Jump to content

Andy J

Members
 View Profile  See their activity

  • Posts

    8

  • Joined

  • Last visited

Reputation

0 Neutral
  1. Andy J
    Thanks- it did not reboot, actually did not appear to be disabled as re-enable took about a second. Seems to be fine, though. Thanks again.
  2. Andy J
    Thanks a ton for the help- you're the best! Do I need to do anything with defogger (reenable?) or just delete the program? Thanks again! Andy
  3. Andy J
    Hi- took awhile to get the DB to update correctly but finally successful. No items were in trusted zone to remove. Here's MBAM followed by Kaspersky logs: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4462 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.11 8/23/2010 7:32:18 AM mbam-log-2010-08-23 (07-32-18).txt Scan type: Quick scan Objects scanned: 144211 Time elapsed: 7 minute(s), 11 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Tuesday, August 24, 2010 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Monday, August 23, 2010 17:34:23 Records in database: 4137930 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ D:\ E:\ F:\ G:\ H:\ I:\ Scan statistics: Objects scanned: 104415 Threats found: 2 Infected objects found: 5 Suspicious objects found: 0 Scan duration: 04:28:35 File name / Threat / Threats count C:\hp\bin\wbug\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.vir Infected: Virus.Win32.TDSS.b 1 C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP395\A0044319.sys Infected: Virus.Win32.TDSS.b 1 D:\I386\APPS\APP15968\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1 D:\I386\APPS\APP15968\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1 Selected area has been scanned.
  4. Andy J
    That worked. Rebooted part way thru due to "rootkit activity." Here's the log: ComboFix 10-08-22.05 - Compaq_Administrator 08/22/2010 22:55:58.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.33 [GMT -4:00] Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Compaq_Administrator\Favorites\Vacuum tube audio, tips on repairing, books,H.H. Scott, Fisher, Marantz..url c:\program files\version.txt D:\Autorun.inf Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected Restored copy from - Kitty had a snack . ((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 ))))))))))))))))))))))))))))))) . 2010-08-22 17:52 . 2010-08-22 17:52 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Help 2010-08-22 16:57 . 2010-08-22 16:57 -------- d-----w- c:\program files\7-Zip 2010-08-16 13:04 . 2010-08-16 13:04 503808 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6c08bd56-n\msvcp71.dll 2010-08-16 13:04 . 2010-08-16 13:04 61440 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-78ae6bd3-n\decora-sse.dll 2010-08-16 13:04 . 2010-08-16 13:04 499712 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6c08bd56-n\jmc.dll 2010-08-16 13:04 . 2010-08-16 13:04 348160 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6c08bd56-n\msvcr71.dll 2010-08-16 13:04 . 2010-08-16 13:04 12800 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-78ae6bd3-n\decora-d3d.dll 2010-08-16 13:02 . 2010-08-16 13:01 423656 ----a-w- c:\windows\system32\deployJava1.dll 2010-08-15 04:40 . 2010-08-15 04:40 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes 2010-08-15 04:39 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-15 04:39 . 2010-08-15 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-08-15 04:39 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-15 04:39 . 2010-08-15 04:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-07-27 12:18 . 2010-07-27 12:21 -------- d-----w- c:\program files\Common Files\Adobe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-22 20:20 . 2007-05-27 16:59 -------- d-----w- c:\program files\Windows Media Connect 2 2010-08-22 16:36 . 2007-03-03 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2010-08-16 13:06 . 2006-08-14 22:32 -------- d-----w- c:\program files\Java 2010-08-16 13:03 . 2006-08-14 22:32 -------- d-----w- c:\program files\Common Files\Java 2010-08-15 00:06 . 2007-11-16 14:59 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-08-15 00:06 . 2007-11-16 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-08-12 13:24 . 2007-10-07 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-07-25 14:02 . 2008-06-03 11:26 -------- d-----w- c:\program files\McAfee 2010-07-15 19:18 . 2008-06-03 11:27 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys 2010-06-30 12:31 . 2004-08-10 04:00 149504 ----a-w- c:\windows\system32\schannel.dll 2010-06-24 12:15 . 2004-08-10 04:00 832512 ----a-w- c:\windows\system32\wininet.dll 2010-06-24 12:15 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-06-24 12:15 . 2004-08-10 04:00 17408 ------w- c:\windows\system32\corpol.dll 2010-06-23 13:44 . 2004-08-10 04:00 1851904 ----a-w- c:\windows\system32\win32k.sys 2010-06-21 15:27 . 2004-08-10 04:00 354304 ------w- c:\windows\system32\drivers\srv.sys 2010-06-17 14:03 . 2004-08-10 04:00 80384 ------w- c:\windows\system32\iccvid.dll 2010-06-14 14:31 . 2004-08-10 04:00 744448 ------w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe 2010-06-14 07:41 . 2004-08-10 04:00 1172480 ----a-w- c:\windows\system32\msxml3.dll 2009-10-03 18:33 . 2009-10-03 18:33 5 ----a-w- c:\program files\eula.txt 2007-11-16 14:56 . 2007-11-16 14:56 7467056 -c--a-w- c:\program files\spybotsd15.exe 2007-07-14 14:28 . 2007-07-14 14:28 5007104 -c--a-w- c:\program files\GoogleVideoPlayerSetup.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-20 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584] "ftutil2"="ftutil2.dll" [2004-06-07 106496] "RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616] "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360] "nwiz"="nwiz.exe" [2006-05-09 1519616] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568] "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-14 180269] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832] c:\documents and settings\All Users\Start Menu\Programs\Startup\ hp psc 1000 series.lnk - c:\program files\HP\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456] hpoddt01.exe.lnk - c:\program files\HP\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672] c:\documents and settings\Default User\Start Menu\Programs\Startup\ Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-14 27136] PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-14 27136] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\DISC\\DISCover.exe"= "c:\\Program Files\\DISC\\DiscStreamHub.exe"= "c:\\Program Files\\DISC\\myFTP.exe"= "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 3:18 PM 135664] . Contents of the 'Scheduled Tasks' folder 2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2007-07-15 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8173054393.job - c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52] 2010-08-23 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-03 14:02] 2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 19:17] 2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 19:17] 2010-08-15 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-03 16:22] 2010-03-01 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-03 16:22] . . ------- Supplementary Scan ------- . uStart Page = hxxp://ebay.com/ uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 Trusted Zone: trymedia.com TCP: {345C8BDE-7365-4521-AA56-B5ABDB0FF4AA} = 208.67.220.220,208.67.222.222 FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\4uu31qp8.default\ FF - prefs.js: browser.startup.homepage - hxxp://ebay.com/ FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - ORPHANS REMOVED - - - - HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe HKLM-Run-PCDrProfiler - (no file) HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-08-22 23:03 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2010-08-22 23:07:31 ComboFix-quarantined-files.txt 2010-08-23 03:07 Pre-Run: 169,757,675,520 bytes free Post-Run: 170,115,534,848 bytes free - - End Of File - - 2E47918C5BBAC8847ACB2AF3E3C20C4C
