
Redirect with Google, MSN, sometimes ask.com!


  • This topic is locked
10 replies to this topic

#1 soozabelle


Posted 31 December 2011 - 04:18 PM

I keep getting redirected when I do internet searches on MSN and Google, and I've also been redirected a few times on ask.com. I've been trying to remove it for a while with no luck. Here's what I've done so far:
1. Checked LAN settings
2. Made sure DNS settings are not changed
3. Reset Windows hosts file
4. Checked add-ons
5. Ran TDSSKiller
6. Scanned with Malwarebytes and Spybot S&D (both said there were no problems)
7. Used CCleaner
8. Reset router to factory settings
9. Ran GMER (will add in next post)

I posted in another topic and they said to repost here. If you want to check my original post: http://www.bleepingcomputer.com/forums/topic433744.html/page__pid__2521925#entry2521925

Thanks so much for any help!


#2 soozabelle


Posted 31 December 2011 - 04:20 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by pc at 16:00:42 on 2011-12-31
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2999.1990 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wuauclt.exe
C:\Users\pc\Downloads\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [EPSON Stylus CX5000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibva.exe /fu "c:\windows\temp\E_S30AC.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Reader Library Launcher] c:\program files\sony\reader\data\bin\launcher\Reader Library Launcher.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{6734EEF5-7834-4405-9E80-9321633D81F5} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{6734EEF5-7834-4405-9E80-9321633D81F5}\2427F677E6541676C656 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{6734EEF5-7834-4405-9E80-9321633D81F5}\2427F677E6541676C656D27657563747 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{E3EAB699-2D5E-4FBC-B2F9-6B2477A15D72} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-16 366152]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-12-1 1153368]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2010-1-20 23136]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-4-23 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-4-23 232960]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-31 22216]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-19 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-19 136176]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-7-13 1343400]
.
=============== Created Last 30 ================
.
2011-12-26 16:41:23 -------- d-----w- c:\programdata\Leapfrog
2011-12-26 16:41:23 -------- d-----w- c:\program files\LeapFrog
2011-12-22 06:13:54 -------- d-----w- c:\users\pc\appdata\local\{052670E4-A41F-4FE5-BAEC-46875595582F}
2011-12-22 06:13:43 -------- d-----w- c:\users\pc\appdata\local\{0B7BB8CE-4CB4-486F-8B86-BAF9E06D4F62}
2011-12-21 05:17:38 98816 ----a-w- c:\windows\sed.exe
2011-12-21 05:17:38 518144 ----a-w- c:\windows\SWREG.exe
2011-12-21 05:17:38 256000 ----a-w- c:\windows\PEV.exe
2011-12-21 05:17:38 208896 ----a-w- c:\windows\MBR.exe
2011-12-21 05:17:28 -------- d-s---w- C:\ComboFix
2011-12-21 04:53:21 -------- d-----w- c:\program files\CCleaner
2011-12-20 14:58:35 -------- d-----w- c:\users\pc\appdata\local\{26416A18-6ACD-47DE-A713-3CFC56D772FB}
2011-12-20 14:58:25 -------- d-----w- c:\users\pc\appdata\local\{B604576B-F183-4B0C-AD58-D5ED8BDB6C52}
2011-12-19 17:06:27 -------- d-----w- c:\users\pc\appdata\local\Google
2011-12-14 13:26:53 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 13:26:50 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 13:26:47 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 13:26:45 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 13:26:44 3957104 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 13:26:44 3901808 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-13 19:11:45 -------- d-----w- c:\users\pc\appdata\local\{29B9E9DD-FA27-46D4-8817-1C2A6E967E75}
2011-12-13 19:11:35 -------- d-----w- c:\users\pc\appdata\local\{A453B395-32BA-46F9-B8F0-95FD5548A760}
2011-12-13 12:21:53 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ffcf40e3-3d3a-48bc-aa0b-556c1207fcaa}\mpengine.dll
2011-12-09 15:03:55 -------- d-----w- c:\users\pc\appdata\local\{348B1265-F8DC-4ECA-B288-8DD8BD1025A7}
2011-12-09 15:03:45 -------- d-----w- c:\users\pc\appdata\local\{FB8E3550-1649-4219-89DA-12A888063BC0}
2011-12-09 15:03:45 -------- d-----w- c:\users\pc\appdata\local\{A67C76B9-CD6F-4FBF-B3AA-62644DFFD1FC}
2011-12-01 22:03:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-01 22:03:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
.
==================== Find3M ====================
.
2011-12-26 16:44:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 16:01:40.44 ===============


#3 soozabelle


Posted 31 December 2011 - 04:47 PM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-31 16:46:47
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK3265GSX rev.GJ004E
Running: c76fqqmh.exe; Driver: C:\Users\pc\AppData\Local\Temp\pxldapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A7E5D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AA3092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text netbt.sys 90ABA000 59 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text netbt.sys 90ABA03C 36 Bytes [EB, E8, FE, C0, 8A, D3, 8B, ...]
.text netbt.sys 90ABA062 18 Bytes [FF, 56, 18, 8B, CF, FF, 15, ...]
.text netbt.sys 90ABA076 28 Bytes [01, 88, 45, 0F, 8A, 46, 0F, ...]
.text netbt.sys 90ABA093 96 Bytes [00, 00, EB, 09, 83, 66, 18, ...]
.text ...
? C:\Windows\System32\DRIVERS\netbt.sys suspicious PE modification
? C:\Users\pc\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[820] ntdll.dll!NtProtectVirtualMemory 773751C0 5 Bytes JMP 008F000A
.text C:\Windows\system32\svchost.exe[820] ntdll.dll!NtWriteVirtualMemory 77375D40 5 Bytes JMP 00A0000A
.text C:\Windows\system32\svchost.exe[820] ntdll.dll!KiUserExceptionDispatcher 77376298 5 Bytes JMP 008E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2240] USER32.dll!EnableWindow 765FA72E 5 Bytes JMP 6EA39A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2240] USER32.dll!DialogBoxIndirectParamW 76624AA7 5 Bytes JMP 6EB862BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2240] USER32.dll!DialogBoxParamW 7662564A 5 Bytes JMP 6E99170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2240] USER32.dll!DialogBoxParamA 7663CF6A 5 Bytes JMP 6EB86259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2240] USER32.dll!DialogBoxIndirectParamA 7663D29C 5 Bytes JMP 6EB86323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2240] USER32.dll!MessageBoxIndirectA 7664E8C9 5 Bytes JMP 6EB861E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2240] USER32.dll!MessageBoxIndirectW 7664E9C3 5 Bytes JMP 6EB86167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2240] USER32.dll!MessageBoxExA 7664EA29 5 Bytes JMP 6EB86103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2240] USER32.dll!MessageBoxExW 7664EA4D 5 Bytes JMP 6EB8609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] kernel32.dll!CreateThread 7591279D 5 Bytes JMP 6E9F7303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!CreateDialogParamW 765F9BFF 5 Bytes JMP 6EB86628 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!EnableWindow 765FA72E 5 Bytes JMP 6EA39A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!GetAsyncKeyState 765FC09A 5 Bytes JMP 6E9DDD8D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!UnhookWindowsHookEx 765FCC7B 5 Bytes JMP 6EA7EB74 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!CallNextHookEx 765FCC8F 5 Bytes JMP 6EA57BB7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DefWindowProcA 765FE0E4 7 Bytes JMP 6E9F952D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!CreateWindowExA 765FE18A 5 Bytes JMP 6EA03363 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!CreateWindowExW 76600E51 5 Bytes JMP 6EA5FF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!SetWindowsHookExW 7660210A 5 Bytes JMP 6EA32194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!GetKeyState 76604FDA 5 Bytes JMP 6E9DDC67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!IsDialogMessageW 76606F06 5 Bytes JMP 6EB86D82 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DefWindowProcW 7660724B 7 Bytes JMP 6EA57C1A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!CreateDialogParamA 76613E79 5 Bytes JMP 6EB865F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!IsDialogMessage 7661407A 5 Bytes JMP 6EB86D5A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!CreateDialogIndirectParamA 76619110 5 Bytes JMP 6EB86660 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!CreateDialogIndirectParamW 766208AD 5 Bytes JMP 6EB86698 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxIndirectParamW 76624AA7 5 Bytes JMP 6EB862BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!EndDialog 7662555C 5 Bytes JMP 6EB8702E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxParamW 7662564A 5 Bytes JMP 6E99170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!SetKeyboardState 76626B52 5 Bytes JMP 6EB87649 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!SendInput 76627055 5 Bytes JMP 6EB875F1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!SetCursorPos 7663C1D8 5 Bytes JMP 6EB876CA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxParamA 7663CF6A 5 Bytes JMP 6EB86259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxIndirectParamA 7663D29C 5 Bytes JMP 6EB86323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxIndirectA 7664E8C9 5 Bytes JMP 6EB861E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxIndirectW 7664E9C3 5 Bytes JMP 6EB86167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxExA 7664EA29 5 Bytes JMP 6EB86103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxExW 7664EA4D 5 Bytes JMP 6EB8609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!keybd_event 7664EC9B 5 Bytes JMP 6EB875AE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] SHELL32.dll!SHChangeNotification_Lock + 45BA 7675B440 4 Bytes [CF, 01, FF, 70]
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] SHELL32.dll!SHChangeNotification_Lock + 45C2 7675B448 8 Bytes [E0, 61, FE, 70, 79, F7, FE, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] ole32.dll!OleLoadFromStream 75A55BF6 5 Bytes JMP 6EB86A8C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\System32\ping.exe[3620] ntdll.dll!NtCreateProcess 77374940 5 Bytes JMP 005A000A
.text C:\Windows\System32\ping.exe[3620] ntdll.dll!NtCreateProcessEx 77374950 5 Bytes JMP 005F000A
.text C:\Windows\System32\ping.exe[3620] ntdll.dll!NtCreateUserProcess 77374A20 5 Bytes JMP 0060000A
.text C:\Windows\System32\ping.exe[3620] ntdll.dll!NtProtectVirtualMemory 773751C0 5 Bytes JMP 0043000A
.text C:\Windows\System32\ping.exe[3620] ntdll.dll!NtWriteVirtualMemory 77375D40 5 Bytes JMP 0056000A
.text C:\Windows\System32\ping.exe[3620] ntdll.dll!KiUserExceptionDispatcher 77376298 5 Bytes JMP 000B000A
.text C:\Windows\System32\ping.exe[3620] USER32.dll!GetCursorPos 765FC198 5 Bytes JMP 0094000A
.text C:\Windows\System32\ping.exe[3620] USER32.dll!GetForegroundWindow 7660565D 5 Bytes JMP 0096000A
.text C:\Windows\System32\ping.exe[3620] USER32.dll!WindowFromPoint 76626D0C 5 Bytes JMP 0095000A
.text C:\Windows\System32\ping.exe[3620] ole32.dll!CoCreateInstance 75AA590C 5 Bytes JMP 0093000A

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 90A9F000-90AB9000 (106496 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewClientID 135

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB52760$\2838521640 0 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\@ 2048 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\bckfg.tmp 849 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\cfg.ini 208 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\keywords 209 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\L 0 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\L\xadqgnnk 187904 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\U 0 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\U\80000000.@ 11264 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB52760$\2838521640\U\80000032.@ 77312 bytes
File C:\Windows\$NtUninstallKB52760$\4033401065 0 bytes
File C:\Windows\Temp\Cookies\F23XWFQ4.txt 0 bytes
File C:\Windows\Temp\Cookies\30JA9JB9.txt 0 bytes
File C:\Windows\Temp\Cookies\T0XVFV25.txt 0 bytes
File C:\Windows\Temp\Cookies\NPS39R5M.txt 515 bytes
File C:\Windows\Temp\Cookies\NRXURGCJ.txt 102 bytes
File C:\Windows\Temp\Cookies\DXQYGAS9.txt 796 bytes
File C:\Windows\Temp\Cookies\46OGCQG9.txt 1077 bytes
File C:\Windows\Temp\Cookies\A7Y5X67N.txt 248 bytes
File C:\Windows\Temp\Cookies\L0WUDSSN.txt 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\6L4IV3P5\0RkUiIEJFK_888578294[1].htm 1452 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\AMQE4PTP\fw-nonplayer-banner[1].htm 1302 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\AMQE4PTP\fw-nonplayer-banner[2].htm 1311 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\AMQE4PTP\fw-nonplayer-banner[3].htm 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD\26270-2[1].js 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD\brightroll[1].bid 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD\crossdomain[1].xml 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD\desktop.ini 67 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD\dref=http%253A%252F%252Fwww.mevio[1].js 1720 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD\dref=http%253A%252F%252Fwww.mevio[2].js 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD\fw-nonplayer-banner[1].htm 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD\fw-nonplayer-banner[2].htm 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD\iframe[1].htm 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\MDJN6GTD\log[1].gif 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\RAMKCXJX 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\RAMKCXJX\10.1_lawnmower_728x90[1].swf 39149 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\RAMKCXJX\17910-139840-40814-3[1].htm 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\RAMKCXJX\26270-2[1].js 1861 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\RAMKCXJX\634adb39facc8e80782480edc38e578b7d9a4f72[1].jpg 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\RAMKCXJX\control[1].xml 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\RAMKCXJX\crossdomain[1].xml 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\RAMKCXJX\desktop.ini 67 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\RAMKCXJX\dref=http%253A%252F%252Fwww.mevio[1].js 1716 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\RAMKCXJX\dref=http%253A%252F%252Fwww.mevio[2].js 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\WUWZHTQX\get[1].png 287 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\ZH1HCTN3\get[1].png 739 bytes

---- EOF - GMER 1.0.15 ----
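A triage pass over GMER output of the kind posted above, as an added example that is neither part of this thread nor GMER's own tooling: it walks a constructed log excerpt modelled on the lines posted and flags the driver GMER reports as modified, the hidden kernel module, user-mode hooks that jump into memory no loaded module backs, and files under the numeric subfolder of `$NtUninstallKB52760$`, while leaving Internet Explorer's own IEFRAME.dll hooks as informational and the Temp cookies unflagged. The severity and category labels are mine, not GMER's.

```python
"""Triage a GMER 1.0.15 rootkit-scan log for the indicator classes seen in this thread.

Added example, not part of the thread or of GMER: flags driver images GMER reports as
modified, hidden kernel modules, user-mode hooks that jump into memory no loaded module
backs, and files under a $NtUninstallKB...$ pseudo-hotfix directory."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the shape GMER prints, modelled on the log above (not a full log).
SAMPLE_GMER_LOG = r"""---- Kernel code sections - GMER 1.0.15 ----

.text netbt.sys 90ABA000 59 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
? C:\Windows\System32\DRIVERS\netbt.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[820] ntdll.dll!NtProtectVirtualMemory 773751C0 5 Bytes JMP 008F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2240] USER32.dll!EnableWindow 765FA72E 5 Bytes JMP 6EA39A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 90A9F000-90AB9000 (106496 bytes)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB52760$\2838521640\U\80000032.@ 77312 bytes
File C:\Windows\Temp\Cookies\NPS39R5M.txt 515 bytes
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
PE_MOD_RE = re.compile(r"^\? (?P<path>.+?) suspicious PE modification$")
HIDDEN_MODULE_RE = re.compile(r"^Module .*\*\*\* hidden \*\*\* .*?(?P<range>[0-9A-F]+-[0-9A-F]+)")
USER_HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?\[\d+\]) (?P<symbol>\S+!\S+) [0-9A-F]+ \d+ Bytes "
    r"JMP (?P<target>[0-9A-F]+)(?: (?P<module>.+))?$"
)
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")
# Windows 7 services updates through WinSxS/CBS, so a $NtUninstallKB...$ folder is already
# out of place on this host; a numeric subfolder beneath one is the layout flagged here.
PSEUDO_UNINSTALL_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\\d+(?:\\|$)")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "info" (labels chosen for this example)
    category: str
    detail: str


def triage_gmer(log_text: str) -> list[Finding]:
    """Walk the log section by section and return one Finding per notable line."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section.startswith("Kernel code sections"):
            m = PE_MOD_RE.match(line)
            if m:
                findings.append(Finding("high", "patched-driver", m.group("path")))
        elif section.startswith("User code sections"):
            m = USER_HOOK_RE.match(line)
            if not m:
                continue
            where = f"{m.group('proc')} {m.group('symbol')}"
            if m.group("module") is None:
                # JMP to an address GMER cannot attribute to any loaded module: the
                # footprint of injected code hooking the process from unbacked memory.
                findings.append(Finding("high", "unbacked-hook", f"{where} -> {m.group('target')}"))
            else:
                # A jump into a named vendor module (IEFRAME.dll inside iexplore.exe here)
                # is the browser's own USER32 hooking; record it, do not flag it.
                findings.append(Finding("info", "module-hook", f"{where} -> {m.group('module')}"))
        elif section.startswith("Modules"):
            m = HIDDEN_MODULE_RE.match(line)
            if m:
                findings.append(Finding("high", "hidden-module", m.group("range")))
        elif section.startswith("Files"):
            m = FILE_RE.match(line)
            if m and PSEUDO_UNINSTALL_RE.search(m.group("path")):
                findings.append(Finding("high", "pseudo-uninstall-dir", m.group("path")))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings by severity, e.g. {"high": 4, "info": 1} for the sample."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage_gmer(SAMPLE_GMER_LOG):
        print(f"[{f.severity:4}] {f.category:22} {f.detail}")
```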

#4 myrti

  • Malware Study Hall Admin

Posted 06 January 2012 - 11:53 AM

Hi,

Please run ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#5 myrti

  • Malware Study Hall Admin

Posted 12 January 2012 - 09:00 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



#6 Budapest

  • Moderator

Posted 12 January 2012 - 05:04 PM

This topic has been re-opened at the request of the person who originally posted.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 soozabelle

soozabelle
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:02:21 PM

Posted 12 January 2012 - 05:51 PM

ComboFix 12-01-12.04 - pc 01/12/2012 17:33:55.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2999.2251 [GMT -5:00]
Running from: c:\users\pc\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\pc\g2mdlhlpx.exe
c:\windows\$NtUninstallKB52760$\2838521640\@
c:\windows\$NtUninstallKB52760$\2838521640\bckfg.tmp
c:\windows\$NtUninstallKB52760$\2838521640\cfg.ini
c:\windows\$NtUninstallKB52760$\2838521640\Desktop.ini
c:\windows\$NtUninstallKB52760$\2838521640\keywords
c:\windows\$NtUninstallKB52760$\2838521640\kwrd.dll
c:\windows\$NtUninstallKB52760$\2838521640\L\xadqgnnk
c:\windows\$NtUninstallKB52760$\2838521640\lsflt7.ver
c:\windows\$NtUninstallKB52760$\2838521640\U\00000001.@
c:\windows\$NtUninstallKB52760$\2838521640\U\00000002.@
c:\windows\$NtUninstallKB52760$\2838521640\U\00000004.@
c:\windows\$NtUninstallKB52760$\2838521640\U\80000000.@
c:\windows\$NtUninstallKB52760$\2838521640\U\80000004.@
c:\windows\$NtUninstallKB52760$\2838521640\U\80000032.@
c:\windows\$NtUninstallKB52760$\4033401065
c:\windows\$NtUninstallKB52760$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
.
.
2012-01-12 22:42 . 2012-01-12 22:42 -------- d-----w- c:\users\pc\AppData\Local\temp
2012-01-12 22:42 . 2012-01-12 22:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-12 22:30 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-26 16:41 . 2011-12-26 16:43 -------- d-----w- c:\program files\LeapFrog
2011-12-26 16:41 . 2011-12-26 16:41 -------- d-----w- c:\programdata\Leapfrog
2011-12-21 04:53 . 2011-12-21 04:53 -------- d-----w- c:\program files\CCleaner
2011-12-19 17:06 . 2011-12-19 17:06 -------- d-----w- c:\users\pc\AppData\Local\Google
2011-12-19 17:06 . 2011-12-19 17:06 -------- d-----w- c:\program files\Google
2011-12-18 14:14 . 2011-12-18 14:14 -------- d-----w- c:\windows\Sun
2011-12-14 13:26 . 2011-11-24 04:23 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 13:26 . 2011-11-05 04:30 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 13:26 . 2011-10-15 05:48 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 13:26 . 2011-10-26 04:25 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 13:26 . 2011-10-26 04:42 3901808 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 13:26 . 2011-10-26 04:42 3957104 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-26 16:44 . 2011-07-11 18:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2011-09-01 03:43 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-21 10:47 . 2011-12-13 12:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FFCF40E3-3D3A-48BC-AA0B-556C1207FCAA}\mpengine.dll
2011-11-07 15:30 . 2011-03-28 23:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-23 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-23 169496]
"Reader Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-12-19 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-12-19 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-14 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2010-01-20 23136]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-04-23 132480]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-04-23 232960]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-19 17:06]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-19 17:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:4c,95,53,a0,16,bd,cc,01
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\taskhost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-01-12 17:47:27 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-12 22:47
.
Pre-Run: 264,001,757,184 bytes free
Post-Run: 263,885,283,328 bytes free
.
- - End Of File - - 9B778A1BD0A85819030A849324981534
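The log above is written in ComboFix's fixed text layout (section banners in parentheses, one item per line, lone dots as padding), so it can be parsed mechanically when several such logs have to be triaged. As an added example that is not code from this thread or from ComboFix, here is a Python parser for the "Other Deletions", file-listing and "Reg Loading Points" sections. SAMPLE_LOG is an excerpt copied from the log above; the regular expressions are assumptions derived from that log's visible layout, not from a published format specification.

```python
# Added example: a parser for the main sections of a ComboFix log. It is not
# code from this thread or from ComboFix; SAMPLE_LOG is an excerpt copied from
# the log posted above, trimmed to a few lines per section.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")  # "(((( Section name ))))"
FILE_RE = re.compile(  # "<modified> . <created> <size or dashes> <attrs> <path>"
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\S+) (?P<size>\d+)\]$')
FAILED_MARK = " . . . . Failed to delete"

@dataclass
class FileEntry:
    section: str         # "Files Created ..." or "Find3M Report"
    modified: str
    created: str
    size: Optional[int]  # None where ComboFix prints dashes (directories in the log above)
    attrs: str
    path: str

@dataclass
class RunEntry:
    key: str             # registry key the autorun value lives under
    name: str
    path: str
    date: str
    size: int

@dataclass
class ComboFixReport:
    deleted: List[str] = field(default_factory=list)
    failed_deletes: List[str] = field(default_factory=list)
    files: List[FileEntry] = field(default_factory=list)
    run_entries: List[RunEntry] = field(default_factory=list)

def parse_combofix(text: str) -> ComboFixReport:
    """Walk the log line by line, dispatching on the current section banner."""
    rep, section, key = ComboFixReport(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # ComboFix pads sections with lone dots
            continue
        if (m := SECTION_RE.match(line)):
            section, key = m.group("name"), None
            continue
        if line.startswith(("---", "Contents of", "*****")):
            section = None  # supplementary sections: not parsed here
            continue
        if section == "Other Deletions":
            if line.endswith(FAILED_MARK):
                rep.failed_deletes.append(line[:-len(FAILED_MARK)])
            else:
                rep.deleted.append(line)
        elif section and (section.startswith("Files Created") or section == "Find3M Report"):
            if (m := FILE_RE.match(line)):
                size = m.group("size")
                rep.files.append(FileEntry(section, m.group("modified"), m.group("created"),
                                           None if size.startswith("-") else int(size),
                                           m.group("attrs"), m.group("path")))
        elif section == "Reg Loading Points":
            if (m := KEY_RE.match(line)):
                key = m.group("key")
            elif key and (m := RUN_RE.match(line)):
                rep.run_entries.append(RunEntry(key, m.group("name"), m.group("path"),
                                                m.group("date"), int(m.group("size"))))
    return rep

def deletions_by_parent(rep: ComboFixReport) -> Dict[str, int]:
    """Count removed items per parent folder; a cluster under one folder stands out."""
    return dict(Counter(p.rsplit("\\", 1)[0] for p in rep.deleted))

# Constructed sample: an excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((( Other Deletions )))))))))))
c:\users\pc\g2mdlhlpx.exe
c:\windows\$NtUninstallKB52760$\2838521640\@
c:\windows\$NtUninstallKB52760$\2838521640\cfg.ini
c:\windows\$NtUninstallKB52760$\2838521640\U\00000001.@
c:\windows\$NtUninstallKB52760$\4033401065
c:\windows\$NtUninstallKB52760$ . . . . Failed to delete
((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))
2012-01-12 22:42 . 2012-01-12 22:42 -------- d-----w- c:\users\pc\AppData\Local\temp
2012-01-12 22:30 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
((((((((((( Reg Loading Points )))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
------- Supplementary Scan -------
"""
```

Calling parse_combofix(SAMPLE_LOG) and then deletions_by_parent on the result shows the cluster of removed items under the single $NtUninstallKB52760$ folder, the same folder ComboFix reports it could not delete; a leftover like that is exactly what the follow-up scans requested later in the thread are meant to confirm is gone. Lines that do not fit a section's layout (service lines, policy values, the "*Note*" and REGEDIT4 lines) are skipped rather than guessed at.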

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:21 PM

Posted 12 January 2012 - 06:00 PM

Hi,

how is the PC doing?

regards myrti



#9 soozabelle

soozabelle
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:02:21 PM

Posted 13 January 2012 - 11:54 PM

I think it's fixed! (Knock on wood...) :) Thanks for the help!

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:21 PM

Posted 14 January 2012 - 08:32 AM

Cool! Please run a scan with Eset to check for leftovers:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Also run a scan with gmer again, please.

Edited by myrti, 14 January 2012 - 10:21 AM.



#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:21 PM

Posted 29 January 2012 - 09:07 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





