truckyxp (Members)
Posts: 4
Reputation: 0 Neutral
  1. Hello, I hope this info helps. On 2-2-10 my computer running XP Home edition, IE7, SP2, got infected with something that redirects all browsers on the profile I was using. That profile did not have admin privileges. This system has been used by friends and family for years without any virus protection. Several of the profiles had hundreds of viruses, trojans, and everything else. I have run Malwarebytes and Hitman Pro, which cleaned everything they detected in each profile. But I still had the Google redirect on the profile that I was using when it got infected. I then installed IE8, which did not help. I'm new to the forum, so it took a while to find "I'm infected - What do I do now". I went through the steps described and have included the logs requested. Hoping you can help, please.

     Malwarebytes' Anti-Malware 1.44
     Database version: 3686
     Windows 5.1.2600 Service Pack 2
     Internet Explorer 7.0.5730.13

     2/8/2010 6:00:15 PM
     mbam-log-2010-02-08 (18-00-15).txt

     Scan type: Quick Scan
     Objects scanned: 182106
     Time elapsed: 27 minute(s), 41 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Avira AntiVir Personal
     Report file date: Thursday, February 11, 2010 17:31

     Scanning for 1748777 virus strains and unwanted programs.

     Licensee : Avira AntiVir Personal - FREE Antivirus
     Serial number : 0000149996-ADJIE-0000001
     Platform : Windows XP
     Windows version : (Service Pack 2) [5.1.2600]
     Boot mode : Normally booted
     Username : rock star!!!!!!!!!!!
     Computer name : YOUR-03667082DE

     Version information:
     BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
     AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 17:26:33
     AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
     LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
     LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
     VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:35:52
     VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 23:20:50
     VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:22:02
     VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 23:22:30
     VBASE004.VDF : 7.10.3.76 2048 Bytes 1/26/2010 23:22:31
     VBASE005.VDF : 7.10.3.77 2048 Bytes 1/26/2010 23:22:37
     VBASE006.VDF : 7.10.3.78 2048 Bytes 1/26/2010 23:22:37
     VBASE007.VDF : 7.10.3.79 2048 Bytes 1/26/2010 23:22:38
     VBASE008.VDF : 7.10.3.80 2048 Bytes 1/26/2010 23:22:38
     VBASE009.VDF : 7.10.3.81 2048 Bytes 1/26/2010 23:22:39
     VBASE010.VDF : 7.10.3.82 2048 Bytes 1/26/2010 23:22:40
     VBASE011.VDF : 7.10.3.83 2048 Bytes 1/26/2010 23:22:40
     VBASE012.VDF : 7.10.3.84 2048 Bytes 1/26/2010 23:22:41
     VBASE013.VDF : 7.10.3.85 2048 Bytes 1/26/2010 23:22:41
     VBASE014.VDF : 7.10.3.122 172544 Bytes 1/29/2010 23:22:47
     VBASE015.VDF : 7.10.3.149 79872 Bytes 2/1/2010 23:22:49
     VBASE016.VDF : 7.10.3.174 68608 Bytes 2/3/2010 23:22:52
     VBASE017.VDF : 7.10.3.199 76800 Bytes 2/4/2010 23:22:57
     VBASE018.VDF : 7.10.3.222 64512 Bytes 2/5/2010 23:22:58
     VBASE019.VDF : 7.10.3.243 75776 Bytes 2/8/2010 23:23:00
     VBASE020.VDF : 7.10.4.6 81920 Bytes 2/9/2010 23:23:03
     VBASE021.VDF : 7.10.4.30 78848 Bytes 2/11/2010 23:23:05
     VBASE022.VDF : 7.10.4.31 2048 Bytes 2/11/2010 23:23:05
     VBASE023.VDF : 7.10.4.32 2048 Bytes 2/11/2010 23:23:06
     VBASE024.VDF : 7.10.4.33 2048 Bytes 2/11/2010 23:23:06
     VBASE025.VDF : 7.10.4.34 2048 Bytes 2/11/2010 23:23:07
     VBASE026.VDF : 7.10.4.35 2048 Bytes 2/11/2010 23:23:07
     VBASE027.VDF : 7.10.4.36 2048 Bytes 2/11/2010 23:23:08
     VBASE028.VDF : 7.10.4.37 2048 Bytes 2/11/2010 23:23:08
     VBASE029.VDF : 7.10.4.38 2048 Bytes 2/11/2010 23:23:09
     VBASE030.VDF : 7.10.4.39 2048 Bytes 2/11/2010 23:23:09
     VBASE031.VDF : 7.10.4.41 26624 Bytes 2/11/2010 23:23:10
     Engineversion : 8.2.1.160
     AEVDF.DLL : 8.1.1.3 106868 Bytes 2/11/2010 23:24:06
     AESCRIPT.DLL : 8.1.3.13 823674 Bytes 2/11/2010 23:24:04
     AESCN.DLL : 8.1.4.0 127348 Bytes 2/11/2010 23:23:54
     AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 13:38:44
     AERDL.DLL : 8.1.3.4 479605 Bytes 2/11/2010 23:23:52
     AEPACK.DLL : 8.2.0.5 422262 Bytes 2/11/2010 23:23:42
     AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 13:38:38
     AEHEUR.DLL : 8.1.1.5 2326901 Bytes 2/11/2010 23:23:37
     AEHELP.DLL : 8.1.10.0 237942 Bytes 2/11/2010 23:23:19
     AEGEN.DLL : 8.1.1.86 369012 Bytes 2/11/2010 23:23:17
     AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 13:38:26
     AECORE.DLL : 8.1.11.1 184694 Bytes 2/11/2010 23:23:13
     AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 13:38:20
     AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
     AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 21:14:02
     AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
     AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
     AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
     AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
     SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
     SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
     NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
     RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
     RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 18:25:47

