
Keep getting redirected from google to other sites


  • This topic is locked
8 replies to this topic

#1 guitarman77

guitarman77

  • Members
  • 32 posts
  • OFFLINE
  • Local time:01:21 AM

Posted 28 April 2011 - 05:11 PM

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 14:00:57.29 on Thu 04/28/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.63 [GMT -7:00]
.
AV: Internet Security Suite *Enabled/Updated* {9E9C8459-089D-4114-B06F-411185755D71}
AV: Internet Security Suite *Enabled/Updated* {89290FBE-1808-4041-821A-0B366DF0790D}
FW: Internet Security Suite *Enabled*
FW: Internet Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [LogitechSetup] D:\setup.exe /skip_all_checks /p /start /restart /l:enu
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [UIUCU] c:\docume~1\owner\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"
mRun: [DellMCM] "c:\program files\dell photo aio printer 942\memcard.exe"
mRun: [DLBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBUtime.dll,_RunDLLEntry@16
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0401.0\mswinext.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: meretag - c:\documents and settings\owner\local settings\application data\meretag.dll
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\s1h69dcl.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-04-28 00:03:57 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-27 23:43:34 -------- dc----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-27 03:15:17 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-04-27 03:05:55 -------- dc----w- c:\program files\AVG
2011-04-27 02:56:37 -------- dc----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-04-27 02:51:29 -------- dc----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-04-27 02:08:30 -------- dc----w- c:\program files\AVAST Software
2011-04-27 02:08:30 -------- dc----w- c:\docume~1\alluse~1\applic~1\AVAST Software
2011-04-27 01:48:23 11264 -c--a-w- c:\docume~1\owner\locals~1\applic~1\meretag.dll
2011-04-27 01:44:51 -------- dc----w- c:\docume~1\owner\applic~1\Malwarebytes
2011-04-27 01:44:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 01:44:42 -------- dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-27 01:44:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-27 01:44:39 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-27 01:15:40 21504 -c--a-w- c:\windows\system32\hidserv.dll
2011-04-27 01:15:40 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-04-14 10:39:02 103864 -c--a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-04-11 21:49:56 -------- dc----w- c:\docume~1\alluse~1\applic~1\aFo28605oGgPn28605
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 -c--a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 -c--a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 -c--a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 14:03:21.32 ===============
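The Pseudo HJT section above already contains the three indicators the helper later acts on: a Winlogon Notify DLL loaded from the user's profile (meretag.dll), an Image File Execution Options entry for svchost.exe, and a block of hosts entries that pin several rogue-AV payment domains to one non-loopback address. As an added example, not part of the original post and not DDS's own code, the following Python script parses lines in that report format and flags those patterns. The sample input quotes lines from the log above plus two benign lines constructed for contrast; the thresholds (a Notify path outside c:\windows\system32, the list of core binaries, the temp-directory check) are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample: lines quoted from the DDS "Pseudo HJT Report" above,
# plus two benign lines (igfxtray in system32, a loopback hosts entry)
# added for contrast.
SAMPLE_LOG = """\
Notify: igfxcui - igfxdev.dll
Notify: meretag - c:\\documents and settings\\owner\\local settings\\application data\\meretag.dll
IFEO: image file execution options - svchost.exe
mRun: [UIUCU] c:\\docume~1\\owner\\locals~1\\temp\\UIUCU.EXE -CLEAN_UP -S
mRun: [igfxtray] c:\\windows\\system32\\igfxtray.exe
Hosts: 127.0.0.1 ad.example.test
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumption: an IFEO debugger on any of these is treated as a hijack.
CORE_BINARIES = {"svchost.exe", "explorer.exe", "winlogon.exe", "userinit.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")


def parse_dds(text):
    """Yield (kind, rest) for every 'Kind: rest' line in a DDS report."""
    for raw in text.splitlines():
        line = raw.strip()
        kind, sep, rest = line.partition(":")
        if sep and kind and " " not in kind:
            yield kind, rest.strip()


def analyze(text):
    """Return a list of (severity, category, detail) findings."""
    findings = []
    host_map = defaultdict(list)
    for kind, rest in parse_dds(text):
        if kind == "Hosts":
            ip, _, host = rest.partition(" ")
            host_map[ip].append(host.strip())
        elif kind == "Notify":
            name, _, path = rest.partition(" - ")
            p = path.strip().lower()
            # A bare filename resolves from system32; a full path elsewhere
            # (here: the user's Local Settings) is the classic Notify hijack.
            if "\\" in p and not p.startswith(SYSTEM32):
                findings.append(("high", "winlogon-notify",
                                 f"{name.strip()} -> {path.strip()}"))
        elif kind == "IFEO":
            target = rest.rsplit(" - ", 1)[-1].strip().lower()
            if target in CORE_BINARIES:
                findings.append(("high", "ifeo-hijack", target))
        elif kind in ("uRun", "mRun"):
            m = RUN_RE.match(rest)
            if m and re.search(r"\\temp\\", m.group("cmd"), re.IGNORECASE):
                findings.append(("medium", "run-from-temp",
                                 f"{m.group('name')}: {m.group('cmd')}"))
    # Several domains pinned to one non-loopback address is a redirect,
    # not an ad-blocking hosts file.
    for ip, hosts in host_map.items():
        if ip not in LOOPBACK:
            findings.append(("high", "hosts-redirect",
                             f"{ip} <- {', '.join(hosts)}"))
    return findings


if __name__ == "__main__":
    for sev, cat, detail in analyze(SAMPLE_LOG):
        print(f"[{sev:6}] {cat:16} {detail}")
```

Run against the sample it reports four findings: the Notify DLL, the IFEO entry, the UIUCU autorun from the temp folder, and one hosts-redirect line grouping the three domains under 74.125.45.100. The loopback hosts line and the system32 autorun produce nothing.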


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:21 PM

Posted 28 April 2011 - 06:09 PM

Hello guitarman77 ! Welcome to BleepingComputer Forums! :welcome:



My name is Georgi and I will be helping you with your computer problems.



Before we begin, please note the following:
  • I will be working on your Malware issues, this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.





STEP 1



You will need to uninstall AVG before continuing with the below.
Due to recent changes in how AVG targets the tool's internal files, AVG must be uninstalled before running ComboFix.



Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

AVG

Additional instructions can be found here if needed.



If you have difficulty uninstalling the AVG or you've already done it in the past, please download and run the following tool





STEP 2



Please download ComboFix from the link below:


Combofix


Save it to your Desktop <-- Important!!!


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply





STEP 3





Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\documents and settings\owner\local settings\application data\meretag.dll

Note: if VT says these files have already been analysed, make sure you click "Reanalyse file now".

Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Virscan: http://virscan.org/





STEP 4


You forgot to post the Attach.txt and the GMER log?



Regards,
Georgi



#3 guitarman77

guitarman77
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:01:21 AM

Posted 28 April 2011 - 06:52 PM

Sorry, I didn't attach them before, here they are.

Attached Files



#4 guitarman77

guitarman77
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:01:21 AM

Posted 28 April 2011 - 07:58 PM

Here is the result from VirusTotal, and I have attached a copy of the ComboFix.txt.


Antivirus Version Last update Result
AhnLab-V3 2011.04.29.00 2011.04.28 -
AntiVir 7.11.7.79 2011.04.28 TR/Spy.Gen
Antiy-AVL 2.0.3.7 2011.04.29 -
Avast 4.8.1351.0 2011.04.28 -
Avast5 5.0.677.0 2011.04.28 -
AVG 10.0.0.1190 2011.04.28 -
BitDefender 7.2 2011.04.29 -
CAT-QuickHeal 11.00 2011.04.28 -
ClamAV 0.97.0.0 2011.04.28 -
Commtouch 5.3.2.6 2011.04.28 -
Comodo 8509 2011.04.28 -
DrWeb 5.0.2.03300 2011.04.29 -
Emsisoft 5.1.0.5 2011.04.28 -
eSafe 7.0.17.0 2011.04.28 -
eTrust-Vet 36.1.8297 2011.04.28 -
F-Prot 4.6.2.117 2011.04.28 -
F-Secure 9.0.16440.0 2011.04.29 -
Fortinet 4.2.257.0 2011.04.28 -
GData 22 2011.04.29 -
Ikarus T3.1.1.103.0 2011.04.29 -
Jiangmin 13.0.900 2011.04.28 -
K7AntiVirus 9.98.4509 2011.04.28 -
Kaspersky 9.0.0.837 2011.04.29 Trojan-Proxy.Win32.Agent.edh
McAfee 5.400.0.1158 2011.04.29 -
McAfee-GW-Edition 2010.1D 2011.04.28 Heuristic.BehavesLike.Win32.Spyware.J
Microsoft 1.6802 2011.04.28 -
NOD32 6079 2011.04.29 -
Norman 6.07.07 2011.04.28 -
Panda 10.0.3.5 2011.04.28 Trj/CI.A
PCTools 7.0.3.5 2011.04.28 -
Prevx 3.0 2011.04.29 -
Rising 23.55.03.06 2011.04.28 Trojan.Win32.Generic.12868853
Sophos 4.64.0 2011.04.28 -
SUPERAntiSpyware 4.40.0.1006 2011.04.29 -
Symantec 20101.3.2.89 2011.04.29 -
TheHacker 6.7.0.1.184 2011.04.27 -
TrendMicro 9.200.0.1012 2011.04.29 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.29 -
VBA32 3.12.16.0 2011.04.27 -
VIPRE 9149 2011.04.29 -
ViRobot 2011.4.28.4435 2011.04.28 -
VirusBuster 13.6.326.1 2011.04.28 -
MD5: d337a46a86034a435ddea2cb2077ef81
SHA1: 8f7763fc09c982ba2b9be47c842760373054a50b
SHA256: 181dcfd4794e80653457ea9e77fa8d580eae3eda44b69a78c7eaf3858787cbcd
File size: 11264 bytes
Scan date: 2011-04-29 00:48:03 (UTC)

Here is the link: http://www.virustotal.com/file-scan/report.html?id=181dcfd4794e80653457ea9e77fa8d580eae3eda44b69a78c7eaf3858787cbcd-1304038083#

Attached Files


Edited by guitarman77, 28 April 2011 - 08:09 PM.


#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:21 PM

Posted 28 April 2011 - 08:59 PM

Hello guitarman77,



We need to execute a CFScript to clean some remnants.

Please do this:


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open Notepad => navigate to Format and make sure that Word Wrap is unchecked. <--- important !!!

3. Copy/paste the text in the codebox below into it:

KILLALL::
File::
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
Folder::
c:\documents and settings\All Users\Application Data\aFo28605oGgPn28605
c:\program files\AVG
c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\All Users\Application Data\MFAData
c:\program files\Ask.com
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

4. Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

5. Close any open browsers.

6. Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Also reply back to let me know how things are going.



Regards,
Georgi

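The script in the post above is in ComboFix's CFScript format: `Section::` headers, one path per line under File:: and Folder::, and a Registry:: section in REGEDIT4 syntax, where `[-Key]` deletes a key, `"Name"=-` deletes a value, `dword:` sets a REG_DWORD and `hex(7):` carries a REG_MULTI_SZ. As an added example, not ComboFix's own code and not from the original thread, the following Python parser turns that section into explicit operations. That is the check worth doing before dragging a script onto ComboFix.exe, because it shows exactly which keys and values will be removed and what BootExecute and the Security Center override values are being reset to. The sample is a subset quoted from the post. Decoding `hex(7)` as single-byte ANSI text is an assumption based on the one-byte-per-character encoding visible in the post (a Unicode .reg file, "Windows Registry Editor Version 5.00", would carry UTF-16LE instead).

```python
import re

# Subset of the CFScript quoted from the post above (constructed sample input).
SAMPLE_SCRIPT = r"""
KILLALL::
File::
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
Folder::
c:\program files\Ask.com
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def split_sections(script):
    """Return {section_name: [lines]} for a CFScript."""
    sections, current = {}, None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def decode_value(data):
    """Decode the right-hand side of a REGEDIT4 value line into (type, value)."""
    if data == "-":
        return ("DELETE", None)
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = re.match(r"hex\((\d+)\):(.*)$", data)
    if m:
        kind = int(m.group(1))
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind == 7:
            # REG_MULTI_SZ: NUL-separated strings ending in a double NUL.
            # Assumption: REGEDIT4 (ANSI) encoding, one byte per character.
            return ("REG_MULTI_SZ", [s for s in raw.decode("latin-1").split("\x00") if s])
        return (f"hex({kind})", raw)
    if data.startswith("hex:"):
        return ("REG_BINARY", bytes(int(b, 16) for b in data[4:].split(",") if b))
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", data[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    raise ValueError(f"unrecognised value syntax: {data}")


def parse_registry(lines):
    """Turn Registry:: lines into (op, key, name, type, value) tuples."""
    ops, key = [], None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            delete, key = m.group(1) == "-", m.group(2)
            if delete:
                ops.append(("delete_key", key, None, None, None))
                key = None  # values cannot follow a deleted key
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"value outside a key or bad syntax: {line}")
        name, data = m.groups()
        rtype, value = decode_value(data)
        if rtype == "DELETE":
            ops.append(("delete_value", key, name, None, None))
        else:
            ops.append(("set_value", key, name, rtype, value))
    return ops


if __name__ == "__main__":
    sections = split_sections(SAMPLE_SCRIPT)
    for op in parse_registry(sections["Registry"]):
        print(op)
```

On the sample this yields five operations: the URLSearchHooks value for the Ask toolbar CLSID is deleted, its HKCR\clsid key is deleted, BootExecute decodes to the stock `autocheck autochk *`, and both Security Center override values are set to 0 (meaning Windows will again report on its own antivirus and firewall state).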


#6 guitarman77

guitarman77
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:01:21 AM

Posted 28 April 2011 - 09:29 PM

Things seem to be working, I am not getting redirected to other pages anymore.





ComboFix 11-04-28.01 - Owner 04/28/2011 19:05:31.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.258 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
FILE ::
"c:\windows\Tasks\Scheduled Update for Ask Toolbar.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\aFo28605oGgPn28605
c:\documents and settings\All Users\Application Data\aFo28605oGgPn28605\aFo28605oGgPn28605
c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\All Users\Application Data\AVG10\Cfg\admin.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\AVG10\Chjw\9eb482d6b482aff7.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\9eb482d6b482aff7\avgcchff.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\9eb482d6b482aff7\avgcchmf.dat
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\analyzerConfig.xml
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\BehavioralEventProcessors.dat
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\BehavioralEvents.dat
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\Characteristics.dat
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\globalConfig.xml
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\internalList.zip.bak
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\md5Cache.dat
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\quarantinedList.zip
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\quarantinedList.zip.bak
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\registryCoverage.dat
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\Relationships.dat
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\userList.zip
c:\documents and settings\All Users\Application Data\AVG10\IDS\config\userList.zip.bak
c:\documents and settings\All Users\Application Data\AVG10\IDS\download\downloads.xml
c:\documents and settings\All Users\Application Data\AVG10\IDS\download\messages.xml
c:\documents and settings\All Users\Application Data\AVG10\IDS\log\AVGIDSAgent.log
c:\documents and settings\All Users\Application Data\AVG10\IDS\log\AVGIDSAgent_boot.log
c:\documents and settings\All Users\Application Data\AVG10\IDS\log\AVGIDSAgent_graph.log
c:\documents and settings\All Users\Application Data\AVG10\IDS\log\AVGIDSAgent_malware.log
c:\documents and settings\All Users\Application Data\AVG10\IDS\log\AVGIDSAgent_node.log
c:\documents and settings\All Users\Application Data\AVG10\IDS\log\AVGIDSAgent_removed.log
c:\documents and settings\All Users\Application Data\AVG10\IDS\profile\globalLoadable.gdb
c:\documents and settings\All Users\Application Data\AVG10\log\avgcfg.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgcfg.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjw.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjw.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjwsrv.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjwsrv.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgldr.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgldr.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgtdi.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgtdi.log.lock
c:\documents and settings\All Users\Application Data\MFAData
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110427-025129.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110427-025142.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110427-030401.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110427-030413.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110427-031009.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110427-025142.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110427-030413.log
c:\documents and settings\All Users\Application Data\MFAData\mfaurlconf.ini
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\dm_marketing_message-hi.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_LinkScanner.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Smart-Scanning.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Social-Networking.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\LinkScanner-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\LinkScanner.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\OK.png
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Smart-Scanning.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\SmartScanning-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Social-Networking.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\SocialNetworking-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\dm_marketing_message-en-us.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_LinkScanner.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Smart-Scanning.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Social-Networking.html
c:\documents and settings\All Users\Application Data\MFAData\pack\AntiRkx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\Antivirx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infoavi.ctf
c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infooi.ctf
c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infowin.ctf
c:\documents and settings\All Users\Application Data\MFAData\pack\avgmfapx.exe
c:\documents and settings\All Users\Application Data\MFAData\pack\avgmfarx.dll
c:\documents and settings\All Users\Application Data\MFAData\pack\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\MFAData\pack\avgrunasx.exe
c:\documents and settings\All Users\Application Data\MFAData\pack\Avgx86.msi
c:\documents and settings\All Users\Application Data\MFAData\pack\AVIsx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\basex.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10antirkx1325qz.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10antivirx1325xf.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10avgx1325br.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10avisx1325bd.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10basex1325zi.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10emailsx1325bw.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10guix1325qj.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10idatx1325bu.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10idpx1325sn.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10lng_usx1325ru.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10onlnscx1325tn.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10rdstx1325bq.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10resshldx1325zm.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10srchsrfx1325rb.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10sshttpbx1325re.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10tdidrvx1325fx.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10tuneupx1325ds.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10update2x1325gr.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10updatex1325cs.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10xplx1325ea.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_lic8dn.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_mis15ni.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_mps16ro.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10corex1500qj.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\cnet_mis.mdf
c:\documents and settings\All Users\Application Data\MFAData\pack\cnet_mps.mdf
c:\documents and settings\All Users\Application Data\MFAData\pack\compat.ini
c:\documents and settings\All Users\Application Data\MFAData\pack\COREx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\COREx86.msi
c:\documents and settings\All Users\Application Data\MFAData\pack\Emailsx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\GUIx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\htmlayout.dll
c:\documents and settings\All Users\Application Data\MFAData\pack\idatx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\IDPx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\lic.mdf
c:\documents and settings\All Users\Application Data\MFAData\pack\license_cz.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_da.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_es.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_fr.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_ge.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_hu.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_id.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_in.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_it.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_jp.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_ko.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_ms.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_nl.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_pb.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_pl.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_pt.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_ru.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_sc.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_sk.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_sp.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_tr.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_us.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_zh.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\license_zt.htm
c:\documents and settings\All Users\Application Data\MFAData\pack\lng_usx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\mfaconf.txt
c:\documents and settings\All Users\Application Data\MFAData\pack\mfacz.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfada.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfaes.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfafr.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfage.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfahu.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfaid.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfain.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfait.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfajp.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfako.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfams.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfanl.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfapb.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfapl.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfapt.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfaru.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfasc.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfask.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfasp.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfatr.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfaus.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfavera.txt
c:\documents and settings\All Users\Application Data\MFAData\pack\mfaverx.txt
c:\documents and settings\All Users\Application Data\MFAData\pack\mfazh.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\mfazt.lns
c:\documents and settings\All Users\Application Data\MFAData\pack\OnlnScx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\ResShldx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\SrchSrfx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\SSHttpBx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\TDIDrvx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\TuneUpx.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\Update2x.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\Updatex.cab
c:\documents and settings\All Users\Application Data\MFAData\pack\xplx.cab
c:\documents and settings\All Users\Application Data\MFAData\public_installation_log.xml
c:\documents and settings\All Users\Application Data\MFAData\public_installation_log_resume.xml
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgmfapx.exe
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgmfarx.dll
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgrunasx.exe
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\bins\f10mfa1325b1321fz.bin
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\bins\f10mfa1325yq.bin
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\bins\f10upd1325b1321zo.bin
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\compat.ini
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\htmlayout.dll
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_cz.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_da.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_es.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_fr.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_ge.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_hu.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_id.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_in.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_it.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_jp.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_ko.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_ms.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_nl.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_pb.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_pl.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_pt.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_ru.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_sc.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_sk.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_sp.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_tr.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_us.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_zh.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_zt.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaconf.txt
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfacz.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfada.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaes.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfafr.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfage.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfahu.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaid.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfain.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfait.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfajp.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfako.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfams.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfanl.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfapb.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfapl.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfapt.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaru.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfasc.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfask.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfasp.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfatr.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaus.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfavera.txt
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaverx.txt
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfazh.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfazt.lns
c:\documents and settings\All Users\Application Data\MFAData\state.dat
c:\program files\Ask.com
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe
c:\program files\AVG
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))
.
.
2011-04-28 00:14 . 2011-04-28 00:14 -------- dc----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2011-04-28 00:03 . 2011-04-28 18:51 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-27 23:43 . 2011-04-28 00:08 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-27 03:15 . 2011-04-27 03:15 -------- dc-h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-04-27 02:08 . 2011-04-27 02:49 -------- dc----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-27 02:08 . 2011-04-27 02:08 -------- dc----w- c:\program files\AVAST Software
2011-04-27 01:44 . 2011-04-27 01:44 -------- dc----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-04-27 01:44 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 01:44 . 2011-04-27 01:44 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-27 01:44 . 2011-04-27 01:44 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-27 01:44 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-27 01:15 . 2008-04-14 12:41 21504 -c--a-w- c:\windows\system32\hidserv.dll
2011-04-27 01:15 . 2008-04-14 12:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-04-24 20:57 . 2011-04-24 21:01 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-14 10:39 . 2011-04-14 10:39 103864 -c--a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-04-12 00:24 . 2011-04-12 00:24 -------- dcsh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 12:00 270848 -c--a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 -c--a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2010-07-30 18:35 2067456 -c--a-w- c:\windows\system32\mstscax.dll
2011-03-18 17:53 . 2011-04-28 00:14 142296 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2010-05-06 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-24 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-03-08 17037704]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-02-03 294912]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"DLBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2004-11-09 69632]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-15 2407184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2010-11-3 66864]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/24/2010 10:18 AM 135664]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/30/2010 11:53 AM 20160]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/24/2010 10:18 AM 135664]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2010-07-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc05fe18b8b7a.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-24 17:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\s1h69dcl.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-28 19:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(7636)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Dell Photo AIO Printer 942\dlbubmon.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2011-04-28 19:24:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-29 02:24
ComboFix2.txt 2011-04-29 00:33
.
Pre-Run: 71,069,405,184 bytes free
Post-Run: 71,071,555,584 bytes free
.
- - End Of File - - A681C3D5A988C0F159F53BD0A60F6212

#7 B-boy/StyLe/ (Malware Response Team)

Posted 28 April 2011 - 09:52 PM

Hi guitarman77,

I am glad to hear that. :)

Did you uninstall avast too? I noticed some leftovers from it:

2011-04-27 02:08 . 2011-04-27 02:49 -------- dc----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-27 02:08 . 2011-04-27 02:08 -------- dc----w- c:\program files\AVAST Software




If so, please re-download and re-install it to avoid reinfection.
=> http://www.avast.com/en-eu/free-antivirus-download



Keep your antivirus software turned on and up-to-date

  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  • Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.





I suggest you uninstall FrostWire as well!

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case FrostWire). These programmes allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws of many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software





Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader X to your PC's desktop.

* Uninstall Adobe Reader 9.4.4 via Start => Control Panel > Add/Remove Programs
* Install the newly downloaded, updated software.

Note: The McAfee Security Scan is prechecked on the download page. You may wish to uncheck it before downloading.



Note: Adobe Reader X is a large program, and if you prefer a smaller program you can get Foxit Reader 4.x instead.

Foxit Reader 4.x offers 5 levels of security. Click Me for more information.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.





Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment 6u24 and save it to your desktop.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java, such as:
    Java™ 6 Update 22
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.





Run Scan with Malwarebytes



I see you have Malwarebytes' Anti-Malware installed on your computer.
Please start the application by double-clicking on its icon.
Once the program has loaded go to the UPDATE tab and check for updates.
When the update is complete, select the Scanner tab
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to a convenient location and post the results in your next reply.





I want to be sure that nothing reappeared.
Please perform the following scan:



We need to run an OTL Custom Scan


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Under the Standard Registry box change it to All
    - Check the boxes beside LOP Check and Purity Check.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    /md5start
    hlp.dat
    winlogon.exe
    wininit.exe
    explorer.exe
    volsnap.sys
    /md5stop
    
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



Regards,
Georgi



#8 B-boy/StyLe/ (Malware Response Team)

Posted 04 May 2011 - 06:21 PM

Hi guitarman77,



It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 48 hours.



Regards,
Georgi



#9 B-boy/StyLe/ (Malware Response Team)

Posted 09 May 2011 - 10:13 AM

Due to the lack of feedback, this topic is now closed.
In the event you still have problems, please send a Private Message to any Moderator or the Malware Helper who replied to you here and ask them to reopen this topic within the next 5 days.
