Hello folks, I've reached the end of my wit with that little mofo. I'm not even entirely sure how I got it in the first place, and more surprisingly, I can't determine the root of the evil. Anyway, apparently there's something that keeps on hijacking my browser's tabs randomly. If Firefox doesn't crash, the tab gets labeled "Ad served by yourprofitclub"; the tab's content varies: at times empty, at times indeed an ad, at times a redirect into oblivion.

I've scanned with Malwarebytes, HijackThis and RogueKiller, and am running MSE as my main antivirus program, but I'm incapable of finding it. After hours of consulting friends, who basically had no further ideas than I, I decided to google, and whatever seems to have taken care of the problem seems to have been related to ComboFix in one way or the other. However, I'm not familiar with that tool.

There's a topic that can be taken as reference for my problem, which can be found here: http://forums.malwarebytes.org/index.php?showtopic=78513

This would be the content of my ComboFix log:

ComboFix 11-05-19.02 - Marco 21.05.2011 1:59.2.4 - x64

Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1033.18.8190.5255 [GMT 2:00]

ausgef

  • Staff

Hi and welcome to Malwarebytes

Does it occur only in Firefox?

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.

Thanks for the reply.

The problem occurs with Firefox as well as IE (which I don't use, but I tested it to verify), the difference being that FF often crashes, while whatever I'm infected with works as intended in IE.

Here's the log file content you've asked for.

MBAM Quickscan:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6678

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

25.05.2011 22:51:58

mbam-log-2011-05-25 (22-51-58).txt

Scan type: Quick scan

Objects scanned: 164678

Time elapsed: 1 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS:

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24

Run by Marco at 22:46:15 on 2011-05-25

Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1033.18.8190.5193 [GMT 2:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\oodag.exe

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\taskhost.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\System32\oodtray.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe

C:\Program Files (x86)\Trillian\trillian.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

D:\Steam\Steam.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Users\Marco\Desktop\dds.scr

C:\Windows\SysWOW64\WSCRIPT.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = local

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files (x86)\Megaupload\Mega Manager\MegaIEMn.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [VeohPlugin] "C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\Users\Marco\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Trillian.lnk - C:\Program Files (x86)\Trillian\trillian.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Nach Microsoft &Excel exportieren - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files (x86)\iMacros\imacros.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/emsisoft_webscan.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: {6DF440D2-5EC9-4999-8778-D5ABA9B67DD6} = 192.168.2.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll

mRun-x64: [OODefragTray] C:\Windows\system32\oodtray.exe

mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

mRun-x64: [skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe

mRun-x64: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

mRun-x64: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Marco\AppData\Roaming\Mozilla\Firefox\Profiles\amtv4pvs.default\

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 9666

FF - prefs.js: network.proxy.socks - localhost

FF - prefs.js: network.proxy.socks_port - 9050

FF - prefs.js: network.proxy.ssl - localhost

FF - prefs.js: network.proxy.ssl_port - 9666

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npt.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Marco\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SscRdBus;Virtual bus device (SuperSpeed LLC);C:\Windows\system32\DRIVERS\SscRdBus.sys --> C:\Windows\system32\DRIVERS\SscRdBus.sys [?]

R0 SscRdCls;RAM Disk (SuperSpeed LLC);C:\Windows\system32\DRIVERS\SscRdCls.sys --> C:\Windows\system32\DRIVERS\SscRdCls.sys [?]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]

R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-5-21 363344]

R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]

R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 30963576]

S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]

S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 SoRa_DRIVER53;SoRa_DRIVER53;D:\SoRa 4.6\SoRa_.sys [2009-3-29 30208]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]

S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WPFFontCache_v0400;WPFFontCache_v0400;C:\Windows\Microsoft.NET\Framework64\v4.0.30128\WPF\WPFFontCache_v0400.exe --> C:\Windows\Microsoft.NET\Framework64\v4.0.30128\WPF\WPFFontCache_v0400.exe [?]

.

=============== Created Last 30 ================

.

2011-05-25 10:42:15 27008 ----a-w- C:\Windows\System32\drivers\Diskdump.sys

2011-05-25 08:31:14 8718160 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{07275312-4D84-4811-AEAF-9CA0633F1B5D}\mpengine.dll

2011-05-23 19:40:56 -------- d-sh--w- C:\ProgramData\DSS

2011-05-23 19:23:13 -------- d-----w- C:\Users\Marco\AppData\Roaming\Lionhead Studios

2011-05-23 19:22:26 446976 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{94039927-F791-4E88-94F9-29B3F9AED689}-paul.dll

2011-05-23 19:22:04 446976 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{2DE0AC4E-7699-4CC9-945D-835F14FB01FD}-paul.dll

2011-05-23 19:21:46 446976 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{B2802B96-AAC8-4DA4-86FC-A3A65E78CCDD}-PAUL.DLL

2011-05-21 09:12:15 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AA03DC52-4F10-45F5-A9EE-FC263576C808}\gapaengine.dll

2011-05-21 09:01:23 -------- d-sh--w- C:\$RECYCLE.BIN

2011-05-21 00:05:54 -------- d-----w- C:\Users\Marco\AppData\Local\temp

2011-05-20 23:58:03 -------- d-----w- C:\ComboFix

2011-05-20 23:25:47 -------- d-----w- C:\RougeKiller

2011-05-20 23:23:46 -------- d-----w- C:\Users\Marco\AppData\Roaming\Malwarebytes

2011-05-20 23:23:00 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-05-20 23:23:00 -------- d-----w- C:\ProgramData\Malwarebytes

2011-05-20 23:22:57 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-05-20 23:22:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-05-20 08:54:04 142336 ----a-w- C:\Windows\System32\poqexec.exe

2011-05-20 08:54:04 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe

2011-05-20 08:52:25 142296 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll

2011-05-19 23:57:51 98816 ----a-w- C:\Windows\sed.exe

2011-05-19 23:57:51 89088 ----a-w- C:\Windows\MBR.exe

2011-05-19 23:57:51 256512 ----a-w- C:\Windows\PEV.exe

2011-05-19 23:57:51 161792 ----a-w- C:\Windows\SWREG.exe

2011-05-19 22:49:33 2655744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\{68696d4f-36e3-8573-7772-d95ac9893684}\components\4bcaf0dd.dll

2011-05-19 15:53:26 -------- d-----w- C:\W7 FW Control

2011-05-19 10:47:26 -------- d-----w- C:\Users\Marco\AppData\Local\Two Worlds II

2011-05-19 10:47:16 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation

2011-05-19 10:40:27 146944 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{2E43C483-A3AB-49A8-AC0D-654865C4B94D}-rld-tw2k.exe

2011-05-16 15:01:15 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-05-11 08:34:26 -------- d-----w- C:\Program Files (x86)\uTorrent

2011-05-11 08:16:43 5509504 ----a-w- C:\Windows\System32\ntoskrnl.exe

2011-05-11 08:16:42 3957632 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2011-05-11 08:16:42 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2011-05-11 08:16:32 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys

2011-05-11 08:16:32 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys

2011-05-11 08:16:32 52224 ----a-w- C:\Windows\System32\drivers\usbehci.sys

2011-05-11 08:16:32 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys

2011-05-11 08:16:32 324608 ----a-w- C:\Windows\System32\drivers\usbport.sys

2011-05-11 08:16:32 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys

2011-05-11 08:16:32 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys

2011-05-01 11:08:02 -------- d-----w- C:\Users\Marco\AppData\Roaming\.minecraft

2011-04-27 09:50:22 2870272 ----a-w- C:\Windows\explorer.exe

2011-04-27 09:50:21 2614784 ----a-w- C:\Windows\SysWow64\explorer.exe

2011-04-27 09:50:14 662528 ----a-w- C:\Windows\System32\XpsPrint.dll

2011-04-27 09:50:14 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll

.

==================== Find3M ====================

.

2011-04-22 15:45:08 480256 ----a-w- C:\Windows\System32\atieclxx.exe

2011-04-22 15:45:07 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll

2011-04-22 15:45:07 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll

2011-04-22 15:45:01 28672 ----a-w- C:\Windows\SysWow64\atiu9pag.dll

2011-04-22 15:45:00 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll

2011-04-09 16:55:44 15453336 ----a-w- C:\Windows\SysWow64\xlive.dll

2011-04-09 16:55:42 13642904 ----a-w- C:\Windows\SysWow64\xlivefnt.dll

2011-03-13 21:46:06 254528 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys

2011-03-11 06:23:13 187264 ----a-w- C:\Windows\System32\drivers\storport.sys

2011-03-11 06:23:06 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys

2011-03-11 06:23:06 1657216 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2011-03-11 06:23:06 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys

2011-03-11 06:23:00 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys

2011-03-11 06:22:41 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys

2011-03-11 06:22:40 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys

2011-03-11 06:19:26 1395712 ----a-w- C:\Windows\System32\mfc42.dll

2011-03-11 06:19:26 1359872 ----a-w- C:\Windows\System32\mfc42u.dll

2011-03-11 06:18:20 2566144 ----a-w- C:\Windows\System32\esent.dll

2011-03-11 06:15:54 96768 ----a-w- C:\Windows\System32\fsutil.exe

2011-03-11 05:40:24 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll

2011-03-11 05:40:24 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll

2011-03-11 05:39:35 1686016 ----a-w- C:\Windows\SysWow64\esent.dll

2011-03-11 05:37:34 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe

2011-03-08 06:14:30 976896 ----a-w- C:\Windows\System32\inetcomm.dll

2011-03-08 05:38:13 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll

2011-03-04 06:17:25 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2011-03-04 06:17:24 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2011-03-03 06:17:10 182272 ----a-w- C:\Windows\System32\dnsrslvr.dll

2011-03-03 06:14:38 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe

2011-03-03 05:27:30 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe

2011-03-03 03:58:32 3133440 ----a-w- C:\Windows\System32\win32k.sys

.

============= FINISH: 22:47:05,15 ===============

I finally got around to working myself through the log file; with some research it was quite easy, and I finally found the culprit.

After having gotten rid of these:

2011-05-19 23:57:51 98816 ----a-w- C:\Windows\sed.exe

2011-05-19 23:57:51 89088 ----a-w- C:\Windows\MBR.exe

2011-05-19 23:57:51 256512 ----a-w- C:\Windows\PEV.exe

2011-05-19 23:57:51 161792 ----a-w- C:\Windows\SWREG.exe

The problem still persisted, until I came across this entry:

2011-05-19 22:49:33 2655744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\{68696d4f-36e3-8573-7772-d95ac9893684}\components\4bcaf0dd.dll

I've not installed any FF components, extensions or add-ons in ages. When I got rid of it, the pop-ups and redirects went away as well.

In that sense, the issue has been resolved.

Thank you for introducing DDS to me, I love the "last 30 days" list of newly created folders/files, it shall be of help for the rest of my Internet life.

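One way to work through a DDS "Created Last 30" list the way this post describes (sorting recent file creations by time, then looking first at anything dropped into a browser's extension or plugin directory, and at what else appeared around the same moment) is the added Python example below. It is not part of this thread and not code from DDS or Malwarebytes; the watch patterns are this example's own choices, and the sample lines are copied from the DDS log posted above purely as parser input, with nothing inferred about the files themselves.

```python
"""Triage helper for the "Created Last 30" block of a DDS log (added example).

Parses the "<date> <time> <size> <attrs> <path>" lines DDS emits and returns
the entries a reviewer would want to look at first:
  - files created inside a Firefox extensions/plugins directory
  - executables or DLLs created directly in C:\\Windows (not a subfolder)
It can also list what else was created within a time window of a given file,
which is how timestamps in such a list are correlated by hand.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# One DDS line: timestamp, size (or dashes for a directory), attribute string
# such as "----a-w-" or "d-----w-", then the path. Separators (".") and
# section headers do not match and are skipped.
DDS_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+([d-][-a-z]{7})\s+(.+)$"
)

# Assumed watch patterns: chosen for this example, not rules defined by DDS.
EXTENSION_DIRS = re.compile(r"\\Mozilla Firefox\\(extensions|plugins)\\", re.IGNORECASE)
WINDOWS_ROOT_BINARY = re.compile(r"^C:\\Windows\\[^\\]+\.(exe|dll|sys|scr)$", re.IGNORECASE)

# Constructed sample input: lines taken from the DDS output in this thread.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
.
2011-05-25 10:42:15 27008 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2011-05-23 19:40:56 -------- d-sh--w- C:\ProgramData\DSS
2011-05-20 23:58:03 -------- d-----w- C:\ComboFix
2011-05-20 08:52:25 142296 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-05-19 23:57:51 98816 ----a-w- C:\Windows\sed.exe
2011-05-19 23:57:51 89088 ----a-w- C:\Windows\MBR.exe
2011-05-19 22:49:33 2655744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\{68696d4f-36e3-8573-7772-d95ac9893684}\components\4bcaf0dd.dll
.
"""


@dataclass
class Entry:
    created: datetime
    size: Optional[int]   # None for directory entries ("--------")
    attrs: str
    path: str
    flags: list[str]


def classify(path: str) -> list[str]:
    """Return the reasons an entry deserves a second look (empty if none)."""
    flags = []
    if EXTENSION_DIRS.search(path):
        flags.append("browser-extension-dir")
    if WINDOWS_ROOT_BINARY.match(path):
        flags.append("binary-in-windows-root")
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS line; return None for separators and headers."""
    m = DDS_LINE.match(line.strip())
    if not m:
        return None
    stamp, size, attrs, path = m.groups()
    return Entry(
        created=datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
        size=None if size.startswith("-") else int(size),
        attrs=attrs,
        path=path,
        flags=classify(path),
    )


def parse_log(text: str) -> list[Entry]:
    """All parseable entries, in the order DDS listed them."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(text: str) -> list[Entry]:
    """Flagged entries only, oldest first, so the earliest drop is read first."""
    return sorted((e for e in parse_log(text) if e.flags), key=lambda e: e.created)


def created_near(entries: list[Entry], filename: str, window_minutes: int) -> list[Entry]:
    """Other entries created within +/- window_minutes of the named file."""
    ref = next((e for e in entries if e.path.lower().endswith("\\" + filename.lower())), None)
    if ref is None:
        return []
    window = timedelta(minutes=window_minutes)
    return [e for e in entries if e is not ref and abs(e.created - ref.created) <= window]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.created, e.size, ",".join(e.flags), e.path)
    for e in created_near(parse_log(SAMPLE_LOG), "4bcaf0dd.dll", 90):
        print("created within 90 min of 4bcaf0dd.dll:", e.path)
```

Flags only say "look here first"; the list is still read by a person, and a file in a watched location is not a verdict. On the sample above, the Firefox extension DLL sorts to the top because it is the oldest flagged creation, and the time-window query shows what else appeared within about an hour of it.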
  • Staff

Good work! I suggest a clean install of Firefox to remove any remnants.

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
