
Google search getting redirected



Hello,

When I click on Google searches in Firefox, it takes me to unrelated sites. I have scanned with the paid version of MBAM and it always brings up 4 to 12 infections; I clean them up, but the problem persists. Here are the HJT and MBAM logs, appreciate your help.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:42:47 AM, on 3/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\EZBackitup\EZBkuptray.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Perfect Keyboard\PK32.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\RemoteView\RemoteView.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.ebay.com/aboutme/diageminc

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: 66.249.138.103 store.allurecollectiongiftcard.com

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Wdipiqivuxeg] rundll32.exe "C:\WINDOWS\Fxiyef.dat",e

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [Xpipaq] rundll32.exe "C:\WINDOWS\iluxocige.dll",e

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1

O4 - HKCU\..\Run: [EZBack-it-up Tray Scheduler] C:\Program Files\EZBackitup\EZBkuptray.exe

O4 - Startup: Shortcut to PK32.lnk = C:\Program Files\Perfect Keyboard\PK32.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games


  • Staff

Hi,

First of all, please update MalwareBytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a full scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Thanks for your post,

- updated MBAM

- did a full scan

- removed all items (some needed a reboot, so I immediately restarted the computer)

Here are the latest HJT and MBAM logs

Malwarebytes' Anti-Malware 1.34

Database version: 1836

Windows 5.1.2600 Service Pack 3

3/11/2009 1:25:56 PM

mbam-log-2009-03-11 (13-25-56).txt

Scan type: Full Scan (C:\|)

Objects scanned: 255103

Time elapsed: 2 hour(s), 37 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpipaq (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP392\A0183099.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP392\A0183100.dll (Trojan.Adclicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP392\A0183101.dll (Trojan.Adclicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP392\A0183102.dll (Trojan.Adclicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP392\A0183110.dll (Trojan.Adclicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP394\A0183707.dll (Trojan.Pakes) -> Quarantined and deleted successfully.

C:\WINDOWS\enuxatabivepas.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:29:15 PM, on 3/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\EZBackitup\EZBkuptray.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Perfect Keyboard\PK32.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\RemoteView\RemoteView.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.ebay.com/aboutme/diageminc

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: 66.249.138.103 store.allurecollectiongiftcard.com

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Wdipiqivuxeg] rundll32.exe "C:\WINDOWS\Fxiyef.dat",e

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1

O4 - HKCU\..\Run: [EZBack-it-up Tray Scheduler] C:\Program Files\EZBackitup\EZBkuptray.exe

O4 - Startup: Shortcut to PK32.lnk = C:\Program Files\Perfect Keyboard\PK32.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Thanks for your help, here is the ComboFix log report.

ComboFix 09-03-10.03 - Amit 2009-03-12 9:16:35.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.676 [GMT -8:00]

Running from: c:\documents and settings\Amit\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\LocalService\Application Data\twain_32

c:\documents and settings\LocalService\Application Data\twain_32\user.ds

c:\windows\patch.exe

c:\windows\system32\comrepl.exe

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\init32.exe

c:\windows\system32\kwave.sys

c:\windows\system32\uniq.tll

c:\windows\system32\win32hlp.cnf

c:\windows\winhelp.ini

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.

((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))

.

2012-12-12 04:12 . 2012-12-12 04:12 1,221,464 --------- c:\windows\SYSTEM32\IMMC.EXE

2012-12-12 04:12 . 2012-12-12 04:12 65,536 --------- c:\windows\SYSTEM32\MSRTEDIT.DLL

2009-03-11 16:26 . 2009-03-11 16:26 1,374 --a------ c:\windows\imsins.BAK

2009-03-11 15:14 . 2009-03-11 15:14 133,120 --a------ c:\windows\ohudupayaza.dll

2009-02-26 11:26 . 2009-02-26 11:26 <DIR> d-------- c:\program files\BannerDesignerPro

2009-02-26 10:13 . 2009-02-26 10:13 <DIR> d-------- c:\program files\EZBackitup

2009-02-25 14:17 . 2009-02-25 14:17 <DIR> d-------- c:\program files\CCleaner

2009-02-25 13:52 . 2009-02-25 13:52 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Malwarebytes

2009-02-25 13:45 . 2004-05-10 14:37 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Symantec

2009-02-25 13:45 . 2004-05-10 14:40 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Sonic

2009-02-25 13:45 . 2004-05-10 14:36 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Jasc Software Inc

2009-02-25 13:45 . 2009-02-25 13:45 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP

2009-02-25 13:43 . 2009-02-25 13:43 <DIR> d-------- c:\documents and settings\Amit\Application Data\Malwarebytes

2009-02-25 13:43 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

2009-02-25 13:43 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

2009-02-25 13:16 . 2009-02-25 13:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-25 13:16 . 2009-02-25 13:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-25 11:54 . 2009-02-25 12:02 7 --a------ c:\windows\SYSTEM32\nar.bin

2009-02-25 11:52 . 2009-02-25 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro

2009-02-25 11:51 . 2009-03-10 09:42 <DIR> d-------- c:\program files\Trend Micro

2009-02-25 11:12 . 2009-02-25 11:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft

2009-02-25 11:07 . 2004-05-10 14:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec

2009-02-25 11:07 . 2004-05-10 14:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic

2009-02-25 11:07 . 2004-05-10 14:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc

2009-02-25 11:07 . 2009-02-25 11:07 <DIR> d-------- c:\documents and settings\Administrator

2009-02-25 10:55 . 2009-02-25 10:55 8,768 --a------ c:\windows\SYSTEM32\DRIVERS\wATV03nt.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-11 22:45 --------- d-----w c:\program files\AOL Toolbar

2009-03-09 16:18 --------- d-----w c:\documents and settings\Amit\Application Data\Corel

2009-03-06 23:18 --------- d-----w c:\program files\America Online 8.0

2009-02-10 17:33 --------- d-----w c:\documents and settings\Amit\Application Data\AdobeUM

2009-01-30 22:35 --------- d-----w c:\program files\America Online 7.0

2009-01-29 22:43 --------- d-----w c:\documents and settings\Amit\Application Data\Galaxy Ship

2009-01-28 18:02 60,744 ----a-w c:\documents and settings\Amit\g2mdlhlpx.exe

2009-01-19 22:15 --------- d-----w c:\program files\EFTP

2009-01-19 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2006-04-21 16:50 630,784 ----a-w c:\documents and settings\Amit\chatlnk.exe

2008-08-04 23:24 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008080420080805\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"EZBack-it-up Tray Scheduler"="c:\program files\EZBackitup\EZBkuptray.exe" [2004-06-03 631808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"Wdipiqivuxeg"="c:\windows\Fxiyef.dat" [2008-12-04 39936]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-02-11 399504]

"Xpipaq"="c:\windows\ohudupayaza.dll" [2009-03-11 133120]

c:\documents and settings\Amit\Start Menu\Programs\Startup\

Shortcut to PK32.lnk - c:\program files\Perfect Keyboard\PK32.EXE [2004-06-05 647168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-21 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2003-10-31 11:01 8704 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.iv50"= c:\windows\ir50_32.dll

"vidc.mpg4"= c:\windows\mpg4c32.dll

"vidc.mpg2"= c:\windows\mpg4c32.dll

"vidc.mpg3"= c:\windows\mpg4c32.dll

"vidc.GEOX"= c:\windows\GeoCodec.dll

"vidc.MJPG"= m3jpeg32.dll

"vidc.dmb1"= m3jpeg32.dll

"vidc.mp42"= c:\windows\Mpg4c32.dll

"vidc.mp43"= c:\windows\Mpg4c32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wATV03nt.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk

backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk

backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

--a------ 2008-10-01 12:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

--------- 2003-08-05 22:04 114741 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]

--------- 2003-08-13 07:27 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2006-03-10 14:22 48280 c:\program files\Common Files\AOL\1129563433\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

--a------ 2006-03-20 16:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

--a------ 2006-03-20 16:34 213936 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a------ 2006-03-20 16:34 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

--a------ 2003-10-06 07:05 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--------- 2002-11-07 23:22 4243456 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2003-08-26 16:47 204800 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]

--------- 2002-11-07 23:22 770117 c:\windows\SYSTEM32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--------- 2002-11-07 23:22 315392 c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AdobeActiveFileMonitor5.0"=2 (0x2)

"NTService1"=2 (0x2)

"iPod Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\America Online 8.0\\waol.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\WinAw32.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\RemoteView\\BcastTcp.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSSQL$SHIPWORKS;MSSQL$SHIPWORKS;c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe -sSHIPWORKS --> c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe -sSHIPWORKS [?]

R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [2009-02-25 15504]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-02-25 179856]

S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]

S3 Irisifrtr;Irisifrtr; [x]

S3 SQLAgent$SHIPWORKS;SQLAgent$SHIPWORKS;c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlagent.EXE -i SHIPWORKS --> c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlagent.EXE -i SHIPWORKS [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{055ca751-c600-11d8-aba1-00038a000015}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe

\Shell\Explore\command - N:\system.exe

\Shell\Open\command - N:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc1ca6a0-6f4d-11db-aec5-00038a000015}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe

\Shell\Explore\command - L:\system.exe

\Shell\Open\command - L:\system.exe

.

Contents of the 'Scheduled Tasks' folder

2004-06-05 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]

.

- - - - ORPHANS REMOVED - - - -

Notify-ddccd - (no file)

SafeBoot-eeekp.sys

MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

MSConfigStartUp-MaxtorOneTouch - c:\program files\Maxtor\OneTouch\utils\Onetouch.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://members.ebay.com/aboutme/diageminc

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} - hxxp://192.168.0.200/cab/RPB.cab

FF - ProfilePath - c:\documents and settings\Amit\Application Data\Mozilla\Firefox\Profiles\default.5b1\

FF - prefs.js: browser.startup.homepage - hxxp://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=diageminc

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-12 09:20:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe

c:\windows\SYSTEM32\nvsvc32.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\windows\SYSTEM32\wdfmgr.exe

c:\windows\wanmpsvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\SYSTEM32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\SYSTEM32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-03-12 9:26:20 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-12 17:26:17

Pre-Run: 36,248,784,896 bytes free

Post-Run: 36,636,332,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

243 --- E O F --- 2009-03-12 00:26:15


  • Staff

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Collect::[8]

c:\windows\ohudupayaza.dll

c:\windows\Fxiyef.dat

Driver::

Irisifrtr

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Wdipiqivuxeg"=-

"Xpipaq"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000000

"UpdatesDisableNotify"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"=dword:00000001

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{055ca751-c600-11d8-aba1-00038a000015}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc1ca6a0-6f4d-11db-aec5-00038a000015}]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
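An added triage helper (not part of this thread, and not a ComboFix or Malwarebytes tool) that parses a ComboFix-style "Reg Loading Points" dump and flags the conditions the CFScript above reverts: Run values loading payloads straight out of c:\windows or from non-.exe files, Security Center notifications switched off, the firewall disabled, and mountpoints2 AutoRun handlers pointing at an executable on another drive. The sample dump is constructed from log lines earlier in this thread; the "windows root or not .exe" heuristic is this example's assumption, not a rule from the tools.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for the persistence and
weakened-defence indicators seen in this thread (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed sample, assembled from the ComboFix output posted in this thread.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Wdipiqivuxeg"="c:\windows\Fxiyef.dat" [2008-12-04 39936]
"Xpipaq"="c:\windows\ohudupayaza.dll" [2009-03-11 133120]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{055ca751-c600-11d8-aba1-00038a000015}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - N:\system.exe
\Shell\Open\command - N:\system.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')           # "name"=rest
QUOTED_PATH_RE = re.compile(r'^"([^"]*)"')              # "c:\path\file" [date size]
DWORD_RE = re.compile(r"dword:([0-9a-fA-F]+)")          # dword:00000001
SHELL_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")  # mountpoints2 handlers


def parse_dump(text):
    """Group the dump into {registry key: [raw value lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def numeric_value(rest):
    """Accept ComboFix's '0 (0x0)' rendering or REGEDIT's 'dword:00000001'."""
    d = DWORD_RE.search(rest)
    return int(d.group(1), 16) if d else int(rest.split()[0], 0)


def suspicious_run_entry(path):
    """Heuristic (assumption of this example): the payloads in this thread sat
    directly in c:\\windows and were not .exe files (a .dat and a randomly
    named .dll loaded through rundll32). Legitimate Run entries rarely do either."""
    p = PureWindowsPath(path)
    in_windows_root = str(p.parent).lower() == r"c:\windows"
    return in_windows_root or p.suffix.lower() != ".exe"


def triage(text):
    """Return (category, name, detail) tuples for every flagged line."""
    findings = []
    for key, lines in parse_dump(text).items():
        lk = key.lower()
        if lk.endswith(r"\currentversion\run"):
            for line in lines:
                m = VALUE_RE.match(line)
                q = QUOTED_PATH_RE.match(m.group(2)) if m else None
                if q and suspicious_run_entry(q.group(1)):
                    findings.append(("run", m.group(1), q.group(1)))
        elif lk.endswith(r"\security center"):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group(1).endswith("DisableNotify") and numeric_value(m.group(2)) != 0:
                    findings.append(("security_center", m.group(1), "notifications disabled"))
        elif "firewallpolicy" in lk and lk.endswith("standardprofile"):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group(1) == "EnableFirewall" and numeric_value(m.group(2)) == 0:
                    findings.append(("firewall", m.group(1), "firewall disabled"))
        elif "\\explorer\\mountpoints2\\" in lk:
            # Any AutoRun/Open/Explore handler on a removable-media GUID is worth a look;
            # here all three point at system.exe on another drive letter.
            for line in lines:
                m = SHELL_RE.match(line)
                if m:
                    findings.append(("autorun", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for category, name, detail in triage(SAMPLE_DUMP):
        print(f"{category:16} {name:24} {detail}")
```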


Here is the ComboFix text; there is no zip file in the Quarantine folder.

ComboFix 09-03-10.03 - Amit 2009-03-12 9:48:09.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.691 [GMT -8:00]

Running from: c:\documents and settings\Amit\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Amit\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\kwave.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_Irisifrtr

((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))

.

2012-12-12 04:12 . 2012-12-12 04:12 1,221,464 --------- c:\windows\SYSTEM32\IMMC.EXE

2012-12-12 04:12 . 2012-12-12 04:12 65,536 --------- c:\windows\SYSTEM32\MSRTEDIT.DLL

2009-03-11 16:26 . 2009-03-11 16:26 1,374 --a------ c:\windows\imsins.BAK

2009-02-26 11:26 . 2009-02-26 11:26 <DIR> d-------- c:\program files\BannerDesignerPro

2009-02-26 10:13 . 2009-02-26 10:13 <DIR> d-------- c:\program files\EZBackitup

2009-02-25 14:17 . 2009-02-25 14:17 <DIR> d-------- c:\program files\CCleaner

2009-02-25 13:52 . 2009-02-25 13:52 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Malwarebytes

2009-02-25 13:45 . 2004-05-10 14:37 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Symantec

2009-02-25 13:45 . 2004-05-10 14:40 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Sonic

2009-02-25 13:45 . 2004-05-10 14:36 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Jasc Software Inc

2009-02-25 13:45 . 2009-02-25 13:45 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP

2009-02-25 13:43 . 2009-02-25 13:43 <DIR> d-------- c:\documents and settings\Amit\Application Data\Malwarebytes

2009-02-25 13:43 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

2009-02-25 13:43 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

2009-02-25 13:16 . 2009-02-25 13:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-25 13:16 . 2009-02-25 13:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-25 11:54 . 2009-02-25 12:02 7 --a------ c:\windows\SYSTEM32\nar.bin

2009-02-25 11:52 . 2009-02-25 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro

2009-02-25 11:51 . 2009-03-10 09:42 <DIR> d-------- c:\program files\Trend Micro

2009-02-25 11:12 . 2009-02-25 11:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft

2009-02-25 11:07 . 2004-05-10 14:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec

2009-02-25 11:07 . 2004-05-10 14:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic

2009-02-25 11:07 . 2004-05-10 14:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc

2009-02-25 11:07 . 2009-02-25 11:07 <DIR> d-------- c:\documents and settings\Administrator

2009-02-25 10:55 . 2009-02-25 10:55 8,768 --a------ c:\windows\SYSTEM32\DRIVERS\wATV03nt.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-11 22:45 --------- d-----w c:\program files\AOL Toolbar

2009-03-09 16:18 --------- d-----w c:\documents and settings\Amit\Application Data\Corel

2009-03-06 23:18 --------- d-----w c:\program files\America Online 8.0

2009-02-10 17:33 --------- d-----w c:\documents and settings\Amit\Application Data\AdobeUM

2009-01-30 22:35 --------- d-----w c:\program files\America Online 7.0

2009-01-29 22:43 --------- d-----w c:\documents and settings\Amit\Application Data\Galaxy Ship

2009-01-28 18:02 60,744 ----a-w c:\documents and settings\Amit\g2mdlhlpx.exe

2009-01-19 22:15 --------- d-----w c:\program files\EFTP

2009-01-19 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2006-04-21 16:50 630,784 ----a-w c:\documents and settings\Amit\chatlnk.exe

2008-08-04 23:24 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008080420080805\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-03-12_ 9.25.30.20 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

+ 2009-03-12 17:55:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_150.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"EZBack-it-up Tray Scheduler"="c:\program files\EZBackitup\EZBkuptray.exe" [2004-06-03 631808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-02-11 399504]

c:\documents and settings\Amit\Start Menu\Programs\Startup\

Shortcut to PK32.lnk - c:\program files\Perfect Keyboard\PK32.EXE [2004-06-05 647168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-21 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2003-10-31 11:01 8704 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.iv50"= c:\windows\ir50_32.dll

"vidc.mpg4"= c:\windows\mpg4c32.dll

"vidc.mpg2"= c:\windows\mpg4c32.dll

"vidc.mpg3"= c:\windows\mpg4c32.dll

"vidc.GEOX"= c:\windows\GeoCodec.dll

"vidc.MJPG"= m3jpeg32.dll

"vidc.dmb1"= m3jpeg32.dll

"vidc.mp42"= c:\windows\Mpg4c32.dll

"vidc.mp43"= c:\windows\Mpg4c32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wATV03nt.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk

backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk

backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

--a------ 2008-10-01 12:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

--------- 2003-08-05 22:04 114741 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]

--------- 2003-08-13 07:27 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2006-03-10 14:22 48280 c:\program files\Common Files\AOL\1129563433\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

--a------ 2006-03-20 16:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

--a------ 2006-03-20 16:34 213936 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a------ 2006-03-20 16:34 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

--a------ 2003-10-06 07:05 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--------- 2002-11-07 23:22 4243456 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2003-08-26 16:47 204800 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]

--------- 2002-11-07 23:22 770117 c:\windows\SYSTEM32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--------- 2002-11-07 23:22 315392 c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AdobeActiveFileMonitor5.0"=2 (0x2)

"NTService1"=2 (0x2)

"iPod Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\America Online 8.0\\waol.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\WinAw32.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\RemoteView\\BcastTcp.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSSQL$SHIPWORKS;MSSQL$SHIPWORKS;c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe -sSHIPWORKS --> c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe -sSHIPWORKS [?]

R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [2009-02-25 15504]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-02-25 179856]

S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]

S3 SQLAgent$SHIPWORKS;SQLAgent$SHIPWORKS;c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlagent.EXE -i SHIPWORKS --> c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlagent.EXE -i SHIPWORKS [?]

.

Contents of the 'Scheduled Tasks' folder

2004-06-05 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://members.ebay.com/aboutme/diageminc

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} - hxxp://192.168.0.200/cab/RPB.cab

FF - ProfilePath - c:\documents and settings\Amit\Application Data\Mozilla\Firefox\Profiles\default.5b1\

FF - prefs.js: browser.startup.homepage - hxxp://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=diageminc

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-12 09:55:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe

c:\windows\SYSTEM32\nvsvc32.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\windows\SYSTEM32\wdfmgr.exe

c:\windows\wanmpsvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-03-12 10:00:41 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-12 18:00:38

ComboFix2.txt 2009-03-12 17:26:21

Pre-Run: 36,618,674,176 bytes free

Post-Run: 36,513,931,264 bytes free

212 --- E O F --- 2009-03-12 00:26:15

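Added example, not part of the original posts and not ComboFix's code: a parser for the "Files Created" section of the ComboFix log above, with one triage check a responder would run before reading the rest of the log. Two System32 entries in the log (IMMC.EXE and MSRTEDIT.DLL) carry a 2012 timestamp in a scan that ran on 2009-03-12; a file cannot legitimately be created after the scan that lists it, so such entries were either timestomped or written while the clock was wrong, and either way they are the first thing to look at. The sample input is constructed from lines of the posted log; function names and the one-day slack are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of the ComboFix log posted above: the header line, a few
# entries from the "Files Created" section, and the start of the next section.
LOG_EXCERPT = r"""
ComboFix 09-03-10.03 - Amit 2009-03-12 9:48:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.691 [GMT -8:00]

((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.
2012-12-12 04:12 . 2012-12-12 04:12 1,221,464 --------- c:\windows\SYSTEM32\IMMC.EXE
2012-12-12 04:12 . 2012-12-12 04:12 65,536 --------- c:\windows\SYSTEM32\MSRTEDIT.DLL
2009-03-11 16:26 . 2009-03-11 16:26 1,374 --a------ c:\windows\imsins.BAK
2009-02-26 11:26 . 2009-02-26 11:26 <DIR> d-------- c:\program files\BannerDesignerPro
2009-02-25 10:55 . 2009-02-25 10:55 8,768 --a------ c:\windows\SYSTEM32\DRIVERS\wATV03nt.sys
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# "ComboFix <version> - <user> <YYYY-MM-DD> <H:MM:SS>..." header line
HEADER_RE = re.compile(r"^ComboFix \S+ - .+? (\d{4}-\d{2}-\d{2}) \d{1,2}:\d{2}:\d{2}", re.MULTILINE)
# "<created> . <modified> <size|<DIR>> <attrs> <path>" entry line
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$"
)
STAMP = "%Y-%m-%d %H:%M"


def scan_date(log):
    """Date the scan ran, taken from the ComboFix header line."""
    m = HEADER_RE.search(log)
    if not m:
        raise ValueError("no ComboFix header line found")
    return datetime.strptime(m.group(1), "%Y-%m-%d")


def parse_created(log):
    """Entries of the 'Files Created' section as dicts, in log order."""
    entries = []
    in_section = False
    for line in log.splitlines():
        line = line.strip()
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # next section header
        m = ENTRY_RE.match(line) if in_section else None
        if not m:
            continue  # separator dots and anything unparseable
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, STAMP),
            "modified": datetime.strptime(modified, STAMP),
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return entries


def future_timestamps(log, slack=timedelta(days=1)):
    """Paths whose creation or modification time lies after the scan date.

    `slack` (assumed, one day) absorbs the time-zone offset printed in the
    header so a file written late on the scan day is not flagged.
    """
    cutoff = scan_date(log) + slack
    return [e["path"] for e in parse_created(log)
            if e["created"] >= cutoff or e["modified"] >= cutoff]


if __name__ == "__main__":
    for path in future_timestamps(LOG_EXCERPT):
        print("timestamp after scan date:", path)
```

The check is a triage step, not a verdict: it tells you which entries to submit or inspect first, which is exactly what the helper was asking for with the quarantine zip.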

  • Staff

As far as I can see here, the files I asked to collect (zip) were already gone. They showed up in the previous log though.

Strange, since I don't see that ComboFix removed them either.

Unless you updated MBAM in between and performed a scan, because it should detect them now.

Anyway, how are things running now?


Thanks for your help,

1. I found out that MBAM was updated and a scan was done between the first ComboFix run and the second one. Sorry about that; do you want me to do the entire process again?

2. Google searches so far have not been redirected, so hopefully the issue was taken care of. Do you think I should run MBAM again to see if it finds anything new?

I just want to say that you guys are doing a great job. I cannot believe that such volunteer work is possible; the quality and the level of service you are providing puts any paid service or high-cost program to shame. I wholeheartedly appreciate your help. Is there a donation I can make?


  • Staff

Hi,

1. I found out that MBAM was updated and a scan was done between the first ComboFix run and the second one. Sorry about that; do you want me to do the entire process again?
Yes, that's what I thought and it makes sense since MBAM detects this new variant now as well. :P

No, no need to do the process again, it should be OK now :P

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Glad I could help. :lol:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


Thank you for the wonderful tips and a well written blog, I have bookmarked it and will read it from time to time.

I am a big fan of marzipan from Belgium

I would like to send you a small PayPal donation as a token of appreciation. If you are willing to accept, please provide a PayPal email ID.

Thanks,

Amit

Los Angeles


  • Root Admin

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