     Configuration settings for the scan:
     Jobname.............................: Complete system scan
     Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
     Logging.............................: low
     Primary action......................: interactive
     Secondary action....................: ignore
     Scan master boot sector.............: on
     Scan boot sector....................: on
     Boot sectors........................: C:, D:,
     Process scan........................: on
     Scan registry.......................: on
     Search for rootkits.................: on
     Integrity checking of system files..: off
     Scan all files......................: All files
     Scan archives.......................: on
     Recursion depth.....................: 20
     Smart extensions....................: on
     Macro heuristic.....................: on
     File heuristic......................: medium
     Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

     Start of the scan: Thursday, February 11, 2010 17:31

     Starting search for hidden objects.
     '65085' objects were checked, '0' hidden objects were found.

     The scan of running processes will be started
     Scan process 'avscan.exe' - '1' Module(s) have been scanned
     Scan process 'avcenter.exe' - '1' Module(s) have been scanned
     Scan process 'notepad.exe' - '1' Module(s) have been scanned
     Scan process 'avgnt.exe' - '1' Module(s) have been scanned
     Scan process 'sched.exe' - '1' Module(s) have been scanned
     Scan process 'avguard.exe' - '1' Module(s) have been scanned
     Scan process 'iexplore.exe' - '1' Module(s) have been scanned
     Scan process 'iexplore.exe' - '1' Module(s) have been scanned
     Scan process 'iPodService.exe' - '1' Module(s) have been scanned
     Scan process 'hptskmgr.exe' - '1' Module(s) have been scanned
     Scan process 'Photags AutoDetect.exe' - '1' Module(s) have been scanned
     Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
     Scan process 'WinCinemaMgr.exe' - '1' Module(s) have been scanned
     Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
     Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
     Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
     Scan process 'QTTask.exe' - '1' Module(s) have been scanned
     Scan process 'lxbtbmon.exe' - '1' Module(s) have been scanned
     Scan process 'lxbtbmgr.exe' - '1' Module(s) have been scanned
     Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
     Scan process 'hpztsb10.exe' - '1' Module(s) have been scanned
     Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
     Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
     Scan process 'kbd.exe' - '1' Module(s) have been scanned
     Scan process 'hphmon06.exe' - '1' Module(s) have been scanned
     Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
     Scan process 'jusched.exe' - '1' Module(s) have been scanned
     Scan process 'explorer.exe' - '1' Module(s) have been scanned
     Scan process 'alg.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'MDM.EXE' - '1' Module(s) have been scanned
     Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
     Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
     Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'lsass.exe' - '1' Module(s) have been scanned
     Scan process 'services.exe' - '1' Module(s) have been scanned
     Scan process 'winlogon.exe' - '1' Module(s) have been scanned
     Scan process 'csrss.exe' - '1' Module(s) have been scanned
     Scan process 'smss.exe' - '1' Module(s) have been scanned
     45 processes with 45 modules were scanned

     Starting master boot sector scan:
     Master boot sector HD0
     [INFO] No virus was found!
     Master boot sector HD1
     [INFO] No virus was found!
     Master boot sector HD2
     [INFO] No virus was found!
     Master boot sector HD3
     [INFO] No virus was found!
     Master boot sector HD4
     [INFO] No virus was found!

