Tigger- Kapersky scan

[FirefoxForNow]

Hello.

This is a continuation of a previous thread located here

http://www.malwarebytes.org/forums/index.php?showtopic=11604

I flaked out for a while and the thread was closed. My fault- your previous proficiency and eliminating the major problems and personal frustration with kaspersky delayed my response.

I haven't installed/uninstalled any software since last post. No symptoms have appeared/disappeared. I can post a fresh HJT log if you wish.

The Kapersky prompts didn't coordinate perfectly with your instructions but I think I worked it out and ran the scan as you asked. It's possible that I am just crummy at interpreting your instructions (my bad)

Here's the results- seems that something was found. Long scan time! Again, sorry for the flakeyness. You have been very successful and proficient at disinfecting my machine so far- I'd be bummed to loose your help now.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Tuesday, March 3, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, March 04, 2009 01:14:06

Records in database: 1866833

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

I:\

Scan statistics:

Files scanned: 89601

Threat name: 2

Infected objects: 2

Suspicious objects: 0

Duration of the scan: 01:08:17

File name / Threat name / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\998.exe.vir Infected: Trojan.Win32.Monder.bdnr 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Dropper.Win32.Agent.ahob 1

The selected area was scanned.

[Tigger93]

Hi again.

Sorry about the instructions. They probably very well do need updating, its been a while since I've looked over then.

Can you please delete the c:\qoobox folder.

Then let's get a new copy of Combofix and we can see whats going on from there.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1

Link 2

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

[FirefoxForNow]

Tigger-

Thanks for responding despite the hiatus. Deleted the qoobox folder and downloaded a new Combofix file. Ran scan.

Your help is appreciated.

ComboFix 09-03-03.01 - Marcus 2009-03-04 17:48:48.6 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1806 [GMT -8:00]

Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))

.

2009-02-24 15:20 . 2009-02-24 15:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD

2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro

2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-24 23:19 --------- d-----w c:\program files\Common Files\Adobe

2009-02-24 07:36 --------- d-----w c:\program files\HP

2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-21 05:20 --------- d-----w c:\program files\LucasArts

2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-20 00:49 --------- d-----w c:\program files\Creative

2009-02-20 00:47 --------- d-----w c:\program files\GemMaster

2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-02-19 09:04 --------- d-----w c:\program files\Java

2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent

2009-02-19 08:17 --------- d-----w c:\program files\uTorrent

2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe

2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe

2009-01-24 04:09 --------- d-----w c:\program files\Activision

2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys

2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys

2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys

2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys

2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe

2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]

NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]

S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.dell4me.com/myway

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-04 17:51:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)

c:\windows\system32\MrvGINA.dll

- - - - - - - > 'lsass.exe'(924)

c:\windows\system32\EntApi.dll

.

Completion time: 2009-03-04 17:53:07

ComboFix-quarantined-files.txt 2009-03-05 01:53:04

ComboFix2.txt 2009-02-24 20:34:34

Pre-Run: 17,573,416,960 bytes free

Post-Run: 17,623,048,192 bytes free

128 --- E O F --- 2009-02-24 22:53:47

[Tigger93]

Really stumped. Kaspersky and Combofix, as before, are showing clean.

Download GMER from here:

1. Unzip it to the desktop.
   
2. Open the program and click on the Rootkit tab.
   
3. Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
   
4. Click on Scan.
   
5. When the scan has run click Copy and paste the results (if any) into this thread.
   

[FirefoxForNow]

GMER found some stuff.

The System volume info system restore thing sounds familiar... I think that McAfee reported a system volume info infection around a month ago. Possible infected restore points?

Thanks for the prompt responses.

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-03-04 22:39:34

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xB9ED9AC8]

SSDT sptd.sys ZwEnumerateKey [0xB9ED9C22]

SSDT sptd.sys ZwEnumerateValueKey [0xB9ED9F9A]

SSDT sptd.sys ZwOpenKey [0xB9ED998E]

SSDT sptd.sys ZwQueryKey [0xB9EDA064]

SSDT sptd.sys ZwQueryValueKey [0xB9ED9EFC]

SSDT sptd.sys ZwSetValueKey [0xB9EDA0EC]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.

? C:\WINDOWS\System32\Drivers\SPTD8701.SYS The process cannot access the file because it is being used by another process.

