Jump to content

Google redirect Virus/Anti Malware Doctor Virus

Sin

By Sin
in Resolved Malware Removal Logs

 Share

Recommended Posts

Sin

Sin

Posted
Posted

Hello I recently became suspicious that I may have obtained a virus ( or 2) after my computer began behaving erratically. As the day progressed, my browser slowed and began redirecting itself to random sites. I restarted the computer hoping to rid myself of whatever that was wrong. After Windows opened the AntiMalware doctor window popped up insisting I had viruses. Things became progressively worse and based on what I've read I fear I will lose control of my internet soon. My BF being the computer novice he is, helped me rid myself of 36 trojan/virus/worms. However the redirecting continues. Here are the reports as requested :

DDS (Ver_10-03-17.01) - FAT32x86

Run by amanda at 16:11:46.35 on Wed 07/21/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.227 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS.XP\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\WINDOWS.XP\System32\svchost.exe -k netsvcs

C:\WINDOWS.XP\system32\svchost.exe -k WudfServiceGroup

SVCHOST.EXE

SVCHOST.EXE

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS.XP\system32\spoolsv.exe

SVCHOST.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS.XP\system32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS.XP\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS.XP\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\NETGEAR\WG111T\wlan111t.exe

C:\WINDOWS.XP\Twain_32\CA561A\SnapDetect.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS.XP\system32\wuauclt.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\amanda\Desktop\Downloads\Defogger.exe

C:\Documents and Settings\amanda\Desktop\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com

uSearch Page =

uSearch Bar =

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearchAssistant =

uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows.xp\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1.xp\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe

StartupFolder: c:\docume~1\alluse~1.xp\startm~1\programs\startup\snapde~1.lnk - c:\windows.xp\twain_32\ca561a\SnapDetect.exe

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\amanda\start menu\programs\imvu\Run IMVU.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: DirectAnimation Java Classes - file://c:\windows.xp\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows.xp\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232577516538

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230579599659

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.xp\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amanda\applic~1\mozilla\firefox\profiles\dpywfwfj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows.xp\system32\drivers\aswSP.sys [2010-7-20 165456]

R2 aswFsBlk;aswFsBlk;c:\windows.xp\system32\drivers\aswFsBlk.sys [2010-7-20 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows.xp\system32\DNINDIS5.sys [2008-12-29 17149]

S3 npggsvc;nProtect GameGuard Service;c:\windows.xp\system32\gamemon.des -service --> c:\windows.xp\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-07-21 20:11:18 0 ----a-w- c:\documents and settings\amanda\defogger_reenable

2010-07-21 13:54:49 0 d-----w- c:\docume~1\amanda\applic~1\Malwarebytes

2010-07-21 13:54:43 38224 ----a-w- c:\windows.xp\system32\drivers\mbamswissarmy.sys

2010-07-21 13:54:42 20952 ----a-w- c:\windows.xp\system32\drivers\mbam.sys

2010-07-21 13:54:42 0 d-----w- c:\docume~1\alluse~1.xp\applic~1\Malwarebytes

2010-07-21 13:54:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-21 03:03:25 16968 ----a-w- c:\windows.xp\system32\drivers\hitmanpro35.sys

2010-07-21 03:03:13 0 d-----w- c:\program files\Hitman Pro 3.5

2010-07-21 03:03:13 0 d-----w- c:\docume~1\alluse~1.xp\applic~1\Hitman Pro

2010-07-21 02:49:19 0 d-s---w- C:\ComboFix

2010-07-20 20:39:28 38848 ----a-w- c:\windows.xp\avastSS.scr

2010-07-20 20:39:10 0 d-----w- c:\docume~1\alluse~1.xp\applic~1\Alwil Software

2010-07-20 20:08:49 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-07-20 20:08:49 0 d-----w- c:\docume~1\alluse~1.xp\applic~1\Spybot - Search & Destroy

2010-07-19 23:20:27 743424 ------w- c:\windows.xp\system32\dllcache\iedvtool.dll

2010-07-19 23:08:38 0 d-sh--w- C:\FOUND.066

2010-07-19 23:04:23 0 d-----w- c:\windows.xp\system32\wbem\Repository

2010-07-19 16:25:11 0 d-----w- c:\docume~1\amanda\applic~1\0A2466412CA74FF8C68D444EFAC98ECE

2010-07-18 20:31:15 11452 ----a-w- c:\documents and settings\amanda\.recently-used.xbel