  5. Andy J
    Same thing happened. McAfee reads all aspects disabled. No log found. Scan runs for about a minute, then machine reboots.
  6. Andy J
    Hi- MS Recovery Console loaded OK. Started scan and computer did a spontaneous restart (been getting a few of these today). Shoudl I try running again?
  7. Andy J
    Hi- MB found a few nasties (and my computer speeded up considerably-- thanks a lot!) but google redirect persists. Followed instructions and am posting logs. Here's DDS, followed by latest MB log. attach.txt & ark.txt are attached. Appreciate sharing your wisdom!: DDS (Ver_10-03-17.01) - NTFSx86 Run by Compaq_Administrator at 14:43:58.32 on Sat 08/21/2010 Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_21 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.162 [GMT -4:00] AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\HP\Digital Imaging\bin\hpohmr08.exe C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\arservice.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\system32\nvsvc32.exe svchost.exe C:\Program Files\Outlook Express\msimn.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\system32\dllhost.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter c:\windows\system\hpsysdrv.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\DISC\DISCover.exe C:\Program Files\DISC\DiscUpdMgr.exe C:\Program Files\DISC\DiscStreamHub.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\Defogger.exe C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://ebay.com/ uSearch Page = hxxp://www.google.com uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1 mRun: [ehTray] c:\windows\ehome\ehtray.exe mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode mRun: [RTHDCPL] RTHDCPL.EXE mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE mRun: [<NO NAME>] mRun: [PCDrProfiler] mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hp\digital imaging\bin\hpohmr08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hp\digital imaging\bin\hpotdd01.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL Trusted Zone: trymedia.com DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176236698390 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - TCP: NameServer = 208.67.220.220,208.67.222.222 TCP: {345C8BDE-7365-4521-AA56-B5ABDB0FF4AA} = 208.67.220.220,208.67.222.222 SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\4uu31qp8.default\ FF - prefs.js: browser.startup.homepage - hxxp://ebay.com/ FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24); c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-3 214664] R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-3 359952] R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328] R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-3 144704] R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-3 606736] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-3 79816] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-3 35272] R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-3 40552] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-3 34248] =============== Created Last 30 ================ 2010-08-21 18:40:08 0 ----a-w- c:\documents and settings\compaq_administrator\defogger_reenable 2010-08-16 13:02:34 423656 ----a-w- c:\windows\system32\deployJava1.dll 2010-08-15 04:40:01 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes 2010-08-15 04:39:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-15 04:39:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-08-15 04:39:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-15 04:39:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware ==================== Find3M ==================== 2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll 2010-07-15 19:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys 2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll 2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll 2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys 2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys 2010-06-23 12:06:51 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe 2010-06-23 12:06:51 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe 2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys 2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe 2010-06-17 15:12:57 634656 ----a-w- c:\windows\system32\dllcache\iexplore.exe 2010-06-17 15:11:25 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll 2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll 2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe 2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll 2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll 2009-10-03 18:33:15 5 ----a-w- c:\program files\eula.txt 2009-10-03 18:32:51 14 ----a-w- c:\program files\version.txt 2007-11-16 14:56:51 7467056 -c--a-w- c:\program files\spybotsd15.exe 2007-07-14 14:28:50 5007104 -c--a-w- c:\program files\GoogleVideoPlayerSetup.exe 2008-09-30 14:41:02 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008093020081001\index.dat ============= FINISH: 14:47:54.82 =============== Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4462 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.11 8/22/2010 12:49:50 PM mbam-log-2010-08-22 (12-49-50).txt Scan type: Quick scan Objects scanned: 146413 Time elapsed: 14 minute(s), 40 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ark.zip Attach.zip
  8. Andy J
    Hi- Ran MB and found a few issues but google redirect persisted. Began following the "I'm infected- What do I do now?" instructions and realized I needed a compression program and had not registered hereto use forum. Stopped the GMER scan and completed these which resulted in a spontaneous restart so I'm not sure just where I am now in the process. Should I take it from the top again? Have already run the most up to date MB scan (post restart) with zero infections detected. Appreciate any assistance getting at this problem. Thanks. Andy
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.