.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B8FA54F0 16 Bytes [ FA, B2, 91, 10, AD, 3B, 4F, ... ]

.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 B8FA5501 31 Bytes [ 40, FA, B8, C6, 8C, 8F, B5, ... ]

? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9ED5AD2] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [b9ED5C0E] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [b9ED5B96] sptd.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [b9ED676C] sptd.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9ED6642] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8AC0EBF8

Device \FileSystem\Udfs \UdfsCdRom 8A9AF8E8

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Udfs \UdfsDisk 8A9AF8E8

Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \Driver\NetBT \Device\NetBT_Tcpip_{585841F7-1DD4-4AC7-A6D6-364A1534A3BF} 89D47748

AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ABC1410

Device \Driver\dmio \Device\DmControl\DmConfig 8ABC1410

Device \Driver\dmio \Device\DmControl\DmPnP 8ABC1410

Device \Driver\dmio \Device\DmControl\DmInfo 8ABC1410

Device \Driver\00000073 \Device\00000053 sptd.sys

AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

Device \Driver\prodrv06 \Device\ProDrv06 E1EC23F8

Device \Driver\Ftdisk \Device\HarddiskVolume1 8ABC16C8

Device \Driver\Ftdisk \Device\HarddiskVolume2 8ABC16C8

Device \Driver\Cdrom \Device\CdRom0 8A9E6830

Device \FileSystem\Rdbss \Device\FsWrap 89D333C0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\Ftdisk \Device\HarddiskVolume3 8ABC16C8

Device \Driver\prohlp02 \Device\ProHlp02 E189D338

Device \Driver\NetBT \Device\NetBt_Wins_Export 89D47748

Device \Driver\NetBT \Device\NetbiosSmb 89D47748

AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

Device \Driver\Disk \Device\Harddisk0\DR0 8AC0EE30

AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{45DA8E86-FDFA-4A7D-B4F1-16F25E484B3B} 89D47748

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89D31548

Device \FileSystem\MRxSmb \Device\LanmanRedirector 89D31548

Device \FileSystem\Npfs \Device\NamedPipe 8A52E258

Device \Driver\Ftdisk \Device\FtControl 8ABC16C8

Device \FileSystem\Msfs \Device\Mailslot 89D989F8

Device \Driver\dtscsi \Device\Scsi\dtscsi1 8A8D09F8

Device \FileSystem\Fastfat \Fat 89D3E840

Device \FileSystem\Fastfat \Fat AC54D297

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 1353520082

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1871465379

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1571322080

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...

---- Files - GMER 1.0.14 ----

ADS C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP46\A0004733.exe:mian.nest.9.10 18944 bytes executable

---- EOF - GMER 1.0.14 ----

[Tigger93]

Clean again. I really don't think you are infected with anything. Can point out what McAfee is detecting if anything.

You can clear out system restore, won't help any other than removing the alert from McAfee.

[FirefoxForNow]

I guess my main question at this point then is... how do I go about dealing with the re-route issue with Firefox web searches? should I just try reinstalling firefox? might deleting the old system restore points help with this firefox redirect issue?

Thanks again

[Tigger93]

Do you have a router by chance?

[FirefoxForNow]

Yes, I am behind a cable router.

[Tigger93]

Well never mind then. If you had I wireless router, I was going to suggest resetting it. You may be able to do the same here, however I don't know if that would change anything.

Let's try this. You say you get them in Firefox but not in IE?

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

Double-click GooredFix.exe on your Desktop to run it.

• Select "2. Fix Goored" by typing 2 and pressing Enter.
  
• Make sure all instances of Firefox are closed at this point.
  
• Type y at the prompt and press Enter again.
  
• A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
  

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

[FirefoxForNow]

Hello- sorry I've been a couple of days without replying.

Finally had some free time to deal with it- the GooredFix seems to have worked- the firefox redirect problem is gone. Excellent!

Log is below. I imagine that it already took care of everything but I thought I'd check if there is anything further that should be done...

Thanks again for all your help- you have been very cooperative and effective. If I ever need any future help, I'll be sure to come here. Gracias, and may you continue to be victorious in all your future malware battles.

GooredFix v1.92 by jpshortstuff

Log created at 20:11 on 11/03/2009 running Option #2 (Marcus)

Firefox version 3.0.7 (en-US)

=====Goored Deletions=====

C:\Program Files\Mozilla Firefox\extensions\{DC850E77-604F-498A-BF47-A171D66E9AA1}

->Backing up folder... Done.

->Emptying folder... Done.

->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]

"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]

"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"