Google keeps redirecting


  • This topic is locked
6 replies to this topic

#1 ItalianDiva

ItalianDiva

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:49 PM

Posted 20 July 2011 - 02:48 PM

Hi,

I am having some sort of virus/malware problem with my computer. I am not getting any pop-ups or anything identifying the name of the virus, but Google links get redirected to other sites and my printer was previously disabled. I was able to get the printer working again by going through some of the steps on your site, but the Google issue is still present and also the computer sometimes starts playing what sounds like audio commercials. This happens even when nothing is open on the computer or after all windows have been closed. I have no idea where the audio is coming from. I am attaching the requested info below.

Thank you so much!

DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 7.0.5730.11
Run by Valued Customer at 8:49:48 on 2011-07-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.104 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Silver Bullet Technology\Logging\Logging Service\SBTLogService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\D-Link\Wireless G WNA-1330\AIRPLUS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: FCToolbarURLSearchHook Class: {da879c19-9088-418b-a63a-2e6fb294eaf0} - c:\program files\aadvantage eshoppingsm toolbar\Helper.dll
uURLSearchHooks: <No Name>: - LocalServer32 - <no file>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - <orphaned>
BHO: Freecause Toolbar BHO: {5712A6BB-B6C8-4E52-A152-1BA741C9A6A2} - c:\program files\aadvantage eshoppingsm toolbar\Toolbar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AAdvantage eShoppingSM Toolbar: {85741F1D-ED47-4DCF-9109-07D10213C4D0} - c:\program files\aadvantage eshoppingsm toolbar\Toolbar.dll
TB: AAdvantage eShoppingSM Toolbar: {85741F1D-ED47-4DCF-9109-07D10213C4D0} - c:\program files\aadvantage eshoppingsm toolbar\Toolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\valued~1\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\wireless g wna-1330\AIRPLUS.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: cbbank.com
Trusted Zone: paychex.com
Trusted Zone: paychex.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Greenback Bayou by pogo - hxxp://game1.pogo.com/applet-8.0.3.36/greenback/greenback-en_US.cab
DPF: Harvest Mania by pogo - hxxp://game1.pogo.com/applet-6.8.2.23/harvest/harvest-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Tri-Peaks by pogo - hxxp://game1.pogo.com/applet-6.7.0.32/peaks/peaks-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/applet-8.0.7.27/wordwhomp2/whomp2-en_US.cab
DPF: Word Whomp Whackdown by pogo - hxxp://game1.pogo.com/applet-8.0.3.36/whackdown/whackdown-en_US.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxps://secure.cbbank.com/WebCaptureWeb/alternatiff_licensed.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} - hxxp://www.worldwinner.com/games/v48/brickout/brickout.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxps://eservices.paychex.com/secure/Reserved.ReportViewerWebControl.axd?ReportSession=l540kt55sh1bx4453t24mt55&Culture=1033&CultureOverrides=True&UICulture=9&UICultureOverrides=True&ReportStack=1&ControlID=ef4e98a303e14a729285a54a085562d7&OpType=PrintCab&Arch=X86
DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.road.com/oralmasp/download/mgaxctrl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v49/luxor/luxor.cab
DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - hxxp://www.worldwinner.com/games/v42/tilecity/tilecity.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - hxxp://www.worldwinner.com/games/v43/paint/paint.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} - hxxps://install.cox.net/CoxSelfInstall/CoxSelfInstallAx10.ocx
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D208D580-5E06-4C0A-8FC3-C179FEDB5B0E} - hxxps://secure.cbbank.com/WebCaptureWeb/setupZiptrc.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{EE999C20-6BC9-4E38-8A68-072C21BF73B1} : DHCPNameServer = 192.168.0.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
============= SERVICES / DRIVERS ===============
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]
R1 MpKsl9988c68f;MpKsl9988c68f;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e05459bd-a7ea-470b-a2e3-a215ed97736a}\MpKsl9988c68f.sys [2011-7-14 28752]
R2 SBT Log;SBT Log;c:\program files\common files\silver bullet technology\logging\logging service\SBTLogService.exe [2008-2-6 53248]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-3 24652]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-12-19 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2007-12-19 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-12-19 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-12-19 61440]