     Start scanning boot sectors:
     Boot sector 'C:\'
     [INFO] No virus was found!
     Boot sector 'D:\'
     [INFO] No virus was found!

     Starting to scan executable files (registry).
     The registry was scanned ( '83' files ).

     Starting the file scan:

     Begin scan in 'C:\' <+>
     C:\hiberfil.sys
     [WARNING] The file could not be opened!
     [NOTE] This file is a Windows system file.
     [NOTE] This file cannot be opened for scanning.
     C:\pagefile.sys
     [WARNING] The file could not be opened!
     [NOTE] This file is a Windows system file.
     [NOTE] This file cannot be opened for scanning.
     C:\Documents and Settings\All Users\Application Data\WildTangent\Game Console - WildGames\Downloads\en-us\Installers\gemshop-setup.exe
     [0] Archive type: NSIS
     --> [ProgramFilesDir]/WildGames/Gem Shop/FullSetupGamesClient-wildgames.exe
     [1] Archive type: NSIS
     --> ProgramFilesDir/LogoAnimation.swf
     [WARNING] No further files can be extracted from this archive. The archive will be closed
     [WARNING] No further files can be extracted from this archive. The archive will be closed
     C:\Documents and Settings\All Users\Application Data\WildTangent\Game Console - WildGames\Downloads\en-us\Installers\SetupGamesClient.exe_cache
     [0] Archive type: NSIS
     --> ProgramFilesDir/GameConsole-wt.exe
     [WARNING] No further files can be extracted from this archive. The archive will be closed
     [WARNING] No further files can be extracted from this archive. The archive will be closed
     C:\Documents and Settings\HP_Owner\loaded.exe
     [WARNING] The file could not be opened!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\3.1.55.0-EasyShrx.Dll
     [WARNING] The file could not be opened!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\AutoRun.exe
     [WARNING] The file could not be opened!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\AutoRunGUI.dll
     [WARNING] The file could not be opened!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\exec.exe
     [WARNING] The file could not be opened!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\IadHide5.dll
     [WARNING] The file could not be opened!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\io.dll
     [WARNING] The file could not be opened!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\msnsearch.exe
     [WARNING] The file could not be opened!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\NullsoftHelper.dll
     [WARNING] The file could not be opened!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\PleaseWait.exe
     [WARNING] The file could not be opened!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\UDC6_0001_D19M2808\installer.exe
     [DETECTION] Contains recognition pattern of the ADSPY/Drop.Dct.21.C adware or spyware
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\USDR6_0001_D08M0404\installer.exe
     [DETECTION] Contains recognition pattern of the ADSPY/WinFixer.C adware or spyware
     C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\61KRYN0P\tp[1].htm
     [DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
     C:\Documents and Settings\MOMMIE\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-486c9904-22c143f2.class
     [DETECTION] Contains recognition pattern of the JAVA/OpenStream.BH Java virus
     C:\Documents and Settings\Shawn the COWBOY!!!!\Local Settings\TempIadHide3.dll
     [WARNING] The file could not be opened!
     C:\hp\bin\KillIt.exe
     [DETECTION] Contains recognition pattern of the APPL/KillApp.A application
     C:\hp\bin\KillWind.exe
     [DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application
     C:\Program Files\Common Files\Companion Wizard\compwiz.exe
     [0] Archive type: RSRC
     --> Object
     [DETECTION] Contains recognition pattern of the ADSPY/Companion.A.1 adware or spyware
     C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
     [DETECTION] Contains recognition pattern of the ADSPY/Companion.A.1 adware or spyware
     C:\Program Files\Cosmi\Games 4 Kids\KILLBEES\KILLBEES.EXE
     [DETECTION] Contains recognition pattern of the JOKE/KillerBee joke
     C:\Program Files\Cosmi\Games 4 Kids\METEOR\METEOR.EXE
     [DETECTION] Contains recognition pattern of the JOKE/KillerBee joke
     C:\Program Files\Cosmi\Games 4 Kids\SPACEGRD\SPACEGRD.EXE
     [DETECTION] Contains recognition pattern of the JOKE/KillerBee joke
     C:\Program Files\Magic Ball 2\Magic Ball 2.exe
     [DETECTION] This file has been compressed using unusual runtime compression (PCK/Armadillo). Please verify the origin of this file.
     C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe
     [DETECTION] Is the TR/PSW.Stealer.724081 Trojan
     C:\Program Files\Online Services\PeoplePC\Utilities\AtlBrowser.exe
     [DETECTION] Contains recognition pattern of the DIAL/90112 dialer
     C:\WINDOWS\Downloaded Program Files\gdnUS250.exe
     [DETECTION] Is the TR/Dldr.Small.ayl.0 Trojan
     C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS250.exe
     [DETECTION] Is the TR/Dldr.Small.ayl.0 Trojan
     C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnUS250.exe
     [DETECTION] Is the TR/Small.Crypted.Gen Trojan
     C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gdnUS250.exe
     [DETECTION] Is the TR/Small.Crypted.Gen Trojan
     C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gdnUS250.exe
     [DETECTION] Is the TR/Small.Crypted.Gen Trojan
     C:\WINDOWS\system32\cfgbkendy.dll
     [WARNING] The file could not be opened!
     Begin scan in 'D:\' <HP_RECOVERY>

