brainst0rm

Everything posted by brainst0rm

  1. Hey kahdah, thank you so much for helping me. Also, I noticed in the TDSSKiller log that:

09:12:17:781 2924 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
09:12:17:781 2924 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:12:17:781 2924 File objects infected / cured / cured on reboot: 1 / 0 / 1

Does that imply I still have an infected object that cannot be cured? Or should I not worry about that?
  2. Okay, I did all of the steps in the previous post. Nothing was found. I think the TDSSKiller solved the issue. Should I do anything else? Thanks for your awesome help, by the way.

My MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3883
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/18/2010 11:00:11 AM
mbam-log-2010-03-18 (11-00-11).txt

Scan type: Quick Scan
Objects scanned: 119800
Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

===========================================================

My ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=5de5e72dcca56345bf52539295e4e8c9
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-18 06:30:18
# local_time=2010-03-18 11:30:18 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=7538
# found=0
# cleaned=0
# scan_time=1442
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=5de5e72dcca56345bf52539295e4e8c9
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-18 08:38:24
# local_time=2010-03-18 01:38:24 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=44846
# found=0
# cleaned=0
# scan_time=7627
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=5de5e72dcca56345bf52539295e4e8c9
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-19 12:01:19
# local_time=2010-03-18 05:01:19 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=69343
# found=0
# cleaned=0
# scan_time=11580
  3. Hey, thanks for helping me out. This backdoor trojan sounds scary. I did everything in the previous post. Here are my two logs.

My TDSSKiller log:

09:10:28:984 2924 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
09:10:28:984 2924 ================================================================================
09:10:28:984 2924 SystemInfo:
09:10:28:984 2924 OS Version: 5.1.2600 ServicePack: 3.0
09:10:28:984 2924 Product type: Workstation
09:10:28:984 2924 ComputerName: YOUR-4105E587B6
09:10:28:984 2924 UserName: Owner
09:10:28:984 2924 Windows directory: C:\WINDOWS
09:10:29:000 2924 Processor architecture: Intel x86
09:10:29:000 2924 Number of processors: 1
09:10:29:000 2924 Page size: 0x1000
09:10:29:062 2924 Boot type: Normal boot
09:10:29:062 2924 ================================================================================
09:10:29:062 2924 UnloadDriverW: NtUnloadDriver error 2
09:10:29:062 2924 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
09:10:29:218 2924 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
09:10:29:218 2924 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:10:29:218 2924 wfopen_ex: Trying to KLMD file open
09:10:29:218 2924 wfopen_ex: File opened ok (Flags 2)
09:10:29:218 2924 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
09:10:29:218 2924 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:10:29:218 2924 wfopen_ex: Trying to KLMD file open
09:10:29:218 2924 wfopen_ex: File opened ok (Flags 2)
09:10:29:218 2924 Initialize success
09:10:29:218 2924
09:10:29:218 2924 Scanning Services ...
09:10:29:812 2924 GetAdvancedServicesInfo: Raw services enum returned 342 services
09:10:29:812 2924
09:10:29:812 2924 Scanning Kernel memory ...
09:10:29:812 2924 Devices to scan: 3
09:10:29:812 2924
09:10:29:812 2924 Driver Name: Disk
09:10:29:812 2924 IRP_MJ_CREATE : F7622BB0
09:10:29:812 2924 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:10:29:812 2924 IRP_MJ_CLOSE : F7622BB0
09:10:29:812 2924 IRP_MJ_READ : F761CD1F
09:10:29:812 2924 IRP_MJ_WRITE : F761CD1F
09:10:29:812 2924 IRP_MJ_QUERY_INFORMATION : 804F355A
09:10:29:812 2924 IRP_MJ_SET_INFORMATION : 804F355A
09:10:29:812 2924 IRP_MJ_QUERY_EA : 804F355A
09:10:29:812 2924 IRP_MJ_SET_EA : 804F355A
09:10:29:812 2924 IRP_MJ_FLUSH_BUFFERS : F761D2E2
09:10:29:812 2924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:10:29:812 2924 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:10:29:812 2924 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:10:29:812 2924 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:10:29:812 2924 IRP_MJ_DEVICE_CONTROL : F761D3BB
09:10:29:812 2924 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7620F28
09:10:29:812 2924 IRP_MJ_SHUTDOWN : F761D2E2
09:10:29:812 2924 IRP_MJ_LOCK_CONTROL : 804F355A
09:10:29:812 2924 IRP_MJ_CLEANUP : 804F355A
09:10:29:812 2924 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:10:29:812 2924 IRP_MJ_QUERY_SECURITY : 804F355A
09:10:29:812 2924 IRP_MJ_SET_SECURITY : 804F355A
09:10:29:812 2924 IRP_MJ_POWER : F761EC82
09:10:29:812 2924 IRP_MJ_SYSTEM_CONTROL : F762399E
09:10:29:812 2924 IRP_MJ_DEVICE_CHANGE : 804F355A
09:10:29:812 2924 IRP_MJ_QUERY_QUOTA : 804F355A
09:10:29:812 2924 IRP_MJ_SET_QUOTA : 804F355A
09:10:29:828 2924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:10:29:828 2924
09:10:29:828 2924 Driver Name: Disk
09:10:29:828 2924 IRP_MJ_CREATE : F7622BB0
09:10:29:828 2924 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:10:29:828 2924 IRP_MJ_CLOSE : F7622BB0
09:10:29:828 2924 IRP_MJ_READ : F761CD1F
09:10:29:828 2924 IRP_MJ_WRITE : F761CD1F
09:10:29:828 2924 IRP_MJ_QUERY_INFORMATION : 804F355A
09:10:29:828 2924 IRP_MJ_SET_INFORMATION : 804F355A
09:10:29:828 2924 IRP_MJ_QUERY_EA : 804F355A
09:10:29:828 2924 IRP_MJ_SET_EA : 804F355A
09:10:29:828 2924 IRP_MJ_FLUSH_BUFFERS : F761D2E2
09:10:29:828 2924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:10:29:828 2924 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:10:29:828 2924 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:10:29:828 2924 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:10:29:828 2924 IRP_MJ_DEVICE_CONTROL : F761D3BB
09:10:29:828 2924 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7620F28
09:10:29:828 2924 IRP_MJ_SHUTDOWN : F761D2E2
09:10:29:828 2924 IRP_MJ_LOCK_CONTROL : 804F355A
09:10:29:828 2924 IRP_MJ_CLEANUP : 804F355A
09:10:29:828 2924 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:10:29:828 2924 IRP_MJ_QUERY_SECURITY : 804F355A
09:10:29:828 2924 IRP_MJ_SET_SECURITY : 804F355A
09:10:29:828 2924 IRP_MJ_POWER : F761EC82
09:10:29:828 2924 IRP_MJ_SYSTEM_CONTROL : F762399E
09:10:29:828 2924 IRP_MJ_DEVICE_CHANGE : 804F355A
09:10:29:828 2924 IRP_MJ_QUERY_QUOTA : 804F355A
09:10:29:828 2924 IRP_MJ_SET_QUOTA : 804F355A
09:10:29:859 2924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:10:29:859 2924
09:10:29:859 2924 Driver Name: atapi
09:10:29:859 2924 IRP_MJ_CREATE : 864BBCA1
09:10:29:859 2924 IRP_MJ_CREATE_NAMED_PIPE : 864BBCA1
09:10:29:859 2924 IRP_MJ_CLOSE : 864BBCA1
09:10:29:859 2924 IRP_MJ_READ : 864BBCA1
09:10:29:859 2924 IRP_MJ_WRITE : 864BBCA1
09:10:29:859 2924 IRP_MJ_QUERY_INFORMATION : 864BBCA1
09:10:29:859 2924 IRP_MJ_SET_INFORMATION : 864BBCA1
09:10:29:859 2924 IRP_MJ_QUERY_EA : 864BBCA1
09:10:29:859 2924 IRP_MJ_SET_EA : 864BBCA1
09:10:29:859 2924 IRP_MJ_FLUSH_BUFFERS : 864BBCA1
09:10:29:859 2924 IRP_MJ_QUERY_VOLUME_INFORMATION : 864BBCA1
09:10:29:859 2924 IRP_MJ_SET_VOLUME_INFORMATION : 864BBCA1
09:10:29:859 2924 IRP_MJ_DIRECTORY_CONTROL : 864BBCA1
09:10:29:859 2924 IRP_MJ_FILE_SYSTEM_CONTROL : 864BBCA1
09:10:29:859 2924 IRP_MJ_DEVICE_CONTROL : 864BBCA1
09:10:29:859 2924 IRP_MJ_INTERNAL_DEVICE_CONTROL : 864BBCA1
09:10:29:859 2924 IRP_MJ_SHUTDOWN : 864BBCA1
09:10:29:859 2924 IRP_MJ_LOCK_CONTROL : 864BBCA1
09:10:29:859 2924 IRP_MJ_CLEANUP : 864BBCA1
09:10:29:859 2924 IRP_MJ_CREATE_MAILSLOT : 864BBCA1
09:10:29:859 2924 IRP_MJ_QUERY_SECURITY : 864BBCA1
09:10:29:859 2924 IRP_MJ_SET_SECURITY : 864BBCA1
09:10:29:859 2924 IRP_MJ_POWER : 864BBCA1
09:10:29:859 2924 IRP_MJ_SYSTEM_CONTROL : 864BBCA1
09:10:29:859 2924 IRP_MJ_DEVICE_CHANGE : 864BBCA1
09:10:29:859 2924 IRP_MJ_QUERY_QUOTA : 864BBCA1
09:10:29:859 2924 IRP_MJ_SET_QUOTA : 864BBCA1
09:10:29:859 2924 Driver "atapi" infected by TDSS rootkit!
09:10:29:859 2924 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
09:10:29:859 2924 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
09:10:29:875 2924 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
09:10:29:875 2924 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
09:12:15:375 2924 vfvi6
09:12:15:625 2924 !dsvbh1
09:12:17:750 2924 dsvbh2
09:12:17:750 2924 fdfb2
09:12:17:750 2924 Backup copy found, using it..
09:12:17:765 2924 will be cured on next reboot
09:12:17:765 2924 Reboot required for cure complete..
09:12:17:781 2924 Cure on reboot scheduled successfully
09:12:17:781 2924
09:12:17:781 2924 Completed
09:12:17:781 2924
09:12:17:781 2924 Results:
09:12:17:781 2924 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
09:12:17:781 2924 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:12:17:781 2924 File objects infected / cured / cured on reboot: 1 / 0 / 1
09:12:17:781 2924
09:12:17:781 2924 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
09:12:17:781 2924 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
09:12:17:781 2924 UnloadDriverW: NtUnloadDriver error 1
09:12:17:781 2924 KLMD_Unload: UnloadDriverW(klmd21) error 1
09:12:17:781 2924 KLMD(ARK) unloaded successfully

====================================================================

My ComboFix log:

ComboFix 10-03-17.07 - Owner 03/18/2010 9:37.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.581 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003
c:\recycler\S-1-5-21-3288127050-197847358-126776011-1003
.
((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
.
2010-03-16 07:01 . 2010-03-16 07:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-16 07:01 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-16 07:01 . 2010-03-16 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-16 07:01 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 07:01 . 2010-03-16 07:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 03:31 . 2010-03-16 03:31 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-03-16 03:31 . 2010-03-16 03:31 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-03-16 03:31 . 2010-03-16 03:31 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-03-16 03:31 . 2010-03-16 03:31 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-03-16 03:06 . 2010-03-16 03:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-15 08:47 . 2010-03-15 08:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-10 03:21 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-18 16:15 . 2004-08-04 00:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-17 08:06 . 2006-07-16 22:32 -------- d-----w- c:\program files\Warcraft III
2010-03-17 06:01 . 2009-09-20 17:33 -------- d-----w- c:\program files\CCleaner
2010-03-17 05:58 . 2007-03-04 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 05:26 . 2007-03-04 22:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-11 10:48 . 2006-07-16 22:36 91509 -c--a-w- c:\windows\War3Unin.dat
2010-01-27 08:03 . 2009-10-27 07:17 1510 ----a-w- c:\windows\Sketchpad Preferences.dat
2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-04 67128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]
"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 28160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-01 271672]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-4 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-9-20 438272]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-21 17:09 50472 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 23:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LittleFighter2\\LF2_v1.9c\\lf2.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/16/2010 12:01 AM 236368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 8:14 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/16/2010 12:01 AM 19160]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 2:10 PM 32512]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 05:51]

2010-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 20:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0qaug6fq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKU-Default-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-18 09:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?2?3?6??P???? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3616)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-03-18 09:43:43
ComboFix-quarantined-files.txt 2010-03-18 16:43

Pre-Run: 69,785,174,016 bytes free
Post-Run: 69,777,117,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 4F635BE59856CEEE6E43EDB8B63DFEFD
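Two things in the TDSSKiller output above are worth being able to read mechanically: the per-driver IRP dispatch tables (every IRP_MJ_* entry of "atapi" resolves to the single address 864BBCA1, while disk.sys has distinct handlers and shares the kernel default 804F355A with other drivers), and the three "Results:" counters that post 1 asks about. The following parser is an added example written for this page; it is not part of TDSSKiller or of the original post. It uses a constructed, abridged excerpt of the log (a few IRP rows per driver, addresses as posted) as input. The "fully redirected table" heuristic is the editor's, not TDSSKiller's documented logic, and the split of the counters into cured now / cure scheduled at reboot / neither is arithmetic on the log's own numbers.

```python
import re

# Constructed excerpt of the TDSSKiller 2.2.8 log posted above (abridged: only a
# few IRP_MJ_* rows per driver are kept; the addresses are the ones in the post).
SAMPLE_LOG = """\
09:10:29:812 2924 Scanning Kernel memory ...
09:10:29:812 2924 Devices to scan: 3
09:10:29:812 2924
09:10:29:812 2924 Driver Name: Disk
09:10:29:812 2924 IRP_MJ_CREATE : F7622BB0
09:10:29:812 2924 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:10:29:812 2924 IRP_MJ_READ : F761CD1F
09:10:29:812 2924 IRP_MJ_DEVICE_CONTROL : F761D3BB
09:10:29:828 2924 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
09:10:29:828 2924
09:10:29:859 2924 Driver Name: atapi
09:10:29:859 2924 IRP_MJ_CREATE : 864BBCA1
09:10:29:859 2924 IRP_MJ_CREATE_NAMED_PIPE : 864BBCA1
09:10:29:859 2924 IRP_MJ_READ : 864BBCA1
09:10:29:859 2924 IRP_MJ_DEVICE_CONTROL : 864BBCA1
09:10:29:859 2924 Driver "atapi" infected by TDSS rootkit!
09:10:29:859 2924 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
09:12:17:781 2924 Results:
09:12:17:781 2924 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
09:12:17:781 2924 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:12:17:781 2924 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Each log line is "HH:MM:SS:mmm <pid> <body>"; the body may be empty.
LINE = re.compile(r"^\d\d:\d\d:\d\d:\d{3}\s+\d+\s?(.*)$")
DRIVER = re.compile(r"^Driver Name:\s*(\S+)$")
IRP = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
RESULT = re.compile(
    r"^(\w+) objects infected / cured / cured on reboot:\s*(\d+) / (\d+) / (\d+)$")


def strip_prefix(line):
    """Drop the timestamp/pid prefix; return None for non-log lines."""
    m = LINE.match(line.rstrip())
    return m.group(1).strip() if m else None


def parse_dispatch_tables(text):
    """Return [(driver_name, {IRP_MJ_x: handler_address})] in log order.
    A list (not a dict) because the same driver name can appear more than once."""
    tables, current = [], None
    for raw in text.splitlines():
        body = strip_prefix(raw)
        if body is None:
            continue
        m = DRIVER.match(body)
        if m:
            current = (m.group(1), {})
            tables.append(current)
            continue
        m = IRP.match(body)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2).upper()
    return tables


def suspicious_tables(tables):
    """Editor's heuristic: flag a driver whose whole dispatch table collapses onto
    one address that no other driver's table shares. Unimplemented majors in a
    healthy table all point at one kernel default (804F355A in the posted log),
    but that default is shared across drivers and the implemented majors differ."""
    flagged = []
    for i, (name, table) in enumerate(tables):
        addrs = set(table.values())
        if not table or len(addrs) != 1:
            continue
        addr = next(iter(addrs))
        shared = any(addr in t.values() for j, (_, t) in enumerate(tables) if j != i)
        if not shared:
            flagged.append((name, addr))
    return flagged


def parse_results(text):
    """{'memory': (infected, cured, cured_on_reboot), 'registry': ..., 'file': ...}"""
    out = {}
    for raw in text.splitlines():
        m = RESULT.match(strip_prefix(raw) or "")
        if m:
            out[m.group(1).lower()] = tuple(int(x) for x in m.group(2, 3, 4))
    return out


def outstanding(results):
    """Per category: infected objects neither cured now nor scheduled for cure at
    reboot. These are the ones to confirm with a rescan after the reboot."""
    return {k: inf - cured - reboot for k, (inf, cured, reboot) in results.items()}


def triage(text):
    res = parse_results(text)
    return {
        "hooked": suspicious_tables(parse_dispatch_tables(text)),
        "outstanding": outstanding(res),
        "needs_reboot": any(reboot for (_, _, reboot) in res.values()),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, addr in report["hooked"]:
        print(f"dispatch table of '{name}' fully redirected to {addr}")
    print("cure scheduled for next reboot:", report["needs_reboot"])
    for cat, n in report["outstanding"].items():
        print(f"{cat}: {n} object(s) not covered by a cure or a reboot cure")
```

On the posted log this flags only "atapi" (both Disk tables share 804F355A with each other and use several distinct handlers), reports that a reboot cure is pending, and leaves one memory object not covered by either counter; the practical check is the post-reboot rescan that the thread's later posts show.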
  4. I believe I have undetected malware running because I continuously keep getting random popups and redirects in Google on Firefox. I have Malwarebytes helping me out, but popups still get through. Can I please get help on my situation? Thanks. I followed instructions from http://forums.malwarebytes.org/index.php?showtopic=9573.

My Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.44
Database version: 3874
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/16/2010 11:30:34 PM
mbam-log-2010-03-16 (23-30-34).txt

Scan type: Quick Scan
Objects scanned: 2
Time elapsed: 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=========================================

My DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:42:35.10 on Wed 03/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.312 [GMT -7:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\0qaug6fq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program
files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-3-16 236368] R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-2-17 104000] R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960] R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-3-16 19160] R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-2-17 72264] R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-2-17 34152] R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-2-17 168776] S2 pciinfo;HP Pci Information;\??\c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [?] 
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512] =============== Created Last 30 ================ 2010-03-18 00:41:20 0 ----a-w- c:\documents and settings\owner\defogger_reenable 2010-03-16 07:01:11 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes 2010-03-16 07:01:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-03-16 07:01:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-16 07:01:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-03-16 07:01:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-03-16 03:31:57 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy) 2010-03-16 03:31:57 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy) 2010-03-16 03:31:57 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy) 2010-03-16 03:31:56 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy) 2010-03-10 03:21:23 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe ==================== Find3M ==================== 2010-03-15 10:31:35 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-03-15 10:31:35 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys 2010-03-11 10:48:11 91509 -c--a-w- c:\windows\War3Unin.dat 2010-01-27 08:03:27 1510 ----a-w- c:\windows\Sketchpad Preferences.dat 2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys 2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe ============= FINISH: 17:44:16.76 =============== Attach.zip
  5. Hey Malware experts, I'm new to the forum. I believe I have undetected malware running because I keep getting random popups and redirects in Google on Firefox. I have Malwarebytes helping me out, but popups still get through. I have searched numerous threads and I came this far by downloading/running HijackThis to give you my current position. Can I please get help on this situation?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:58 AM, on 3/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- End of file - 10662 bytes
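Added example, not part of brainst0rm's post and not code from HijackThis: a small Python triage script that parses the O2/O3/O4/O16/O23 entries of a HijackThis-style log and flags the entry shapes a helper reads first. It marks Run values with no command, a Run value that is a bare file name (resolved through the search path rather than an absolute path), autostarts or services living under a Temp directory, toolbar/BHO CLSIDs that point at "(no file)", DPF entries with no download URL, and services with no recorded owner. The sample log is constructed to mirror the entry shapes in the log above; the "[updater]" Temp-directory line is invented for the example and does not appear in the post. The regexes, tags and thresholds are the example's own heuristics. A flag means "look at this", not "this is malicious": the bare KHALMNPR.EXE entry, for instance, is how Logitech's SetPoint normally registers itself.

```python
"""Triage helper for HijackThis-style autostart logs (added example, not from the post)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    name: str     # Run value name, CLSID, or service name
    target: str   # command line, file path, or URL as logged
    reason: str   # tag for the heuristic that fired


# Constructed sample log: entry shapes modelled on the log above.
# The "[updater]" line is invented for this example and is not from the post.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Aim6]
O4 - HKLM\..\Run: [<NO NAME>]
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\Owner\LOCALS~1\Temp\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} -
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

# Heuristic patterns (this example's own, not HijackThis's).
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.I)
USER_PROFILE = re.compile(r"\\(?:documents and settings|docume~1|users)\\", re.I)
EXE_IN_CMD = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js|pif))"?(?:\s|$)', re.I)

O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)(?:\s\(User '.*'\))?$")
BHO_RE = re.compile(r"^O(?P<sec>2|3) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def executable(cmd: str) -> str:
    """Pull the program path out of a Run-value command line (quoted or not)."""
    m = EXE_IN_CMD.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0].strip('"')


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            name, cmd = m["name"], m["cmd"].strip()
            if not cmd:
                findings.append(Finding("O4", name, cmd, "empty-run-value"))
                continue
            exe = executable(cmd)
            if "\\" not in exe and not exe.startswith("%"):
                # Bare file name: resolved via the search path, so trivially hijackable.
                findings.append(Finding("O4", name, cmd, "bare-filename"))
            elif TEMP_DIR.search(exe):
                findings.append(Finding("O4", name, cmd, "temp-dir"))
            elif USER_PROFILE.search(exe):
                findings.append(Finding("O4", name, cmd, "user-profile"))
        elif m := BHO_RE.match(line):
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("O" + m["sec"], m["clsid"], m["path"], "orphan-clsid"))
        elif m := O16_RE.match(line):
            if not m["url"]:
                findings.append(Finding("O16", m["clsid"], "", "dpf-no-url"))
        elif m := O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", m["name"], m["path"], "service-unknown-owner"))
            elif TEMP_DIR.search(m["path"]):
                findings.append(Finding("O23", m["name"], m["path"], "temp-dir"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason:<22}{f.name}  {f.target}")
```

Run it over a real log with `triage(open("hijackthis.log").read())`. Everything it does not flag still needs the usual checks (file hash, signer, creation date against the Created Last 30 section of the DDS log); the script only orders the reading.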