S1 MpKsl159bc894;MpKsl159bc894;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{00bf02c4-9e27-4eb2-b770-acdeb7327cf7}\mpksl159bc894.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{00bf02c4-9e27-4eb2-b770-acdeb7327cf7}\MpKsl159bc894.sys [?]
S1 MpKsl29141190;MpKsl29141190;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{83c8dd5e-68b8-43bd-8792-725ff73cbfa8}\mpksl29141190.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{83c8dd5e-68b8-43bd-8792-725ff73cbfa8}\MpKsl29141190.sys [?]
S1 MpKsl2969aa93;MpKsl2969aa93;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d8872f2b-b84e-482c-aa99-57d8cf9502e3}\mpksl2969aa93.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d8872f2b-b84e-482c-aa99-57d8cf9502e3}\MpKsl2969aa93.sys [?]
S1 MpKsl34232c97;MpKsl34232c97;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{303f3232-6138-4315-8734-e59a3ce8d1bc}\mpksl34232c97.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{303f3232-6138-4315-8734-e59a3ce8d1bc}\MpKsl34232c97.sys [?]
S1 MpKsl4f4260f1;MpKsl4f4260f1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{78bde117-16ba-4349-bb59-eec7dbb0758b}\mpksl4f4260f1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{78bde117-16ba-4349-bb59-eec7dbb0758b}\MpKsl4f4260f1.sys [?]
S1 MpKsl7181f524;MpKsl7181f524;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{83c8dd5e-68b8-43bd-8792-725ff73cbfa8}\mpksl7181f524.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{83c8dd5e-68b8-43bd-8792-725ff73cbfa8}\MpKsl7181f524.sys [?]
S1 MpKsl7bce4910;MpKsl7bce4910;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a3457d79-db59-4ad0-ad5b-a4b72e983f82}\mpksl7bce4910.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a3457d79-db59-4ad0-ad5b-a4b72e983f82}\MpKsl7bce4910.sys [?]
S1 MpKsl82f24221;MpKsl82f24221;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c1dc10bd-0293-4925-8bee-60baaab678ca}\mpksl82f24221.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c1dc10bd-0293-4925-8bee-60baaab678ca}\MpKsl82f24221.sys [?]
S1 MpKsl94f6f4b5;MpKsl94f6f4b5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d8872f2b-b84e-482c-aa99-57d8cf9502e3}\mpksl94f6f4b5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d8872f2b-b84e-482c-aa99-57d8cf9502e3}\MpKsl94f6f4b5.sys [?]
S1 MpKslbd37dce9;MpKslbd37dce9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{05503ffc-cf6b-4016-8359-26a0c003dd6a}\mpkslbd37dce9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{05503ffc-cf6b-4016-8359-26a0c003dd6a}\MpKslbd37dce9.sys [?]
S1 MpKslbfd35579;MpKslbfd35579;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{32fd20b5-95f7-46f5-8377-e43aa391fffd}\mpkslbfd35579.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{32fd20b5-95f7-46f5-8377-e43aa391fffd}\MpKslbfd35579.sys [?]
S1 MpKslcfab35cb;MpKslcfab35cb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5c36efa9-d769-418d-8817-be9546e92736}\mpkslcfab35cb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5c36efa9-d769-418d-8817-be9546e92736}\MpKslcfab35cb.sys [?]
S1 MpKsle694f553;MpKsle694f553;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d880edc-895f-4068-ac9d-3857259818b0}\mpksle694f553.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d880edc-895f-4068-ac9d-3857259818b0}\MpKsle694f553.sys [?]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [2006-6-25 899884]
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~4\office10\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2011-07-15 14:41:36 -------- d-sha-r- C:\cmdcons
2011-07-15 14:36:47 98816 ----a-w- c:\windows\sed.exe
2011-07-15 14:36:47 256000 ----a-w- c:\windows\PEV.exe
2011-07-15 14:36:47 208896 ----a-w- c:\windows\MBR.exe
2011-07-15 06:40:47 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e05459bd-a7ea-470b-a2e3-a215ed97736a}\MpKsl9988c68f.sys
2011-07-15 06:39:34 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e05459bd-a7ea-470b-a2e3-a215ed97736a}\mpengine.dll
2011-07-14 18:25:21 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 11:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 09:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 15:51:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01:21 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340016A rev.3.19 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F3CECC]<<
c:\docume~1\valued~1\locals~1\temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x826de879; SUB DWORD [EBP-0x4], 0x826de135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F7EAB8]
3 CLASSPNP[0xF8716FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000076[0x82F8BF18]
5 ACPI[0xF866D620] -> nt!IofCallDriver[0x804E37D5] -> [0x82F9FD98]
[0x82FA5C18] -> IRP_MJ_CREATE -> 0x82F3CECC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST340016A_______________________________3.19____#4833445331564343202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F3CAF1
user & kernel MBR OK
sectors 78165358 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 8:50:09.43 ===============

