Firefox Google Redirects (Find Fast Answers, etc)


  • This topic is locked
16 replies to this topic

#1 WhiskeyCop

  • Members
  • 19 posts

Posted 20 August 2011 - 12:15 PM

For some time now I have been receiving redirects while using Google and Firefox. IE and other search engines do not seem to be affected. I have searched for similar problems on the web, run MBAM, etc., but I have not been able to completely remove it. It keeps coming back. Any help would be useful.

Also, I do not know if this is related or not, but I get the red shield in the task tray with an info bubble directing me to turn on automatic updates. Windows Security Center shows that auto update is off and tells me to turn on auto update. When I click on the button to turn on auto update, WSS states that it cannot change those settings and that I need to do it manually. I have verified that auto update is ON via Control Panel / Automatic Updates.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by (Redacted) at 1:25:50 on 2011-08-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.951 [GMT -5:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Programs\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\MPK\mpk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Programs\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programs\Eraser\eraser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\(redacted)\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\mpk\mpk.exe,
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\programs\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\programs\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\programs\spybot - search & destroy\TeaTimer.exe
uRun: [Eraser] c:\programs\eraser\eraser.exe -hide
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeBridge]
uRun: [AirVideoServer] c:\program files\airvideoserver\AirVideoServer.exe
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [avgnt] "c:\programs\avira\antivir desktop\avgnt.exe" /min
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [PocketCloud Location] c:\program files\wyse\pocketcloud windows companion\WyseBrowser.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\(redacted)\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\itunes.lnk - c:\program files\itunes\iTunes.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\spywar~1.lnk - c:\programs\spywareguard\sgmain.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\programs\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.bmhcc.org/dana-cached/setup/JuniperSetupSP1.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{EE3D8277-8686-4376-81CF-30873D79C1A9} : DhcpNameServer = 10.0.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\programs\spywareguard\spywareguard.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\(redacted)\application data\mozilla\firefox\profiles\kp0tg4ga.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/
FF - prefs.js: keyword.URL - hxxp://www.goodsearch.com/search.aspx?keywords=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\(redacted)\application data\mozilla\firefox\profiles\kp0tg4ga.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\documents and settings\(redacted)\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-8-11 902592]
R1 avgio;avgio;c:\programs\avira\antivir desktop\avgio.sys [2009-8-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programs\avira\antivir desktop\sched.exe [2009-8-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programs\avira\antivir desktop\avguard.exe [2009-8-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-11 56816]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WysePocketCloud;Wyse PocketCloud;c:\program files\wyse\pocketcloud windows companion\PocketCloudService.exe [2011-3-24 83968]
S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-16 136176]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-12 12672]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-16 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-7 41272]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
.
=============== Created Last 30 ================
.
2011-08-20 05:10:07 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-20 04:40:11 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-20 04:40:10 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-20 04:40:10 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-20 04:40:10 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-20 04:40:10 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-20 04:40:10 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-20 04:40:09 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-16 05:40:59 -------- d-----w- c:\documents and settings\(redacted)\local settings\application data\Google
2011-08-05 03:15:10 -------- d-----w- c:\windows\system32\vmm32
2011-08-05 02:52:19 5600 ----a-w- c:\windows\system\WINASPI.DLL
2011-08-05 02:52:19 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2011-08-05 02:52:19 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2011-08-05 02:52:19 16877 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2011-08-05 02:52:11 -------- d-----w- C:\Temp
2011-08-05 02:52:06 -------- d-----w- c:\program files\DeadDiskDoctor
2011-08-03 21:48:37 388096 ----a-r- c:\documents and settings\(redacted)\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-03 21:48:37 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-08-17 14:59:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-21 03:58:00 357376 ----a-w- c:\windows\system32\atl32.dll
2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-02 04:19:01 0 ----a-w- c:\documents and settings\(redacted)\application data\8588451.exe
2011-07-02 04:19:01 0 ----a-w- c:\documents and settings\(redacted)\application data\7353760.exe
2011-07-02 04:19:01 0 ----a-w- c:\documents and settings\(redacted)\application data\6985810.exe
2011-07-02 04:19:01 0 ----a-w- c:\documents and settings\(redacted)\application data\4746514.exe
2011-06-23 03:29:24 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
.
============= FINISH: 1:26:37.32 ===============
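The log above is what a Malware Response Team member reads by hand. As an added example, not part of the original post and not code from DDS or from BleepingComputer, the Python script below applies the checks a responder makes first on a search-redirect log: the Winlogon Userinit chain (anything after userinit.exe runs at every logon), restrictive Explorer policies, the DHCP-assigned DNS resolver, non-default hosts entries, services whose binary DDS marked with `[?]`, and executables that look dropped rather than installed. The sample lines are copied from the log in this post; the rule set, the policy list and the function names are this example's own assumptions, and a hit means "look at this", not "this is malware".

```python
"""Triage the indicator lines of a DDS log for a search-redirect case.
Added example for this thread: not code from the post, from DDS, or from
BleepingComputer. The rules below are this example's own assumptions."""
import ipaddress
import re

# Constructed sample: lines copied from the DDS log in the first post above.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\mpk\mpk.exe,
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
TCP: DhcpNameServer = 10.0.1.1
Hosts: 127.0.0.1 www.spywareinfo.com
S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
R2 AntiVirService;Avira AntiVir Guard;c:\programs\avira\antivir desktop\avguard.exe [2009-8-11 185089]
2011-07-02 04:19:01 0 ----a-w- c:\documents and settings\(redacted)\application data\8588451.exe
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
# Explorer policies an infection sets to lock the user out of tools (assumed list).
RESTRICTIVE_POLICIES = {"nosmhelp", "nonetworkconnections", "nofolderoptions", "norun"}
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(\d+)\s+\S+\s+(.+)$")

def check_userinit(line):
    # Userinit must be exactly userinit.exe; anything appended runs at every logon.
    m = re.match(r"^mWinlogon: Userinit=(.*)", line, re.I)
    if not m:
        return None
    extra = [p.strip() for p in m.group(1).split(",")
             if p.strip() and p.strip().lower() != STOCK_USERINIT]
    return f"Userinit chain loads extra executables: {extra}" if extra else None

def check_policy(line):
    m = re.match(r"^[um]Policies-\w+:\s*(\w+)\s*=\s*([0-9a-fA-F]+)", line)
    if m and m.group(1).lower() in RESTRICTIVE_POLICIES and int(m.group(2), 16):
        return f"restrictive Explorer policy {m.group(1)} is set (raw {m.group(2)})"
    return None

def check_dns(line):
    # A DHCP-assigned resolver outside private address space is a classic redirect vector.
    m = re.match(r"^TCP:.*DhcpNameServer\s*=\s*(.+)", line)
    if not m:
        return None
    public = []
    for server in m.group(1).split():
        try:
            if not ipaddress.ip_address(server).is_private:
                public.append(server)
        except ValueError:
            public.append(server)  # not even an address: worth a look
    return f"DNS resolver outside private ranges: {public}" if public else None

def check_hosts(line):
    # DDS prints only non-default hosts entries, so every one needs a known owner.
    m = re.match(r"^Hosts:\s*(\S+)\s+(\S+)", line)
    if not m or m.group(2).lower() == "localhost":
        return None
    return f"hosts file maps {m.group(2)} to {m.group(1)}; confirm which tool added it"

def check_service(line):
    # DDS appends [?] when it cannot read the binary the service is registered to run.
    m = SERVICE_RE.match(line)
    if not m or not m.group(3).strip().endswith("[?]"):
        return None
    return f"service {m.group(1)} ({m.group(2).strip()!r}) points at an unreadable binary"

def check_file(line):
    m = FILE_RE.match(line)
    if not m:
        return None
    size, path = int(m.group(1)), m.group(2)
    folder, _, name = path.lower().rpartition("\\")
    if not name.endswith(".exe"):
        return None
    reasons = []
    if size == 0:
        reasons.append("zero bytes")
    if name[:-4].isdigit():
        reasons.append("random numeric name")
    if folder.endswith("\\application data"):
        reasons.append("dropped straight into Application Data")
    return f"executable {path} ({', '.join(reasons)})" if reasons else None

CHECKS = (check_userinit, check_policy, check_dns, check_hosts, check_service, check_file)

def triage(log_text):
    """Return one finding per suspicious line, in log order; a hit means 'look here'."""
    findings = []
    for line in log_text.splitlines():
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings
```

Run it as `triage(open("dds.txt").read())` against a saved log; on the sample above it reports the extra Userinit entry, both Explorer policies, the hosts entry, the two services with unreadable binaries and the zero-byte numeric executable, and stays quiet on the private 10.0.1.1 resolver and on the Avira and MBAM entries.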



#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,623 posts

Posted 25 August 2011 - 12:20 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415309 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 WhiskeyCop
  • Topic Starter

  • Members
  • 19 posts

Posted 27 August 2011 - 03:02 PM

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by (redacted) at 1:45:15 on 2011-08-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1040 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Programs\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\MPK\mpk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Programs\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programs\Eraser\eraser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\(redacted)\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Programs\HandBrake\Handbrake.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\mpk\mpk.exe,
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\programs\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\programs\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\programs\spybot - search & destroy\TeaTimer.exe
uRun: [Eraser] c:\programs\eraser\eraser.exe -hide
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeBridge]
uRun: [AirVideoServer] c:\program files\airvideoserver\AirVideoServer.exe
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [avgnt] "c:\programs\avira\antivir desktop\avgnt.exe" /min
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PocketCloud Location] c:\program files\wyse\pocketcloud windows companion\WyseBrowser.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\(redacted)\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\itunes.lnk - c:\program files\itunes\iTunes.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\spywar~1.lnk - c:\programs\spywareguard\sgmain.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\programs\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.bmhcc.org/dana-cached/setup/JuniperSetupSP1.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{EE3D8277-8686-4376-81CF-30873D79C1A9} : DhcpNameServer = 10.0.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\programs\spywareguard\spywareguard.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\(redacted)\application data\mozilla\firefox\profiles\kp0tg4ga.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/
FF - prefs.js: keyword.URL - hxxp://www.goodsearch.com/search.aspx?keywords=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\(redacted)\application data\mozilla\firefox\profiles\kp0tg4ga.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\documents and settings\(redacted)\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-8-11 902592]
R1 avgio;avgio;c:\programs\avira\antivir desktop\avgio.sys [2009-8-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programs\avira\antivir desktop\sched.exe [2009-8-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programs\avira\antivir desktop\avguard.exe [2009-8-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-11 56816]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WysePocketCloud;Wyse PocketCloud;c:\program files\wyse\pocketcloud windows companion\PocketCloudService.exe [2011-3-24 83968]
S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-16 136176]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-12 12672]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-16 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-7 41272]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
.
=============== Created Last 30 ================
.
2011-08-20 05:10:07 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-20 04:40:11 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-20 04:40:10 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-20 04:40:10 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-20 04:40:10 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-20 04:40:10 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-20 04:40:10 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-20 04:40:09 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-16 05:40:59 -------- d-----w- c:\documents and settings\(redacted)\local settings\application data\Google
2011-08-05 03:15:10 -------- d-----w- c:\windows\system32\vmm32
2011-08-05 02:52:19 5600 ----a-w- c:\windows\system\WINASPI.DLL
2011-08-05 02:52:19 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2011-08-05 02:52:19 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2011-08-05 02:52:19 16877 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2011-08-05 02:52:11 -------- d-----w- C:\Temp
2011-08-05 02:52:06 -------- d-----w- c:\program files\DeadDiskDoctor
2011-08-03 21:48:37 388096 ----a-r- c:\documents and settings\(redacted)\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-03 21:48:37 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-08-17 14:59:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-21 03:58:00 357376 ----a-w- c:\windows\system32\atl32.dll
2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-02 04:19:01 0 ----a-w- c:\documents and settings\(redacted)\application data\8588451.exe
2011-07-02 04:19:01 0 ----a-w- c:\documents and settings\(redacted)\application data\7353760.exe
2011-07-02 04:19:01 0 ----a-w- c:\documents and settings\(redacted)\application data\6985810.exe
2011-07-02 04:19:01 0 ----a-w- c:\documents and settings\(redacted)\application data\4746514.exe
2011-06-23 03:29:24 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
.
============= FINISH: 1:46:12.82 ===============

Attached Files



#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 27 August 2011 - 05:56 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 WhiskeyCop
  • Topic Starter

  • Members
  • 19 posts

Posted 27 August 2011 - 10:24 PM

ComboFix 11-08-27.01 - (redacted) 08/27/2011 21:26:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1188 [GMT -5:00]
Running from: c:\documents and settings\(redacted)\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\SPL1.tmp
c:\documents and settings\All Users\SPL2.tmp
c:\documents and settings\All Users\SPL214.tmp
c:\documents and settings\All Users\SPL3.tmp
c:\documents and settings\All Users\SPL32A.tmp
c:\documents and settings\All Users\SPL7F8.tmp
c:\documents and settings\All Users\SPLA4D.tmp
c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\fondp29l.default\extensions\{a47b5e49-d56f-449d-aaf6-46f98bf71ef8}
c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\fondp29l.default\extensions\{a47b5e49-d56f-449d-aaf6-46f98bf71ef8}\chrome.manifest
c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\fondp29l.default\extensions\{a47b5e49-d56f-449d-aaf6-46f98bf71ef8}\chrome\xulcache.jar
c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\fondp29l.default\extensions\{a47b5e49-d56f-449d-aaf6-46f98bf71ef8}\defaults\preferences\xulcache.js
c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\fondp29l.default\extensions\{a47b5e49-d56f-449d-aaf6-46f98bf71ef8}\install.rdf
c:\documents and settings\(redacted)\Application Data\4746514.exe
c:\documents and settings\(redacted)\Application Data\6985810.exe
c:\documents and settings\(redacted)\Application Data\7353760.exe
c:\documents and settings\(redacted)\Application Data\8588451.exe
c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\kp0tg4ga.default\extensions\{a47b5e49-d56f-449d-aaf6-46f98bf71ef8}
c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\kp0tg4ga.default\extensions\{a47b5e49-d56f-449d-aaf6-46f98bf71ef8}\chrome.manifest
c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\kp0tg4ga.default\extensions\{a47b5e49-d56f-449d-aaf6-46f98bf71ef8}\chrome\xulcache.jar
c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\kp0tg4ga.default\extensions\{a47b5e49-d56f-449d-aaf6-46f98bf71ef8}\defaults\preferences\xulcache.js
c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\kp0tg4ga.default\extensions\{a47b5e49-d56f-449d-aaf6-46f98bf71ef8}\install.rdf
c:\windows\system32\atl32.dll
c:\windows\system32\comct332.ocx
c:\windows\system32\drivers\etc\hosts.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-28 )))))))))))))))))))))))))))))))
.
.
2011-08-28 02:53 . 2011-08-28 02:53 -------- d-----w- c:\windows\LastGood
2011-08-20 05:10 . 2011-08-12 05:57 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-20 04:40 . 2011-08-12 03:16 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-20 04:40 . 2011-08-12 05:57 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-20 04:40 . 2011-08-12 05:57 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-20 04:40 . 2011-08-12 05:57 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-20 04:40 . 2011-08-12 05:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-20 04:40 . 2011-08-12 03:16 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-20 04:40 . 2011-08-12 05:57 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-16 05:40 . 2011-08-17 15:00 -------- d-----w- c:\program files\Google
2011-08-16 05:40 . 2011-08-17 15:00 -------- d-----w- c:\documents and settings\(redacted)\Local Settings\Application Data\Google
2011-08-05 03:15 . 2011-08-05 03:15 -------- d-----w- c:\windows\system32\vmm32
2011-08-05 02:52 . 2002-07-17 21:22 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2011-08-05 02:52 . 2002-07-17 21:22 5600 ----a-w- c:\windows\system\WINASPI.DLL
2011-08-05 02:52 . 2002-07-17 14:20 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2011-08-05 02:52 . 2002-07-17 13:53 16877 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2011-08-05 02:52 . 2011-08-06 02:04 -------- d-----w- C:\Temp
2011-08-05 02:52 . 2011-08-05 03:15 -------- d-----w- c:\program files\DeadDiskDoctor
2011-08-03 21:48 . 2011-08-03 21:48 388096 ----a-r- c:\documents and settings\(redacted)\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-03 21:48 . 2011-08-03 21:48 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 14:59 . 2011-05-21 23:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-07 00:52 . 2011-06-07 06:12 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52 . 2011-06-07 06:12 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 03:29 . 2011-06-23 03:29 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
2011-08-12 05:57 . 2011-08-20 05:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\programs\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Eraser"="c:\programs\Eraser\eraser.exe" [2009-06-10 334224]
"AirVideoServer"="c:\program files\AirVideoServer\AirVideoServer.exe" [2011-05-09 4944984]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"CTHelper"="CTHELPER.EXE" [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-22 4355464]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-23 960568]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-22 377248]
"avgnt"="c:\programs\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"PocketCloud Location"="c:\program files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe" [2011-03-25 399872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
.
c:\documents and settings\(redacted)\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\(redacted)\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
iTunes.lnk - c:\program files\iTunes\iTunes.exe [2011-6-7 9776936]
SpywareGuard.lnk - c:\programs\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoNetworkConnections"= 01000000
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\(redacted)\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\RemoteDesktopPlus\\Remote Desktop.exe"=
"c:\\Program Files\\Wyse\\PocketCloud Windows Companion\\WyseBrowser.exe"=
"c:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=
"c:\\Program Files\\AirPort\\APUtil.exe"=
"c:\\Documents and Settings\\(redacted)\\Desktop\\JailBreak\\tinyumbrella-4.32.01.exe"=
"c:\\Program Files\\AirVideoServer\\AirVideoServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [8/11/2009 8:58 PM 902592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programs\Avira\AntiVir Desktop\sched.exe [8/11/2009 11:36 PM 108289]
R2 WysePocketCloud;Wyse PocketCloud;c:\program files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe [3/24/2011 8:49 PM 83968]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/14/2010 12:24 AM 19056]
S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/16/2011 12:41 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/16/2011 12:41 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/7/2011 1:12 AM 41272]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-27 c:\windows\Tasks\AdobeAAMUpdater-1.0-XPS400-(redacted).job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-21 09:44]
.
2011-08-27 c:\windows\Tasks\AdobeAAMUpdater-1.0-XPS400-(redacted).job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-21 09:44]
.
2011-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
.
2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-16 05:40]
.
2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-16 05:40]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{EE3D8277-8686-4376-81CF-30873D79C1A9}: DhcpNameServer = 10.0.1.1
FF - ProfilePath - c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\kp0tg4ga.default\
FF - prefs.js: browser.search.selectedEngine - GoodSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/
FF - prefs.js: keyword.URL - hxxp://www.goodsearch.com/search.aspx?keywords=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
AddRemove-Aspi Installer - c:\temp\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-27 21:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AirVideoServer = c:\program files\AirVideoServer\AirVideoServer.exe?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3296)
c:\windows\system32\WININET.dll
c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\programs\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlcccoms.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\CTHELPER.EXE
c:\windows\system32\CTXFIHLP.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\MsiExec.exe
c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-08-27 22:06:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-28 03:05
.
Pre-Run: 424,261,099,520 bytes free
Post-Run: 424,209,100,800 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 7D00B02E1690B3C6F9EC4CA3B362D33C
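A defender-side triage helper for the two log formats posted above, the ComboFix service lines (`S2 AudioSrv32;Windows Audio ;... [?]`) and the DDS/ComboFix file lines (`2011-07-02 04:19:01 0 ----a-w- ...\8588451.exe`). This is an added example, not code from the thread, DDS or ComboFix; the built-in service table, the user path and the sample log are constructed for it.

```python
"""Flag the suspicious patterns visible in this thread's logs:
a service whose image file is missing ("[?]") or whose display name copies a
built-in Windows service, and zero-byte executables with all-digit names in
Application Data.  Added example; not part of DDS or ComboFix."""
import re
from typing import List, Tuple

# Service line, e.g.:
#   S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# File line in DDS "Find3M" form (one timestamp) or ComboFix form (two timestamps
# joined by " . "); size is a number, or a run of dashes for directories.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)

# Display names of built-in XP services mapped to the genuine service key name.
# Constructed subset for this example, not an exhaustive list.
BUILTIN_SERVICES = {
    "windows audio": "audiosrv",
    "automatic updates": "wuauserv",
}

Finding = Tuple[str, str]  # (reason, offending log line)


def check_service(line: str) -> List[Finding]:
    """Return findings for one ComboFix service line (empty list if benign)."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    findings: List[Finding] = []
    name = m["name"].strip().lower()
    display = m["display"].strip().lower()
    rest = m["rest"].strip()
    # ComboFix writes "path --> path [?]" when the image file cannot be found:
    # a configured service whose binary is gone (or hidden) deserves a look.
    if rest.endswith("[?]"):
        findings.append(("service image file missing", line))
    # A display name copied from a built-in service under a different key name
    # is a common way to hide an autostart entry among legitimate services.
    genuine = BUILTIN_SERVICES.get(display)
    if genuine is not None and name != genuine:
        findings.append((f"display name mimics built-in service {genuine}", line))
    return findings


def check_file(line: str) -> List[Finding]:
    """Return findings for one DDS/ComboFix file line (empty list if benign)."""
    m = FILE_RE.match(line)
    if not m or not m["size"].isdigit():
        return []
    path = m["path"].strip()
    base = path.rsplit("\\", 1)[-1].lower()
    if (int(m["size"]) == 0 and re.fullmatch(r"\d+\.exe", base)
            and "application data" in path.lower()):
        return [("zero-byte numeric-named exe in Application Data", line)]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run both checks over every line of a pasted log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(check_service(line))
        findings.extend(check_file(line))
    return findings


# Constructed sample built from the kinds of lines shown in this thread
# ("user" stands in for the redacted profile name).
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programs\Avira\AntiVir Desktop\sched.exe [8/11/2009 11:36 PM 108289]
S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/7/2011 1:12 AM 41272]
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-02 04:19:01 0 ----a-w- c:\documents and settings\user\application data\8588451.exe
2011-08-05 02:52 . 2011-08-05 03:15 -------- d-----w- c:\program files\DeadDiskDoctor
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```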

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 August 2011 - 10:47 PM

Hi

Please do the following:


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 WhiskeyCop
  • Topic Starter

  • Members
  • 19 posts

Posted 28 August 2011 - 12:00 PM

Had a problem running the ESET. Windows decided to install an update during the scan process and restarted/locked up the computer. Will have to run again. Here is the MBAM log.


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7590

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/27/2011 11:12:14 PM
mbam-log-2011-08-27 (23-12-14).txt

Scan type: Quick scan
Objects scanned: 173775
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Refog Software (Refog.Keylogger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\(redacted)\my documents\downloads\refog_setup_kl_602.exe (PUP.KGBKeylogger) -> Quarantined and deleted successfully.

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 28 August 2011 - 05:47 PM

OK :thumbup2:



#9 WhiskeyCop
  • Topic Starter

  • Members
  • 19 posts

Posted 28 August 2011 - 11:55 PM

Tried to run ESET again. Says that program has run before on this computer, only certain portions of database need to be downloaded. Starts at 50%. Waits a few minutes, and returns with "unable to download database, check proxy settings?" I do not connect through a proxy. Also tried through IE and same results.

#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 29 August 2011 - 03:53 AM

Go into Add/Remove Programs and uninstall the ESET download (if it's there).

Then clear out your internet browser history and cookies and give it another try.


Run TFC (Temp File Cleaner)


Download TFC to your desktop
Mirror
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
It's normal after running TFC cleaner that the PC will be slower to boot the first time.



#11 WhiskeyCop
  • Topic Starter

  • Members
  • 19 posts

Posted 29 August 2011 - 05:35 PM

Ran the ESET again. 0 threats found. Gave no option to export log.

#12 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 29 August 2011 - 07:33 PM

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and save it to your desktop.
  • Scroll down to where it says JDK 7 (JDK or JRE)
  • Click the Download JDK button underneath
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Oracle Binary Code License Agreement for Java SE ". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues



#13 WhiskeyCop
  • Topic Starter

  • Members
  • 19 posts

Posted 30 August 2011 - 06:16 PM

Seems to have taken care of the redirects.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by (redacted) at 17:53:01 on 2011-08-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1240 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Programs\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre7\bin\jqs.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Programs\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Programs\Eraser\eraser.exe
C:\Program Files\AirVideoServer\AirVideoServer.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\(redacted)\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Programs\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Programs\SpywareGuard\sgbhp.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\programs\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\programs\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No File
uRun: [SpybotSD TeaTimer] c:\programs\spybot - search & destroy\TeaTimer.exe
uRun: [Eraser] c:\programs\eraser\eraser.exe -hide
uRun: [AirVideoServer] c:\program files\airvideoserver\AirVideoServer.exe
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [avgnt] "c:\programs\avira\antivir desktop\avgnt.exe" /min
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PocketCloud Location] c:\program files\wyse\pocketcloud windows companion\WyseBrowser.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\(redacted)\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\itunes.lnk - c:\program files\itunes\iTunes.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\spywar~1.lnk - c:\programs\spywareguard\sgmain.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\programs\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.bmhcc.org/dana-cached/setup/JuniperSetupSP1.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{EE3D8277-8686-4376-81CF-30873D79C1A9} : DhcpNameServer = 10.0.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\programs\spywareguard\spywareguard.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\(redacted)\application data\mozilla\firefox\profiles\kp0tg4ga.default\
FF - prefs.js: browser.search.selectedEngine - GoodSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/
FF - prefs.js: keyword.URL - hxxp://www.goodsearch.com/search.aspx?keywords=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\(redacted)\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-8-11 902592]
R1 avgio;avgio;c:\programs\avira\antivir desktop\avgio.sys [2009-8-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programs\avira\antivir desktop\sched.exe [2009-8-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programs\avira\antivir desktop\avguard.exe [2009-8-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-11 56816]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WysePocketCloud;Wyse PocketCloud;c:\program files\wyse\pocketcloud windows companion\PocketCloudService.exe [2011-3-24 83968]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-11-14 19056]
S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-16 136176]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-12 12672]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-16 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-7 41272]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
.
=============== Created Last 30 ================
.
2011-08-30 06:05:29 -------- d-----w- c:\documents and settings\(redacted)\local settings\application data\Sun
2011-08-30 06:03:32 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-30 05:39:23 -------- d-----w- c:\windows\system32\appmgmt
2011-08-29 14:20:48 -------- d-----w- c:\program files\ESET
2011-08-28 02:55:49 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-28 02:55:46 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-28 02:55:42 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-08-28 02:54:14 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-08-28 02:53:32 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-08-28 01:56:45 -------- d-sha-r- C:\cmdcons
2011-08-28 01:54:00 98816 ----a-w- c:\windows\sed.exe
2011-08-28 01:54:00 518144 ----a-w- c:\windows\SWREG.exe
2011-08-28 01:54:00 256000 ----a-w- c:\windows\PEV.exe
2011-08-28 01:54:00 208896 ----a-w- c:\windows\MBR.exe
2011-08-28 01:53:52 -------- d-----w- C:\ComboFix
2011-08-20 05:10:07 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-20 04:40:11 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-20 04:40:10 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-20 04:40:10 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-20 04:40:10 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-20 04:40:10 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-20 04:40:10 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-20 04:40:09 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-16 05:40:59 -------- d-----w- c:\documents and settings\(redacted)\local settings\application data\Google
2011-08-05 03:15:10 -------- d-----w- c:\windows\system32\vmm32
2011-08-05 02:52:19 5600 ----a-w- c:\windows\system\WINASPI.DLL
2011-08-05 02:52:19 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2011-08-05 02:52:19 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2011-08-05 02:52:19 16877 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2011-08-05 02:52:11 -------- d-----w- C:\Temp
2011-08-05 02:52:06 -------- d-----w- c:\program files\DeadDiskDoctor
2011-08-03 21:48:37 388096 ----a-r- c:\documents and settings\(redacted)\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-03 21:48:37 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-08-30 06:03:21 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-17 14:59:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-23 03:29:24 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 17:54:02.45 ===============

#14 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 30 August 2011 - 08:29 PM

Hi

Just some housekeeping to do now.

Please do the following:


You can delete the DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
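An added example, not part of CatByte's instructions and not a BleepingComputer tool: a PowerShell check for the three Internet Zone ActiveX options from the Inetcpl.cpl steps above, reporting the current state and optionally applying the recommended values. It assumes the standard IE zone registry layout (Zone 3 is the Internet zone, action IDs 1001/1004/1201, values 0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example, not CatByte's instructions or a BleepingComputer tool: audits (and
# with -Fix, sets) the three Internet Zone ActiveX options named in the steps above.
# Assumption: the standard IE zone action IDs and their values (0 = Enable,
# 1 = Prompt, 3 = Disable); Zone 3 is the Internet zone. A value missing from the
# registry means the zone template default applies, reported here as "not set".

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Target state from the post: Prompt, Prompt, Disable.
$Wanted = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Value = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Value = 1 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
)
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    param([switch]$Fix)   # -Fix writes the recommended values; otherwise report only
    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    $compliant = $true
    foreach ($w in $Wanted) {
        $have = $zone.($w.Id)
        if ($null -eq $have)                     { $haveLabel = 'not set' }
        elseif ($Labels.ContainsKey([int]$have)) { $haveLabel = $Labels[[int]$have] }
        else                                     { $haveLabel = "unknown ($have)" }
        $ok = ($null -ne $have) -and ([int]$have -eq $w.Value)
        if (-not $ok) { $compliant = $false }
        Write-Host ("{0,-5} {1,-62} current: {2,-10} wanted: {3}" -f $w.Id, $w.Name, $haveLabel, $Labels[$w.Value])
        if ($Fix -and -not $ok) {
            Set-ItemProperty -Path $ZonePath -Name $w.Id -Value $w.Value -Type DWord
        }
    }
    # Caveat: when Security_HKLM_only is set under
    # HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings, IE ignores the
    # per-user zone values and uses HKLM\...\Zones\3 instead, so audit that key too.
    return $compliant
}

Test-InternetZoneActiveX         # report only; returns $true when all three match
# Test-InternetZoneActiveX -Fix  # apply the post's recommended values
```

The report-only run is safe to repeat; only the commented-out -Fix call writes to the registry.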


#15 WhiskeyCop

  • Topic Starter
  • Members
  • 19 posts

Posted 01 September 2011 - 01:32 AM

Thanks for your help.