     Beginning disinfection:
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\UDC6_0001_D19M2808\installer.exe
     [DETECTION] Contains recognition pattern of the ADSPY/Drop.Dct.21.C adware or spyware
     [NOTE] The file was moved to '4be7a6a8.qua'!
     C:\Documents and Settings\HP_Owner\Local Settings\Temp\USDR6_0001_D08M0404\installer.exe
     [DETECTION] Contains recognition pattern of the ADSPY/WinFixer.C adware or spyware
     [NOTE] The file was moved to '4a926051.qua'!
     C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\61KRYN0P\tp[1].htm
     [DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
     [NOTE] The file was moved to '4bcfa6aa.qua'!
     C:\Documents and Settings\MOMMIE\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-486c9904-22c143f2.class
     [DETECTION] Contains recognition pattern of the JAVA/OpenStream.BH Java virus
     [NOTE] The file was moved to '4bdaa6a7.qua'!
     C:\hp\bin\KillIt.exe
     [DETECTION] Contains recognition pattern of the APPL/KillApp.A application
     [NOTE] The file was moved to '4be0a6a3.qua'!
     C:\hp\bin\KillWind.exe
     [DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application
     [NOTE] The file was moved to '4be0a6a4.qua'!
     C:\Program Files\Common Files\Companion Wizard\compwiz.exe
     [NOTE] The file was moved to '4be1a6aa.qua'!
     C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
     [DETECTION] Contains recognition pattern of the ADSPY/Companion.A.1 adware or spyware
     [NOTE] ADSPY/Companion.A.1:[HKEY_CLASSES_ROOT\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F}\InprocServer32]:<@>=sz:WapCHK.dll
     [NOTE] ADSPY/Companion.A.1:[HKEY_CLASSES_ROOT\TypeLib\{1234890A-5E6E-4867-8136-CA6F1456B235}\1.0\0\win32]:<@>=sz:WapCHK.dll
     [NOTE] The file was moved to '4be4a69c.qua'!
     C:\Program Files\Cosmi\Games 4 Kids\KILLBEES\KILLBEES.EXE
     [DETECTION] Contains recognition pattern of the JOKE/KillerBee joke
     [NOTE] The file was moved to '4bc0a684.qua'!
     C:\Program Files\Cosmi\Games 4 Kids\METEOR\METEOR.EXE
     [DETECTION] Contains recognition pattern of the JOKE/KillerBee joke
     [NOTE] The file was moved to '4bc8a680.qua'!
     C:\Program Files\Cosmi\Games 4 Kids\SPACEGRD\SPACEGRD.EXE
     [DETECTION] Contains recognition pattern of the JOKE/KillerBee joke
     [NOTE] The file was moved to '4bb5a68b.qua'!
     C:\Program Files\Magic Ball 2\Magic Ball 2.exe
     [DETECTION] This file has been compressed using unusual runtime compression (PCK/Armadillo). Please verify the origin of this file.
     [NOTE] The file was moved to '4bdba69d.qua'!
     C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe
     [DETECTION] Is the TR/PSW.Stealer.724081 Trojan
     [NOTE] The file was moved to '4be7a68f.qua'!
     C:\Program Files\Online Services\PeoplePC\Utilities\AtlBrowser.exe
     [DETECTION] Contains recognition pattern of the DIAL/90112 dialer
     [NOTE] The file was moved to '4be0a6b1.qua'!
     C:\WINDOWS\Downloaded Program Files\gdnUS250.exe
     [DETECTION] Is the TR/Dldr.Small.ayl.0 Trojan
     [NOTE] The file was moved to '4be2a6a1.qua'!
     C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS250.exe
     [DETECTION] Is the TR/Dldr.Small.ayl.0 Trojan
     [NOTE] The file was moved to '4a9dc9a2.qua'!
     C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnUS250.exe
     [DETECTION] Is the TR/Small.Crypted.Gen Trojan
     [NOTE] The file was moved to '4cb8c9d2.qua'!
     C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gdnUS250.exe
     [DETECTION] Is the TR/Small.Crypted.Gen Trojan
     [NOTE] The file was moved to '4cbc2832.qua'!
     C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gdnUS250.exe
     [DETECTION] Is the TR/Small.Crypted.Gen Trojan
     [NOTE] The file was moved to '4cbd30fa.qua'!

