Infected with yourprofitclub / adrotator


  • This topic is locked
10 replies to this topic

#1 KayJayDK (Members, 28 posts)

Posted 24 February 2011 - 04:38 PM

I got this annoying ad-rotator on my system. It keeps redirecting my Firefox browser to ads with the header "Ad served by Yourprofitclub". It doesn't seem to affect Google Chrome and I don't use IE at all.
I have tried other sites and thus installed and ran several AV programs, and running the AVs recommended on this site (Housecall, CureIt, SUPERAntiSpyware, MalwareBytes' Anti-Malware) didn't find any further infections. The ads keep appearing though, hence this post.

This is my DDS log

DDS (Ver_10-12-12.02) - NTFSx86
Run by Karsten at 22:13:09,42 on 24-02-2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.45.1030.18.2047.1380 [GMT 1:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Karsten\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Karsten\AppData\Local\Google\Chrome\Application\chrome.exe
S:\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
Trusted Zone: danid.dk
Trusted Zone: danid.dk
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: {779DE05B-48A9-4FAA-831E-CB219FBFF437} = 208.67.222.222,208.67.220.220
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\mozilla firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}\components\9a870092.dll
FF - component: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\users\karsten\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\{3d72f2d1-ec9f-47d8-af1f-e9f027fca20c}\plugins\npBootstrapOnline.dll
FF - plugin: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll
FF - plugin: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: z: {7a72882f-9ab7-fe7d-7859-d301a8427a1d} - c:\program files\mozilla firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
FF - Ext: Svensk ordlista: sv@dictionaries.addons.mozilla.org - %profile%\extensions\sv@dictionaries.addons.mozilla.org
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: Worksmedia kiosk: {3D72F2D1-EC9F-47d8-AF1F-E9F027FCA20C} - %profile%\extensions\{3D72F2D1-EC9F-47d8-AF1F-E9F027FCA20C}
FF - Ext: 20-20 3D Viewer: 2020Player@2020Technologies.com - %profile%\extensions\2020Player@2020Technologies.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-11-11 539248]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 yukonw7;NDIS6.2-miniportdriver til Marvell Yukon Ethernet-controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 MCEIR;%MCEIR.SvcDesc%;c:\windows\system32\drivers\MCEIR.sys [2009-12-30 16256]
S3 RTL8167;Realtek 8167 NT-driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-14 135664]
S4 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 173352]

=============== File Associations ===============

.txt=Notepad++_file

=============== Created Last 30 ================

2011-02-24 21:08:08 -------- d-----w- c:\users\karsten\appdata\local\VMware
2011-02-24 14:18:36 -------- d-----w- c:\users\karsten\DoctorWeb
2011-02-24 13:40:32 -------- d-----w- c:\program files\ESET
2011-02-24 12:44:50 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-02-24 12:44:46 404080 ----a-w- c:\windows\system32\vmnat.exe
2011-02-24 12:44:45 26352 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2011-02-24 12:44:38 760432 ----a-w- c:\windows\system32\vnetlib.dll
2011-02-24 12:44:18 24688 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2011-02-24 12:43:26 -------- d-----w- c:\program files\common files\VMware
2011-02-24 12:42:28 -------- d-----w- c:\program files\VMware
2011-02-24 00:30:46 -------- d-----w- c:\users\karsten\appdata\local\Adobe
2011-02-23 08:03:36 -------- d-----w- c:\users\karsten\appdata\roaming\SUPERAntiSpyware.com
2011-02-23 08:03:36 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-02-23 08:03:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-23 00:05:56 125932 ----a-w- c:\windows\system32\c6f07716.exe
2011-02-23 00:05:55 2603520 ----a-w- c:\program files\mozilla firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}\components\9a870092.dll
2011-02-23 00:01:58 -------- d-----w- c:\users\karsten\appdata\roaming\QuickScan
2011-02-22 23:39:44 -------- d-----w- c:\users\karsten\appdata\roaming\Malwarebytes
2011-02-22 23:39:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-22 23:39:34 -------- d-----w- c:\progra~2\Malwarebytes
2011-02-22 23:39:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-22 23:39:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-22 22:09:19 704000 ----a-w- c:\windows\system32\dns343nascoins.dll
2011-02-22 15:44:15 -------- d-----w- c:\program files\ILLUSION
2011-02-21 20:08:15 -------- d-----w- c:\users\karsten\appdata\local\CCP
2011-02-21 09:01:34 -------- d-----w- c:\users\karsten\appdata\local\ElevatedDiagnostics
2011-02-20 21:34:20 -------- d-----w- c:\users\karsten\appdata\roaming\My Streaming Media
2011-02-20 21:28:07 -------- d-----w- c:\users\karsten\appdata\roaming\Replay Media Catcher 4
2011-02-20 21:27:25 125932 ----a-w- c:\windows\system32\4bd4b8ea.exe
2011-02-20 21:27:21 2603520 ----a-w- c:\program files\mozilla firefox\extensions\{675eba94-03cf-5dda-6b53-ce37c7e7437c}\components\9ce6ba5e.dll
2011-02-20 21:27:03 74744 ----a-w- c:\windows\system32\fwngnvjjzecs.exe
2011-02-20 15:54:40 -------- d-----w- c:\users\karsten\appdata\local\mdnslib
2011-02-20 15:44:38 -------- d-----w- c:\users\karsten\appdata\local\Jaksta_Pty_Ltd
2011-02-20 15:42:51 -------- d-----w- c:\program files\Applian Technologies
2011-02-20 15:22:52 -------- d-----w- c:\users\karsten\appdata\roaming\mkvtoolnix
2011-02-20 15:12:19 -------- d-----w- c:\users\karsten\appdata\roaming\DAEMON Tools Lite
2011-02-20 14:56:45 -------- d-----w- c:\users\karsten\appdata\roaming\Doctor Who
2011-02-20 14:55:21 -------- d-----w- c:\users\karsten\appdata\local\Doctor Who
2011-02-20 14:51:40 -------- d-----w- c:\users\karsten\appdata\local\EA Games
2011-02-20 12:21:32 -------- d-----w- c:\program files\Activision
2011-02-20 12:18:15 -------- d-----w- c:\program files\VueScan
2011-02-20 12:05:55 -------- d-----w- c:\program files\EA Games
2011-02-20 11:24:10 -------- d-----w- c:\users\karsten\appdata\local\{B3C44983-12A7-4477-AC89-E19399EF393E}
2011-02-20 11:23:55 -------- d-----w- c:\users\karsten\Tracing
2011-02-20 10:18:41 3181568 ----a-w- c:\windows\system32\mf.dll
2011-02-20 10:18:41 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-02-20 10:18:40 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2011-02-20 10:16:52 -------- d-----w- c:\users\karsten\appdata\local\Windows Live
2011-02-20 09:23:09 -------- d-----w- c:\program files\uTorrent
2011-02-20 09:19:20 -------- d-----w- c:\users\karsten\appdata\local\Shareaza
2011-02-19 21:45:21 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{c40df3e5-3030-4a39-8175-63521b5071dd}\mpengine.dll
2011-02-19 21:42:55 -------- d-sh--w- C:\$RECYCLE.BIN
2011-02-19 21:16:26 -------- d-----w- c:\users\karsten\appdata\local\MPTagThat
2011-02-19 21:14:35 -------- d-----w- c:\users\karsten\appdata\roaming\Brother
2011-02-19 20:46:00 -------- d-----w- c:\users\karsten\appdata\local\Google
2011-02-19 20:16:25 -------- d-----w- c:\users\karsten\appdata\roaming\ACD Systems
2011-02-19 20:03:41 -------- d-----w- c:\users\karsten\appdata\local\Thunderbird
2011-02-19 19:50:31 -------- d-----w- c:\users\karsten\appdata\local\Mozilla
2011-02-19 19:49:43 -------- d-sh--we c:\users\karsten\appdata\local\Temporary Internet Files
2011-02-19 19:49:43 -------- d-sh--we c:\users\karsten\appdata\local\Oversigt
2011-02-19 19:49:43 -------- d-sh--we c:\users\karsten\appdata\local\Application Data
2011-02-19 19:49:42 -------- d-----w- c:\users\karsten\appdata\local\Temp
2011-02-19 19:49:42 -------- d-----w- c:\users\karsten\appdata\local\Microsoft
2011-02-09 22:51:33 1289536 ----a-w- c:\windows\system32\ntdll.dll
2011-02-09 22:51:32 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 22:51:32 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-09 22:51:31 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-02-09 22:51:29 2329088 ----a-w- c:\windows\system32\win32k.sys
2011-02-09 22:51:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-09 22:51:28 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-30 13:57:00 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

==================== Find3M ====================

2011-02-02 16:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-18 05:32:22 981504 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 05:29:31 541184 ----a-w- c:\windows\system32\kerberos.dll
2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec
2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 22:14:03,65 ===============

Edited by KayJayDK, 25 February 2011 - 03:35 AM.
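As an added example (not part of the original post, and not something the DDS tool itself does), the following Python script shows how a responder can triage a DDS log of the shape posted above: it parses the file-creation records and the mPolicies-system lines, flags executables with random-looking names, clusters creations that landed within a minute of each other, and lists the UAC policy values that are set to 0. The SAMPLE_DDS text is constructed here in the DDS record format, and the name heuristics and the 60-second window are assumptions made for the example; a flagged name is a lead to check against a hash database, not a verdict.

```python
"""Triage helper for a DDS log: file-creation records and UAC policy lines.

Added example, not from the BleepingComputer thread nor from the DDS tool.
SAMPLE_DDS is constructed in the record format DDS prints; nothing here
proves a file is malicious, it only ranks what a responder looks at first.
"""
import re
from datetime import datetime, timedelta

SAMPLE_DDS = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
=============== Created Last 30 ================
2011-02-24 12:44:50 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-02-23 00:05:56 125932 ----a-w- c:\windows\system32\c6f07716.exe
2011-02-23 00:05:55 2603520 ----a-w- c:\program files\mozilla firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}\components\9a870092.dll
2011-02-22 23:39:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-22 23:39:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-20 21:27:25 125932 ----a-w- c:\windows\system32\4bd4b8ea.exe
2011-02-20 21:27:21 2603520 ----a-w- c:\program files\mozilla firefox\extensions\{675eba94-03cf-5dda-6b53-ce37c7e7437c}\components\9ce6ba5e.dll
2011-02-20 21:27:03 74744 ----a-w- c:\windows\system32\fwngnvjjzecs.exe
2011-02-20 10:18:41 3181568 ----a-w- c:\windows\system32\mf.dll
"""

# One DDS file record: timestamp, size (dashes for a directory), attribute
# flags, path.  "Created Last 30" and "Find3M" both use this shape.
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S+)\s+(.+?)\s*$")
POLICY = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
HEX8 = re.compile(r"^[0-9a-f]{8}\.(?:exe|dll)$", re.IGNORECASE)

# Values under ...\Policies\System that weaken UAC when 0: EnableLUA=0 turns
# UAC off, ConsentPromptBehaviorAdmin=0 elevates without asking,
# PromptOnSecureDesktop=0 lets ordinary windows overlay the consent prompt.
WEAK_IF_ZERO = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")


def parse_records(text):
    """Return file records as dicts in the order DDS lists them (newest first)."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        records.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "size": int(size) if size.isdigit() else None,
            "is_dir": attrs.startswith("d"),
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return records


def parse_policies(text):
    """Map mPolicies-system names to their integer values."""
    return {m.group(1): int(m.group(2))
            for m in map(POLICY.match, text.splitlines()) if m}


def looks_random(name):
    """Heuristic (assumption): 8-hex-digit exe/dll names, or long lowercase
    names with almost no vowels, are typical of dropper output, not vendors."""
    stem, _, ext = name.rpartition(".")
    if ext.lower() not in ("exe", "dll", "sys"):
        return False
    if HEX8.match(name):
        return True
    if len(stem) >= 10 and stem.isalpha() and stem.islower():
        return sum(c in "aeiou" for c in stem) / len(stem) < 0.2
    return False


def bursts(records, window=timedelta(seconds=60)):
    """Group records whose creation times chain within `window` of each other."""
    groups, current = [], []
    for rec in sorted(records, key=lambda r: r["time"]):
        if current and rec["time"] - current[-1]["time"] > window:
            groups.append(current)
            current = []
        current.append(rec)
    if current:
        groups.append(current)
    return groups


def triage(text):
    """Flag random-looking binaries, the creation bursts they sit in, and
    UAC policies that are switched off."""
    records = parse_records(text)
    flagged = [r for r in records if looks_random(r["name"])]
    hot = {r["path"] for r in flagged}
    policies = parse_policies(text)
    return {
        "flagged": flagged,
        "bursts": [g for g in bursts(records) if any(r["path"] in hot for r in g)],
        "weak_uac": [k for k in WEAK_IF_ZERO if policies.get(k) == 0],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    for group in result["bursts"]:
        print("burst:", [f"{r['time']:%m-%d %H:%M:%S} {r['name']}" for r in group])
    print("UAC values set to 0:", result["weak_uac"])
```

Run on the constructed sample, the burst view is the useful part: the three random-named files dropped within 22 seconds of each other, and the second exe/dll pair created a second apart, stand out far more clearly than any single name does, and those timestamps are what to correlate with browser history and installer logs. The UAC list is a reminder that with EnableLUA=0 every process the user launches already runs with full administrator rights, so a dropper needs no exploit to write into system32.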



#2 B-boy/StyLe/ (Bleepin' Freestyler; Malware Response Team, 8,310 posts; Location: Bulgaria)

Posted 28 February 2011 - 04:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:

#3 KayJayDK (Topic Starter; Members, 28 posts)

Posted 01 March 2011 - 03:09 PM

I do have a DVD with Windows 7 Ultimate available... not the one I originally installed from but another version of it (SP1).
Nothing much has changed since the original post. I have tried Firefox once and it still redirected so I switched to Chrome which does not show any strange behavior.

Here is the new DDS log:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Karsten at 19:29:51,28 on 01-03-2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.45.1030.18.2047.1320 [GMT 1:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Shareaza\MediaLibraryBuilder.exe
C:\Windows\system32\taskhost.exe
C:\Users\Karsten\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Karsten\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Users\Karsten\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\VMware\VMware Workstation\vmware.exe
C:\Users\Karsten\AppData\Local\Google\Chrome\Application\chrome.exe
S:\Downloads\dds (1).scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [C:!Users!Karsten!AppData!Local!Google!Chrome!User Data_service_run] "c:\users\karsten\appdata\local\google\chrome\application\chrome.exe" --type=service
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
Trusted Zone: danid.dk
Trusted Zone: danid.dk
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: {779DE05B-48A9-4FAA-831E-CB219FBFF437} = 208.67.222.222,208.67.220.220
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\mozilla firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}\components\9a870092.dll
FF - component: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\users\karsten\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\{3d72f2d1-ec9f-47d8-af1f-e9f027fca20c}\plugins\npBootstrapOnline.dll
FF - plugin: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll
FF - plugin: c:\users\karsten\appdata\roaming\mozilla\firefox\profiles\5mbt5t41.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: z: {7a72882f-9ab7-fe7d-7859-d301a8427a1d} - c:\program files\mozilla firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
FF - Ext: Svensk ordlista: sv@dictionaries.addons.mozilla.org - %profile%\extensions\sv@dictionaries.addons.mozilla.org
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: Worksmedia kiosk: {3D72F2D1-EC9F-47d8-AF1F-E9F027FCA20C} - %profile%\extensions\{3D72F2D1-EC9F-47d8-AF1F-E9F027FCA20C}
FF - Ext: 20-20 3D Viewer: 2020Player@2020Technologies.com - %profile%\extensions\2020Player@2020Technologies.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-6-17 20080]
R3 yukonw7;NDIS6.2-miniportdriver til Marvell Yukon Ethernet-controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 MCEIR;%MCEIR.SvcDesc%;c:\windows\system32\drivers\MCEIR.sys [2009-12-30 16256]
S3 RTL8167;Realtek 8167 NT-driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-14 135664]
S4 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 173352]

=============== File Associations ===============

.txt=Notepad++_file

=============== Created Last 30 ================

2011-02-28 10:24:17 -------- d-----w- c:\windows\system32\RT 7 Lite
2011-02-28 10:24:16 -------- d-----w- c:\program files\Rockers Team
2011-02-27 23:41:48 -------- dc----w- c:\users\karsten\appdata\local\MigWiz
2011-02-26 21:40:30 -------- d-----w- c:\users\karsten\appdata\local\ACD Systems
2011-02-24 21:08:08 -------- d-----w- c:\users\karsten\appdata\local\VMware
2011-02-24 14:18:36 -------- d-----w- c:\users\karsten\DoctorWeb
2011-02-24 13:40:32 -------- d-----w- c:\program files\ESET
2011-02-24 12:44:50 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-02-24 12:44:46 404080 ----a-w- c:\windows\system32\vmnat.exe
2011-02-24 12:44:45 26352 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2011-02-24 12:44:38 760432 ----a-w- c:\windows\system32\vnetlib.dll
2011-02-24 12:44:18 24688 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2011-02-24 12:43:26 -------- d-----w- c:\program files\common files\VMware
2011-02-24 12:42:28 -------- d-----w- c:\program files\VMware
2011-02-24 00:30:46 -------- d-----w- c:\users\karsten\appdata\local\Adobe
2011-02-23 08:03:36 -------- d-----w- c:\users\karsten\appdata\roaming\SUPERAntiSpyware.com
2011-02-23 08:03:36 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-02-23 08:03:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-23 00:05:56 125932 ----a-w- c:\windows\system32\c6f07716.exe
2011-02-23 00:05:55 2603520 ----a-w- c:\program files\mozilla firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}\components\9a870092.dll
2011-02-23 00:01:58 -------- d-----w- c:\users\karsten\appdata\roaming\QuickScan
2011-02-22 23:39:44 -------- d-----w- c:\users\karsten\appdata\roaming\Malwarebytes
2011-02-22 23:39:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-22 23:39:34 -------- d-----w- c:\progra~2\Malwarebytes
2011-02-22 23:39:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-22 23:39:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-22 22:09:19 704000 ----a-w- c:\windows\system32\dns343nascoins.dll
2011-02-21 20:08:15 -------- d-----w- c:\users\karsten\appdata\local\CCP
2011-02-21 09:01:34 -------- d-----w- c:\users\karsten\appdata\local\ElevatedDiagnostics
2011-02-20 21:34:20 -------- d-----w- c:\users\karsten\appdata\roaming\My Streaming Media
2011-02-20 21:28:07 -------- d-----w- c:\users\karsten\appdata\roaming\Replay Media Catcher 4
2011-02-20 21:27:25 125932 ----a-w- c:\windows\system32\4bd4b8ea.exe
2011-02-20 21:27:21 2603520 ----a-w- c:\program files\mozilla firefox\extensions\{675eba94-03cf-5dda-6b53-ce37c7e7437c}\components\9ce6ba5e.dll
2011-02-20 21:27:03 74744 ----a-w- c:\windows\system32\fwngnvjjzecs.exe
2011-02-20 15:54:40 -------- d-----w- c:\users\karsten\appdata\local\mdnslib
2011-02-20 15:44:38 -------- d-----w- c:\users\karsten\appdata\local\Jaksta_Pty_Ltd
2011-02-20 15:42:51 -------- d-----w- c:\program files\Applian Technologies
2011-02-20 15:22:52 -------- d-----w- c:\users\karsten\appdata\roaming\mkvtoolnix
2011-02-20 15:12:19 -------- d-----w- c:\users\karsten\appdata\roaming\DAEMON Tools Lite
2011-02-20 14:56:45 -------- d-----w- c:\users\karsten\appdata\roaming\Doctor Who
2011-02-20 14:55:21 -------- d-----w- c:\users\karsten\appdata\local\Doctor Who
2011-02-20 14:51:40 -------- d-----w- c:\users\karsten\appdata\local\EA Games
2011-02-20 12:21:32 -------- d-----w- c:\program files\Activision
2011-02-20 12:18:15 -------- d-----w- c:\program files\VueScan
2011-02-20 11:24:10 -------- d-----w- c:\users\karsten\appdata\local\{B3C44983-12A7-4477-AC89-E19399EF393E}
2011-02-20 11:23:55 -------- d-----w- c:\users\karsten\Tracing
2011-02-20 10:18:41 3181568 ----a-w- c:\windows\system32\mf.dll
2011-02-20 10:18:41 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-02-20 10:18:40 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2011-02-20 10:16:52 -------- d-----w- c:\users\karsten\appdata\local\Windows Live
2011-02-20 09:23:09 -------- d-----w- c:\program files\uTorrent
2011-02-20 09:19:20 -------- d-----w- c:\users\karsten\appdata\local\Shareaza
2011-02-19 21:45:21 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{c40df3e5-3030-4a39-8175-63521b5071dd}\mpengine.dll
2011-02-19 21:42:55 -------- d-sh--w- C:\$RECYCLE.BIN
2011-02-19 21:16:26 -------- d-----w- c:\users\karsten\appdata\local\MPTagThat
2011-02-19 21:14:35 -------- d-----w- c:\users\karsten\appdata\roaming\Brother
2011-02-19 20:46:00 -------- d-----w- c:\users\karsten\appdata\local\Google
2011-02-19 20:16:25 -------- d-----w- c:\users\karsten\appdata\roaming\ACD Systems
2011-02-19 20:03:41 -------- d-----w- c:\users\karsten\appdata\local\Thunderbird
2011-02-19 19:50:31 -------- d-----w- c:\users\karsten\appdata\local\Mozilla
2011-02-19 19:49:43 -------- d-sh--we c:\users\karsten\appdata\local\Temporary Internet Files
2011-02-19 19:49:43 -------- d-sh--we c:\users\karsten\appdata\local\Oversigt
2011-02-19 19:49:43 -------- d-sh--we c:\users\karsten\appdata\local\Application Data
2011-02-19 19:49:42 -------- d-----w- c:\users\karsten\appdata\local\Temp
2011-02-19 19:49:42 -------- d-----w- c:\users\karsten\appdata\local\Microsoft
2011-02-09 22:51:33 1289536 ----a-w- c:\windows\system32\ntdll.dll
2011-02-09 22:51:32 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 22:51:32 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-09 22:51:31 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-02-09 22:51:29 2329088 ----a-w- c:\windows\system32\win32k.sys
2011-02-09 22:51:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-09 22:51:28 294400 ----a-w- c:\windows\system32\atmfd.dll

==================== Find3M ====================

2011-02-02 16:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-18 05:32:22 981504 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 05:29:31 541184 ----a-w- c:\windows\system32\kerberos.dll
2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec
2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 19:31:47,39 ===============



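The "Created Last 30" section of the DDS log above is where the suspicious files in this thread first show up: two PE files with 8-hex-character names written straight into system32, each paired with a same-sized DLL under a GUID-named Firefox extension, and a third executable created in the same minute. As an added example (not part of this thread, and not DDS or BleepingComputer tooling), here is a small Python triage script that parses lines in that format and flags entries by those patterns. The name-based heuristics, the 60-second clustering window and the same-size grouping are assumptions chosen for illustration; the sample lines are copied from the log above.

```python
"""Triage the 'Created Last 30' section of a DDS log.

Added example, not part of the original thread and not DDS or BleepingComputer
tooling. The heuristics are assumptions made for illustration; the sample
lines are copied from the log posted above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the poster's 'Created Last 30' entries.
SAMPLE_LOG = r"""
2011-02-24 12:44:50 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-02-23 00:05:56 125932 ----a-w- c:\windows\system32\c6f07716.exe
2011-02-23 00:05:55 2603520 ----a-w- c:\program files\mozilla firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}\components\9a870092.dll
2011-02-23 00:01:58 -------- d-----w- c:\users\karsten\appdata\roaming\QuickScan
2011-02-20 21:27:25 125932 ----a-w- c:\windows\system32\4bd4b8ea.exe
2011-02-20 21:27:21 2603520 ----a-w- c:\program files\mozilla firefox\extensions\{675eba94-03cf-5dda-6b53-ce37c7e7437c}\components\9ce6ba5e.dll
2011-02-20 21:27:03 74744 ----a-w- c:\windows\system32\fwngnvjjzecs.exe
2011-02-09 22:51:33 1289536 ----a-w- c:\windows\system32\ntdll.dll
"""

# DDS line layout: date time size-or-dashes attribute-flags path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
# Assumed heuristic: an 8-hex-character PE name is not how vendors name files.
HEX8_RE = re.compile(r"^[0-9a-f]{8}\.(exe|dll|sys)$")
# Assumed heuristic: a DLL inside a GUID-named Firefox extension's components dir.
FF_COMPONENT_RE = re.compile(
    r"\\mozilla firefox\\extensions\\\{[0-9a-f-]{36}\}\\components\\[^\\]+\.dll$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_dds_created(text):
    """Turn 'Created Last 30' lines into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "size": int(size) if size.isdigit() else None,  # '--------' for dirs
            "is_dir": attrs.startswith("d"),
            "path": path.lower(),
        })
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def name_reasons(entry):
    """Reasons to flag one entry on its name and location alone."""
    reasons = []
    name = basename(entry["path"])
    if entry["path"].startswith(SYSTEM32) and HEX8_RE.match(name):
        reasons.append("8-hex-char PE name directly in system32")
    if FF_COMPONENT_RE.search(entry["path"]) and HEX8_RE.match(name):
        reasons.append("8-hex-char DLL in a GUID-named Firefox extension")
    return reasons


def triage(entries, window=timedelta(seconds=60)):
    """Return {path: [reasons]} for files worth a closer look.

    Pass 1 flags by name; pass 2 pulls in same-sized files (the same dropper
    written twice under different names); pass 3 pulls in anything created
    within `window` of a flagged file, since one drop event writes several
    files within seconds.
    """
    files = [e for e in entries if not e["is_dir"]]
    flagged = defaultdict(list)
    for e in files:
        for r in name_reasons(e):
            flagged[e["path"]].append(r)

    by_size = defaultdict(list)
    for e in files:
        if e["size"]:
            by_size[e["size"]].append(e)
    for size, group in by_size.items():
        if len(group) > 1 and any(g["path"] in flagged for g in group):
            for g in group:
                flagged[g["path"]].append(f"same size ({size} bytes) as another flagged file")

    anchors = [e for e in files if e["path"] in flagged]
    for e in files:
        if e["path"] in flagged:
            continue
        for a in anchors:
            if abs(e["when"] - a["when"]) <= window:
                flagged[e["path"]].append(
                    f"created within {window.seconds}s of {basename(a['path'])}")
                break
    return dict(flagged)


if __name__ == "__main__":
    for path, reasons in triage(parse_dds_created(SAMPLE_LOG)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample above the name heuristics alone miss fwngnvjjzecs.exe; it is picked up only because it was written 22 seconds before 4bd4b8ea.exe, which is why the script treats time clustering around a confirmed drop as evidence in its own right. vmnetdhcp.exe and ntdll.dll, which have vendor-style names and unrelated timestamps, stay unflagged.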

#4 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,310 posts
  • Gender:Male
  • Location:Bulgaria

Posted 01 March 2011 - 06:29 PM

Hi KayJayDK and :welcome:

I will be handling your log to help you get cleaned up.
Please give me some time to look it over and I will get back to you as soon as possible.



Regards,
Georgi :hello:



#5 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,310 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 March 2011 - 11:57 AM

Hello KayJayDK ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.





I suggest you uninstall uTorrent and Shareaza as well!

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent and Shareaza). These programmes allow you to share files between users, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software





Disable Windows Defender as it could interfere with the fix.


Disable Windows Defender


  • Run Windows Defender from Start Menu.
  • Click on Tools button.
  • Then click on Options link under Tools and Settings section.
  • Scroll down the Real-Time Protection page, and uncheck "Use real-time protection (recommended)".
  • Then please navigate to "Administrator" page and uncheck "Use this program".
  • Click on Save button.





Check these files at VirusTotal



Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\c6f07716.exe

Note: if VT says these files have already been analysed, make sure you click "re-analyse file now".

Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Virscan: http://virscan.org/



Please repeat these steps for the following files as well:



c:\windows\system32\4bd4b8ea.exe
c:\windows\system32\fwngnvjjzecs.exe
c:\program files\mozilla firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}\components\9a870092.dll




:exclame: IMPORTANT NOTE: :exclame: :exclame:

Can you stay disconnected from the Internet during the cleaning process, except for the steps that require you to update or download a program mentioned in my instructions?
This is important to avoid re-infection, since you don't have any antivirus installed on your computer.
When we are done with the cleaning process I'll let you know to install any antivirus you like and to reconnect the computer to the internet permanently... but not yet.




Regards,
Georgi



#6 KayJayDK
  • Topic Starter
  • Members
  • 28 posts

Posted 04 March 2011 - 10:15 AM

File name: c6f07716.exe
Submission date: 2011-03-04 14:59:33 (UTC)
Current status: finished
Result: 3/ 43 (7.0%)
Antivirus Version Last Update Result
AhnLab-V3 2011.03.04.03 2011.03.04 -
AntiVir 7.11.4.67 2011.03.04 -
Antiy-AVL 2.0.3.7 2011.03.04 -
Avast 4.8.1351.0 2011.02.23 -
Avast5 5.0.677.0 2011.03.04 -
AVG 10.0.0.1190 2011.03.04 -
BitDefender 7.2 2011.03.04 -
CAT-QuickHeal 11.00 2011.03.04 -
ClamAV 0.96.4.0 2011.03.04 Adware.YPC
Commtouch 5.2.11.5 2011.03.04 -
Comodo 7868 2011.03.04 -
DrWeb 5.0.2.03300 2011.03.04 -
Emsisoft 5.1.0.2 2011.03.04 -
eSafe 7.0.17.0 2011.03.03 -
eTrust-Vet 36.1.8197 2011.03.04 -
F-Prot 4.6.2.117 2011.03.04 -
F-Secure 9.0.16440.0 2011.03.04 -
Fortinet 4.2.254.0 2011.03.04 -
GData 21 2011.03.04 -
Ikarus T3.1.1.97.0 2011.03.04 -
Jiangmin 13.0.900 2011.03.04 -
K7AntiVirus 9.91.4021 2011.03.04 -
Kaspersky 7.0.0.125 2011.03.04 -
McAfee 5.400.0.1158 2011.03.04 -
McAfee-GW-Edition 2010.1C 2011.03.04 -
Microsoft 1.6603 2011.03.04 -
NOD32 5925 2011.03.04 -
Norman 6.07.03 2011.03.04 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.03 -
PCTools 7.0.3.5 2011.03.04 -
Prevx 3.0 2011.03.04 High Risk Cloaked Malware
Rising 23.47.04.05 2011.03.04 -
Sophos 4.63.0 2011.03.04 -
SUPERAntiSpyware 4.40.0.1006 2011.03.04 -
Symantec 20101.3.0.103 2011.03.04 WS.Reputation.1
TheHacker 6.7.0.1.143 2011.03.02 -
TrendMicro 9.200.0.1012 2011.03.04 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.04 -
VBA32 3.12.14.3 2011.03.02 -
VIPRE 8600 2011.03.04 -
ViRobot 2011.3.4.4340 2011.03.04 -
VirusBuster 13.6.234.0 2011.03.04 -
MD5 : 2d52fd09ebf7c76ce856157f27dc0b86
SHA1 : ef6e5401fdede9f6f649553ea592349aaa0e6534
SHA256: 06387d5f75270b0824b65f521771ac982897f6c81da9bfeb284382568b5a81ca



File name: 4bd4b8ea.exe
Submission date: 2011-03-04 14:37:04 (UTC)
Current status: finished
Result: 3 /42 (7.1%)
Antivirus Version Last Update Result
AhnLab-V3 2011.03.04.03 2011.03.04 -
AntiVir 7.11.4.67 2011.03.04 -
Antiy-AVL 2.0.3.7 2011.03.04 -
Avast 4.8.1351.0 2011.02.23 -
Avast5 5.0.677.0 2011.03.04 -
AVG 10.0.0.1190 2011.03.04 -
BitDefender 7.2 2011.03.04 -
CAT-QuickHeal 11.00 2011.03.04 -
ClamAV 0.96.4.0 2011.03.04 Adware.YPC
Commtouch 5.2.11.5 2011.03.04 -
Comodo 7868 2011.03.04 -
Emsisoft 5.1.0.2 2011.03.04 -
eSafe 7.0.17.0 2011.03.03 -
eTrust-Vet 36.1.8197 2011.03.04 -
F-Prot 4.6.2.117 2011.03.04 -
F-Secure 9.0.16440.0 2011.03.04 -
Fortinet 4.2.254.0 2011.03.04 -
GData 21 2011.03.04 -
Ikarus T3.1.1.97.0 2011.03.04 -
Jiangmin 13.0.900 2011.03.04 -
K7AntiVirus 9.91.4021 2011.03.04 -
Kaspersky 7.0.0.125 2011.03.04 -
McAfee 5.400.0.1158 2011.03.04 -
McAfee-GW-Edition 2010.1C 2011.03.04 -
Microsoft 1.6603 2011.03.04 -
NOD32 5925 2011.03.04 -
Norman 6.07.03 2011.03.04 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.03 -
PCTools 7.0.3.5 2011.03.04 -
Prevx 3.0 2011.03.04 High Risk Cloaked Malware
Rising 23.47.04.05 2011.03.04 -
Sophos 4.63.0 2011.03.04 -
SUPERAntiSpyware 4.40.0.1006 2011.03.04 -
Symantec 20101.3.0.103 2011.03.04 WS.Reputation.1
TheHacker 6.7.0.1.143 2011.03.02 -
TrendMicro 9.200.0.1012 2011.03.04 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.04 -
VBA32 3.12.14.3 2011.03.02 -
VIPRE 8600 2011.03.04 -
ViRobot 2011.3.4.4340 2011.03.04 -
VirusBuster 13.6.234.0 2011.03.04 -
MD5 : 2d52fd09ebf7c76ce856157f27dc0b86
SHA1 : ef6e5401fdede9f6f649553ea592349aaa0e6534
SHA256: 06387d5f75270b0824b65f521771ac982897f6c81da9bfeb284382568b5a81ca



File name: fwngnvjjzecs.exe
Submission date: 2011-03-04 14:41:08 (UTC)
Current status: finished
Result: 2 /43 (4.7%)
Antivirus Version Last Update Result
AhnLab-V3 2011.03.04.03 2011.03.04 -
AntiVir 7.11.4.67 2011.03.04 -
Antiy-AVL 2.0.3.7 2011.03.04 -
Avast 4.8.1351.0 2011.02.23 -
Avast5 5.0.677.0 2011.03.04 -
AVG 10.0.0.1190 2011.03.04 -
BitDefender 7.2 2011.03.04 -
CAT-QuickHeal 11.00 2011.03.04 -
ClamAV 0.96.4.0 2011.03.04 -
Commtouch 5.2.11.5 2011.03.04 -
Comodo 7868 2011.03.04 -
DrWeb 5.0.2.03300 2011.03.04 -
Emsisoft 5.1.0.2 2011.03.04 -
eSafe 7.0.17.0 2011.03.03 -
eTrust-Vet 36.1.8197 2011.03.04 -
F-Prot 4.6.2.117 2011.03.04 -
F-Secure 9.0.16440.0 2011.03.04 -
Fortinet 4.2.254.0 2011.03.04 -
GData 21 2011.03.04 -
Ikarus T3.1.1.97.0 2011.03.04 -
Jiangmin 13.0.900 2011.03.04 -
K7AntiVirus 9.91.4021 2011.03.04 -
Kaspersky 7.0.0.125 2011.03.04 -
McAfee 5.400.0.1158 2011.03.04 -
McAfee-GW-Edition 2010.1C 2011.03.04 -
Microsoft 1.6603 2011.03.04 -
NOD32 5925 2011.03.04 -
Norman 6.07.03 2011.03.04 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.03 -
PCTools 7.0.3.5 2011.03.04 -
Prevx 3.0 2011.03.04 High Risk Cloaked Malware
Rising 23.47.04.05 2011.03.04 -
Sophos 4.63.0 2011.03.04 -
SUPERAntiSpyware 4.40.0.1006 2011.03.04 -
Symantec 20101.3.0.103 2011.03.04 WS.Reputation.1
TheHacker 6.7.0.1.143 2011.03.02 -
TrendMicro 9.200.0.1012 2011.03.04 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.04 -
VBA32 3.12.14.3 2011.03.02 -
VIPRE 8600 2011.03.04 -
ViRobot 2011.3.4.4340 2011.03.04 -
VirusBuster 13.6.234.0 2011.03.04 -
MD5 : e6bfd6dcb65cabf1bd03b5ae31d529ce
SHA1 : da6232ca01e8fe07393120e88da3f8adf3e9d6de
SHA256: 16bbe67043eb08710f36483d84f9c43bb1134a515a316cdd6bdec9948035f493



File name: 9a870092.dll
Submission date: 2011-03-04 14:46:09 (UTC)
Current status: finished
Result: 8/ 43 (18.6%)
Antivirus Version Last Update Result
AhnLab-V3 2011.03.04.03 2011.03.04 -
AntiVir 7.11.4.67 2011.03.04 -
Antiy-AVL 2.0.3.7 2011.03.04 AdWare/Win32.EZula.gen
Avast 4.8.1351.0 2011.02.23 -
Avast5 5.0.677.0 2011.03.04 -
AVG 10.0.0.1190 2011.03.04 Generic4.BBQY
BitDefender 7.2 2011.03.04 -
CAT-QuickHeal 11.00 2011.03.04 -
ClamAV 0.96.4.0 2011.03.04 -
Commtouch 5.2.11.5 2011.03.04 -
Comodo 7868 2011.03.04 -
DrWeb 5.0.2.03300 2011.03.04 -
Emsisoft 5.1.0.2 2011.03.04 Riskware.AdWare.Win32.EZula!IK
eSafe 7.0.17.0 2011.03.03 -
eTrust-Vet 36.1.8197 2011.03.04 -
F-Prot 4.6.2.117 2011.03.04 -
F-Secure 9.0.16440.0 2011.03.04 -
Fortinet 4.2.254.0 2011.03.04 -
GData 21 2011.03.04 -
Ikarus T3.1.1.97.0 2011.03.04 not-a-virus:AdWare.Win32.EZula
Jiangmin 13.0.900 2011.03.04 -
K7AntiVirus 9.91.4021 2011.03.04 -
Kaspersky 7.0.0.125 2011.03.04 not-a-virus:AdWare.Win32.EZula.kyc
McAfee 5.400.0.1158 2011.03.04 -
McAfee-GW-Edition 2010.1C 2011.03.04 -
Microsoft 1.6603 2011.03.04 -
NOD32 5925 2011.03.04 -
Norman 6.07.03 2011.03.04 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.03 Trj/CI.A
PCTools 7.0.3.5 2011.03.04 -
Prevx 3.0 2011.03.04 -
Rising 23.47.04.05 2011.03.04 -
Sophos 4.63.0 2011.03.04 -
SUPERAntiSpyware 4.40.0.1006 2011.03.04 -
Symantec 20101.3.0.103 2011.03.04 WS.Reputation.1
TheHacker 6.7.0.1.143 2011.03.02 -
TrendMicro 9.200.0.1012 2011.03.04 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.04 -
VBA32 3.12.14.3 2011.03.02 AdWare.Win32.EZula.kyc
VIPRE 8600 2011.03.04 -
ViRobot 2011.3.4.4340 2011.03.04 -
VirusBuster 13.6.234.0 2011.03.04 -
MD5 : 30bb6c7088eea18a17afdff40210ed67
SHA1 : 7143fd8242b1e6bc815c527c3278a136c8824ad2
SHA256: 0d361de443bea657ce0423fa3ac3056146a72da3dec68ea83b496e3115858cdc

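Two of the four results above carry the same MD5, SHA1 and SHA256 (c6f07716.exe and 4bd4b8ea.exe), so the same binary was written to disk twice under different random names, and the hashes alone would have told VirusTotal which file it was without a second upload. As an added example (not from this thread, and not VirusTotal or BleepingComputer tooling), the following Python script does the hash-first triage that fits the "check these files at VirusTotal" step in post #5: one streaming read computes all three digests, files are grouped by content so each distinct binary is submitted once and aliases are known up front, and SHA256 values are matched against a known-bad list. That list holds the three SHA256 values posted above; the demo directory and its file contents are constructed stand-ins, not the real samples, and the fourth list entry added in `run_demo` is the hash of that constructed content.

```python
"""Hash-first triage before uploading files to VirusTotal.

Added example, not from the thread above and not VirusTotal tooling. The
known-bad SHA256 values are the ones posted in the results above; the demo
directory and its file contents are constructed stand-ins, not the real
samples.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# SHA256 values as posted above; two of the four submissions had the same one.
KNOWN_BAD_SHA256 = {
    "06387d5f75270b0824b65f521771ac982897f6c81da9bfeb284382568b5a81ca":
        "ClamAV Adware.YPC (posted as c6f07716.exe and 4bd4b8ea.exe)",
    "16bbe67043eb08710f36483d84f9c43bb1134a515a316cdd6bdec9948035f493":
        "posted as fwngnvjjzecs.exe",
    "0d361de443bea657ce0423fa3ac3056146a72da3dec68ea83b496e3115858cdc":
        "AdWare.Win32.EZula component (posted as 9a870092.dll)",
}


def file_digests(path, chunk=1 << 16):
    """MD5, SHA1 and SHA256 of a file from a single streaming read."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def triage_directory(directory, known_bad):
    """Return (matches, duplicate_groups).

    matches: {path: label} for files whose SHA256 is on the known-bad list.
    duplicate_groups: lists of paths with identical content, so a responder
    uploads each distinct binary once and knows which names are aliases.
    """
    by_sha256 = defaultdict(list)
    matches = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        d = file_digests(path)
        by_sha256[d["sha256"]].append(path)
        if d["sha256"] in known_bad:
            matches[path] = known_bad[d["sha256"]]
    duplicate_groups = [sorted(paths) for paths in by_sha256.values() if len(paths) > 1]
    return matches, duplicate_groups


def build_demo_dir():
    """Constructed stand-in directory: the two thread file names sharing one
    arbitrary content, plus two unrelated files. Returns (dir, sha256 of the
    shared content). Nothing here is the real sample."""
    directory = tempfile.mkdtemp(prefix="vt_triage_")
    shared = b"CONSTRUCTED SAMPLE BYTES - not the real file\n" * 64
    contents = {
        "c6f07716.exe": shared,
        "4bd4b8ea.exe": shared,
        "fwngnvjjzecs.exe": b"CONSTRUCTED, different content\n" * 32,
        "vmnat.exe": b"CONSTRUCTED benign stand-in\n" * 16,
    }
    for name, data in contents.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory, hashlib.sha256(shared).hexdigest()


def run_demo():
    """Triage the constructed directory; returns basenames for readability."""
    directory, shared_sha256 = build_demo_dir()
    known = dict(KNOWN_BAD_SHA256)
    # Constructed entry so the demo content matches something (demo only).
    known[shared_sha256] = "constructed stand-in for the dropper (demo only)"
    matches, dups = triage_directory(directory, known)
    return (sorted(os.path.basename(p) for p in matches),
            [[os.path.basename(p) for p in group] for group in dups])


if __name__ == "__main__":
    matched, duplicate_groups = run_demo()
    print("known-bad matches:", matched)
    print("byte-identical groups:", duplicate_groups)
```

Run against a real collection directory, `triage_directory` takes the page's three SHA256 values as-is; the constructed fourth entry exists only so the demo files have something to match. Grouping by content is what tells a responder that the two system32 names in this thread are one artefact, which is also why their VirusTotal reports are identical line for line.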
#7 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,310 posts
  • Gender:Male
  • Location:Bulgaria

Posted 05 March 2011 - 05:20 AM

Hi KayJayDK, :)



STEP 1



Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply



STEP 2


  • Please download regsearch.zip and save it to your desktop.
  • Right click on regsearch.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on regsearch.exe to run it.
  • Copy and paste 7a72882f-9ab7-fe7d-7859-d301a8427a1d under Enter search strings (case independent) and click OK...
  • When done, RegSearch.txt will open. Please post the contents of this file in your next reply. This file can also be found on your desktop or wherever regsearch is extracted to.



Regards,
Georgi

Edited by B-boy/StyLe/, 05 March 2011 - 05:21 AM.



#8 KayJayDK
  • Topic Starter
  • Members
  • 28 posts

Posted 05 March 2011 - 01:11 PM

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.6.0

; Results at 05-03-2011 19:10:33 for strings:
; '7a72882f-9ab7-fe7d-7859-d301a8427a1d'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_USERS\S-1-5-21-2837618011-1906746500-1455243700-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url3"="C:\\Program Files\\Mozilla Firefox\\extensions\\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}\\components"

; End Of The Log...




#9 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,310 posts
  • Gender:Male
  • Location:Bulgaria

Posted 06 March 2011 - 10:18 AM

Hi KayJayDK, :)



STEP 1



We need to execute a CFScript to clean some remnants.


Please do this:

1. Please delete your copy of Combofix and download a fresh one from here.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic381340.html

KILLALL::
Collect::
c:\windows\system32\c6f07716.exe
c:\windows\system32\4bd4b8ea.exe
c:\windows\system32\fwngnvjjzecs.exe
c:\program files\Mozilla Firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}\components\9a870092.dll
DirLook::
c:\users\karsten\appdata\local\{B3C44983-12A7-4477-AC89-E19399EF393E}
DDS::
uURLSearchHooks: H - No File
Firefox::
FF - ProfilePath - c:\users\Karsten\AppData\Roaming\Mozilla\Firefox\Profiles\5mbt5t41.default\
FF - component: c:\program files\mozilla firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}\components\9a870092.dll
FF - Ext: z: {7a72882f-9ab7-fe7d-7859-d301a8427a1d} - c:\program files\Mozilla Firefox\extensions\{7a72882f-9ab7-fe7d-7859-d301a8427a1d}

Save this as CFScript.txt, in the same location as ComboFix.exe

4. Close any open browsers.

Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.

  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen will appear, auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".


**NOTE**
  • IF for some reason Combofix fails to upload anything you will see this message:

    Posted Image
  • Please double-click this file: C:\CF-Submit.htm and follow the instructions there to upload that zipped file.

7. When Combofix has finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Also reply back to let me know how things are going.



Regards,
Georgi



#10 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,310 posts
  • Gender:Male
  • Location:Bulgaria

Posted 10 March 2011 - 06:50 AM

Hi KayJayDK,


Are you still with me ?
Please reply back or the topic will be closed within 48 hours.
Thanks !



Regards,
Georgi



#11 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 13 March 2011 - 09:46 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
