
Infected with sirefef.b, google keeps redirecting


  • This topic is locked
23 replies to this topic

#1 Fullsusser

Posted 07 July 2011 - 12:47 PM

I hope someone can help.

The problem I am having is that Google Chrome no longer works, instead it just freezes. Firefox and IE are working but I keep being redirected to strange web pages such as www.thriftstorecowboys.net. I can browse the web using firefox but to get to the page I want I have to try several times and click back and forward.

I opened a dodgy file which infected my computer with Fakesysdef, Rowindal.A and sirefef.b - I have used malwarebytes, superantispyware, spybotSD and windows security essentials to remove the malware but I am still experiencing the problems as described above.

I have followed the instructions on the forum here: Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help and attached my DDS and GMER logs.

Thanks.


#2 CatByte

Posted 09 July 2011 - 01:53 PM

Please post the DDS Log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Fullsusser

Posted 09 July 2011 - 02:23 PM

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Andy at 18:02:54 on 2011-07-07
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.3067.1802 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\EgisTec\VITAKEY\CompPtcVUI.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\EgisTec\VITAKEY\BASVC.exe
C:\Program Files\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k bthsvcs
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\EgisTec\VITAKEY\PdtWzd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\EgisTec\VITAKEY\PwdBank.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskhost.exe
C:\Users\Andy\Downloads\gmer\gmer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\users\andy\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [VitaKeyPdtWzd] c:\program files\egistec\vitakey\PdtWzd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\egistec\vitakey\PwdBank.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://snap.ofqual.gov.uk/InternalSite/WhlCompMgr.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C2091AFF-E242-498B-B890-6D0576386222} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C2091AFF-E242-498B-B890-6D0576386222}\2456C6B696E6F5E4B2F5143434134434 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C2091AFF-E242-498B-B890-6D0576386222}\350756564645F6573686730383441373 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C2091AFF-E242-498B-B890-6D0576386222}\6596277696E6F52427F616462616E646 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C2091AFF-E242-498B-B890-6D0576386222}\6796277696E6022627F616462616E646 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C2091AFF-E242-498B-B890-6D0576386222}\C496675626F687D224347383 : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = c:\program files\egistec\vitakey\PwdFilter
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\andy\appdata\roaming\mozilla\firefox\profiles\rsaxqmod.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/webhp?hl=en
FF - component: c:\users\andy\appdata\roaming\mozilla\firefox\profiles\rsaxqmod.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\andy\appdata\roaming\mozilla\firefox\profiles\rsaxqmod.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\andy\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\users\andy\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: Update Service: updater@foxstart.com - c:\program files\mozilla firefox\extensions\updater@foxstart.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: InvisibleHand: canitbecheaper@trafficbroker.co.uk - %profile%\extensions\canitbecheaper@trafficbroker.co.uk
.
============= SERVICES / DRIVERS ===============
.
R0 FPWinIo;FPWinIo;c:\windows\system32\drivers\FPWinIo.sys [2009-11-6 66856]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]
R1 MpKsl80ec1be2;MpKsl80ec1be2;c:\programdata\microsoft\microsoft antimalware\definition updates\{35895193-04ca-46a6-aa98-2c753ef0bed2}\MpKsl80ec1be2.sys [2011-7-7 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 61440]
R2 FPSensor;EgisTec-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\drivers\FPSensor.sys [2009-8-28 29744]
R2 IGBASVC;EgisTec Service;c:\program files\egistec\vitakey\BASVC.exe [2008-8-29 2187048]
R2 resetWinService;Reset Reader;c:\program files\realtek semiconductor corp\realtek usb 2.0 card reader\reset.exe [2009-11-6 70656]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-6 1153368]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\uagqecsvc.exe [2010-7-16 150928]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-8-21 66592]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-3-21 362600]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2009-11-6 13976]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-10 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\downloaded program files\dm.0\DMService.exe [2010-12-12 468368]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-5-2 39272]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-10 135664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 43392]
S3 NxpCap;CTX capture service;c:\windows\system32\drivers\NxpCap.sys [2008-9-25 1332576]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-12-2 16472]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-2 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-9 1343400]
.
=============== Created Last 30 ================
.
2011-07-07 16:36:19 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{35895193-04ca-46a6-aa98-2c753ef0bed2}\MpKsl80ec1be2.sys
2011-07-06 22:08:17 -------- d-----w- c:\users\andy\appdata\roaming\Malwarebytes
2011-07-06 22:08:08 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 22:08:06 -------- d-----w- c:\programdata\Malwarebytes
2011-07-06 22:08:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-06 20:56:40 7074640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{35895193-04ca-46a6-aa98-2c753ef0bed2}\mpengine.dll
2011-06-28 21:18:36 427520 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-06-28 21:18:36 337408 ----a-w- c:\windows\system32\mssph.dll
2011-06-28 21:18:36 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-06-28 21:18:36 1549312 ----a-w- c:\windows\system32\tquery.dll
2011-06-28 21:18:36 1401344 ----a-w- c:\windows\system32\mssrch.dll
2011-06-28 21:18:35 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-06-28 21:18:35 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-06-28 21:18:35 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-06-28 21:18:35 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-06-28 21:17:48 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-28 21:17:48 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-06-20 17:49:55 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-20 17:49:54 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-20 17:49:53 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-19 16:34:23 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-19 16:34:23 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-19 16:34:23 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-19 16:34:22 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-19 16:34:22 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-19 16:34:21 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-19 16:34:20 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-19 16:34:19 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-19 16:34:19 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-19 16:34:18 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
==================== Find3M ====================
.
2011-05-04 03:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-02 12:38:26 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-04-09 06:02:25 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:02:25 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- c:\windows\system32\poqexec.exe
.
============= FINISH: 18:08:53.95 ===============


Edited by Fullsusser, 09 July 2011 - 02:24 PM.


#4 CatByte

Posted 09 July 2011 - 04:00 PM

Hi,

Please do the following

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:
    Link 1
    Link 2
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.



#5 Fullsusser

Posted 09 July 2011 - 06:02 PM

ComboFix 11-07-09.02 - Andy 09/07/2011 22:42:42.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.3067.1692 [GMT 1:00]
Running from: c:\users\Andy\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Repair
c:\windows\Downloaded Program Files\DM.0
c:\windows\Downloaded Program Files\DM.0\DMService.exe
c:\windows\Downloaded Program Files\DM.0\WhlMgr.dll
c:\windows\system32\Nagasoft
c:\windows\system32\Nagasoft\Codecs\asyncflt.ax
c:\windows\system32\Nagasoft\Codecs\atrc.dll
c:\windows\system32\Nagasoft\Codecs\cook.dll
c:\windows\system32\Nagasoft\Codecs\drvc.dll
c:\windows\system32\Nagasoft\Codecs\raac.dll
c:\windows\system32\Nagasoft\Codecs\RealMediaSplitter.ax
c:\windows\system32\Nagasoft\Codecs\WMFDemux.dll
c:\windows\system32\Nagasoft\GifShower.dll
c:\windows\system32\Nagasoft\vjocx.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_DMService
-------\Service_vvdsvc
-------\Service_DMService
-------\Service_vvdsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
.
.
2011-07-09 22:15 . 2011-07-09 22:34 -------- d-----w- c:\users\Andy\AppData\Local\temp
2011-07-09 22:15 . 2011-07-09 22:15 -------- d-----w- c:\users\Mcx1-ANDY-LAPTOP\AppData\Local\temp
2011-07-09 22:15 . 2011-07-09 22:15 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-07-09 22:15 . 2011-07-09 22:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-09 21:31 . 2011-07-09 21:32 -------- d-----w- C:\32788R22FWJFW
2011-07-09 10:31 . 2011-07-09 10:31 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-09 10:29 . 2011-07-09 10:31 -------- d-----w- c:\programdata\Hitman Pro
2011-07-09 08:07 . 2011-07-09 08:07 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1C4786DB-0D03-4F79-B752-EDBD0A6970EF}\MpKsl999b38b0.sys
2011-07-09 08:06 . 2011-06-07 07:55 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1C4786DB-0D03-4F79-B752-EDBD0A6970EF}\mpengine.dll
2011-07-06 22:08 . 2011-07-06 22:08 -------- d-----w- c:\users\Andy\AppData\Roaming\Malwarebytes
2011-07-06 22:08 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 22:08 . 2011-07-06 22:08 -------- d-----w- c:\programdata\Malwarebytes
2011-07-06 22:08 . 2011-07-06 22:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-03 20:12 . 2011-07-03 20:12 -------- d-----w- c:\program files\Common Files\Java
2011-06-28 21:18 . 2011-05-04 04:34 1549312 ----a-w- c:\windows\system32\tquery.dll
2011-06-28 21:18 . 2011-05-04 04:32 337408 ----a-w- c:\windows\system32\mssph.dll
2011-06-28 21:18 . 2011-05-04 04:32 1401344 ----a-w- c:\windows\system32\mssrch.dll
2011-06-28 21:18 . 2011-05-04 04:28 427520 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-06-28 21:18 . 2011-05-04 04:28 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-06-28 21:18 . 2011-05-04 04:32 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-06-28 21:18 . 2011-05-04 04:32 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-06-28 21:18 . 2011-05-04 04:32 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-06-28 21:18 . 2011-05-04 04:28 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-06-28 21:17 . 2011-05-24 10:44 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-28 21:17 . 2011-04-22 19:14 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-06-20 17:49 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-20 17:49 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-20 17:49 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-19 16:34 . 2011-04-29 02:46 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-19 16:34 . 2011-04-29 02:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-19 16:34 . 2011-04-29 02:46 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-19 16:34 . 2011-04-25 04:31 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-19 16:34 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-19 16:34 . 2011-02-25 05:34 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-19 16:34 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-19 16:34 . 2011-04-27 02:17 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-19 16:34 . 2011-04-27 02:17 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-19 16:34 . 2011-04-27 02:17 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-23 20:59 . 2009-11-07 00:34 2588952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-06-23 20:59 . 2010-05-19 20:47 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-06-19 16:36 . 2009-11-17 22:44 2588952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-06-19 16:36 . 2010-05-18 20:41 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-06-07 07:55 . 2009-11-09 19:27 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-04 03:52 . 2011-05-24 22:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-02 12:38 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-05-02 12:29 . 2011-05-02 12:29 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-05-02 12:29 . 2011-05-02 12:29 161792 ----a-w- c:\windows\system32\msls31.dll
2011-05-02 12:29 . 2011-05-02 12:29 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-05-02 12:29 . 2011-05-02 12:29 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-02 12:29 . 2011-05-02 12:29 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-05-02 12:29 . 2011-05-02 12:29 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-05-02 12:29 . 2011-05-02 12:29 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-05-02 12:29 . 2011-05-02 12:29 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-05-02 12:29 . 2011-05-02 12:29 367104 ----a-w- c:\windows\system32\html.iec
2011-05-02 12:29 . 2011-05-02 12:29 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-02 12:29 . 2011-05-02 12:29 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-02 12:29 . 2011-05-02 12:29 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-05-02 12:29 . 2011-05-02 12:29 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-05-02 12:29 . 2011-05-02 12:29 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-05-02 12:29 . 2011-05-02 12:29 152064 ----a-w- c:\windows\system32\wextract.exe
2011-05-02 12:29 . 2011-05-02 12:29 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-05-02 12:29 . 2011-05-02 12:29 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-02 12:29 . 2011-05-02 12:29 11776 ----a-w- c:\windows\system32\mshta.exe
2011-05-02 12:29 . 2011-05-02 12:29 101888 ----a-w- c:\windows\system32\admparse.dll
2011-05-02 12:15 . 2010-06-24 10:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-05-01 08:57 . 2009-11-26 20:45 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-04-14 17:30 . 2011-04-14 17:30 40960 ----a-r- c:\users\Andy\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2011-04-14 17:30 . 2011-04-14 17:30 40960 ----a-r- c:\users\Andy\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"VitaKeyPdtWzd"="c:\program files\EgisTec\VITAKEY\PdtWzd.exe" [2009-11-07 2303784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ c:\program files\EgisTec\VITAKEY\PwdFilter
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 10:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2009-07-20 19:21 7625248 ------w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-04-27 16:27 2020592 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-03-31 17:43 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 NxpCap;CTX capture service;c:\windows\system32\DRIVERS\NxpCap.sys [2008-09-25 1332576]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-09 1343400]
S0 FPWinIo;FPWinIo;c:\windows\system32\DRIVERS\FPWinIo.sys [2009-11-06 66856]
S1 MpKsl999b38b0;MpKsl999b38b0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1C4786DB-0D03-4F79-B752-EDBD0A6970EF}\MpKsl999b38b0.sys [2011-07-09 28752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-04-27 61440]
S2 FPSensor;EgisTec-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\Drivers\FPSensor.sys [2009-08-28 29744]
S2 IGBASVC;EgisTec Service;c:\program files\EgisTec\VITAKEY\BASVC.exe [2009-11-07 2187048]
S2 resetWinService;Reset Reader;c:\program files\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe [2008-10-29 70656]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [2010-09-15 150928]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-03-21 362600]
S3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-11-17 13976]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 00:22]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 00:22]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1784453967-3813315197-3478826860-1001Core.job
- c:\users\Andy\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-29 22:32]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1784453967-3813315197-3478826860-1001UA.job
- c:\users\Andy\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-29 22:32]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\rsaxqmod.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/webhp?hl=en
FF - Ext: Update Service: updater@foxstart.com - c:\program files\Mozilla Firefox\extensions\updater@foxstart.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: InvisibleHand: canitbecheaper@trafficbroker.co.uk - %profile%\extensions\canitbecheaper@trafficbroker.co.uk
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-vkupsbxl - c:\users\Andy\AppData\Local\koghnrgyr\wufyoretssd.exe
AddRemove-Active WebCam - c:\program files\Active WebCam\PY_UNINSTAL.EXE SOFTWARE\PySoft\Act_WebCam
AddRemove-Akamai - c:\program files\common files\akamai\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1784453967-3813315197-3478826860-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9072A54-93DB-17E5-C15D-1EE1ED126095}*]
"oaldlaabelibdkiggejoemkapoppek"=hex:6a,61,69,65,6e,6a,6f,70,63,61,65,6f,6a,67,
67,70,67,6d,6b,66,00,00
"nafdfdofglfdonacigndenondaee"=hex:6a,61,69,65,6e,6a,6f,70,63,61,65,6f,6a,67,
67,70,67,6d,6b,66,00,00
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(564)
c:\program files\EgisTec\VITAKEY\PwdFilter.DLL
.
- - - - - - - > 'Explorer.exe'(4928)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\program files\EgisTec\VITAKEY\CompPtcVUI.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\EgisTec\VITAKEY\PwdBank.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-07-09 23:50:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-09 22:49
.
Pre-Run: 129,929,039,872 bytes free
Post-Run: 129,684,148,224 bytes free
.
- - End Of File - - 1091E3D783947C581CD743358249CAA1

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 July 2011 - 06:54 PM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Fullsusser

  • Topic Starter
  • Members
  • 12 posts

Posted 10 July 2011 - 06:29 AM

Hi

This is the result of the ESET scan:

C:\Users\Andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\2f89814a-7b2f9785 multiple threats
C:\Users\Andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\377af0b-560bd768 multiple threats
C:\Users\Andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\15bee2db-706ca1fd multiple threats
C:\Users\Andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\5473416c-4665d9bc probably a variant of Win32/Agent.JZWSLAJ trojan
C:\Users\Andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\4cafbd48-18cd0887 multiple threats

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 10 July 2011 - 07:59 PM

Was the MBAM scan clean?

How is the computer running?



#9 Fullsusser

  • Topic Starter
  • Members
  • 12 posts

Posted 11 July 2011 - 05:12 AM

Apologies, I thought I'd posted the MBAM scan results. Yes, the MBAM report indicated that nothing was found.

The computer itself is running fine other than internet browsers - Google Chrome is not working at all, Firefox and IE are working but are slow and will redirect me to random sites if I click on any results from a Google or other search. Clicking on favourites, copying and pasting links into the address bar or typing urls into the address bar does work but is slow.

#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 11 July 2011 - 06:55 AM

Hi,

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.



#11 Fullsusser

  • Topic Starter
  • Members
  • 12 posts

Posted 11 July 2011 - 01:48 PM

aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-11 19:26:49
-----------------------------
19:26:49.769 OS Version: Windows 6.1.7601 Service Pack 1
19:26:49.769 Number of processors: 2 586 0x1706
19:26:49.770 ComputerName: ANDY-LAPTOP UserName: Andy
19:26:50.912 Initialize success
19:27:50.942 AVAST engine defs: 11071100
19:28:02.095 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:28:02.098 Disk 0 Vendor: WDC_WD3200BEVT-22ZCT0 11.01A11 Size: 305245MB BusType: 11
19:28:04.101 Disk 0 MBR read successfully
19:28:04.104 Disk 0 MBR scan
19:28:04.107 Disk 0 Windows 7 default MBR code
19:28:06.111 Disk 0 scanning sectors +625139712
19:28:06.151 Disk 0 scanning C:\Windows\system32\drivers
19:28:22.862 Service scanning
19:28:24.225 Disk 0 trace - called modules:
19:28:24.253 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x865e2f16]<<
19:28:24.258 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865ce030]
19:28:24.263 3 CLASSPNP.SYS[835d459e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x860e9030]
19:28:24.267 \Driver\atapi[0x860dd4d8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x865e2f16
19:28:27.041 AVAST engine scan C:\Windows
19:46:13.072 Disk 0 MBR has been saved successfully to "C:\Users\Andy\Desktop\MBR.dat"
19:46:13.083 The log file has been saved successfully to "C:\Users\Andy\Desktop\aswMBR.txt"
20:05:59.839 AVAST engine scan C:\Users\Andy
20:25:34.475 AVAST engine scan C:\ProgramData
20:26:51.853 Scan finished successfully
20:27:58.278 Disk 0 MBR has been saved successfully to "C:\Users\Andy\Desktop\MBR.dat"
20:27:58.368 The log file has been saved successfully to "C:\Users\Andy\Desktop\aswMBR.txt"

Attached File: MBR.zip (558 bytes)

Edited by Fullsusser, 11 July 2011 - 02:28 PM.


#12 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 11 July 2011 - 02:35 PM

Hi

Please do the following:

Re-Run aswMBR

Click Scan

On completion of the scan

Click the FIXMBR Button


Save the log as before and post in your next reply

Let me know if you are still being redirected.



#13 Fullsusser

  • Topic Starter
  • Members
  • 12 posts

Posted 12 July 2011 - 02:43 AM

aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-11 22:50:10
-----------------------------
22:50:10.998 OS Version: Windows 6.1.7601 Service Pack 1
22:50:10.998 Number of processors: 2 586 0x1706
22:50:10.999 ComputerName: ANDY-LAPTOP UserName: Andy
22:50:12.609 Initialize success
22:50:16.467 AVAST engine defs: 11071100
22:50:20.465 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
22:50:20.468 Disk 0 Vendor: WDC_WD3200BEVT-22ZCT0 11.01A11 Size: 305245MB BusType: 11
22:50:22.645 Disk 0 MBR read successfully
22:50:22.649 Disk 0 MBR scan
22:50:22.652 Disk 0 Windows 7 default MBR code
22:50:24.718 Disk 0 scanning sectors +625139712
22:50:24.883 Disk 0 scanning C:\Windows\system32\drivers
22:51:21.899 Service scanning
22:51:22.957 Disk 0 trace - called modules:
22:51:23.070 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x865e2f16]<<
22:51:23.074 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865ce030]
22:51:23.079 3 CLASSPNP.SYS[835d459e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x860e9030]
22:51:23.084 \Driver\atapi[0x860dd4d8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x865e2f16
22:51:24.990 AVAST engine scan C:\Windows
00:42:57.032 AVAST engine scan C:\Users\Andy
01:12:10.793 AVAST engine scan C:\ProgramData
01:14:43.533 Scan finished successfully
08:42:41.907 Disk 0 Windows 601 MBR fixed successfully
08:43:06.302 Disk 0 MBR has been saved successfully to "C:\Users\Andy\Desktop\MBR.dat"
08:43:06.383 The log file has been saved successfully to "C:\Users\Andy\Desktop\aswMBR.txt"

I'm still being redirected.

Thanks

Attached File: MBR.zip (558 bytes)
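The line worth reading closely in both aswMBR logs above is the `>>UNKNOWN [0x865e2f16]<<` entry in the "called modules" trace: aswMBR recognises the MBR as stock Windows code, yet the atapi driver's IRP_MJ_INTERNAL_DEVICE_CONTROL handler resolves to an address it cannot attribute to any loaded module, so disk I/O is being intercepted somewhere other than the boot sector. The triage script below is an added example, not part of this thread and not aswMBR's own code; it parses fragments constructed from the two logs posted here (the field names such as `needs_rootkit_cleanup` are my own) and shows why the later FIXMBR run still leaves that finding in place.

```python
import re

# Fragments constructed from the two aswMBR logs posted in this thread (the
# first before FIXMBR, the second after it); only the lines the triage needs.
ASWMBR_BEFORE_FIX = """\
19:28:04.107 Disk 0 Windows 7 default MBR code
19:28:24.225 Disk 0 trace - called modules:
19:28:24.253 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x865e2f16]<<
19:28:24.258 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x865ce030]
19:28:24.267 \\Driver\\atapi[0x860dd4d8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x865e2f16
20:26:51.853 Scan finished successfully
"""
ASWMBR_AFTER_FIX = """\
22:50:22.652 Disk 0 Windows 7 default MBR code
22:51:22.957 Disk 0 trace - called modules:
22:51:23.070 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x865e2f16]<<
22:51:23.084 \\Driver\\atapi[0x860dd4d8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x865e2f16
01:14:43.533 Scan finished successfully
08:42:41.907 Disk 0 Windows 601 MBR fixed successfully
"""

# ">>UNKNOWN [addr]<<" marks code in the disk call chain that aswMBR could not
# attribute to any loaded module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# "\Driver\name[addr] -> IRP_MJ_xxx -> target": which driver's IRP handler
# resolves to which address.
HOOK_RE = re.compile(r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")

def triage_aswmbr(log: str) -> dict:
    """Summarise an aswMBR log: boot-sector state and unattributed code in the disk I/O path."""
    result = {
        "mbr_default": False,    # aswMBR recognised stock Windows MBR code
        "mbr_fixed": False,      # this log records a FIXMBR run
        "scan_complete": False,
        "unknown_module": None,  # address of the unattributed module, if any
        "hooked_driver": None,   # (driver, IRP major function) routed to that address
    }
    for line in log.splitlines():
        if "default MBR code" in line:
            result["mbr_default"] = True
        elif "MBR fixed successfully" in line:
            result["mbr_fixed"] = True
        elif "Scan finished successfully" in line:
            result["scan_complete"] = True
        elif m := UNKNOWN_RE.search(line):
            result["unknown_module"] = m.group(1).lower()
        elif m := HOOK_RE.search(line):
            driver, irp, target = m.groups()
            # Count it as a hook only when the handler lands on the unattributed address.
            if result["unknown_module"] and target.lower() == result["unknown_module"]:
                result["hooked_driver"] = (driver, irp)
    # A stock MBR plus an unattributed module in the call chain means the interception
    # lives outside the boot sector, so rewriting the MBR alone will not clear it.
    result["needs_rootkit_cleanup"] = result["hooked_driver"] is not None
    return result
```

Run against both fragments, the second still reports the atapi hook even though it records a successful MBR fix, which matches the redirects continuing after FIXMBR.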


#14 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 12 July 2011 - 08:32 AM

Please download and run FixTDSS from Symantec

Download FixTDSS.exe to your desktop > follow the prompts to run it


http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe



#15 Fullsusser

  • Topic Starter
  • Members
  • 12 posts

Posted 12 July 2011 - 12:27 PM

That seems to have fixed it, Chrome is now working again and other browsers are no longer redirecting from Google.

Thank you for your help. I really appreciate it.