#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:49 PM

Posted 20 July 2011 - 10:14 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 ItalianDiva

ItalianDiva
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:49 PM

Posted 23 July 2011 - 03:36 PM

ComboFix 11-07-23.04 - Valued Customer 07/23/2011 12:48:07.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.256 [GMT -7:00]
Running from: c:\documents and settings\Valued Customer\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-06-23 to 2011-07-23 )))))))))))))))))))))))))))))))
.
.
2011-07-23 19:16 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D81905C-186A-4DA5-A804-F8075725DC7F}\mpengine.dll
2011-07-22 13:56 . 2011-07-22 13:56 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FCTB000062125
2011-07-19 19:53 . 2011-07-19 19:53 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\ScanSoft
2011-07-14 18:25 . 2011-07-14 18:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-13 10:48 . 2011-07-13 10:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-07-13 10:48 . 2011-07-13 10:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2010-01-04 10:41 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-06-02 14:02 . 2002-09-03 13:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 11:52 . 2010-05-01 15:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 09:25 . 2007-11-13 03:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2006-05-16 00:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2002-09-03 13:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2002-09-03 13:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2002-09-03 13:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2002-09-03 13:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 15:51 . 2002-09-03 13:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2006-05-16 17:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2002-09-03 13:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2002-09-03 13:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2006-05-16 17:22 389120 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-15_15.11.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-23 19:43 . 2011-07-23 19:43 16384 c:\windows\Temp\Perflib_Perfdata_b8.dat
+ 2011-07-17 23:29 . 2011-07-17 23:29 27314 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KVF7P5D0\www.transunion[1].com
+ 2011-07-17 19:09 . 2011-07-18 01:55 98304 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-17 23:29 . 2011-07-17 23:29 32768 c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
+ 2011-07-17 19:09 . 2011-07-18 01:55 131072 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012011071720110718\index.dat
+ 2006-05-16 00:05 . 2011-07-18 01:55 262144 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-05-16 00:05 . 2011-07-18 01:55 5013504 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{da879c19-9088-418b-a63a-2e6fb294eaf0}"= "c:\program files\AAdvantage eShoppingSM Toolbar\Helper.dll" [2010-06-12 243200]
.
[HKEY_CLASSES_ROOT\clsid\{da879c19-9088-418b-a63a-2e6fb294eaf0}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{26582F40-76E8-4A2A-B30C-26832801B787}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5712A6BB-B6C8-4E52-A152-1BA741C9A6A2}]
2010-06-12 13:49 1547776 ----a-w- c:\program files\AAdvantage eShoppingSM Toolbar\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{85741F1D-ED47-4DCF-9109-07D10213C4D0}"= "c:\program files\AAdvantage eShoppingSM Toolbar\Toolbar.dll" [2010-06-12 1547776]
.
[HKEY_CLASSES_ROOT\clsid\{85741f1d-ed47-4dcf-9109-07d10213c4d0}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{5E8947F8-3769-4215-877F-BEA00225DC12}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{85741F1D-ED47-4DCF-9109-07D10213C4D0}"= "c:\program files\AAdvantage eShoppingSM Toolbar\Toolbar.dll" [2010-06-12 1547776]
.
[HKEY_CLASSES_ROOT\clsid\{85741f1d-ed47-4dcf-9109-07d10213c4d0}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{5E8947F8-3769-4215-877F-BEA00225DC12}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-12 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-08 864256]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-13 304568]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
c:\documents and settings\Valued Customer\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-7-12 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-6 83360]
Wireless Connection Manager.lnk - c:\program files\D-Link\Wireless G WNA-1330\AIRPLUS.exe [2010-6-14 2859008]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AAdvantage eShoppingSM Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\AAdvantage eShoppingSM Toolbar\\ToolbarUpdate.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 12:51 PM 65584]
R2 SBT Log;SBT Log;c:\program files\Common Files\Silver Bullet Technology\Logging\Logging Service\SBTLogService.exe [2/6/2008 2:02 PM 53248]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/3/2008 7:09 PM 24652]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/19/2007 8:28 PM 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/19/2007 8:29 PM 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/19/2007 8:28 PM 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/19/2007 8:28 PM 61440]