2010-07-17 13:34:20 0 d-sh--w- C:\FOUND.065

2010-07-17 01:06:08 0 d-sh--w- C:\FOUND.064

2010-07-14 18:43:32 744448 ------w- c:\windows.xp\system32\dllcache\helpsvc.exe

2010-07-13 14:47:20 0 d-sh--w- C:\FOUND.063

2010-06-24 01:56:20 0 d-sh--w- C:\FOUND.062

2010-06-24 00:23:17 0 d-----w- c:\program files\Pando Networks

==================== Find3M ====================

2010-07-19 02:48:48 115200 ----a-w- c:\windows.xp\snap.dat

2010-07-11 17:15:04 530451 ----a-w- c:\windows.xp\fonts\BILLY-ARGEL-MAJOR-GUILTY-FONT.jpg

2010-07-11 16:21:04 131452 ----a-w- c:\windows.xp\fonts\MAJOR ___.otf

2010-07-01 23:35:44 107996 ----a-w- c:\windows.xp\fonts\DIRTYBAG___.otf

2010-07-01 23:29:34 324099 ----a-w- c:\windows.xp\fonts\BILLY-ARGEL-DIRTYBAG-FONT-d.jpg

2010-05-05 13:30:58 173056 ------w- c:\windows.xp\system32\dllcache\ie4uinit.exe

2010-05-03 18:09:08 450836 ----a-w- c:\windows.xp\fonts\TouchingLetters.ttf

2010-05-03 04:33:36 39156 ----a-w- c:\windows.xp\fonts\BILLY ARGEL TRIAL___.otf

2010-05-02 05:22:50 1851264 ----a-w- c:\windows.xp\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows.xp\system32\dllcache\win32k.sys

2010-04-25 20:53:58 323624 ----a-w- c:\windows.xp\system32\wiaaut.dll

2008-12-29 00:40:44 266 --sh--w- c:\program files\desktop.ini

2008-12-29 00:40:44 11079 ------w- c:\program files\folder.htt

2009-02-01 13:35:22 32768 --sha-w- c:\windows.xp\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011920090126\index.dat

2009-02-01 13:35:22 32768 --sha-w- c:\windows.xp\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020120090202\index.dat

============= FINISH: 16:13:11.03 ===============

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-07-21 16:19:05

Windows 5.1.2600 Service Pack 3

Running: oh4plzpf.exe; Driver: C:\DOCUME~1\amanda\LOCALS~1\Temp\pwtdrpog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA3FECD2]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAA3FEB8E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xAA3FF142]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAA3FF06C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAA3FE764]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAA3FEC68]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAA3FE6A4]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAA3FE708]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAA3FED88]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xAA3FF210]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAA3FED48]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAA3FEEC8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAA40BB9C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAA40B9C0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAA40BAFA]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- EOF - GMER 1.0.15 ----

Scan with Viruses detected

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4335

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

7/21/2010 1:13:54 PM

mbam-log-2010-07-21 (13-13-54).txt

Scan type: Quick scan

Objects scanned: 141001

Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 12

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\primoadsforyou.primoadsforyou (Adware.PlayMP3z) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\primoadsforyou.primoadsforyou.1 (Adware.PlayMP3z) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{418d86be-7386-4f1a-83e0-53604adbda74} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{d35da2a5-1d09-03bb-fe6e-c569be05cfa0} (Adware.PlayMP3z) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d35da2a5-1d09-03bb-fe6e-c569be05cfa0} (Adware.PlayMP3z) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\WINDOWS.XP\system32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:

D:\AUTORUN.INF (Worm.Agent.H) -> Delete on reboot.

C:\WINDOWS.XP\system32\SystemX86\245.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS.XP\system32\SystemX86\246.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS.XP\system32\SystemX86\247.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS.XP\system32\SystemX86\248.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS.XP\system32\SystemX86\249.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS.XP\system32\SystemX86\250.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS.XP\system32\SystemX86\251.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS.XP\system32\SystemX86\252.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.

Scan after the reboot

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4335

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

7/21/2010 2:38:44 PM

mbam-log-2010-07-21 (14-38-44).txt

Scan type: Quick scan

Objects scanned: 140982

Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Hope this Helps you Help Me

(atm the virus isnt allowing me to post from infected comp...)

Anxiously waiting :D

Sin_Attachreport.zip

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi and welcome to Malwarebytes.

Please know that running ComboFix is dangerous unless under the supervision of a trained analyst. With that said, please post its log (it can be found at C:\ComboFix.txt).

After that, post a fresh DDS log (DDS.txt only), and we'll take it from there.

-screen317

Link to post
Share on other sites
Sin

Sin

Posted
  • Author
Posted
Please know that running ComboFix is dangerous unless under the supervision of a trained analyst. With that said, please post its log (it can be found at C:\ComboFix.txt).

