
urlseek.vmn.net


  • This topic is locked
14 replies to this topic

#1 eterniawolf

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:39 AM

Posted 28 July 2011 - 04:58 PM

Hi, so every time I start Chrome I get the message:

"404. That's an error.
The requested URL /search.php was not found on this server. That's all we know."

And it briefly flashes in the tab with "Welcome to urlseek.vmn.net!", but once it loads with that error message the tab changes to "Error 404 (Not Found)!!1". It's starting to get really annoying because I basically can't use Google in Google Chrome. At first, I didn't think anything of it until I decided to search for "urlseek.vmn.net" and discovered it was malware. I should have known that, but I didn't think anything of it.

So yeah. I've tried using Malwarebytes as I always do whenever there is a problem on my computer, and nothing showed up.

Here's the requested DDS and GMER logs. Can someone please help me get rid of this annoying redirecting problem? I've tried getting rid of this thing myself, but I give up. I'm tired of searching and searching and finding nothing that helps, so I came here.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by kay at 14:09:33 on 2011-07-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.86 [GMT -4:00]
.
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\kay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\kay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\kay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\kay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\kay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\kay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: IMVU Inc Toolbar: {90b49673-5506-483e-b92b-ca0265bd9ca8} - c:\program files\imvu_inc\prxtbIMVU.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: IMVU Inc Toolbar: {90b49673-5506-483e-b92b-ca0265bd9ca8} - c:\program files\imvu_inc\prxtbIMVU.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
TB: IMVU Inc Toolbar: {90b49673-5506-483e-b92b-ca0265bd9ca8} - c:\program files\imvu_inc\prxtbIMVU.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Panda Security URL Filtering] "c:\documents and settings\all users\application data\panda security url filtering\Panda_URL_Filtering.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\kay\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306978336250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{E507FEE7-93AB-4070-8F0B-8EB4D9C071F2} : DhcpNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kay\application data\mozilla\firefox\profiles\0id089jz.default\
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - plugin: c:\documents and settings\kay\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-4-28 129992]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2011-7-5 143752]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-4-28 112456]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2011-7-23 3032360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2006-4-12 169472]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2011-7-23 15144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-28 05:17:42 -------- d-sha-r- C:\cmdcons
2011-07-23 18:46:00 -------- d-----w- c:\documents and settings\kay\application data\WTablet
2011-07-23 18:45:28 3708200 ------w- c:\windows\system32\PenTablet.cpl
2011-07-23 18:45:16 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2011-07-23 18:44:45 13480 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2011-07-23 18:44:45 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2011-07-23 18:44:34 15144 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2011-07-23 18:44:33 -------- d-----w- c:\windows\system32\WTablet
2011-07-23 18:44:30 181544 ------w- c:\windows\system32\Wintab32.dll
2011-07-23 18:44:29 128296 ------w- c:\windows\system32\Pen_Tablet.dll
2011-07-23 18:44:26 3032360 ------w- c:\windows\system32\Pen_Tablet.exe
2011-07-23 18:44:21 -------- d-----w- c:\program files\Tablet
2011-07-22 04:30:51 -------- d-----w- c:\program files\iPod
2011-07-22 04:26:19 -------- d-----w- c:\program files\Bonjour
2011-07-22 01:14:49 -------- d-----w- c:\windows\system32\GroupPolicy
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 18:47:41 -------- d-----w- c:\windows\pss
2011-07-08 18:13:24 -------- d-----w- c:\program files\Conduit
2011-07-08 18:13:19 -------- d-----w- c:\documents and settings\kay\local settings\application data\IMVU_Inc
2011-07-08 18:13:18 -------- d-----w- c:\program files\IMVU_Inc
2011-07-08 18:13:18 -------- d-----w- c:\documents and settings\kay\local settings\application data\Conduit
2011-07-05 18:28:16 -------- d-----w- c:\documents and settings\kay\local settings\application data\DOSBox
2011-07-05 18:27:49 -------- d-----w- c:\program files\DOSBox-0.74
2011-07-05 10:12:43 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-07-05 01:52:55 -------- d-----w- c:\documents and settings\kay\application data\Adobe Mini Bridge CS5.1
2011-07-05 01:52:46 -------- d-----w- c:\documents and settings\kay\application data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-06-30 20:47:40 -------- d-----w- c:\documents and settings\kay\application data\SYSTEMAX Software Development
2011-06-30 20:47:40 -------- d-----w- c:\documents and settings\all users\application data\SYSTEMAX Software Development
2011-06-29 18:15:39 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
.
==================== Find3M ====================
.
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 16:29:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 23:28:42 218624 ----a-w- c:\windows\system32\uxtheme.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-06-01 18:41:21 0 ----a-w- c:\windows\ativpsrm.bin
2011-06-01 18:03:40 315392 ----a-w- c:\windows\HideWin.exe
2011-05-10 12:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-04 08:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 14:10:39.46 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-28 17:50:55
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160310AS rev.0303
Running: gmer.exe; Driver: C:\DOCUME~1\kay\LOCALS~1\Temp\axrdapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\PSINProc.sys (PSINProc Filter Driver for XP32/Panda Security, S.L.) ZwTerminateProcess [0xA5D77416]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6D81000, 0x19DA46, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01360001
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A50F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A20F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] WS2_32.dll!send 71AB4C27 6 Bytes JMP 719F0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71960F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719C0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 71990F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71930F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3272] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 1068EDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3272] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 1068ED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3272] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104A5451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3272] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104A5A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

Just thought I'd include the MBAM log as well that showed nothing:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7232

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/28/2011 12:09:32 AM
mbam-log-2011-07-28 (00-09-31).txt

Scan type: Full scan (C:\|)
Objects scanned: 251128
Time elapsed: 2 hour(s), 7 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#2 Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:39 PM

Posted 29 July 2011 - 10:52 AM

**In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance, and we will be more than happy to wait. If you fail to do so, we will have your thread closed in THREE (3) days. :)


Hello there, eterniawolf

:welcome:

I'm Conspire, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

IMPORTANT NOTE: Please do not delete anything unless instructed to. Remember to back up all your important data (if possible) before moving on.

---------------------------------------------------------------------------------------------------

I'd like to have another log for review.

Download aswMBR.exe (511KB) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.

---------------------------------------------------------------------------------------------------
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#3 eterniawolf

  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:39 AM

Posted 29 July 2011 - 01:10 PM

Hi Conspire, thanks for taking the time to help me. :)

Here's the log you requested:

aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-29 13:00:00
-----------------------------
13:00:00.609 OS Version: Windows 5.1.2600 Service Pack 3
13:00:00.609 Number of processors: 1 586 0x7F02
13:00:00.609 ComputerName: ETERNIA UserName: kay
13:00:01.843 Initialize success
13:26:18.765 AVAST engine defs: 11072900
13:31:38.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:31:38.500 Disk 0 Vendor: ST9160310AS 0303 Size: 152627MB BusType: 3
13:31:38.531 Disk 0 MBR read successfully
13:31:38.531 Disk 0 MBR scan
13:31:38.593 Disk 0 Windows XP default MBR code
13:31:38.593 Disk 0 scanning sectors +312580096
13:31:38.718 Disk 0 scanning C:\WINDOWS\system32\drivers
13:31:54.734 Service scanning
13:31:55.968 Modules scanning
13:32:09.343 Disk 0 trace - called modules:
13:32:09.375 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:32:09.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83136ab8]
13:32:09.375 3 CLASSPNP.SYS[f75d2fd7] -> nt!IofCallDriver -> \Device\0000006d[0x831ae570]
13:32:09.734 5 ACPI.sys[f7469620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x831ae688]
13:32:14.984 AVAST engine scan C:\WINDOWS
13:32:51.125 AVAST engine scan C:\WINDOWS\system32
13:35:23.796 AVAST engine scan C:\WINDOWS\system32\drivers
13:35:45.000 AVAST engine scan C:\Documents and Settings\kay
13:54:16.656 AVAST engine scan C:\Documents and Settings\All Users
13:57:08.015 Scan finished successfully
14:07:23.250 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\kay\Desktop\MBR.dat"
14:07:23.265 The log file has been saved successfully to "C:\Documents and Settings\kay\Desktop\aswMBR.txt"

#4 Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:39 PM

Posted 29 July 2011 - 11:12 PM

Hello there,

***Read through this entire procedure and if you have any questions, please ask them before you begin. Copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions. Do take note that if you could not run any of the tools requested, carry on with the next instruction (if any) and let us know.


You're welcome :)

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Refer to the ComboFix User's Guide

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

    **********************************************
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Edited by Conspire, 29 July 2011 - 11:14 PM.


#5 eterniawolf

  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:39 AM

Posted 30 July 2011 - 02:31 PM

Here are the contents of the file ComboFix.txt located in my C:\ drive.

ComboFix 11-07-29.03 - kay 07/30/2011 14:44:38.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.403 [GMT -4:00]
Running from: c:\documents and settings\kay\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-30 )))))))))))))))))))))))))))))))
.
.
2011-07-23 18:46 . 2011-07-30 18:27 -------- d-----w- c:\documents and settings\kay\Application Data\WTablet
2011-07-23 18:45 . 2008-05-01 22:31 3708200 ------w- c:\windows\system32\PenTablet.cpl
2011-07-23 18:45 . 2007-02-16 00:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2011-07-23 18:44 . 2008-01-15 20:11 13480 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2011-07-23 18:44 . 2007-02-16 19:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2011-07-23 18:44 . 2008-03-17 20:14 15144 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2011-07-23 18:44 . 2011-07-23 18:44 -------- d-----w- c:\windows\system32\WTablet
2011-07-23 18:44 . 2008-05-01 22:23 181544 ------w- c:\windows\system32\Wintab32.dll
2011-07-23 18:44 . 2008-05-01 22:33 128296 ------w- c:\windows\system32\Pen_Tablet.dll
2011-07-23 18:44 . 2008-05-01 22:40 3032360 ------w- c:\windows\system32\Pen_Tablet.exe
2011-07-23 18:44 . 2011-07-23 18:45 -------- d-----w- c:\program files\Tablet
2011-07-22 04:30 . 2011-07-22 04:30 -------- d-----w- c:\program files\iPod
2011-07-22 04:26 . 2011-07-22 04:26 -------- d-----w- c:\program files\Bonjour
2011-07-22 01:14 . 2011-07-22 01:14 -------- d-----w- c:\windows\system32\GroupPolicy
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 18:13 . 2011-07-08 18:13 -------- d-----w- c:\program files\Conduit
2011-07-08 18:13 . 2011-07-08 18:13 -------- d-----w- c:\documents and settings\kay\Local Settings\Application Data\IMVU_Inc
2011-07-08 18:13 . 2011-07-08 18:13 -------- d-----w- c:\documents and settings\kay\Local Settings\Application Data\Conduit
2011-07-08 18:13 . 2011-07-08 18:13 -------- d-----w- c:\program files\IMVU_Inc
2011-07-05 18:28 . 2011-07-05 18:28 -------- d-----w- c:\documents and settings\kay\Local Settings\Application Data\DOSBox
2011-07-05 18:27 . 2011-07-05 18:54 -------- d-----w- c:\program files\DOSBox-0.74
2011-07-05 10:12 . 2011-07-05 10:12 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-07-05 01:52 . 2011-07-05 01:52 -------- d-----w- c:\documents and settings\kay\Application Data\Adobe Mini Bridge CS5.1
2011-07-05 01:52 . 2011-07-05 01:52 -------- d-----w- c:\documents and settings\kay\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-07-02 01:07 . 2011-07-02 01:07 -------- d-----w- c:\documents and settings\kay\Application Data\ImgBurn
2011-07-02 00:43 . 2011-07-02 00:43 -------- d-----w- c:\program files\ImgBurn
2011-06-30 20:47 . 2011-06-30 20:47 -------- d-----w- c:\documents and settings\kay\Application Data\SYSTEMAX Software Development
2011-06-30 20:47 . 2011-06-30 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SYSTEMAX Software Development
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2011-06-01 20:54 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-06-01 20:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 16:29 . 2011-06-01 20:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-13 17:50 . 2011-06-13 17:50 45056 ----a-r- c:\documents and settings\kay\Application Data\Microsoft\Installer\{680B6877-75C2-4CEF-866D-7DBE26DBB772}\_597EDA5447AC_4DEE_A5F8_88EF195E1F22.exe
2011-06-02 23:28 . 2006-02-28 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
2011-06-02 14:02 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-06-01 18:03 . 2011-06-01 18:03 315392 ----a-w- c:\windows\HideWin.exe
2011-05-10 12:06 . 2011-06-16 17:52 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06 . 2011-06-16 17:52 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-04 08:52 . 2011-06-03 19:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2011-06-03 19:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2011-06-01 17:15 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-24 16:47 . 2011-06-01 19:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{90b49673-5506-483e-b92b-ca0265bd9ca8}"= "c:\program files\IMVU_Inc\prxtbIMVU.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{90b49673-5506-483e-b92b-ca0265bd9ca8}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90b49673-5506-483e-b92b-ca0265bd9ca8}]
2011-01-17 20:54 175912 ----a-w- c:\program files\IMVU_Inc\prxtbIMVU.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2011-05-13 13:25 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2011-05-13 86696]
"{90b49673-5506-483e-b92b-ca0265bd9ca8}"= "c:\program files\IMVU_Inc\prxtbIMVU.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
.
[HKEY_CLASSES_ROOT\clsid\{90b49673-5506-483e-b92b-ca0265bd9ca8}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-14 16806912]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2011-04-27 231592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 21:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-03 17:50 136176 ----atw- c:\documents and settings\kay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 14:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 1:57 PM 129992]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 1:58 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [7/5/2011 6:12 AM 143752]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 1:57 PM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 1:57 PM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 1:57 PM 112456]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [7/23/2011 2:44 PM 3032360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\13.tmp --> c:\windows\system32\13.tmp [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [4/12/2006 2:43 PM 169472]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [7/23/2011 2:44 PM 15144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-1957994488-839522115-1003Core.job
- c:\documents and settings\kay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 17:50]
.
2011-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-1957994488-839522115-1003UA.job
- c:\documents and settings\kay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 17:50]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\kay\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\kay\Application Data\Mozilla\Firefox\Profiles\0id089jz.default\
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-30 14:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\13.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(808)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\panda_url_filtering.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-30 14:55:55
ComboFix-quarantined-files.txt 2011-07-30 18:55
.
Pre-Run: 105,671,467,008 bytes free
Post-Run: 105,760,387,072 bytes free
.
- - End Of File - - C1C91E18ABDB9FEC954721C19F6BC50F

Edited by eterniawolf, 30 July 2011 - 02:34 PM.


#6 Conspire
  • Malware Response Team
  • 1,155 posts

Posted 31 July 2011 - 04:26 AM

Hi,

Follow these steps to display hidden files and folders.

  • Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
  • Click the View tab.
  • Under Advanced settings, click Show hidden files and folders
  • Click OK. (Remember to Hide files and folders once done)

Please go to one of the below sites to scan the following files:
Virus Total (Recommended)
jotti.org
VirScan


Click on Browse, and upload the following file for analysis:
c:\windows\HideWin.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned, click "reanalyze now".
Please post the results in your next reply.

===================================================

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

File::
c:\windows\system32\13.tmp

Driver::
MEMSWEEP2

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]


In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

===================================================

On your next reply please post :
File scanner report
Combofix log


Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.
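Post #6 above targets the MEMSWEEP2 service, whose image is a .tmp file in system32 that ComboFix marked with [?] because it could not examine it. As an added example, not code from the thread, from ComboFix or from BleepingComputer, here is a small Python triage script that parses the Drivers/Services block in this log format and surfaces such entries for a helper to look at; the `TEMP_DIRS` watch-list and the `examplesvc` sample line are constructed for the example.

```python
"""Triage helper for the 'Drivers/Services' block of a ComboFix log.

Added example, not a BleepingComputer or ComboFix tool. It parses lines in
the format ComboFix prints (state, name, display name, image path, and a
trailing [date time size], or [?] when the file could not be examined) and
flags entries a helper would look at first: an image the tool could not find,
an image with a temporary-file extension, or an image living in a temp folder.
"""
import re
from dataclasses import dataclass

# One service line: "R2 name;display;path [date time size]" or "... [?]".
_LINE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+?)\s*\[(?P<info>[^\]]*)\]\s*$"
)

# Folders a persistent service image is not normally installed into
# (hypothetical watch-list for this example; extend for your environment).
TEMP_DIRS = ("\\temp\\", "\\local settings\\temp\\", "\\tmp\\")

# Sample block modelled on the log in this thread. The first four lines are
# the format ComboFix printed above; the 'examplesvc' line is constructed to
# exercise the temp-folder check and does not come from the log.
SAMPLE_LOG = r"""
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 1:57 PM 129992]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [7/23/2011 2:44 PM 3032360]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\13.tmp --> c:\windows\system32\13.tmp [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [4/12/2006 2:43 PM 169472]
S3 examplesvc;Example Service;c:\documents and settings\kay\Local Settings\Temp\svc.exe [7/30/2011 1:00 PM 4096]
"""


@dataclass
class ServiceEntry:
    state: str       # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    image: str       # Win32 image path (right-hand side if ComboFix printed '-->')
    file_info: str   # "date time size", or "?" when ComboFix could not stat it
    reasons: list    # filled in by triage()


def parse_service_line(line):
    """Return a ServiceEntry for a ComboFix service line, or None if it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    # "\??\c:\x\13.tmp --> c:\x\13.tmp": keep the resolved Win32 path.
    # The \??\ NT prefix on its own is normal for many legitimate drivers,
    # so it is deliberately not treated as a reason below.
    image = m.group("rest").split("-->")[-1].strip()
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                        image, m.group("info").strip(), [])


def triage(entry):
    """Attach human-readable reasons for a second look; an empty list means nothing odd."""
    low = entry.image.lower()
    if entry.file_info == "?":
        entry.reasons.append("image file could not be examined ([?])")
    if low.endswith(".tmp"):
        entry.reasons.append("service image has a temporary-file extension")
    if any(d in low for d in TEMP_DIRS):
        entry.reasons.append("service image lives in a temp folder")
    return entry


def flagged_services(log_text):
    """Parse every service line in log_text and return only those with reasons."""
    out = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry and triage(entry).reasons:
            out.append(entry)
    return out


def cfscript_for(entries):
    """Render File::/Driver::/Registry:: stanzas in the form used in post #6, for review."""
    lines = ["File::"] + [e.image for e in entries] + [""]
    lines += ["Driver::"] + [e.name for e in entries] + [""]
    lines += ["Registry::"]
    lines += ["[-HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\%s]" % e.name
              for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for e in flagged_services(SAMPLE_LOG):
        print("%s (%s): %s" % (e.name, e.image, "; ".join(e.reasons)))
    print(cfscript_for(flagged_services(SAMPLE_LOG)))
```

cfscript_for only renders text for a helper to read; it writes and runs nothing, so the decision about each entry stays with the person reviewing the log.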

#7 eterniawolf
  • Topic Starter
  • Members
  • 8 posts

Posted 31 July 2011 - 01:56 PM

Sorry if this is becoming annoying. Apparently this thing is stubborn or something. This is why I gave up trying to figure out how to get rid of it on my own and came here, lol. Luckily it's only affecting Chrome and not IE or Firefox, but it's still annoying since I like using Chrome. :(

Here's the Virus Total results:

File name: HideWin.exe
Submission date: 2011-07-31 17:57:25 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)

Antivirus Version Last update Result
AhnLab-V3 2011.08.01.00 2011.07.31 -
AntiVir 7.11.12.171 2011.07.31 -
Antiy-AVL 2.0.3.7 2011.07.31 -
Avast 4.8.1351.0 2011.07.31 -
Avast5 5.0.677.0 2011.07.31 -
AVG 10.0.0.1190 2011.07.31 -
BitDefender 7.2 2011.07.31 -
CAT-QuickHeal 11.00 2011.07.31 -
ClamAV 0.97.0.0 2011.07.30 -
Commtouch 5.3.2.6 2011.07.31 -
Comodo 9581 2011.07.31 -
DrWeb 5.0.2.03300 2011.07.31 -
Emsisoft 5.1.0.8 2011.07.31 -
eSafe 7.0.17.0 2011.07.31 -
eTrust-Vet 36.1.8472 2011.07.29 -
F-Prot 4.6.2.117 2011.07.31 -
F-Secure 9.0.16440.0 2011.07.29 -
Fortinet 4.2.257.0 2011.07.31 -
GData 22 2011.07.31 -
Ikarus T3.1.1.104.0 2011.07.31 -
Jiangmin 13.0.900 2011.07.31 -
K7AntiVirus 9.109.4961 2011.07.29 -
Kaspersky 9.0.0.837 2011.07.31 -
McAfee 5.400.0.1158 2011.07.31 -
McAfee-GW-Edition 2010.1D 2011.07.31 -
Microsoft 1.7104 2011.07.31 -
NOD32 6338 2011.07.31 -
Norman 6.07.10 2011.07.31 -
nProtect 2011-07-31.01 2011.07.31 -
Panda 10.0.3.5 2011.07.31 -
PCTools 8.0.0.5 2011.07.31 -
Prevx 3.0 2011.07.31 -
Rising 23.68.04.03 2011.07.29 -
Sophos 4.67.0 2011.07.31 -
SUPERAntiSpyware 4.40.0.1006 2011.07.30 -
Symantec 20111.1.0.186 2011.07.31 -
TheHacker 6.7.0.1.266 2011.07.31 -
TrendMicro 9.200.0.1012 2011.07.31 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.31 -
VBA32 3.12.16.4 2011.07.29 -
VIPRE 10020 2011.07.31 -
ViRobot 2011.7.30.4597 2011.07.30 -
VirusBuster 14.0.147.1 2011.07.31 -


Here's the ComboFix.txt log:

ComboFix 11-07-31.04 - kay 07/31/2011 14:19:25.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.389 [GMT -4:00]
Running from: c:\documents and settings\kay\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kay\Desktop\CFScript.txt
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
* Created a new restore point
.
FILE ::
"c:\windows\system32\13.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-31 )))))))))))))))))))))))))))))))
.
.
2011-07-28 22:27 . 2011-07-28 22:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IMVU_Inc
2011-07-28 22:27 . 2011-07-28 22:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-07-28 19:24 . 2011-07-28 19:24 -------- d-----w- c:\program files\Sophos
2011-07-28 18:34 . 2011-07-28 18:34 2 --shatr- c:\windows\winstart.bat
2011-07-28 18:34 . 2011-05-18 14:53 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2011-07-28 18:33 . 2011-07-28 19:02 -------- d-----w- c:\program files\UnHackMe
2011-07-23 18:46 . 2011-07-31 18:29 -------- d-----w- c:\documents and settings\kay\Application Data\WTablet
2011-07-23 18:45 . 2008-05-01 22:31 3708200 ------w- c:\windows\system32\PenTablet.cpl
2011-07-23 18:45 . 2007-02-16 00:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2011-07-23 18:44 . 2008-01-15 20:11 13480 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2011-07-23 18:44 . 2007-02-16 19:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2011-07-23 18:44 . 2008-03-17 20:14 15144 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2011-07-23 18:44 . 2011-07-23 18:44 -------- d-----w- c:\windows\system32\WTablet
2011-07-23 18:44 . 2008-05-01 22:23 181544 ------w- c:\windows\system32\Wintab32.dll
2011-07-23 18:44 . 2008-05-01 22:33 128296 ------w- c:\windows\system32\Pen_Tablet.dll
2011-07-23 18:44 . 2008-05-01 22:40 3032360 ------w- c:\windows\system32\Pen_Tablet.exe
2011-07-23 18:44 . 2011-07-23 18:45 -------- d-----w- c:\program files\Tablet
2011-07-22 04:30 . 2011-07-22 04:30 -------- d-----w- c:\program files\iPod
2011-07-22 04:26 . 2011-07-22 04:26 -------- d-----w- c:\program files\Bonjour
2011-07-22 01:14 . 2011-07-22 01:14 -------- d-----w- c:\windows\system32\GroupPolicy
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 18:13 . 2011-07-08 18:13 -------- d-----w- c:\program files\Conduit
2011-07-08 18:13 . 2011-07-08 18:13 -------- d-----w- c:\documents and settings\kay\Local Settings\Application Data\IMVU_Inc
2011-07-08 18:13 . 2011-07-08 18:13 -------- d-----w- c:\documents and settings\kay\Local Settings\Application Data\Conduit
2011-07-08 18:13 . 2011-07-08 18:13 -------- d-----w- c:\program files\IMVU_Inc
2011-07-05 18:28 . 2011-07-05 18:28 -------- d-----w- c:\documents and settings\kay\Local Settings\Application Data\DOSBox
2011-07-05 18:27 . 2011-07-05 18:54 -------- d-----w- c:\program files\DOSBox-0.74
2011-07-05 10:12 . 2011-07-05 10:12 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-07-05 01:52 . 2011-07-05 01:52 -------- d-----w- c:\documents and settings\kay\Application Data\Adobe Mini Bridge CS5.1
2011-07-05 01:52 . 2011-07-05 01:52 -------- d-----w- c:\documents and settings\kay\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-07-02 01:07 . 2011-07-02 01:07 -------- d-----w- c:\documents and settings\kay\Application Data\ImgBurn
2011-07-02 00:43 . 2011-07-02 00:43 -------- d-----w- c:\program files\ImgBurn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2011-06-01 20:54 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-06-01 20:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 16:29 . 2011-06-01 20:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-13 17:50 . 2011-06-13 17:50 45056 ----a-r- c:\documents and settings\kay\Application Data\Microsoft\Installer\{680B6877-75C2-4CEF-866D-7DBE26DBB772}\_597EDA5447AC_4DEE_A5F8_88EF195E1F22.exe
2011-06-02 23:28 . 2006-02-28 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
2011-06-02 14:02 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-06-01 18:03 . 2011-06-01 18:03 315392 ----a-w- c:\windows\HideWin.exe
2011-05-10 12:06 . 2011-06-16 17:52 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06 . 2011-06-16 17:52 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-04 08:52 . 2011-06-03 19:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2011-06-03 19:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-24 16:47 . 2011-06-01 19:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{90b49673-5506-483e-b92b-ca0265bd9ca8}"= "c:\program files\IMVU_Inc\prxtbIMVU.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{90b49673-5506-483e-b92b-ca0265bd9ca8}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90b49673-5506-483e-b92b-ca0265bd9ca8}]
2011-01-17 20:54 175912 ----a-w- c:\program files\IMVU_Inc\prxtbIMVU.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2011-05-13 13:25 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2011-05-13 86696]
"{90b49673-5506-483e-b92b-ca0265bd9ca8}"= "c:\program files\IMVU_Inc\prxtbIMVU.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
.
[HKEY_CLASSES_ROOT\clsid\{90b49673-5506-483e-b92b-ca0265bd9ca8}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-14 16806912]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2011-04-27 231592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 21:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-03 17:50 136176 ----atw- c:\documents and settings\kay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 14:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 1:57 PM 129992]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 1:58 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [7/5/2011 6:12 AM 143752]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 1:57 PM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 1:57 PM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 1:57 PM 112456]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [7/23/2011 2:44 PM 3032360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [4/12/2006 2:43 PM 169472]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [7/23/2011 2:44 PM 15144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2011-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-1957994488-839522115-1003Core.job
- c:\documents and settings\kay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 17:50]
.
2011-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-1957994488-839522115-1003UA.job
- c:\documents and settings\kay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 17:50]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\kay\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\kay\Application Data\Mozilla\Firefox\Profiles\0id089jz.default\
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-31 14:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2592)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\panda_url_filtering.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2011-07-31 14:35:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-31 18:35
ComboFix2.txt 2011-07-30 18:55
.
Pre-Run: 105,703,890,944 bytes free
Post-Run: 105,610,661,888 bytes free
.
- - End Of File - - 90EC6FDD7D941895B86B592BB1C30A9F

#8 Conspire
  • Malware Response Team
  • 1,155 posts

Posted 31 July 2011 - 09:45 PM

If it's only Chrome... :rolleyes:

I need you to make a batch file.

Open a new Notepad session

  • Click the Start button, click Run
  • In the run box type notepad
  • Click OK
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
@Echo on
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

In the notepad

  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "flush.bat"
  • Click Save


You should now have a file on your desktop.

Double click on flush.bat & allow it to run. A small black screen may briefly flash on and off, that's normal.

#9 eterniawolf
  • Topic Starter
  • Members
  • 8 posts

Posted 01 August 2011 - 12:20 PM

Sorry, I should have stated that it was only affecting Chrome. I should also add that urlseek only seems to be redirecting Google.com and no other sites to my knowledge.

I made the flush.bat file and ran it as instructed, but Chrome is still redirecting Google.com to urlseek.vmn.net. I even tried uninstalling Chrome just now and reinstalling it, and it's still there! This is becoming a headache. :(

I do appreciate the help you've been giving me, Conspire. Thanks for being so patient with this. :)

Edited by eterniawolf, 01 August 2011 - 12:34 PM.


#10 Conspire
  • Malware Response Team
  • 1,155 posts

Posted 02 August 2011 - 01:30 AM

No worries, we will get this sorted out eventually. :wink:

I will be back for further instructions when I have the time. I promise it will be soon and won't take more than 24 hours.

Thanks for waiting.

Edited by Conspire, 02 August 2011 - 01:30 AM.


#11 Conspire
  • Malware Response Team
  • 1,155 posts

Posted 02 August 2011 - 04:32 AM

We will uninstall Chrome again but in a different way this time. Once done, reboot and reinstall. I suspect the configuration is messed up as a result of this malware. Downloading the freeware version will do.

Download Revo Uninstaller
  • Double click the installation file on the desktop to run the installer.
  • Let it install to the default location.
  • Double click the new Revo Uninstaller Icon on the desktop to start the program.
You will now see a list of installed programs that Revo Uninstaller can remove.
  • Locate the program you are uninstalling: Google Chrome
  • Right Click the Icon then choose Uninstall.
  • Click Yes to the warning and choose the Uninstall Mode
  • Choose the Advanced option and then click Next.
  • This will launch the program's built-in uninstaller. Be patient, it can take several seconds.
  • Once the uninstaller is done click Next.
  • Revo Uninstaller will now scan for leftover information. Be patient, it can take several seconds.
  • Once this scan is done click Next.
  • You will then be presented with the leftover entries found by Revo Uninstaller
  • Look at ALL of the entries to ensure they relate to the uninstall.
  • Next click Select All > Delete to remove the entries.
  • Click Next.
  • If there are any program file folders left over you will be presented with a list to be removed.
  • Again look at ALL of the entries to ensure they are related to the uninstall.
  • Click Select All > Delete to remove the entries.
  • Click Finish to go back to the uninstall list.
  • Close the program


#12 eterniawolf
  • Topic Starter
  • Members
  • 8 posts

Posted 02 August 2011 - 10:38 AM

Thanks Conspire! That got rid of urlseek and I can now get on Google.com again!

#13 Conspire
  • Malware Response Team
  • 1,155 posts

Posted 02 August 2011 - 10:24 PM

Glad to hear that! :thumbup2:

You may now delete the rest of the tools we used previously.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now copy/paste the code into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.
Combofix /Uninstall

===================================================

Thank you for your patience, and performing all of the procedures requested. I would also like to take this opportunity to apologize for any delay that may have occurred.

--------------------------------------------------------------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.


Passwords
It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article, Strong passwords: How to create and use them, and consider a password keeper to keep all your passwords safe.


SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles:
To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an add-on available for both Firefox and IE.

  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Download Host.zip and Save it to your Desktop.
  • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
  • Follow the prompts and click 'Finish'.
  • This will open the newly created hosts folder on your Desktop.
  • Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  • Once updated you should see another prompt that the task was completed.
Follow this list and keep your antivirus program and antispyware programs updated and scan with them on a regular basis. By doing so, your potential for being infected again will reduce dramatically.

Hopefully this should take care of your problems! Good luck.

Do you have any questions or problems to ask? Please do not hesitate to do so.

**Please respond one more time to confirm it is resolved, so this topic can be closed.
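The HOSTS-file blocking described in the post above relies on exact name matching, which is worth verifying before relying on it. What follows is an added example, not code from the thread or from the MVPS project: a small Python parser that reads HOSTS syntax the way a resolver does and reports whether a name is redirected to a loopback or null address. The entries in SAMPLE_HOSTS are constructed for illustration.

```python
"""Check whether a HOSTS file sinkholes a given hostname.

Added example (not from the BleepingComputer thread or MVPS): parses
HOSTS-file syntax and reports whether a name is redirected to a
loopback/null address, which is how a blocking HOSTS file stops the
machine from reaching ad and malware sites.
"""
import ipaddress

# Addresses commonly used to sinkhole a name in a HOSTS file.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content in MVPS style (not the real MVPS file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example.net   # blocked ad server
0.0.0.0  tracker.example.org cdn.tracker.example.org
192.0.2.10      intranet.example.com
this is not a valid line
"""


def parse_hosts(text):
    """Return {hostname: ip} for each mapping in HOSTS text.

    Handles comment lines, trailing comments and several names per line.
    The first entry seen for a name wins; malformed lines are skipped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not an address: ignore the line
        for name in parts[1:]:
            table.setdefault(name.lower(), ip)
    return table


def is_sinkholed(hostname, table):
    """True if the exact hostname maps to a loopback/null address.

    HOSTS has no wildcards: blocking example.net does NOT block
    www.example.net, so only an exact (case-insensitive) match counts.
    """
    return table.get(hostname.lower()) in SINKHOLE_ADDRS


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "www.ads.example.net"):
        print(name, "blocked" if is_sinkholed(name, hosts) else "not blocked")
```

Running it shows the caveat directly: `ads.example.net` is blocked while `www.ads.example.net` is not, so a blocklist must list each hostname it wants to stop.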

#14 eterniawolf

eterniawolf
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:39 AM

Posted 03 August 2011 - 12:12 AM

Replying to say everything's all clear! Thanks for all your help, Conspire. I really appreciate it.

I will definitely make use of that list you provided. There are a few things listed there I didn't know about.

This thread can be closed now! :thumbsup:

#15 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:39 PM

Posted 03 August 2011 - 12:44 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.