S1 MpKsl159bc894;MpKsl159bc894;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00BF02C4-9E27-4EB2-B770-ACDEB7327CF7}\MpKsl159bc894.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00BF02C4-9E27-4EB2-B770-ACDEB7327CF7}\MpKsl159bc894.sys [?]
S1 MpKsl29141190;MpKsl29141190;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83C8DD5E-68B8-43BD-8792-725FF73CBFA8}\MpKsl29141190.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83C8DD5E-68B8-43BD-8792-725FF73CBFA8}\MpKsl29141190.sys [?]
S1 MpKsl2969aa93;MpKsl2969aa93;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D8872F2B-B84E-482C-AA99-57D8CF9502E3}\MpKsl2969aa93.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D8872F2B-B84E-482C-AA99-57D8CF9502E3}\MpKsl2969aa93.sys [?]
S1 MpKsl34232c97;MpKsl34232c97;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{303F3232-6138-4315-8734-E59A3CE8D1BC}\MpKsl34232c97.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{303F3232-6138-4315-8734-E59A3CE8D1BC}\MpKsl34232c97.sys [?]
S1 MpKsl4f4260f1;MpKsl4f4260f1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{78BDE117-16BA-4349-BB59-EEC7DBB0758B}\MpKsl4f4260f1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{78BDE117-16BA-4349-BB59-EEC7DBB0758B}\MpKsl4f4260f1.sys [?]
S1 MpKsl7181f524;MpKsl7181f524;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83C8DD5E-68B8-43BD-8792-725FF73CBFA8}\MpKsl7181f524.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83C8DD5E-68B8-43BD-8792-725FF73CBFA8}\MpKsl7181f524.sys [?]
S1 MpKsl7bce4910;MpKsl7bce4910;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A3457D79-DB59-4AD0-AD5B-A4B72E983F82}\MpKsl7bce4910.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A3457D79-DB59-4AD0-AD5B-A4B72E983F82}\MpKsl7bce4910.sys [?]
S1 MpKsl82f24221;MpKsl82f24221;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C1DC10BD-0293-4925-8BEE-60BAAAB678CA}\MpKsl82f24221.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C1DC10BD-0293-4925-8BEE-60BAAAB678CA}\MpKsl82f24221.sys [?]
S1 MpKsl94f6f4b5;MpKsl94f6f4b5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D8872F2B-B84E-482C-AA99-57D8CF9502E3}\MpKsl94f6f4b5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D8872F2B-B84E-482C-AA99-57D8CF9502E3}\MpKsl94f6f4b5.sys [?]
S1 MpKslb998abb5;MpKslb998abb5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4CE94C89-51F0-4D0F-97A0-334DAEDF06E8}\MpKslb998abb5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4CE94C89-51F0-4D0F-97A0-334DAEDF06E8}\MpKslb998abb5.sys [?]
S1 MpKslbd37dce9;MpKslbd37dce9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{05503FFC-CF6B-4016-8359-26A0C003DD6A}\MpKslbd37dce9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{05503FFC-CF6B-4016-8359-26A0C003DD6A}\MpKslbd37dce9.sys [?]
S1 MpKslbfd35579;MpKslbfd35579;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{32FD20B5-95F7-46F5-8377-E43AA391FFFD}\MpKslbfd35579.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{32FD20B5-95F7-46F5-8377-E43AA391FFFD}\MpKslbfd35579.sys [?]
S1 MpKslcfab35cb;MpKslcfab35cb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5C36EFA9-D769-418D-8817-BE9546E92736}\MpKslcfab35cb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5C36EFA9-D769-418D-8817-BE9546E92736}\MpKslcfab35cb.sys [?]
S1 MpKsle694f553;MpKsle694f553;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D880EDC-895F-4068-AC9D-3857259818B0}\MpKsle694f553.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D880EDC-895F-4068-AC9D-3857259818B0}\MpKsle694f553.sys [?]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [6/25/2006 8:47 PM 899884]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-07-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: cbbank.com
Trusted Zone: cbbank.com\secure
Trusted Zone: cbbank.com\support
Trusted Zone: emangrove.com\online5
Trusted Zone: paychex.com
Trusted Zone: paychex.com\previewhostingservice
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Greenback Bayou by pogo - hxxp://game1.pogo.com/applet-8.0.3.36/greenback/greenback-en_US.cab
DPF: Harvest Mania by pogo - hxxp://game1.pogo.com/applet-6.8.2.23/harvest/harvest-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Tri-Peaks by pogo - hxxp://game1.pogo.com/applet-6.7.0.32/peaks/peaks-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/applet-8.0.7.27/wordwhomp2/whomp2-en_US.cab
DPF: Word Whomp Whackdown by pogo - hxxp://game1.pogo.com/applet-8.0.3.36/whackdown/whackdown-en_US.cab
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxps://eservices.paychex.com/secure/Reserved.ReportViewerWebControl.axd?ReportSession=l540kt55sh1bx4453t24mt55&Culture=1033&CultureOverrides=True&UICulture=9&UICultureOverrides=True&ReportStack=1&ControlID=ef4e98a303e14a729285a54a085562d7&OpType=PrintCab&Arch=X86
DPF: {D208D580-5E06-4C0A-8FC3-C179FEDB5B0E} - hxxps://secure.cbbank.com/WebCaptureWeb/setupZiptrc.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-23 13:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-23 13:12:38
ComboFix-quarantined-files.txt 2011-07-23 20:12
ComboFix2.txt 2011-07-15 15:36
ComboFix3.txt 2011-07-15 15:17
.
Pre-Run: 15,173,419,008 bytes free
Post-Run: 15,249,735,680 bytes free
.
- - End Of File - - 2CB6E87F5A4C2B43626E30C7F384404B