Hello thank you in advance for the help.

I downloaded Combofix and it asked to install something because I didn't have Windows Recovery. What should I do? Install or Decline?

( I'm having issues connecting to this site due to the virus. It allows me to view and post on the site sporadically)

Link to post
Share on other sites
Sin

Sin

Posted
  • Author
Posted

**Edit** AutoScan is frozen. I briefly lost internet before responding here and it froze. I want to restart it fresh but Im scared i will mess up my computer. Is it safe to restart my computer while Autorun is open? It wont close even through task manager :D

Link to post
Share on other sites
Sin

Sin

Posted
  • Author
Posted

"Scannig for infected files...

This typically doesn't take more than 10 minutes

However, scan times for badly infected machines may easily double time."

That is all my combofix screen shows me. And its been 2 hours already. I don't know if my combofix still working or not, so i can't get the log file to post here. What should i do?

Link to post
Share on other sites
Sin

Sin

Posted
  • Author
Posted
Hi,

All I asked for was its log since you said you ran it already.... Please post it (it can be found at C:\ComboFix.txt)

ok I could have sworn we ran combofix but apparently not since there aren't any files :lol: sorry about that. Combofix was on all day and all night and still didn't move past the 1st initial stage. the DDS report is below:

DDS (Ver_10-03-17.01) - FAT32x86

Run by amanda at 16:11:46.35 on Wed 07/21/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.227 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS.XP\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\WINDOWS.XP\System32\svchost.exe -k netsvcs

C:\WINDOWS.XP\system32\svchost.exe -k WudfServiceGroup

SVCHOST.EXE

SVCHOST.EXE

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS.XP\system32\spoolsv.exe

SVCHOST.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS.XP\system32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS.XP\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS.XP\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\NETGEAR\WG111T\wlan111t.exe

C:\WINDOWS.XP\Twain_32\CA561A\SnapDetect.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS.XP\system32\wuauclt.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\amanda\Desktop\Downloads\Defogger.exe

C:\Documents and Settings\amanda\Desktop\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com

uSearch Page =

uSearch Bar =

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearchAssistant =

uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows.xp\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1.xp\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe

StartupFolder: c:\docume~1\alluse~1.xp\startm~1\programs\startup\snapde~1.lnk - c:\windows.xp\twain_32\ca561a\SnapDetect.exe

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\amanda\start menu\programs\imvu\Run IMVU.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: DirectAnimation Java Classes - file://c:\windows.xp\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows.xp\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232577516538

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230579599659

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.xp\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amanda\applic~1\mozilla\firefox\profiles\dpywfwfj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows.xp\system32\drivers\aswSP.sys [2010-7-20 165456]

R2 aswFsBlk;aswFsBlk;c:\windows.xp\system32\drivers\aswFsBlk.sys [2010-7-20 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows.xp\system32\DNINDIS5.sys [2008-12-29 17149]

S3 npggsvc;nProtect GameGuard Service;c:\windows.xp\system32\gamemon.des -service --> c:\windows.xp\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-07-21 20:11:18 0 ----a-w- c:\documents and settings\amanda\defogger_reenable

2010-07-21 13:54:49 0 d-----w- c:\docume~1\amanda\applic~1\Malwarebytes

2010-07-21 13:54:43 38224 ----a-w- c:\windows.xp\system32\drivers\mbamswissarmy.sys

2010-07-21 13:54:42 20952 ----a-w- c:\windows.xp\system32\drivers\mbam.sys

2010-07-21 13:54:42 0 d-----w- c:\docume~1\alluse~1.xp\applic~1\Malwarebytes

2010-07-21 13:54:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-21 03:03:25 16968 ----a-w- c:\windows.xp\system32\drivers\hitmanpro35.sys

2010-07-21 03:03:13 0 d-----w- c:\program files\Hitman Pro 3.5

2010-07-21 03:03:13 0 d-----w- c:\docume~1\alluse~1.xp\applic~1\Hitman Pro

2010-07-21 02:49:19 0 d-s---w- C:\ComboFix

2010-07-20 20:39:28 38848 ----a-w- c:\windows.xp\avastSS.scr

2010-07-20 20:39:10 0 d-----w- c:\docume~1\alluse~1.xp\applic~1\Alwil Software

2010-07-20 20:08:49 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-07-20 20:08:49 0 d-----w- c:\docume~1\alluse~1.xp\applic~1\Spybot - Search & Destroy

