ad.yieldmanager.com infection - Help needed [RESOLVED]



#1 Clareman (New Member)

Hi,

My PC started to develop a behavior consistent with an ad.yieldmanager.com infection. Some sites are redirected, several pop-ups with security warnings, etc. I'm running McAfee SecurityCenter 8.0 with signatures updated, plus Ad-Aware and Windows Defender.

I am attaching a HJT logfile taken with my PC in safe mode.

I will appreciate any help on how to clean this pesky malware.

Thanks,
Clareman

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:59:22, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=5070327
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ie...html?channel=ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie...html?channel=ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ie...html?channel=ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=5070327
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on AIJ] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P38 "Auto EPSON Stylus CX6600 Series on AIJ" /O11 "\\AIJ\EPSON" /M "Stylus CX6600"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /M "Stylus CX6600" /EF "HKCU"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe
O4 - Global Startup: AutoMailer Freeware.lnk = C:\Program Files\AutoMailer Freeware\automail.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\Mozy\mozystat.exe
O4 - Global Startup: Yahoo! Autosync.lnk = C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Pictures - {C7486E80-B111-4768-995E-23CF307346FC} - C:\Program Files\UnH Solutions\Flash and Pics Control\FPCButton.dll (HKCU)
O9 - Extra button: (no name) - {FD424F56-B38D-4190-94D1-C2B4E91C9A17} - C:\Program Files\UnH Solutions\Flash and Pics Control\FlashPicsControl.exe (HKCU)
O9 - Extra 'Tools' menuitem: Flash and Pics Control - {FD424F56-B38D-4190-94D1-C2B4E91C9A17} - C:\Program Files\UnH Solutions\Flash and Pics Control\FlashPicsControl.exe (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritag...EngineQuery.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175805985859
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: McAfee Application Installer Cleanup (0003411208538502) (0003411208538502mcinstcleanup) - Unknown owner - C:\DOCUME~1\Yaacov\LOCALS~1\Temp\000341~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 10818 bytes


#2 greyknight17 (Malware Expert, Visiting Consultant)

Hi Clareman and welcome to GTG.

Will this computer run in Normal Mode?

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3 Clareman (Topic Starter)

Hi Greyknight and thanks for your help,

> Will this computer run in Normal Mode?

Yes, it runs normally in Normal mode. The HJT was produced with Safe mode though (for no particular reason). Do you need another one under Normal mode?

> Double-click combofix.exe & follow the prompts.

See below. It triggered some scary messages from my antivirus program - McAfee Security Centre - about registry changes and a false positive for the Av-Test.txt file (EICAR false positive), and after generating the log file it froze my PC so I had to reboot. A bit of a scare, but everything seems to be working fine. Here is the log:

ComboFix 08-04-22.5 - Yaacov 2008-04-23 23:54:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1344 [GMT 1:00]
Running from: C:\Documents and Settings\Yaacov\My Documents\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-20 09:43 . 2008-04-21 21:19 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-19 23:30 . 2008-04-20 09:55 <DIR> d-------- C:\Program Files\SpywareGuard
2008-04-19 21:29 . 2008-04-19 21:23 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-19 21:12 . 2008-04-19 21:12 <DIR> d-------- C:\Program Files\CleanUp!
2008-04-19 20:38 . 2008-04-19 20:38 <DIR> d-------- C:\fsaua.data
2008-04-19 14:23 . 2008-04-19 23:20 <DIR> d-------- C:\Program Files\Panda Security
2008-04-19 14:01 . 2008-04-19 14:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-19 09:56 . 2008-04-19 09:56 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-19 00:17 . 2008-04-19 00:17 61,224 --a------ C:\Documents and Settings\Yaacov\GoToAssistDownloadHelper.exe
2008-04-18 23:32 . 2008-04-18 23:32 <DIR> d-------- C:\Documents and Settings\Yaacov\Application Data\McAfee
2008-04-18 18:08 . 2008-04-20 20:02 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-18 18:08 . 2008-04-18 18:08 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-18 18:08 . 2008-04-18 18:08 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-18 18:08 . 2008-04-23 23:51 <DIR> d-------- C:\Documents and Settings\Yaacov\Application Data\SiteAdvisor
2008-04-18 18:08 . 2008-04-19 00:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-18 18:08 . 2008-04-18 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-18 18:08 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-18 18:08 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-18 18:08 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-18 18:08 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-18 18:08 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-18 18:08 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-17 21:34 . 2008-04-17 21:34 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-16 23:44 . 2008-04-16 23:44 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-06 11:48 . 2008-04-06 11:48 <DIR> d-------- C:\Program Files\iPod
2008-04-05 15:54 . 2008-04-23 23:58 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-04-04 16:57 . 2007-12-29 17:08 <DIR> d--h----- C:\Documents and Settings\FS\Application Data\Gtek
2008-04-04 16:57 . 2007-11-27 14:38 <DIR> d-------- C:\Documents and Settings\FS\Application Data\ATI
2008-04-04 16:57 . 2008-04-04 16:57 <DIR> d-------- C:\Documents and Settings\FS
2008-04-04 16:57 . 2008-04-23 23:54 1,024 --ah----- C:\Documents and Settings\FS\ntuser.dat.LOG
2008-03-31 22:25 . 2008-03-31 22:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 22:25 . 2008-03-31 22:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 22:25 . 2008-03-31 22:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 22:25 . 2008-03-31 22:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 22:25 . 2008-03-31 22:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 22:25 . 2008-03-31 22:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-30 14:12 . 2008-03-30 14:12 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-24 20:45 . 2008-03-24 20:45 630,784 --a------ C:\WINDOWS\system32\divxdec.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 22:40 --------- d-----w C:\Program Files\DigiGuide TV Guide
2008-04-22 06:22 --------- d-----w C:\Documents and Settings\Yaacov\Application Data\Azureus
2008-04-21 20:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 10:05 --------- d-----w C:\Documents and Settings\Yaacov\Application Data\UpdateStar
2008-04-19 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-04-18 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-18 21:29 --------- d-----w C:\Program Files\Azureus
2008-04-18 17:08 --------- d-----w C:\Program Files\McAfee
2008-04-18 17:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-18 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-16 23:05 --------- d-----w C:\Program Files\Winamp
2008-04-16 22:44 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-16 22:44 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-04-16 22:44 --------- d-----w C:\Program Files\Common Files\Real
2008-04-16 21:51 --------- d-----w C:\Documents and Settings\Yaacov\Application Data\DVD Flick
2008-04-09 22:48 --------- d-----w C:\Program Files\DivX
2008-04-06 10:58 --------- d-----w C:\Documents and Settings\Yaacov\Application Data\Any Video Converter
2008-04-06 10:48 --------- d-----w C:\Program Files\iTunes
2008-04-06 10:47 --------- d-----w C:\Program Files\QuickTime
2008-04-05 19:12 148 ----a-w C:\map.bat
2008-04-04 23:15 --------- d-----w C:\Program Files\eMule
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-13 09:47 --------- d-----w C:\Documents and Settings\Yaacov\Application Data\PushSyncData
2008-03-13 09:47 --------- d-----w C:\Documents and Settings\Yaacov\Application Data\AutoSync for Yahoo
2008-03-13 09:46 --------- d-----w C:\Program Files\Yahoo!
2008-03-13 09:46 --------- d-----w C:\Program Files\Common Files\Intellisync
2008-03-12 15:50 --------- d-----w C:\Program Files\Millennia
2008-03-12 15:50 --------- d-----w C:\Documents and Settings\Yaacov\Application Data\Millennia
2008-03-11 23:25 --------- d-----w C:\Program Files\Picasa2
2008-03-08 18:29 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2008-03-08 18:29 --------- d-----w C:\Program Files\Gabest
2008-03-08 18:29 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-08 18:29 --------- d-----w C:\Program Files\AutoGK
2008-03-08 15:15 --------- d-----w C:\Program Files\Any Video Converter
2008-03-08 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-06 00:01 --------- d-----w C:\Program Files\Dell Support Center
2008-03-06 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-03-05 23:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-01 17:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-27 14:42 --------- d-----w C:\Program Files\DVD Flick
2008-02-26 05:51 2,863,616 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-02-26 05:51 2,863,616 ----a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
2008-02-26 03:12 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-02-26 03:10 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-02-26 03:02 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-02-26 03:02 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-02-26 03:01 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-02-26 03:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-02-26 03:01 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-02-26 03:00 520,192 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-02-26 02:59 9,797,632 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-02-26 02:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-02-26 02:29 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-02-26 02:25 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-02-26 02:23 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-02-26 02:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-02-26 02:21 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-02-26 02:19 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-02-25 20:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-02-24 20:58 --------- d-----w C:\Program Files\Sony
2008-02-24 20:07 --------- d-----w C:\Documents and Settings\Yaacov\Application Data\Sony Corporation
2008-02-24 19:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-24 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-18 08:38 479 ----a-w C:\backup1.bat
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-01-29 11:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-12-04 18:40 59,656 ----a-w C:\Documents and Settings\Yaacov\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@={747E722C-CB46-4A9D-BDFE-192AAD5099B1}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2008-01-05 00:47 2389296 --a------ C:\Program Files\Mozy\mozyshell.dll

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2008-01-05 00:47 2389296 --a------ C:\Program Files\Mozy\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]
"EPSON Stylus CX6600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.exe" [2004-03-01 04:00 98304]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 02:23 443968]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 10:20 282624 C:\WINDOWS\stsystra.exe]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49 1121280]
"Auto EPSON Stylus CX6600 Series on AIJ"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.exe" [2004-03-01 04:00 98304]
"EPSON Stylus CX6600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.exe" [2004-03-01 04:00 98304]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 13:01 1037736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 22:57 36640]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 02:23 443968]

C:\Documents and Settings\Yaacov\Start Menu\Programs\Startup\
DigiGuide TV Guide.lnk - C:\Program Files\DigiGuide TV Guide\Client.exe [2007-08-25 15:01:57 180224]
PopTray.lnk - C:\Program Files\PopTray\PopTray.exe [2006-09-16 14:01:16 1666048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoMailer Freeware.lnk - C:\Program Files\AutoMailer Freeware\automail.exe [2004-06-15 16:15:29 970752]
MozyHome Status.lnk - C:\Program Files\Mozy\mozystat.exe [2007-07-27 20:54:11 1877296]
Yahoo! Autosync.lnk - C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-08-21 15:28:52 391680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\Storage System Console\\ServerDiscover.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 mozyFilter;mozyFilter;C:\WINDOWS\system32\DRIVERS\mozy.sys [2008-01-05 00:47]
S2 0003411208538502mcinstcleanup;McAfee Application Installer Cleanup (0003411208538502);C:\DOCUME~1\Yaacov\LOCALS~1\Temp\000341~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 iScsiPrt;iScsiPort Driver;C:\WINDOWS\system32\DRIVERS\msiscsi.sys [2007-08-13 13:15]

*Newly Created Service* - CATCHME
*Newly Created Service* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 00:45:28 C:\WINDOWS\Tasks\backup_dell9200.job"
- C:\backup_dell9200.bat
"2008-04-18 17:08:18 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-18 17:08:17 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-04-19 23:01:29 C:\WINDOWS\Tasks\Monthly.job"
- C:\Daily\Monthly.cmd
"2008-04-23 22:40:17 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-23 22:40:48 C:\WINDOWS\Tasks\User_Feed_Synchronization-{6D0C36CF-B3F1-4EE8-BCA8-E9C34B4A31DA}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 23:58:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus CX6600 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /M "Stylus CX6600" /EF "HKCU"????????????????????????????????????????p???W?D~0?A~????*?A~??A~??????C~?????????????????0U???A~????????????????????T???????????W?D~??A~??????A~??A~?/U???????????A~???????????????????????????????|?????????/U???????????????C~s?A~??A~-?B~????????????R???????????&???????$???????????4????YB~????????????????????????????????T????YB~????????????+S??????????????X?C~????????????j?C~????????8???????????`??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-23 23:59:06
ComboFix-quarantined-files.txt 2008-04-23 22:58:58

Pre-Run: 198,749,851,648 bytes free
Post-Run: 198,998,290,432 bytes free

261 --- E O F --- 2008-04-23 22:41:52

#4 greyknight17 (Malware Expert, Visiting Consultant)

Don't see much here that might be causing problems.

Is it consistently happening to certain sites? Can you post the sites where you are being redirected? Also, where are they redirecting you to (site address)? For the popups that you get, are you sure it's not built into the site itself? What sites do you visit that have this issue and what are the popups related to?

Uninstall Kontiki via the Add/Remove Programs panel.

Do you know what C:\map.bat is for? If not, right click on that file and choose Edit. Copy and paste the contents of that file here. Same applies for C:\backup1.bat

Also, do you know what these two backup jobs are for?
"2008-04-22 00:45:28 C:\WINDOWS\Tasks\backup_dell9200.job"
- C:\backup_dell9200.bat

"2008-04-19 23:01:29 C:\WINDOWS\Tasks\Monthly.job"
- C:\Daily\Monthly.cmd

What's inside this folder? -> C:\fsaua.data

#5 Clareman (Topic Starter)

Hi,

> Don't see much here that might be causing problems.

In fact, it's been a couple of days since it stopped completely.

> Is it consistently happening to certain sites?

It happened mostly with mail.yahoo.com and redirected to a "page can't be found", after the message "The current Web page is trying to open a site in your Trusted sites list. Do you want to allow this? ad.yieldmanager.com"... Maybe it was not an infection after all?

> Uninstall Kontiki via the Add/Remove Programs panel.

This must be residual of Sky Anytime (TV over Broadband), which I removed via Control Panel a while ago. I see no entry for Kontiki in the Control Panel.

> C:\map.bat is for? (backup1.bat, backup_dell9200.job, Monthly.job, Monthly.cmd)

Yes, all are processes I use/used for automated batch activity. I recognise all of them.

> What's inside this folder? -> C:\fsaua.data

It's empty. This is a residual folder from F-Secure (one of the online scans I run trying to determine if I have an infection).

With no incidents during the last couple of days and your comments about my PC being clean, I am happy to close this thread. If it happens again, I will open a new one referring to this post.

Thanks for your great advice!

Clareman

#6 greyknight17 (Malware Expert, Visiting Consultant)

No problem Clareman. Glad the issue is now resolved.

If you want, check in your browser to see if ad.yieldmanager.com or some other similar address is listed in your trusted zone. It could also be another program that's trying to stop this. If you have other security programs, they may interfere with this.

If you want, you may also run this temp folder and cookies cleaning tool:

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

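The Trusted Zone check suggested above can also be done against the HijackThis log itself. The following Python script is an added example and is not part of this thread or of HijackThis: it parses HJT entry lines, reports O15 Trusted Zone hosts that fall outside a hypothetical allow-list, and lists orphaned "(no file)" entries and O16 ActiveX downloads. Its sample log is assembled from lines in the poster's HJT log plus one constructed O15 line for ad.yieldmanager.com that does not appear in the real log.

```python
"""Audit a HijackThis (HJT) log for the points raised in this thread.

Added example, not part of the thread or of HijackThis. It checks three things a
reviewer looks at in a log like the one posted: O15 Trusted Zone entries that are
not on an expected allow-list, entries whose target is "(no file)", and O16 DPF
(downloaded ActiveX) entries.
"""
import re
from dataclasses import dataclass

# Hypothetical allow-list: the only vendor domain the thread's log shows in the
# Trusted Zone. Anything else found in the zone is reported for review.
TRUSTED_ZONE_ALLOWLIST = {"mcafee.com"}

# Constructed sample: lines copied from the thread's HJT log plus ONE constructed
# O15 line (ad.yieldmanager.com) that is NOT in the poster's log; it models the
# situation greyknight17 asks the poster to check for.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://ad.yieldmanager.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
"""

# HJT entry lines look like "<code> - <body>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass
class HjtEntry:
    code: str   # HJT section code, e.g. "O2", "O15"
    body: str   # everything after "<code> - "


def parse_hjt(text: str) -> list[HjtEntry]:
    """Return the R*/F*/N*/O* entries of an HJT log; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def _host(url: str) -> str:
    """Reduce a zone URL such as 'http://*.mcafee.com' to its host part."""
    no_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.IGNORECASE)
    return no_scheme.split("/", 1)[0].lower()


def trusted_zone_hosts(entries: list[HjtEntry]) -> list[str]:
    """Hosts listed by O15 'Trusted Zone' entries, in log order."""
    hosts = []
    for e in entries:
        if e.code == "O15" and e.body.startswith("Trusted Zone:"):
            hosts.append(_host(e.body.split(":", 1)[1]))
    return hosts


def _allowed(host: str, allowlist: set[str]) -> bool:
    """A host is allowed if it is, or is a subdomain of, an allow-listed domain."""
    bare = host[2:] if host.startswith("*.") else host
    return any(bare == d or bare.endswith("." + d) for d in allowlist)


def unexpected_trusted_zones(entries, allowlist=TRUSTED_ZONE_ALLOWLIST) -> list[str]:
    """Trusted Zone hosts not covered by the allow-list: each one needs a look."""
    return [h for h in trusted_zone_hosts(entries) if not _allowed(h, allowlist)]


def orphaned_entries(entries) -> list[HjtEntry]:
    """Entries whose target file is gone; harmless, but worth removing to reduce noise."""
    return [e for e in entries if e.body.endswith("(no file)")]


def activex_downloads(entries) -> list[HjtEntry]:
    """O16 DPF entries: ActiveX controls IE downloaded; each should be recognisable."""
    return [e for e in entries if e.code == "O16"]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for h in unexpected_trusted_zones(found):
        print("Trusted Zone entry to review:", h)
    for e in orphaned_entries(found):
        print("Orphaned entry (no file):", e.code, e.body)
    for e in activex_downloads(found):
        print("Downloaded ActiveX control:", e.body)
```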

#7 greyknight17 (Malware Expert, Visiting Consultant)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.