     End of the scan: Thursday, February 11, 2010 18:52
     Used time: 1:18:48 Hour(s)

     The scan has been done completely.

     14168 Scanned directories
     840253 Files were scanned
     19 Viruses and/or unwanted programs were found
     0 Files were classified as suspicious
     0 files were deleted
     0 Viruses and unwanted programs were repaired
     19 Files were moved to quarantine
     0 Files were renamed
     14 Files cannot be scanned
     840220 Files not concerned
     15669 Archives were scanned
     18 Warnings
     21 Notes
     65085 Objects were scanned with rootkit scan
     0 Hidden objects were found

     defogger_disable by jpshortstuff (29.01.10.1)
     Log created at 19:15 on 11/02/2010 (rock star!!!!!!!!!!!)

     Checking for autostart values...
     HKCU\~\Run values retrieved.
     HKLM\~\Run values retrieved.

     Checking for services/drivers...

     -=E.O.F=-

     DDS (Ver_09-12-01.01) - NTFSx86
     Run by rock star!!!!!!!!!!! at 19:28:03.57 on Thu 02/11/2010
     Internet Explorer: 8.0.6001.18702
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.69 [GMT -6:00]

     AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

     ============== Running Processes ===============

     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Avira\AntiVir Desktop\sched.exe
     C:\Program Files\Avira\AntiVir Desktop\avguard.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
     C:\windows\system\hpsysdrv.exe
     C:\WINDOWS\system32\hphmon06.exe
     C:\HP\KBD\KBD.EXE
     C:\WINDOWS\AGRSMMSG.exe
     C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
     C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
     C:\WINDOWS\ALCXMNTR.EXE
     C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
     C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
     C:\Program Files\QuickTime\QTTask.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
     C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
     C:\Program Files\PhoTags Express\Photags AutoDetect.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\Internet Explorer\IEXPLORE.EXE
     C:\Program Files\Internet Explorer\IEXPLORE.EXE
     C:\Documents and Settings\rock star!!!!!!!!!!!\Desktop\dds.com

     ============== Pseudo HJT Report ===============

     uStart Page = hxxp://www.facebook.com/
     uSearch Page = hxxp://www.google.com
     uSearch Bar = hxxp://www.google.com/ie
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
     uInternet Connection Wizard,ShellNext = hxxp://eqash.net/fr/?id=us27
     mSearchAssistant = hxxp://www.google.com/ie
     BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\compan~1\installs\cpn\ycomp5_5_7_0.dll
     BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
     BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
     BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
     BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
     BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
     BHO: 1 (0x1) - No File
     TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
     TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\ycomp5_5_7_0.dll
     TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
     TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
     EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
     uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
     mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
     mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
     mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
     mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
     mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
     mRun: [KBD] c:\hp\kbd\KBD.EXE
     mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
     mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
     mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
     mRun: [VTTimer] VTTimer.exe
     mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
     mRun: [AGRSMMSG] AGRSMMSG.exe
     mRun: [PS2] c:\windows\system32\ps2.exe
     mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
     mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
     mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
     mRun: [DSS] c:\windows\bbstore\dss\DSSAGENT.EXE
     mRun: [AlcxMonitor] ALCXMNTR.EXE
     mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
     mRun: [rock] rock.exe
     mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"
     mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
     mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
     mRun: [Ultimate Defender] "c:\program files\ultimate defender\App.exe" hide
     mRun: [SDR6_Check] "c:\program files\common files\drivecleaner 2006 free\udcsdr.exe"
     mRun: [PAS_Check] "c:\program files\common files\drivecleaner 2006 free\udcpas.exe"
     mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
     mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
     mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
     mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
     mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
     mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photag~1.lnk - c:\program files\photags express\Photags AutoDetect.exe
     IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
     IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
     IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?09a25232a3cc4dd0ab1d833e4971d942
     IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?09a25232a3cc4dd0ab1d833e4971d942
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
     IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
     DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
     DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265159937671
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
     DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
     DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
     DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab
     DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
     DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.34/ttinst.cab
     DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
     DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
     Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
     Notify: igfxcui - igfxsrvc.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