#4 RPMcMurphy

RPMcMurphy
  • Malware Response Team

Posted 23 July 2011 - 08:49 PM

ItalianDiva:

How is your computer running now? Please do this next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • How is the computer running now?
  • MBAM log
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 ItalianDiva

ItalianDiva
  • Topic Starter

Posted 29 July 2011 - 03:34 PM

The computer seems to be doing better, although it is painfully slow. The Google issue is corrected now. MBAM did not find anything, but ESET found two infected files. The logs are below:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7284

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

7/26/2011 1:47:42 PM
mbam-log-2011-07-26 (13-47-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 220314
Time elapsed: 2 hour(s), 38 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET:
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ftdisk.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{DEE75939-84A1-4E14-A6AE-86EE3D12EC5C}\RP1558\A0092922.sys Win32/Olmarik.ZC trojan

#6 RPMcMurphy

RPMcMurphy
  • Malware Response Team

Posted 29 July 2011 - 08:23 PM

ItalianDiva:

Your logs are looking good. Those ESET detections are already in quarantine and will be removed when we uninstall ComboFix. Now I have an update and some very important cleanup for you to take care of. When you finish take a look at this thread if it still seems slow.

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#7 RPMcMurphy

RPMcMurphy
  • Malware Response Team

Posted 05 August 2011 - 06:53 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
