Search Engine Redirect Virus [Solved]


#46
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi knichols05,

Of course we do, but sometimes the infection defends itself :). Let's try something different...

Step 1

Download the two files attached to this post to your Desktop and unpack them to this location:

C:\WINDOWS\system32\dllcache


Step 2

Delete your version of Combofix (right click on it and choose Delete).

Download a new version of ComboFix from here:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.




#47
knichols05

    Member

  • Topic Starter
  • Member
  • 36 posts
Here's my result from ComboFix:

ComboFix 10-05-25.02 - Owner 05/25/2010 16:57:43.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.202 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ws2_32.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-25 21:54 . 1999-05-06 03:22 73728 ----a-w- c:\windows\system32\dllcache\WS2_32.DLL
2010-05-25 21:52 . 2010-05-26 00:29 577024 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-05-24 20:21 . 2010-05-24 20:29 -------- d-----w- c:\windows\ie8updates
2010-05-24 05:33 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-05-24 05:33 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-05-24 05:33 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-24 05:33 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-05-24 05:32 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-05-24 05:29 . 2010-05-24 05:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-21 23:17 . 2010-05-21 23:40 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2010-05-21 22:50 . 2010-05-21 22:50 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-05-21 22:49 . 2010-05-21 22:49 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-05-21 22:38 . 2010-05-21 22:39 -------- dc-h--w- c:\windows\ie8
2010-05-18 00:24 . 2010-05-18 00:24 -------- d-----w- C:\_OTL
2010-05-17 05:54 . 2010-05-17 05:54 293376 ----a-w- C:\b5ke6xil.exe
2010-05-17 04:40 . 2010-05-17 04:40 -------- d-----w- c:\program files\ESET
2010-05-17 04:03 . 2010-05-17 04:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2010-05-15 00:09 . 2010-05-15 00:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-05-13 21:45 . 2010-05-13 21:45 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_62766A54CB96B6647A4A21CFAB84387D.dll
2010-05-13 21:13 . 2010-05-25 20:27 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-13 20:49 . 2010-05-13 20:49 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-13 20:49 . 2010-05-13 20:49 -------- d-----w- c:\program files\Trend Micro
2010-05-13 20:31 . 2010-05-13 20:31 6926 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040110900063D11C8EF10054038389C.dll
2010-05-13 00:07 . 2010-05-13 00:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-12 02:01 . 2010-05-12 02:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 20:30 . 2010-01-15 23:44 17280 ----a-w- c:\windows\system32\drivers\mraid35x.sys
2010-05-17 04:35 . 2010-05-13 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-05-17 04:03 . 2010-05-13 20:31 -------- d-----w- c:\program files\Security Task Manager
2010-05-17 00:08 . 2010-01-17 03:31 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-05-15 22:29 . 2010-01-16 00:34 -------- d-----w- c:\program files\McAfee
2010-05-13 20:31 . 2010-05-13 20:31 42 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D510002.dll
2010-05-13 04:22 . 2010-01-31 03:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 20:39 . 2010-01-31 03:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-01-31 03:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15 . 2010-01-15 23:47 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-05-07 00:24 916480 ----a-w- c:\windows\system32\wininet.dll
.

------- Sigcheck -------

[7] 2010-05-26 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\user32.dll
[-] 2005-03-03 . 86EAE2E27368E0199B948A32124FC4CD . 577024 . . [5.1.2600.2622] . . c:\windows\system32\user32.dll

[-] 2004-08-04 . 2D34087CD4A677F0B288086C5B94D94C . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
[-] 1999-05-06 03:22 . B703D3E8C5602F26BDAEDEB1824E949A . 73728 . . [4.10.2222] . . c:\windows\system32\dllcache\WS2_32.DLL
.
((((((((((((((((((((((((((((( SnapShot@2010-05-18_03.03.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-01-31 17:46 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2010-01-31 17:46 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
+ 2006-07-01 02:31 . 2009-01-07 23:21 26144 c:\windows\system32\spupdsvc.exe
+ 2010-01-16 00:35 . 2009-01-07 23:20 16928 c:\windows\system32\spmsg.dll
+ 2006-05-07 00:24 . 2009-03-08 09:31 46592 c:\windows\system32\pngfilt.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 23552 c:\windows\system32\normaliz.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 24576 c:\windows\system32\nlsdl.dll
+ 2010-01-15 23:44 . 2009-03-08 09:31 48128 c:\windows\system32\mshtmler.dll
+ 2006-05-07 00:24 . 2009-03-08 09:31 66560 c:\windows\system32\mshtmled.dll
+ 2010-01-15 23:44 . 2009-03-08 09:31 45568 c:\windows\system32\mshta.exe
+ 2009-03-08 09:31 . 2009-03-08 09:31 13312 c:\windows\system32\msfeedssync.exe
+ 2009-03-08 09:31 . 2010-02-25 06:24 55296 c:\windows\system32\msfeedsbs.dll
+ 2010-01-15 23:44 . 2009-03-08 09:34 43008 c:\windows\system32\licmgr10.dll
+ 2006-05-07 00:24 . 2010-02-25 06:24 25600 c:\windows\system32\jsproxy.dll
+ 2006-05-07 00:24 . 2009-03-08 09:32 94720 c:\windows\system32\inseng.dll
+ 2010-01-15 23:42 . 2009-03-08 09:31 34816 c:\windows\system32\imgutil.dll
+ 2009-03-08 09:32 . 2009-03-08 09:32 36864 c:\windows\system32\ieudinit.exe
+ 2010-01-15 23:42 . 2009-03-08 09:32 71680 c:\windows\system32\iesetup.dll
+ 2010-01-15 23:42 . 2009-03-08 09:32 55808 c:\windows\system32\iernonce.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 26112 c:\windows\system32\idndl.dll
+ 2009-03-08 09:31 . 2009-03-08 09:31 59904 c:\windows\system32\icardie.dll
+ 2009-12-22 05:35 . 2009-03-08 09:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2009-03-08 09:31 . 2009-03-08 09:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2009-12-22 05:35 . 2009-03-08 09:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-03-08 09:31 . 2009-03-08 09:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2009-03-08 09:34 . 2009-03-08 09:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2009-12-22 05:35 . 2010-02-25 06:24 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-12-22 05:35 . 2009-03-08 09:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2009-03-08 09:31 . 2009-03-08 09:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2009-03-08 09:32 . 2009-03-08 09:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2009-03-08 09:32 . 2009-03-08 09:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2009-03-08 09:24 . 2009-03-08 09:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2009-03-08 09:33 . 2009-03-08 09:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2009-03-08 09:32 . 2009-03-08 09:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2010-01-15 23:39 . 2009-03-08 09:33 18944 c:\windows\system32\corpol.dll
- 2010-05-18 02:54 . 2010-05-18 02:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-25 00:57 . 2010-05-25 18:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-07 00:40 . 2010-05-18 02:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-05-07 00:40 . 2010-05-25 18:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-05-25 00:57 . 2010-05-25 18:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-15 23:39 . 2009-03-08 09:32 72704 c:\windows\system32\admparse.dll
+ 2010-05-24 20:25 . 2009-03-08 09:33 12288 c:\windows\ie8updates\KB980182-IE8\xpshims.dll
+ 2010-05-24 20:25 . 2009-03-08 09:31 55296 c:\windows\ie8updates\KB980182-IE8\msfeedsbs.dll
+ 2010-05-24 20:25 . 2009-03-08 09:33 25600 c:\windows\ie8updates\KB980182-IE8\jsproxy.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 37888 c:\windows\ie8\url.dll
+ 2010-05-21 22:39 . 2009-03-08 19:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 39424 c:\windows\ie8\pngfilt.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 96256 c:\windows\ie8\occache.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 56832 c:\windows\ie8\mshtmler.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 29184 c:\windows\ie8\mshta.exe
+ 2010-05-21 22:38 . 2004-08-04 19:00 22016 c:\windows\ie8\licmgr10.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 16384 c:\windows\ie8\jsproxy.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 96256 c:\windows\ie8\inseng.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 35840 c:\windows\ie8\imgutil.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 93184 c:\windows\ie8\iexplore.exe
+ 2010-05-21 22:38 . 2004-08-04 19:00 62976 c:\windows\ie8\iesetup.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 48640 c:\windows\ie8\iernonce.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 81920 c:\windows\ie8\ieencode.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 34304 c:\windows\ie8\ie4uinit.exe
+ 2010-05-21 22:38 . 2004-08-04 19:00 38912 c:\windows\ie8\hmmapi.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 35328 c:\windows\ie8\corpol.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 99840 c:\windows\ie8\advpack.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 61440 c:\windows\ie8\admparse.dll
+ 2009-01-07 23:21 . 2009-01-07 23:21 121856 c:\windows\system32\xmllite.dll
+ 2009-03-08 09:34 . 2009-03-08 09:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2010-01-15 23:47 . 2009-03-08 09:34 236544 c:\windows\system32\webcheck.dll
+ 2010-01-15 23:47 . 2009-03-08 09:34 105984 c:\windows\system32\url.dll
+ 2010-01-15 23:45 . 2010-02-25 06:24 206848 c:\windows\system32\occache.dll
+ 2006-05-07 00:24 . 2010-02-25 06:24 611840 c:\windows\system32\mstime.dll
+ 2006-05-07 00:24 . 2009-03-08 09:34 193536 c:\windows\system32\msrating.dll
+ 2010-01-15 23:44 . 2009-03-08 09:22 156160 c:\windows\system32\msls31.dll
+ 2009-03-08 09:32 . 2010-02-25 06:24 594432 c:\windows\system32\msfeeds.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 265720 c:\windows\system32\msdbg2.dll
+ 2006-05-07 00:24 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2009-03-08 09:22 . 2009-03-08 09:22 164352 c:\windows\system32\ieui.dll
+ 2006-05-07 00:24 . 2010-02-25 06:24 184320 c:\windows\system32\iepeers.dll
+ 2010-01-15 23:42 . 2010-02-25 06:24 387584 c:\windows\system32\iedkcs32.dll
+ 2009-03-08 09:11 . 2009-03-08 09:11 445952 c:\windows\system32\ieapfltr.dll
+ 2010-01-15 23:42 . 2009-03-08 09:32 163840 c:\windows\system32\ieakui.dll
+ 2010-01-15 23:42 . 2009-03-08 09:33 229376 c:\windows\system32\ieaksie.dll
+ 2010-01-15 23:42 . 2009-03-08 09:33 125952 c:\windows\system32\ieakeng.dll
+ 2010-01-15 23:42 . 2010-02-24 09:54 173056 c:\windows\system32\ie4uinit.exe
+ 2006-05-07 00:24 . 2009-03-08 09:31 216064 c:\windows\system32\dxtrans.dll
+ 2006-05-07 00:24 . 2009-03-08 09:31 348160 c:\windows\system32\dxtmsft.dll
+ 2009-12-22 05:35 . 2010-02-25 06:24 916480 c:\windows\system32\dllcache\wininet.dll
+ 2009-03-08 09:34 . 2009-03-08 09:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2009-03-08 09:33 . 2009-03-08 09:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2007-12-18 14:40 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2009-03-08 09:34 . 2009-03-08 09:34 105984 c:\windows\system32\dllcache\url.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2009-03-08 09:34 . 2010-02-25 06:24 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-12-22 05:35 . 2010-02-25 06:24 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-12-22 05:35 . 2009-03-08 09:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2009-03-08 09:22 . 2009-03-08 09:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2007-12-18 14:40 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
+ 2010-01-15 23:42 . 2009-03-08 19:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2009-12-22 05:35 . 2010-02-25 06:24 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2009-03-08 19:09 . 2010-02-25 06:24 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-03-08 09:32 . 2009-03-08 09:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2009-03-08 09:33 . 2009-03-08 09:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2009-03-08 09:33 . 2009-03-08 09:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2009-03-08 09:32 . 2010-02-24 09:54 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-12-22 05:35 . 2009-03-08 09:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2009-12-22 05:35 . 2009-03-08 09:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2009-03-08 09:32 . 2009-03-08 09:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2010-05-24 05:29 . 2010-05-25 00:56 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2010-01-15 23:39 . 2009-03-08 09:32 128512 c:\windows\system32\advpack.dll
+ 2010-05-24 20:28 . 2009-03-08 09:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2010-05-24 20:28 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2010-05-24 20:28 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2010-05-24 20:25 . 2009-03-08 09:34 914944 c:\windows\ie8updates\KB980182-IE8\wininet.dll
+ 2010-05-24 20:25 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB980182-IE8\spuninst\updspapi.dll
+ 2010-05-24 20:25 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB980182-IE8\spuninst\spuninst.exe
+ 2010-05-24 20:25 . 2009-03-08 09:34 109568 c:\windows\ie8updates\KB980182-IE8\occache.dll
+ 2010-05-24 20:25 . 2009-03-08 09:32 611840 c:\windows\ie8updates\KB980182-IE8\mstime.dll
+ 2010-05-24 20:25 . 2009-03-08 09:32 594432 c:\windows\ie8updates\KB980182-IE8\msfeeds.dll
+ 2010-05-24 20:25 . 2009-03-08 09:33 246784 c:\windows\ie8updates\KB980182-IE8\ieproxy.dll
+ 2010-05-24 20:25 . 2009-03-08 09:31 183808 c:\windows\ie8updates\KB980182-IE8\iepeers.dll
+ 2010-05-24 20:25 . 2009-03-08 19:09 391536 c:\windows\ie8updates\KB980182-IE8\iedkcs32.dll
+ 2010-05-24 20:25 . 2009-03-08 09:32 173056 c:\windows\ie8updates\KB980182-IE8\ie4uinit.exe
+ 2010-05-24 20:29 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-05-24 20:29 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-05-24 20:29 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2010-05-24 20:21 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2010-05-24 20:21 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2010-05-24 20:21 . 2009-03-08 09:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 668672 c:\windows\ie8\wininet.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 276480 c:\windows\ie8\webcheck.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 848384 c:\windows\ie8\vgx.dll
+ 2010-05-21 22:38 . 2010-03-10 08:02 417792 c:\windows\ie8\vbscript.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 628224 c:\windows\ie8\urlmon.dll
+ 2010-05-21 22:39 . 2009-01-07 23:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2010-05-21 22:39 . 2009-01-07 23:20 231456 c:\windows\ie8\spuninst\spuninst.exe
+ 2010-05-21 22:38 . 2010-02-26 06:05 532480 c:\windows\ie8\mstime.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 146432 c:\windows\ie8\msrating.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 146432 c:\windows\ie8\msls31.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 449024 c:\windows\ie8\mshtmled.dll
+ 2010-05-21 22:38 . 2009-08-21 09:46 450560 c:\windows\ie8\jscript.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 251904 c:\windows\ie8\iepeers.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 323584 c:\windows\ie8\iedkcs32.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 221184 c:\windows\ie8\ieakui.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 216576 c:\windows\ie8\ieaksie.dll
+ 2010-05-21 22:38 . 2004-08-04 19:00 139264 c:\windows\ie8\ieakeng.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 205312 c:\windows\ie8\dxtrans.dll
+ 2010-05-21 22:38 . 2010-02-26 06:05 357888 c:\windows\ie8\dxtmsft.dll
+ 2006-05-07 00:24 . 2010-02-25 06:24 1209344 c:\windows\system32\urlmon.dll
+ 2006-05-07 00:24 . 2010-02-25 06:24 5944832 c:\windows\system32\mshtml.dll
+ 2009-03-08 09:32 . 2010-02-25 06:24 1985536 c:\windows\system32\iertutil.dll
+ 2009-02-07 02:07 . 2009-02-07 02:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2009-12-22 05:35 . 2010-02-25 06:24 1209344 c:\windows\system32\dllcache\urlmon.dll
+ 2009-12-22 05:35 . 2010-02-25 06:24 5944832 c:\windows\system32\dllcache\mshtml.dll
+ 2010-05-24 20:25 . 2009-03-08 09:34 1206784 c:\windows\ie8updates\KB980182-IE8\urlmon.dll
+ 2010-05-24 20:25 . 2009-03-08 09:41 5937152 c:\windows\ie8updates\KB980182-IE8\mshtml.dll
+ 2010-05-24 20:25 . 2009-03-08 09:32 1985024 c:\windows\ie8updates\KB980182-IE8\iertutil.dll
+ 2010-05-21 22:38 . 2010-02-26 19:35 3073024 c:\windows\ie8\mshtml.dll
+ 2009-03-08 09:39 . 2010-02-25 16:54 11070976 c:\windows\system32\ieframe.dll
+ 2010-02-25 16:54 . 2010-02-25 16:54 11070976 c:\windows\system32\dllcache\ieframe.dll
+ 2010-05-24 20:25 . 2009-03-08 09:39 11063808 c:\windows\ie8updates\KB980182-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-13 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-26 18789408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-13 5937984]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/19/2010 5:20 PM 1691480]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [1/15/2010 6:59 PM 69692]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/30/2010 10:26 PM 38224]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/13/2010 3:30 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-16 18:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-16 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0job8ssk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 17:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1391852389-3871174453-2281058850-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebfbaa8***yf*********]
"BaseClass"="Drive"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2924)
c:\windows\system32\WININET.dll
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-05-25 17:05:08
ComboFix-quarantined-files.txt 2010-05-25 22:05
ComboFix2.txt 2010-05-24 21:25
ComboFix3.txt 2010-05-20 23:39
ComboFix4.txt 2010-05-18 03:08
ComboFix5.txt 2010-05-25 21:56

Pre-Run: 126,528,548,864 bytes free
Post-Run: 126,984,175,616 bytes free

- - End Of File - - F28FB554FF802E19F718292714D7B128

Edited by knichols05, 25 May 2010 - 04:15 PM.

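The Sigcheck block in the log above is the evidence the helper acts on: Windows File Protection keeps a backup of each protected file in system32\dllcache, so when the live copy and the cached copy disagree on MD5 and version, one of them has been altered. As an added example (not from this thread or from ComboFix itself), the Python below parses that block and pairs each system32 file with its dllcache backup, reporting the disagreements for user32.dll and ws2_32.dll; the line layout is inferred from the four quoted lines, and flag codes such as [7] and [-] are passed through without interpretation.

```python
"""Pair ComboFix Sigcheck entries and flag system32 vs dllcache disagreements.
Windows File Protection keeps backups of protected files in system32\\dllcache,
so a live file whose MD5/version disagrees with its backup deserves a look."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the Sigcheck block copied from the ComboFix log in
# the post above (single backslashes, as in the log).
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

[7] 2010-05-26 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\user32.dll
[-] 2005-03-03 . 86EAE2E27368E0199B948A32124FC4CD . 577024 . . [5.1.2600.2622] . . c:\windows\system32\user32.dll

[-] 2004-08-04 . 2D34087CD4A677F0B288086C5B94D94C . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
[-] 1999-05-06 03:22 . B703D3E8C5602F26BDAEDEB1824E949A . 73728 . . [4.10.2222] . . c:\windows\system32\dllcache\WS2_32.DLL
"""

# Layout inferred from the lines above: [flag] date . MD5 . size . <empty
# fields> . [version] . <empty fields> . path. The flag code ([7], [-]) is kept
# as text and not interpreted.
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.(?:\s+\.)*\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.(?:\s+\.)*\s+"
    r"(?P<path>\S.*?)\s*$"
)

@dataclass(frozen=True)
class SigEntry:
    flag: str
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        """File name, lower-cased so WS2_32.DLL and ws2_32.dll pair up."""
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_dllcache(self) -> bool:
        return "\\dllcache\\" in self.path.lower()

@dataclass(frozen=True)
class Finding:
    name: str
    live: Optional[SigEntry]   # copy in system32
    cache: Optional[SigEntry]  # copy in system32\dllcache
    reasons: Tuple[str, ...]   # empty when the two copies agree

    @property
    def consistent(self) -> bool:
        return not self.reasons

def parse_sigcheck(text: str) -> List[SigEntry]:
    """Return one SigEntry per line matching the Sigcheck layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"], m["date"], m["md5"].upper(),
                                    int(m["size"]), m["version"], m["path"]))
    return entries

def compare_sigcheck(text: str) -> List[Finding]:
    """Pair each live file with its dllcache backup and list disagreements."""
    pairs: Dict[str, List[Optional[SigEntry]]] = {}
    for entry in parse_sigcheck(text):
        pairs.setdefault(entry.name, [None, None])[1 if entry.in_dllcache else 0] = entry
    findings = []
    for name, (live, cache) in sorted(pairs.items()):
        reasons: List[str] = []
        if live is None or cache is None:
            reasons.append("only one copy listed")
        else:
            if live.md5 != cache.md5:
                reasons.append("MD5 differs")
            if live.version != cache.version:
                reasons.append(f"version differs ({live.version} vs {cache.version})")
            if live.size != cache.size:
                reasons.append(f"size differs ({live.size} vs {cache.size})")
        findings.append(Finding(name, live, cache, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in compare_sigcheck(SAMPLE_SIGCHECK):
        print(f"{f.name}: " + ("consistent" if f.consistent else "; ".join(f.reasons)))
```

On the quoted block it reports user32.dll with two disagreements and ws2_32.dll with three, which is why the next step replaces the dllcache copies with known-good files before copying them over the live ones.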

#48
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi knichols05,

Let's try replacing the infected system files. Please follow my steps in the order they are posted.

Step 1

Download the ZIP file attached to this post (files.zip) to your Desktop and unpack the two files inside it (user32.dll and ws2_32.dll) to this location:

C:\WINDOWS\system32\dllcache


Replace the files already located there.

Step 2

Restart in safe mode:

  • If the computer is running, shut down Windows, and then turn off the power
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.

While you are in Safe mode:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

File::

Folder::

Registry::

FCopy::
c:\windows\system32\dllcache\user32.dll | c:\windows\system32\user32.dll
c:\windows\system32\dllcache\WS2_32.DLL | c:\windows\system32\ws2_32.dll

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




#49
knichols05

    Member

  • Topic Starter
  • Member
  • 36 posts
ComboFix Log:

ComboFix 10-05-26.01 - Owner 05/26/2010 15:57:39.5.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.283 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\user32.dll --> c:\windows\system32\user32.dll
c:\windows\system32\dllcache\WS2_32.DLL --> c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-25 21:54 . 2004-08-04 05:56 82944 ------w- c:\windows\system32\dllcache\ws2_32.dll
2010-05-25 21:52 . 2005-03-03 01:19 577024 ------w- c:\windows\system32\dllcache\user32.dll
2010-05-24 20:21 . 2010-05-24 20:29 -------- d-----w- c:\windows\ie8updates
2010-05-24 05:33 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-05-24 05:33 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-05-24 05:33 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-24 05:33 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-05-24 05:32 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-05-24 05:29 . 2010-05-24 05:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-21 23:17 . 2010-05-21 23:40 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2010-05-21 22:50 . 2010-05-21 22:50 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-05-21 22:49 . 2010-05-21 22:49 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-05-21 22:38 . 2010-05-21 22:39 -------- dc-h--w- c:\windows\ie8
2010-05-18 00:24 . 2010-05-18 00:24 -------- d-----w- C:\_OTL
2010-05-17 05:54 . 2010-05-17 05:54 293376 ----a-w- C:\b5ke6xil.exe
2010-05-17 04:40 . 2010-05-17 04:40 -------- d-----w- c:\program files\ESET
2010-05-17 04:03 . 2010-05-17 04:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2010-05-15 00:09 . 2010-05-15 00:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-05-13 21:45 . 2010-05-13 21:45 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_62766A54CB96B6647A4A21CFAB84387D.dll
2010-05-13 21:13 . 2010-05-25 20:27 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-13 20:49 . 2010-05-13 20:49 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-13 20:49 . 2010-05-13 20:49 -------- d-----w- c:\program files\Trend Micro
2010-05-13 20:31 . 2010-05-13 20:31 6926 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040110900063D11C8EF10054038389C.dll
2010-05-13 00:07 . 2010-05-13 00:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-12 02:01 . 2010-05-12 02:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 20:30 . 2010-01-15 23:44 17280 ----a-w- c:\windows\system32\drivers\mraid35x.sys
2010-05-17 04:35 . 2010-05-13 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-05-17 04:03 . 2010-05-13 20:31 -------- d-----w- c:\program files\Security Task Manager
2010-05-17 00:08 . 2010-01-17 03:31 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-05-15 22:29 . 2010-01-16 00:34 -------- d-----w- c:\program files\McAfee
2010-05-13 20:31 . 2010-05-13 20:31 42 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D510002.dll
2010-05-13 04:22 . 2010-01-31 03:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 20:39 . 2010-01-31 03:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-01-31 03:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15 . 2010-01-15 23:47 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-05-25_22.02.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-05-25 00:57 . 2010-05-25 18:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-25 00:57 . 2010-05-26 20:36 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-05-07 00:40 . 2010-05-26 20:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-07 00:40 . 2010-05-25 18:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-05-25 22:46 . 2010-05-26 20:36 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-05-25 00:57 . 2010-05-25 18:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-13 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-26 18789408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-13 5937984]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/19/2010 5:20 PM 1691480]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [1/15/2010 6:59 PM 69692]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/30/2010 10:26 PM 38224]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/13/2010 3:30 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-16 18:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-16 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0job8ssk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 16:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1391852389-3871174453-2281058850-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebfbaa8***yf*********]
"BaseClass"="Drive"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(928)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
Completion time: 2010-05-26 16:14:08
ComboFix-quarantined-files.txt 2010-05-26 21:13
ComboFix2.txt 2010-05-25 22:05
ComboFix3.txt 2010-05-24 21:25
ComboFix4.txt 2010-05-20 23:39
ComboFix5.txt 2010-05-26 20:54

Pre-Run: 126,972,497,920 bytes free
Post-Run: 126,931,402,752 bytes free

- - End Of File - - ED74FFFF30A20E5F43ADC681F98F4DBA

#50
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hi knichols05,

I see that the fix went fine. How is your system now?

#51
knichols05
    Member
  • Topic Starter
  • 36 posts
I actually haven't been getting redirects for a while and I think everything seems fine.
Anything else I should do?

#52
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hi knichols05,

Just to be sure...

Malwarebytes' Anti-Malware a.k.a. MBAM - Download Free Version (freeware) - Homepage
Why? Malwarebytes' Anti-Malware is very good at removing the zlob trojan, virtumonde, and most other current infections. This single tool has replaced multiple tools that have been required in the past.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, confirm a check mark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. The rogue application should now be gone.

When completed, a log will open in Notepad. If you need to create a new topic, please paste this log with it.

Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.

Extra Note: Do not run a full scan with MBAM. It is not required or needed, and in fact makes our job tougher.

#53
knichols05
    Member
  • Topic Starter
  • 36 posts
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4153

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

5/28/2010 11:46:09 PM
mbam-log-2010-05-28 (23-46-09).txt

Scan type: Quick scan
Objects scanned: 128605
Time elapsed: 18 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#54
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hi knichols05,

I'm glad we fixed up your computer. We need to clean up your PC from the programs we used.

Please download OTC by OldTimer from here

  • Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUP! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes
  • After the reboot all the tools we used should be gone


Here are some recommendations you should follow to minimize infection risk in the future:

1. Your system needs one antivirus program. Choose one that suits your needs best. Here are some FREEWARE recommendations:

Avira AntiVir Personal - Free
AVG Free

2. Your system needs one firewall program. Choose one that suits your needs best. Here are some FREEWARE recommendations.

ZoneAlarm Pro
Ashampoo Firewall

3. Install AntiSpyware. You need to have only one realtime antispyware solution running on your system.


4. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them option.
  • Click OK button

5. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

6. Make Backups of Important Files

Please read this article Home Computer Data Backup.


7. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor's patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.
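The ComboFix "Reg Loading Points" section quoted earlier in this thread shows Windows Firewall switched off ("EnableFirewall"= 0) and Security Center monitoring disabled for the McAfee antivirus and firewall, which is exactly the kind of weakened protection the firewall and antivirus recommendations above are meant to restore. As an added example (not part of this thread, ComboFix, or any helper's own tooling), the following Python parses a constructed excerpt written in that section's REGEDIT4-style format and flags those settings, plus Run entries marked [X], which in this format indicates the target file was not found:

```python
import re

# Constructed excerpt in the format of the ComboFix "Reg Loading Points"
# section quoted in this thread (not the poster's full log).
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Power2GoExpress"="NA" [X]
"DAEMON Tools Lite"="c:\\program files\\DAEMON Tools Lite\\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY...] block header
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "name"=value, as REGEDIT4 writes it


def parse_loading_points(text):
    """Return {registry key: {value name: raw value text}} for each block."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            blocks[current][m.group(1)] = m.group(2).strip()
    return blocks


def find_weakened_protections(text):
    """Flag firewall off, Security Center monitoring disabled, and Run
    entries whose file was not found ([X]). Returns (finding, detail) pairs."""
    findings = []
    for key, values in parse_loading_points(text).items():
        lk = key.lower()
        for name, raw in values.items():
            if lk.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and raw.startswith("0"):
                findings.append(("firewall_disabled", key))
            elif "security center\\monitoring\\" in lk and name == "DisableMonitoring" and raw.endswith("1"):
                findings.append(("security_center_monitoring_off", key.rsplit("\\", 1)[-1]))
            elif lk.endswith("\\run") and raw.endswith("[X]"):
                findings.append(("run_entry_missing_file", name))
    return findings
```

Run it against a saved ComboFix log by passing the file's text to find_weakened_protections; a clean machine should produce an empty list.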

#55
knichols05
    Member
  • Topic Starter
  • 36 posts
Alright, I'll start on that list asap.
Thank you so much for all your help.
Also, I need to uninstall mcafee before I download anything else right?


#56
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hi knichols05,

Don't uninstall McAfee. This is just the list of programs that you could use if you don't have any antivirus or antispyware. You have to have only one antivirus and antispyware solution installed on your PC.

#57
knichols05
    Member
  • Topic Starter
  • 36 posts
I understand, but I got the file while I had McAfee so I'm not sure I have much faith in it.

#58
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hi knichols05,

That's up to you to decide :) . Stay safe!

#59
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.