
Search Engine Redirect Virus [Solved]


This topic is locked

#31 knichols05 (Topic Starter, Member, 36 posts)
Hey, sorry but I don't see any button that says "copy to clipboard". My two posts above include everything that site gave me though.
Also, after running the scan I see no extra buttons or anything like that so I'll just post my log.
#32 knichols05 (Topic Starter, Member, 36 posts)
Dr. Web Log:

7da111c732e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da111c732e0.bup;Probably Trojan.Packed.639;;
7da111c732e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da11cf741f0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da11cf741f0.bup;Trojan.Siggen.3283;;
7da11cf741f0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da213161c33da0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da213161c33da0.bup;Trojan.Fakealert.12532;;
7da213161c33da0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da213161c3438a0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da213161c3438a0.bup;Trojan.Fakealert.12532;;
7da213161c3438a0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da21a4752e70.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da21a4752e70.bup;Probably Trojan.Packed.1070;;
7da21a4752e70.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da25f20381f0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da25f20381f0.bup;Trojan.Virtumod.5277;;
7da25f20381f0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da35f238cb0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da35f238cb0.bup;Win32.HLLW.Facebook.576;;
7da35f238cb0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da3c451e2800.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da3c451e2800.bup;Win32.HLLW.Facebook.576;;
7da3c451e2800.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b122d152c20.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b122d152c20.bup;Trojan.Oficla.38;;
7da5b122d152c20.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b122d3b2d10.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b122d3b2d10.bup;Trojan.Siggen1.28786;;
7da5b122d3b2d10.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b122d3b3bc0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b122d3b3bc0.bup;Trojan.Siggen1.28786;;
7da5b122d3b3bc0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b122e512c0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b122e512c0.bup;Trojan.Siggen1.28786;;
7da5b122e512c0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b122e513b0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b122e513b0.bup;Trojan.Siggen1.28786;;
7da5b122e513b0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b161f1a3e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b161f1a3e0.bup;Trojan.DisableSR.8;;
7da5b161f1a3e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b1620273c80.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b1620273c80.bup;Trojan.DisableSR.8;;
7da5b1620273c80.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b1622203990.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b1622203990.bup;Trojan.Siggen1.28786;;
7da5b1622203990.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b1622203e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b1622203e0.bup;Trojan.Siggen1.28786;;
7da5b1622203e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b162243990.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b162243990.bup;Trojan.DisableSR.8;;
7da5b162243990.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5b1622600.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5b1622600.bup;Trojan.Fakealert.15431;;
7da5b1622600.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5c026202320.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5c026202320.bup;Trojan.Oficla.38;;
7da5c026202320.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5c026212900.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5c026212900.bup;Trojan.Collector.150;;
7da5c026212900.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5c0262134b0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5c0262134b0.bup;Trojan.MulDrop1.18127;;
7da5c0262134b0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5c02621fa0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5c02621fa0.bup;Trojan.DownLoad1.42497;;
7da5c02621fa0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5c026241770.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5c026241770.bup;Trojan.DownLoad1.42497;;
7da5c026241770.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
mraid35x.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers;BackDoor.Tdss.2459;Cured.;
A0000009.sys;C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1;BackDoor.Tdss.2459;Cured.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App17981\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;D:\i386\Apps\App17981\comps\coach;Archive contains infected objects;Moved.;
tssetup.exe\aoltsmon.dll;D:\i386\Apps\App17981\comps\tpspd\tssetup.exe;Probably DLOADER.Trojan;;
tssetup.exe;D:\i386\Apps\App17981\comps\tpspd;Container contains infected objects;Moved.;
A0011035.exe\core.cab\GTDOWNAO_106.ocx;D:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1\A0011035.exe;Adware.Gdown;;
A0011035.exe;D:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1;Archive contains infected objects;Moved.;
A0011036.exe\aoltsmon.dll;D:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1\A0011036.exe;Probably DLOADER.Trojan;;
A0011036.exe;D:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1;Container contains infected objects;Moved.;
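A small triage script for the Dr.Web log format above, added here as an example and not part of the thread or of any tool it mentions. It parses the object;location;verdict;action rows, drops the container rows (the member row carries the real verdict) and buckets each hit by whether it sat in an AV quarantine, a ComboFix quarantine, a System Restore point, or a live path. The sample rows are copied from the log posted above; the bucket names are my own.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: six rows copied from the Dr.Web CureIt log posted above.
# Each row is object;location;verdict;action; (note the trailing ';').
SAMPLE_DRWEB_LOG = r"""
7da111c732e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da111c732e0.bup;Probably Trojan.Packed.639;;
7da111c732e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
mraid35x.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers;BackDoor.Tdss.2459;Cured.;
A0000009.sys;C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1;BackDoor.Tdss.2459;Cured.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App17981\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;D:\i386\Apps\App17981\comps\coach;Archive contains infected objects;Moved.;
"""


def classify_location(path: str) -> str:
    """Bucket a detection by where it sat: copies that are already neutralised
    (AV or ComboFix quarantine, System Restore points) versus a live file."""
    p = path.lower()
    if r"\virusscan\quarantine" in p:
        return "av-quarantine"
    if r"\qoobox\quarantine" in p:
        return "combofix-quarantine"
    if r"system volume information\_restore" in p:
        return "restore-point"
    return "live"


def parse_drweb_log(text: str) -> List[Dict[str, str]]:
    """Split each non-empty row on ';' into object, location, verdict, action."""
    entries = []
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        obj, location, verdict, action = parts[:4]
        entries.append({
            "object": obj,
            "location": location,
            "verdict": verdict,
            "action": action.rstrip("."),  # "Moved." -> "Moved"; "" stays ""
            "category": classify_location(location),
        })
    return entries


def triage(entries: List[Dict[str, str]]) -> Tuple[Dict[str, int], List[Dict[str, str]]]:
    """Drop container rows (the member row carries the real verdict), count the
    remaining hits per location bucket, and return the live hits separately."""
    hits = [e for e in entries if "contains infected objects" not in e["verdict"]]
    by_bucket = Counter(e["category"] for e in hits)
    live = [e for e in hits if e["category"] == "live"]
    return dict(by_bucket), live


if __name__ == "__main__":
    buckets, live_hits = triage(parse_drweb_log(SAMPLE_DRWEB_LOG))
    print("hits per bucket:", buckets)
    for hit in live_hits:
        print("LIVE:", hit["verdict"], "in", hit["location"] + "\\" + hit["object"])
```

On the full log above, nearly every row lands in the McAfee quarantine or a restore point; the rows worth a second look are the ones outside those folders.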

#33 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Let's try disabling the proxy on your browsers.

Hi knichols05,

Step 1

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

Step 2

  • Start Firefox
  • Go to Tools -> Options...
  • Select the Advanced icon
  • Select the Network tab and click the Settings... button
  • On the new dialog box select No proxy and click the OK button.
  • Click the OK button once more to close the Options dialog box

Step 3

Please try the PC and tell me how your system is now.

#34 knichols05 (Topic Starter, Member, 36 posts)
I have no proxy running in either internet explorer or firefox. If it makes any difference, I'm running in safe mode.

#35 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi knichols05,

Let me remove the proxy then...

Step 1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    FF - prefs.js..network.proxy.backup.ftp: "41.234.203.183"
    FF - prefs.js..network.proxy.backup.ftp_port: 80
    FF - prefs.js..network.proxy.backup.gopher: "41.234.203.183"
    FF - prefs.js..network.proxy.backup.gopher_port: 80
    FF - prefs.js..network.proxy.backup.socks: "41.234.203.183"
    FF - prefs.js..network.proxy.backup.socks_port: 80
    FF - prefs.js..network.proxy.backup.ssl: "41.234.203.183"
    FF - prefs.js..network.proxy.backup.ssl_port: 80
    FF - prefs.js..network.proxy.ftp: "41.234.203.183"
    FF - prefs.js..network.proxy.ftp_port: 80
    FF - prefs.js..network.proxy.gopher: "41.234.203.183"
    FF - prefs.js..network.proxy.gopher_port: 80
    FF - prefs.js..network.proxy.http: "41.234.203.183"
    FF - prefs.js..network.proxy.http_port: 80
    FF - prefs.js..network.proxy.share_proxy_settings: true
    FF - prefs.js..network.proxy.socks: "41.234.203.183"
    FF - prefs.js..network.proxy.socks_port: 80
    FF - prefs.js..network.proxy.ssl: "41.234.203.183"
    FF - prefs.js..network.proxy.ssl_port: 80
    
    :Commands
    [purity]
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log it produces in your next reply.

Step 2

Please boot Windows in normal mode after the fix above. How is your system doing now?
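The proxy entries the OTL fix above strips from prefs.js are the kind of thing a defender can check for directly. The following is an added example, not from the thread or from OTL: it parses user_pref lines from a Firefox prefs.js and reports every network.proxy.* host or URL setting that is not on an allowlist. The sample prefs.js is constructed from the pref names and the 41.234.203.183:80 values shown in the fix; the allowlist parameter is my own.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed sample prefs.js, modelled on the entries the OTL fix removed:
# every per-protocol proxy (and the backup copy Firefox keeps when
# share_proxy_settings is on) pointed at 41.234.203.183:80.
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com");
user_pref("network.proxy.backup.ftp", "41.234.203.183");
user_pref("network.proxy.backup.ftp_port", 80);
user_pref("network.proxy.http", "41.234.203.183");
user_pref("network.proxy.http_port", 80);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks", "41.234.203.183");
user_pref("network.proxy.socks_port", 80);
user_pref("network.proxy.ssl", "41.234.203.183");
user_pref("network.proxy.ssl_port", 80);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# network.proxy.* keys whose value is a string but is not a proxy target
# (no_proxies_on is the bypass list).
NON_HOST_STRING_KEYS = {"network.proxy.no_proxies_on"}


def parse_prefs(text: str) -> Dict[str, object]:
    """Parse user_pref(...) lines into a dict of str / int / bool values."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def find_proxy_hijack(prefs: Dict[str, object],
                      allowed_hosts: FrozenSet[str] = frozenset()) -> List[dict]:
    """Return every network.proxy.* host/URL setting not on the allowlist.

    *_port keys, the integer network.proxy.type and the boolean
    share_proxy_settings carry no host, so they are skipped; each finding
    picks up its matching *_port value when one exists.
    """
    findings = []
    for key in sorted(prefs):
        value = prefs[key]
        if not key.startswith("network.proxy.") or key.endswith("_port"):
            continue
        if key in NON_HOST_STRING_KEYS or not isinstance(value, str) or not value:
            continue
        if value in allowed_hosts:
            continue
        findings.append({"pref": key, "host": value, "port": prefs.get(key + "_port")})
    return findings


def report(text: str, allowed_hosts: FrozenSet[str] = frozenset()) -> List[str]:
    """One human-readable line per suspicious proxy entry."""
    return [f'{f["pref"]} -> {f["host"]}:{f["port"]}'
            for f in find_proxy_hijack(parse_prefs(text), allowed_hosts)]


if __name__ == "__main__":
    for line in report(SAMPLE_PREFS_JS):
        print(line)
```

Run it against the real prefs.js in the profile directory ComboFix lists later in the thread (c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\...\prefs.js); an empty report after the fix confirms the entries are gone.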

#36 knichols05 (Topic Starter, Member, 36 posts)
I'm in normal mode. The computer is running slowly (possibly unrelated) and the screen resolution seems to have changed.
I still am getting redirect errors, which worries me.
Please help!

OTL Log:
All processes killed
========== OTL ==========
Prefs.js: "41.234.203.183" removed from network.proxy.backup.ftp
Prefs.js: 80 removed from network.proxy.backup.ftp_port
Prefs.js: "41.234.203.183" removed from network.proxy.backup.gopher
Prefs.js: 80 removed from network.proxy.backup.gopher_port
Prefs.js: "41.234.203.183" removed from network.proxy.backup.socks
Prefs.js: 80 removed from network.proxy.backup.socks_port
Prefs.js: "41.234.203.183" removed from network.proxy.backup.ssl
Prefs.js: 80 removed from network.proxy.backup.ssl_port
Prefs.js: "41.234.203.183" removed from network.proxy.ftp
Prefs.js: 80 removed from network.proxy.ftp_port
Prefs.js: "41.234.203.183" removed from network.proxy.gopher
Prefs.js: 80 removed from network.proxy.gopher_port
Prefs.js: "41.234.203.183" removed from network.proxy.http
Prefs.js: 80 removed from network.proxy.http_port
Prefs.js: true removed from network.proxy.share_proxy_settings
Prefs.js: "41.234.203.183" removed from network.proxy.socks
Prefs.js: 80 removed from network.proxy.socks_port
Prefs.js: "41.234.203.183" removed from network.proxy.ssl
Prefs.js: 80 removed from network.proxy.ssl_port
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: Administrator.BOROOM
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 1190842 bytes
->Temporary Internet Files folder emptied: 45370093 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 88906042 bytes
->Flash cache emptied: 3186 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7168 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 129.00 mb


OTL by OldTimer - Version 3.2.4.1 log created on 05242010_002225

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#37 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

I still am getting redirect errors, which worries me.


Don't worry, we will remove them :). Could you please copy these errors for me? When do they appear?

#38 knichols05 (Topic Starter, Member, 36 posts)
When I click on a link in google it sends me to a random, unrelated site.

#39 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
I thought that you were actually getting a window with errors :).

#40 knichols05 (Topic Starter, Member, 36 posts)
haha, nope. I phrased it wrong, my bad.
#41 knichols05 (Topic Starter, Member, 36 posts)
Do you think anything from this topic would be helpful:
http://www.geekstogo...ts-t267407.html

#42 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi knichols05,

You don't have a "regular" infection and we must work around the bush. Just do not take any steps by yourself.

Step 1

Delete your version of Combofix (right click on it and choose Delete).

Download new version of ComboFix from here:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#43 knichols05 (Topic Starter, Member, 36 posts)
Don't worry, I won't do anything on my own.
Combofix found and replaced the same file from before, I think.

Combofix Log:

ComboFix 10-05-24.03 - Owner 05/24/2010 16:06:10.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.205 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\feed.txt
c:\windows\system32\hlp.dat

c:\windows\system32\ws2_32.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
.

2010-05-24 20:21 . 2010-05-24 20:29 -------- d-----w- c:\windows\ie8updates
2010-05-24 20:18 . 2010-05-24 20:18 -------- d-----w- c:\windows\LastGood.Tmp
2010-05-24 05:33 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-05-24 05:33 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-05-24 05:33 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-24 05:33 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-05-24 05:32 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-05-24 05:29 . 2010-05-24 05:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-21 23:17 . 2010-05-21 23:40 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2010-05-21 22:50 . 2010-05-21 22:50 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-05-21 22:49 . 2010-05-21 22:49 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-05-21 22:38 . 2010-05-21 22:39 -------- dc-h--w- c:\windows\ie8
2010-05-18 00:24 . 2010-05-18 00:24 -------- d-----w- C:\_OTL
2010-05-17 05:54 . 2010-05-17 05:54 293376 ----a-w- C:\b5ke6xil.exe
2010-05-17 04:40 . 2010-05-17 04:40 -------- d-----w- c:\program files\ESET
2010-05-13 00:07 . 2010-05-13 00:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-12 02:01 . 2010-05-12 02:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-24 05:31 . 2010-05-13 21:13 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-19 20:30 . 2010-01-15 23:44 17280 ----a-w- c:\windows\system32\drivers\mraid35x.sys
2010-05-17 04:35 . 2010-05-13 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-05-17 04:03 . 2010-05-13 20:31 -------- d-----w- c:\program files\Security Task Manager
2010-05-17 00:08 . 2010-01-17 03:31 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-05-15 22:29 . 2010-01-16 00:34 -------- d-----w- c:\program files\McAfee
2010-05-13 21:45 . 2010-05-13 21:45 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_62766A54CB96B6647A4A21CFAB84387D.dll
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-13 20:49 . 2010-05-13 20:49 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-13 20:49 . 2010-05-13 20:49 -------- d-----w- c:\program files\Trend Micro
2010-05-13 20:31 . 2010-05-13 20:31 6926 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040110900063D11C8EF10054038389C.dll
2010-05-13 04:22 . 2010-01-31 03:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 20:39 . 2010-01-31 03:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-01-31 03:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15 . 2010-01-15 23:47 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-05-07 00:24 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2006-05-07 00:24 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

[-] 2005-03-03 . 86EAE2E27368E0199B948A32124FC4CD . 577024 . . [5.1.2600.2622] . . c:\windows\system32\user32.dll

[-] 2004-08-04 . 2D34087CD4A677F0B288086C5B94D94C . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-13 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-26 18789408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-13 5937984]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/19/2010 5:20 PM 1691480]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [1/15/2010 6:59 PM 69692]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/30/2010 10:26 PM 38224]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/13/2010 3:30 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-16 18:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-16 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0job8ssk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-24 16:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1391852389-3871174453-2281058850-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebfbaa8***yf*********]
"BaseClass"="Drive"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1928)
c:\windows\system32\WININET.dll
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-24 16:25:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-24 21:25
ComboFix2.txt 2010-05-20 23:39
ComboFix3.txt 2010-05-18 03:08
ComboFix4.txt 2010-05-14 05:10

Pre-Run: 127,200,722,944 bytes free
Post-Run: 127,161,921,536 bytes free

- - End Of File - - 7C1512C00313CD41F0723D7AD0AE4A16

#44 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi knichols05,

Please answer me:

Do you have access to another (clean) PC with internet connection?
Do you have a blank CD to write some files onto from another PC?

#45 knichols05 (Topic Starter, Member, 36 posts)
I can get to another PC but I don't have any blank CDs.
Have you figured out the problem?