     ============= SERVICES / DRIVERS ===============

     R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-11 11608]
     R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-11 108289]
     R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-11 185089]
     R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-11 55656]
     R3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2006-6-4 45568]
     R3 PxHelper;PxHelper;c:\windows\system32\drivers\PxHelper.sys [2006-4-28 15776]
     S1 vspf;vspf;\??\c:\windows\system32\drivers\vspf5.sys --> c:\windows\system32\drivers\vspf5.sys [?]
     S1 vspf_hk;vspf_hk;\??\c:\windows\system32\drivers\vspf_hk5.sys --> c:\windows\system32\drivers\vspf_hk5.sys [?]

     =============== Created Last 30 ================

     2010-02-12 01:15:11 0 ----a-w- c:\documents and settings\rock star!!!!!!!!!!!\defogger_reenable
     2010-02-11 23:14:43 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
     2010-02-11 23:14:39 0 d-----w- c:\program files\Avira
     2010-02-11 23:14:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
     2010-02-11 13:11:29 0 d-sh--w- c:\documents and settings\rock star!!!!!!!!!!!\PrivacIE
     2010-02-11 13:10:55 0 d-sh--w- c:\documents and settings\rock star!!!!!!!!!!!\IETldCache
     2010-02-10 21:28:05 0 dc-h--w- c:\windows\ie8
     2010-02-09 15:52:42 0 d-----w- c:\windows\system32\NtmsData
     2010-02-08 02:38:22 12872 ----a-w- c:\windows\system32\bootdelete.exe
     2010-02-07 17:37:16 0 d-----w- c:\docume~1\rockst~1\applic~1\Malwarebytes
     2010-02-03 22:33:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-02-03 22:33:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-02-03 22:33:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-02-02 21:21:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
     2010-02-02 20:32:39 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
     2010-02-02 20:32:24 0 d-----w- c:\program files\Hitman Pro 3.5
     2010-02-02 20:32:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
     2010-02-02 17:53:47 917504 ----a-w- c:\windows\system32\FLASH.OCX
     2010-02-02 15:50:28 119296 --sha-r- c:\windows\system32\cfgbkendy.dll
     2010-02-01 02:26:16 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
     2010-02-01 02:26:16 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
     2010-01-21 23:28:08 0 d-----w- c:\program files\iPod
     2010-01-21 23:27:44 0 d-----w- c:\program files\iTunes

     ==================== Find3M ====================

     2009-12-18 16:34:39 0 ----a-w- c:\docume~1\rockst~1\applic~1\wklnhst.dat

     ============= FINISH: 19:28:32.42 ===============

     Attachment: Attach.zip
  2. Am I still infected? I have a constant Google redirect and can download Avira AntiVir Personal, but cannot install it. It says the files are corrupt. Here is a clean Malwarebytes log. What can I do? Please help.

     Malwarebytes' Anti-Malware 1.44
     Database version: 3686
     Windows 5.1.2600 Service Pack 2
     Internet Explorer 8.0.6001.18702

     2/10/2010 8:53:36 PM
     mbam-log-2010-02-10 (20-53-36).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 229097
     Time elapsed: 23 minute(s), 1 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  3. Hi, I am running XP Home, SP2, IE8. I have cleaned the system with Malwarebytes and run Hitman Pro. Both found multiple (hundreds of) trojans, spyware, and misc. crap. All seems to be clean, but the browsers still redirect. Could you please help me clean this redirect thing up?