on 27/12/2010 by Sam
Administrator - Elevation successful

========== filefind ==========

Searching for "*Combofix*"
C:\ComboFix\ComboFix-Download.cfxxe -ra---- 141312 bytes [23:36 27/12/2010] [14:00 31/08/2000] CE222401FC3C1BC17E70BCFFF25507F3
C:\ComboFix\ComboFix.txt --a---- 311 bytes [23:39 27/12/2010] [23:41 27/12/2010] B8D9529D458DCB0054AE9716EA5844A8
C:\ComboFix\ndis_combofix.dat --a---- 283 bytes [23:36 27/12/2010] [22:12 24/12/2009] 182239E94CE631D096BD17DFCA1E7E76
C:\Documents and Settings\Sam\Desktop\ComboFix.exe -ra---- 3998686 bytes [23:33 27/12/2010] [23:33 27/12/2010] 6CFAB6BE1481BDFEFDDA6579834CB88E

-= EOF =-

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:13 AM

Posted 28 December 2010 - 04:38 AM

Hello,


The ComboFix log should be here:

C:\ComboFix\ComboFix.txt



#7 00Samm

00Samm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:13 AM

Posted 28 December 2010 - 08:34 AM

ComboFix.txt is below; it appears Ad-Aware interfered:

ComboFix 10-12-26.01 - Sam 12/27/2010 17:39:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2705 [GMT -6:00]
Running from: C:\Documents and Settings\Sam\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:13 AM

Posted 28 December 2010 - 12:19 PM

Hello,

Please go ahead and run ComboFix again and see if it gives you a report this time.



#9 00Samm

00Samm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:13 AM

Posted 28 December 2010 - 08:36 PM

The ComboFix log is below; it seems to have run successfully this time. But it appears that running it also caused a shortcut to Internet Explorer to appear on my desktop and set IE as my default browser (my default browser was Firefox). Not a huge deal, of course; I just don't know if it's normal or not. Thanks again for your help, and I apologize for creating extra work by not properly disabling Ad-Aware the first time.

ComboFix 10-12-26.01 - Sam 12/28/2010 19:23:07.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2691 [GMT -6:00]
Running from: c:\documents and settings\Sam\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Sam\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\Sam\Application Data\Adobe\plugs
c:\documents and settings\Sam\Local Settings\Application Data\{D28AD1A7-8F09-434B-9B10-3572E6DFBFCF}
c:\documents and settings\Sam\Local Settings\Application Data\{D28AD1A7-8F09-434B-9B10-3572E6DFBFCF}\chrome.manifest
c:\documents and settings\Sam\Local Settings\Application Data\{D28AD1A7-8F09-434B-9B10-3572E6DFBFCF}\chrome\content\_cfg.js
c:\documents and settings\Sam\Local Settings\Application Data\{D28AD1A7-8F09-434B-9B10-3572E6DFBFCF}\chrome\content\overlay.xul
c:\documents and settings\Sam\Local Settings\Application Data\{D28AD1A7-8F09-434B-9B10-3572E6DFBFCF}\install.rdf
c:\windows\system32\test.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))
.

2010-12-27 21:10 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-27 21:10 . 2010-12-27 21:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-27 21:10 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-21 15:39 . 2010-12-21 15:39 -------- d-----w- c:\program files\Common Files\Java
2010-12-21 02:41 . 2010-12-21 02:41 -------- d-----w- c:\program files\ESET
2010-12-21 00:43 . 2010-12-21 00:43 -------- d-----w- c:\program files\iPod
2010-12-20 01:12 . 2010-12-20 01:12 -------- d-----w- c:\documents and settings\Administrator
2010-12-19 22:52 . 2010-12-20 23:16 0 ----a-w- c:\windows\Ccuzo.bin
2010-12-19 22:48 . 2010-12-19 22:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-09 01:35 . 2010-12-09 01:35 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\Sunbelt Software
2010-12-09 01:34 . 2010-12-27 23:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-08 23:30 . 2010-12-08 23:30 -------- d-----w- c:\program files\BitTorrent
2010-12-07 22:25 . 2010-12-07 22:25 12800 ----a-w- c:\program files\Mozilla Firefox\plugins\npwachk.dll
2010-12-01 17:16 . 2010-12-01 17:16 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\NewSoft
2010-12-01 17:16 . 2007-02-05 17:15 18432 ----a-w- c:\windows\system32\drivers\Achernar.sys
2010-12-01 17:15 . 2010-12-01 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Newsoft
2010-12-01 17:15 . 2001-11-12 16:44 122880 ----a-w- c:\windows\system32\Nsvideo.dll
2010-12-01 17:15 . 2010-12-19 20:28 -------- d-----w- c:\program files\Common Files\NewSoft
2010-12-01 17:15 . 2010-12-01 17:15 -------- d-----w- c:\program files\NewSoft
2010-12-01 17:15 . 2010-12-01 17:15 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2010-12-01 17:15 . 2010-12-01 17:15 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2010-12-01 17:15 . 2005-04-04 05:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2010-12-01 17:15 . 2005-04-04 05:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2010-12-01 17:15 . 2005-04-04 05:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2010-12-01 17:15 . 2005-04-04 05:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2010-12-01 17:15 . 2005-04-04 04:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-27 02:15 . 2008-04-14 04:06 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-12-09 01:37 . 2010-04-08 22:23 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-03 09:05 . 2010-04-08 22:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-03 09:05 . 2010-05-13 18:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-13 00:53 . 2010-06-03 14:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 22:34 . 2009-04-17 02:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-28 23:29 . 2010-01-19 00:26 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-07 323392]
"Google Update"="c:\documents and settings\Sam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-04 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
"nwiz"="nwiz.exe" [2008-01-08 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-08 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-12-07 74752]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-28 30192]
"NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2009-10-30 47456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-1 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"f:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"f:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"d:\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:https
"3306:TCP"= 3306:TCP:mysql

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [12/1/2010 11:16 AM 18432]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/8/2010 4:23 PM 64288]
R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [6/8/2010 6:54 PM 24192]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/5/2010 12:10 PM 691696]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [6/8/2010 6:55 PM 15360]
R2 Apache2.2;Apache2.2;f:\xampp\apache\bin\apache.exe [12/9/2008 5:10 PM 24636]
R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [1/1/2009 7:38 PM 1310720]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [6/8/2010 6:55 PM 10368]
R3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [6/8/2010 6:54 PM 9088]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/18/2010 6:26 PM 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 3:05 AM 1389400]
.
Contents of the 'Scheduled Tasks' folder

2010-12-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1935655697-682003330-1003Core.job
- c:\documents and settings\Sam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-04 03:48]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1935655697-682003330-1003UA.job
- c:\documents and settings\Sam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-04 03:48]

2009-01-08 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 19:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\lbz5fqf7.default\
FF - prefs.js: browser.search.defaulturl - https;//%LOCALE%.add-ons.mozilla.com%LOCALE%/firefox/%VERSION%/search-engines/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: ErrorHelp Search: bugs@bug.gd - %profile%\extensions\bugs@bug.gd
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Locationbar²: locationbar2@design-noir.de - %profile%\extensions\locationbar2@design-noir.de
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Source Viewer Tab: viewsourceintab@piro.sakura.ne.jp - %profile%\extensions\viewsourceintab@piro.sakura.ne.jp
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: ErrorZilla Plus: {03651b2d-eb7d-4be7-af1b-dc0cd162dd54} - %profile%\extensions\{03651b2d-eb7d-4be7-af1b-dc0cd162dd54}
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: GoogleEnhancer: {21e48e29-f574-4619-b65d-0f00eea92e5b} - %profile%\extensions\{21e48e29-f574-4619-b65d-0f00eea92e5b}
FF - Ext: Extended Copy Menu: {2E18002D-DF43-4c65-9FDA-40D02F066D9E} - %profile%\extensions\{2E18002D-DF43-4c65-9FDA-40D02F066D9E}
FF - Ext: Html Validator: {3b56bcc7-54e5-44a2-9b44-66c3ef58c13e} - %profile%\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: JSView: {cf15270e-cf08-4def-b4ea-6a5ac23f3bca} - %profile%\extensions\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: PhotoXpress: photoxpresssearch@photoxpress.com - %profile%\extensions\photoxpresssearch@photoxpress.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Nielsen: {D908A1CC-54B4-4af9-9BB4-964F5BD3CDB7} - c:\program files\NetRatingsNetSight\NetSight\meter1\FFAddon
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Wvapadava - c:\windows\wespgr.dll
HKLM-Run-C6501Sound - c6501.cpl
HKLM-Run-Ptujamumokekega - c:\windows\ujavozer.dll
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-28 19:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3292)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
f:\xampp\mysql\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\RunDll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\documents and settings\Sam\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-28 19:29:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-29 01:29

Pre-Run: 93,239,345,152 bytes free
Post-Run: 93,133,524,992 bytes free

- - End Of File - - 61EB221DE4A1CA54A1C9BB2274C0C382
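
As an added illustration, not part of this thread and not ComboFix's own code: the two rundll start-up errors reported at the top of the thread name wespgr.dll and ujavozer.dll, and the ORPHANS REMOVED section of the ComboFix log above lists Run values that point at exactly those files under c:\windows. The Python below parses constructed ComboFix-style lines (values copied from this log; the layout is what ComboFix prints), collects the Run entries from the "Reg Loading Points" blocks and from the orphan list, and flags entries matching two review heuristics that are my own assumption rather than anything ComboFix does: a DLL loaded directly from the Windows root, and a target given with no directory path. It also links a reported missing-DLL name back to the Run value that references it, which is how the rundll errors and the removed orphans fit together.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: ComboFix-style "Reg Loading Points" Run blocks and
# "ORPHANS REMOVED" lines. The values are copied from the log in this
# thread; the line layout is the one ComboFix prints.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-07 323392]
"Google Update"="c:\documents and settings\Sam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-04 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
"nwiz"="nwiz.exe" [2008-01-08 1626112]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-12-07 74752]

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Wvapadava - c:\windows\wespgr.dll
HKLM-Run-C6501Sound - c6501.cpl
HKLM-Run-Ptujamumokekega - c:\windows\ujavozer.dll
SafeBoot-klmdb.sys
"""

# A "[HKEY_...\...\Run]" block header, a "name"="target" [date size] value
# line inside such a block, and an "HKCU-Run-<name> - <target>" orphan line.
RUN_KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\.*\\Run\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
ORPHAN_RE = re.compile(r"^(HKCU|HKLM)-Run-(.+?) - (.+)$")
# Heuristic (my assumption): a .dll sitting directly in c:\windows, not in
# a subdirectory such as system32, is worth a second look when a Run value
# points at it, because rundll32 will load it at every logon.
WINROOT_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.IGNORECASE)

HIVE_SHORT = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}


@dataclass
class RunEntry:
    hive: str      # "HKCU" or "HKLM"
    name: str      # Run value name
    target: str    # file or command the value points at
    orphan: bool   # True if it came from the ORPHANS REMOVED section


def parse_run_entries(log: str) -> List[RunEntry]:
    """Collect Run values from Reg Loading Points blocks and orphan lines."""
    entries: List[RunEntry] = []
    current_hive: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only Run keys are tracked; any other key header ends the block.
            m = RUN_KEY_RE.match(line)
            current_hive = HIVE_SHORT[m.group(1).upper()] if m else None
            continue
        if current_hive:
            m = RUN_VALUE_RE.match(line)
            if m:
                entries.append(RunEntry(current_hive, m.group(1), m.group(2), False))
                continue
        m = ORPHAN_RE.match(line)
        if m:
            entries.append(RunEntry(m.group(1), m.group(2), m.group(3), True))
    return entries


def review_run_entries(entries: List[RunEntry]) -> Dict[str, str]:
    """Map value name -> reason for every entry that meets a review heuristic."""
    flagged: Dict[str, str] = {}
    for e in entries:
        if WINROOT_DLL_RE.match(e.target):
            flagged[e.name] = "DLL loaded from the Windows root rather than a program or system32 directory"
        elif "\\" not in e.target:
            # A bare file name is resolved through the loader's search path;
            # legitimate vendors do this too (nwiz.exe), so verify rather than assume.
            flagged[e.name] = "no directory given; resolved through the search path, verify the vendor"
    return flagged


def explain_missing_dlls(entries: List[RunEntry], missing: List[str]) -> Dict[str, Tuple[str, str]]:
    """Link a DLL name from a 'missing' rundll error to the Run value naming it."""
    by_basename = {e.target.rsplit("\\", 1)[-1].lower(): (e.hive, e.name) for e in entries}
    return {dll: by_basename[dll.lower()] for dll in missing if dll.lower() in by_basename}


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_LOG)
    for name, reason in review_run_entries(found).items():
        print(f"review {name}: {reason}")
    for dll, (hive, name) in explain_missing_dlls(found, ["wespgr.dll", "ujavozer.dll"]).items():
        print(f"{dll} is referenced by {hive}\\...\\Run\\{name}")
```

Run against the sample, the two Run values with invented-looking names are the ones that load a DLL from the Windows root, and each of the DLL names from the rundll errors resolves to one of them; once those values are gone (as the orphan list shows they are), the errors have nothing left to trigger them.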

#10 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 28 December 2010 - 10:39 PM

Hello,

Looks like we got the main infection. We still have a few leftovers to clean up and some final checking.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\Ccuzo.bin

Folder::
c:\program files\Winamp Toolbar

Domains::

DDS::
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"=-
[-HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[-HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.


Things to include in your next reply::
Combofix.txt
MBAM log
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


#11 00Samm

  • Topic Starter

  • Members
  • 9 posts

Posted 29 December 2010 - 08:11 PM

I got the error upon exit with MBAM again, but I'm not getting any more search result redirection.

Here are the logs:

ComboFix 10-12-26.01 - Sam 12/29/2010 14:02:10.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2768 [GMT -6:00]
Running from: c:\documents and settings\Sam\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sam\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FILE ::
"c:\windows\Ccuzo.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
c:\program files\Winamp Toolbar
c:\program files\Winamp Toolbar\apopup.dll
c:\program files\Winamp Toolbar\install.log
c:\program files\Winamp Toolbar\msvcr71.dll
c:\program files\Winamp Toolbar\uninstall.exe
c:\program files\Winamp Toolbar\winamptb.dll
c:\program files\Winamp Toolbar\winampTbServer.exe
c:\program files\Winamp Toolbar\winamptbServerPS.dll
c:\program files\Winamp Toolbar\xprt5.dll
c:\windows\Ccuzo.bin

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))
.

2010-12-27 21:10 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-27 21:10 . 2010-12-27 21:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-27 21:10 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-21 15:39 . 2010-12-21 15:39 -------- d-----w- c:\program files\Common Files\Java
2010-12-21 02:41 . 2010-12-21 02:41 -------- d-----w- c:\program files\ESET
2010-12-21 00:43 . 2010-12-21 00:43 -------- d-----w- c:\program files\iPod
2010-12-20 01:12 . 2010-12-20 01:12 -------- d-----w- c:\documents and settings\Administrator
2010-12-19 22:48 . 2010-12-19 22:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-09 01:35 . 2010-12-09 01:35 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\Sunbelt Software
2010-12-09 01:34 . 2010-12-27 23:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-08 23:30 . 2010-12-08 23:30 -------- d-----w- c:\program files\BitTorrent
2010-12-07 22:25 . 2010-12-07 22:25 12800 ----a-w- c:\program files\Mozilla Firefox\plugins\npwachk.dll
2010-12-01 17:16 . 2010-12-01 17:16 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\NewSoft
2010-12-01 17:16 . 2007-02-05 17:15 18432 ----a-w- c:\windows\system32\drivers\Achernar.sys
2010-12-01 17:15 . 2010-12-01 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Newsoft
2010-12-01 17:15 . 2001-11-12 16:44 122880 ----a-w- c:\windows\system32\Nsvideo.dll
2010-12-01 17:15 . 2010-12-19 20:28 -------- d-----w- c:\program files\Common Files\NewSoft
2010-12-01 17:15 . 2010-12-01 17:15 -------- d-----w- c:\program files\NewSoft
2010-12-01 17:15 . 2010-12-01 17:15 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2010-12-01 17:15 . 2010-12-01 17:15 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2010-12-01 17:15 . 2005-04-04 05:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2010-12-01 17:15 . 2005-04-04 05:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2010-12-01 17:15 . 2005-04-04 05:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2010-12-01 17:15 . 2005-04-04 05:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2010-12-01 17:15 . 2005-04-04 04:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-27 02:15 . 2008-04-14 04:06 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-12-09 01:37 . 2010-04-08 22:23 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-03 09:05 . 2010-04-08 22:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-03 09:05 . 2010-05-13 18:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-13 00:53 . 2010-06-03 14:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 22:34 . 2009-04-17 02:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-28 23:29 . 2010-01-19 00:26 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-07 323392]
"Google Update"="c:\documents and settings\Sam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-04 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
"nwiz"="nwiz.exe" [2008-01-08 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-08 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-12-07 74752]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-28 30192]
"NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2009-10-30 47456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-1 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"f:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"f:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"d:\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:https
"3306:TCP"= 3306:TCP:mysql

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [12/1/2010 11:16 AM 18432]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/8/2010 4:23 PM 64288]
R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [6/8/2010 6:54 PM 24192]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/5/2010 12:10 PM 691696]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [6/8/2010 6:55 PM 15360]
R2 Apache2.2;Apache2.2;f:\xampp\apache\bin\apache.exe [12/9/2008 5:10 PM 24636]
R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [1/1/2009 7:38 PM 1310720]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [6/8/2010 6:55 PM 10368]
R3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [6/8/2010 6:54 PM 9088]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/18/2010 6:26 PM 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 3:05 AM 1389400]
.
Contents of the 'Scheduled Tasks' folder

2010-12-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1935655697-682003330-1003Core.job
- c:\documents and settings\Sam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-04 03:48]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1935655697-682003330-1003UA.job
- c:\documents and settings\Sam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-04 03:48]

2009-01-08 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 19:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\lbz5fqf7.default\
FF - prefs.js: browser.search.defaulturl - https;//%LOCALE%.add-ons.mozilla.com%LOCALE%/firefox/%VERSION%/search-engines/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: ErrorHelp Search: bugs@bug.gd - %profile%\extensions\bugs@bug.gd
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Locationbar²: locationbar2@design-noir.de - %profile%\extensions\locationbar2@design-noir.de
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Source Viewer Tab: viewsourceintab@piro.sakura.ne.jp - %profile%\extensions\viewsourceintab@piro.sakura.ne.jp
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: ErrorZilla Plus: {03651b2d-eb7d-4be7-af1b-dc0cd162dd54} - %profile%\extensions\{03651b2d-eb7d-4be7-af1b-dc0cd162dd54}
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: GoogleEnhancer: {21e48e29-f574-4619-b65d-0f00eea92e5b} - %profile%\extensions\{21e48e29-f574-4619-b65d-0f00eea92e5b}
FF - Ext: Extended Copy Menu: {2E18002D-DF43-4c65-9FDA-40D02F066D9E} - %profile%\extensions\{2E18002D-DF43-4c65-9FDA-40D02F066D9E}
FF - Ext: Html Validator: {3b56bcc7-54e5-44a2-9b44-66c3ef58c13e} - %profile%\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: JSView: {cf15270e-cf08-4def-b4ea-6a5ac23f3bca} - %profile%\extensions\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: PhotoXpress: photoxpresssearch@photoxpress.com - %profile%\extensions\photoxpresssearch@photoxpress.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Nielsen: {D908A1CC-54B4-4af9-9BB4-964F5BD3CDB7} - c:\program files\NetRatingsNetSight\NetSight\meter1\FFAddon
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Winamp Toolbar - c:\program files\Winamp Toolbar\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-29 14:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-12-29 14:06:13
ComboFix-quarantined-files.txt 2010-12-29 20:06

Pre-Run: 93,125,345,280 bytes free
Post-Run: 93,115,068,416 bytes free

- - End Of File - - 59E57A3124E72E5008B4009E28D3A416

------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5418

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/29/2010 2:10:40 PM
mbam-log-2010-12-29 (14-10-40).txt

Scan type: Quick scan
Objects scanned: 156346
Time elapsed: 1 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------------

ESET Log:

C:\System Volume Information\_restore{4E01DDBB-729E-4F1D-9289-09782D19501D}\RP1\A0001015.exe a variant of Win32/Cimag.FG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{4E01DDBB-729E-4F1D-9289-09782D19501D}\RP1\A0001590.dll a variant of Win32/Cimag.FG trojan cleaned by deleting - quarantined

#12 fireman4it
Bleepin' Fireman, Malware Response Team
Posted 29 December 2010 - 08:22 PM

Hello,


We can run a couple of utilities to see if we can fix that error. It seems it's a hardware issue, but let's see if we can get it resolved. Do you have a Windows XP installation disc?


1.
We need to repair some of Windows' internal registration settings.
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box.
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section.
  • Press the GO button at the bottom of the window.
  • Exit/Close Dial-A-Fix

2.
We need to check your hard disk for errors.

To check the volume for errors:
  • Click start and then My Computer.
  • Right click the drive C and select Properties.
  • Under Tools tab press Check Now...
  • Put a check mark in both items and press start.
  • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.
*NOTE: This scan could take a long time to complete, but let it finish.


How is the machine running now?
Do you have a Windows XP Disc?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 00Samm (Topic Starter)

Posted 31 December 2010 - 08:45 AM

I apologize for the wait. I've run the two programs, but so far, I've been unable to locate my Windows XP disc. I'm still getting the error upon exit with MBAM.

#14 fireman4it
Bleepin' Fireman, Malware Response Team
Posted 31 December 2010 - 12:56 PM

Hello,

Can you please post the error that you're getting? How is your machine running besides the MBAM error? You may try to uninstall MBAM and then reinstall it to see if that helps.



#15 00Samm (Topic Starter)

Posted 01 January 2011 - 05:53 PM

This is the error I get whenever I exit MBAM: "The instruction at "0x6109b271" referenced memory at "0x00000004". The memory could not be "read". Click on OK to terminate the program". I've tried uninstalling and re-installing, but the error persists. The program seems to run just fine, though, and so long as it's not indicative of a lurking virus or what-have-you, I'm not terribly concerned.

Aside from the MBAM error, the only other issue I'm having is with the Sims 3 Launcher, which gives this error on launch: "The application failed to initialize properly. Please ensure you are not attempting to run the application on multiple Windows accounts simultaneously. If the problem still persists, please reinstall the application." However, the program still launches and appears to work fine, so again, as long as it's not a sign of malware, I'm not too concerned if I'm not able to fix it.

Thank you again for all of your help!