2010-07-19 23:20:27 743424 ------w- c:\windows.xp\system32\dllcache\iedvtool.dll

2010-07-19 23:08:38 0 d-sh--w- C:\FOUND.066

2010-07-19 23:04:23 0 d-----w- c:\windows.xp\system32\wbem\Repository

2010-07-19 16:25:11 0 d-----w- c:\docume~1\amanda\applic~1\0A2466412CA74FF8C68D444EFAC98ECE

2010-07-18 20:31:15 11452 ----a-w- c:\documents and settings\amanda\.recently-used.xbel

2010-07-17 13:34:20 0 d-sh--w- C:\FOUND.065

2010-07-17 01:06:08 0 d-sh--w- C:\FOUND.064

2010-07-14 18:43:32 744448 ------w- c:\windows.xp\system32\dllcache\helpsvc.exe

2010-07-13 14:47:20 0 d-sh--w- C:\FOUND.063

2010-06-24 01:56:20 0 d-sh--w- C:\FOUND.062

2010-06-24 00:23:17 0 d-----w- c:\program files\Pando Networks

==================== Find3M ====================

2010-07-19 02:48:48 115200 ----a-w- c:\windows.xp\snap.dat

2010-07-11 17:15:04 530451 ----a-w- c:\windows.xp\fonts\BILLY-ARGEL-MAJOR-GUILTY-FONT.jpg

2010-07-11 16:21:04 131452 ----a-w- c:\windows.xp\fonts\MAJOR ___.otf

2010-07-01 23:35:44 107996 ----a-w- c:\windows.xp\fonts\DIRTYBAG___.otf

2010-07-01 23:29:34 324099 ----a-w- c:\windows.xp\fonts\BILLY-ARGEL-DIRTYBAG-FONT-d.jpg

2010-05-05 13:30:58 173056 ------w- c:\windows.xp\system32\dllcache\ie4uinit.exe

2010-05-03 18:09:08 450836 ----a-w- c:\windows.xp\fonts\TouchingLetters.ttf

2010-05-03 04:33:36 39156 ----a-w- c:\windows.xp\fonts\BILLY ARGEL TRIAL___.otf

2010-05-02 05:22:50 1851264 ----a-w- c:\windows.xp\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows.xp\system32\dllcache\win32k.sys

2010-04-25 20:53:58 323624 ----a-w- c:\windows.xp\system32\wiaaut.dll

2008-12-29 00:40:44 266 --sh--w- c:\program files\desktop.ini

2008-12-29 00:40:44 11079 ------w- c:\program files\folder.htt

2009-02-01 13:35:22 32768 --sha-w- c:\windows.xp\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011920090126\index.dat

2009-02-01 13:35:22 32768 --sha-w- c:\windows.xp\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020120090202\index.dat

============= FINISH: 16:13:11.03 ===============

Link to post
Share on other sites
Sin

Sin

Posted
  • Author
Posted
Hi,

Download MBRCheck.exe by a_d_13 and save it to your Desktop.

Run it; when it completes, a log will be available on your Desktop (MBRCheck xxxxxx .txt) where xxxxxx is the time it ran.

hello and thank you for sticking with me :D As you probably know, I am completely computer illiterate (amongst other things) and you're instructions are a bit black and white. For example I ran this file/program and I see this. I understand that we are using professional tools to fix my problem and I dont want to make you work any harder or screw up my computer anymore. Is it possible you can explain a bit more about what I should see or expect and what should I choose when running this? I dont want to make a mistake :D

file.png

I will close this for now and wait your response.

~Sin

Link to post
Share on other sites
Sin

Sin

Posted
  • Author
Posted

Btw Yesterday upon logging my Hitman Pro activated on its own and stated traces of Alureon malware (or something of the sort) was found I clicked continue and then close. I then noticed for the entire day the re-directs had stopped. Now they are back :D I dont understand what is going on but thought you might have an idea. Anyway thought that was important. Also what time are you usually on as I can make myself available?

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi Sin,

For the MBRCheck program, it's looking at a specific part of your hard drive that is infected. Running it like you did (which is exactly how I wanted it :) ) only produces a log and confirmed that the infection is present. Now we are going to run MBRCheck a different way to remove the infection.

Run MBRCheck again and choose Option 2. This restores a standard MBR (Master Boot Record) and removes the infected one.

When it completes, post its log again, and we will proceed from there.

-screen317

Link to post
Share on other sites
Sin

Sin

Posted
  • Author
Posted

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4345

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/24/2010 4:56:03 PM

mbam-log-2010-07-24 (16-56-03).txt

Scan type: Quick scan

Objects scanned: 142793

Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> No action taken.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> No action taken.

It found 2 infected files :)

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

Those are just adware; have MBAM remove them. The good news is that the main (nasty) infection appears to be gone. :)

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Run this scan instead:

Now, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.