Another redirect. Yes, I have a router.

-MBAM-

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6701

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

5/28/2011 11:05:42 AM

mbam-log-2011-05-28 (11-05-42).txt

Scan type: Quick scan

Objects scanned: 201311

Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-DDS-

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17

Run by Mike at 11:06:51 on 2011-05-28

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1139 [GMT -7:00]

.

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Malwarebytes' Anti-Malware2\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware2\mbamservice.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\ehome\McrdSvc.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware2\mbam.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\SYSTEM32\NOTEPAD.EXE

C:\Documents and Settings\Mike\Desktop\Malware\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware2\mbamgui.exe" /starttray

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}

DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxp://tu2-msg05.raymail.ray.com/iNotes6W.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247841716749

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://rsvpn.raytheon.com/,DanaInfo=TU2-MSG05.raymail.ray.com+dwa8W.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://rsvpn.raytheon.com/,DanaInfo=TU2-MSG05.raymail.ray.com+dwa7W.cab

DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab

DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax3718.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: itlntfy - itlnfw32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli viwiyapa.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\mike\application data\mozilla\firefox\profiles\z3g4481a.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=

FF - plugin: c:\documents and settings\mike\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\mike\application data\move networks\plugins\npqmp071500000347.dll

FF - plugin: c:\documents and settings\mike\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

.

============= SERVICES / DRIVERS ===============

.

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [2006-2-17 38784]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-31 218592]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-28 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-28 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-28 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-28 61960]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware2\mbamservice.exe [2011-5-26 363344]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-31 366840]

R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-31 1142224]

R3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [2006-2-17 116224]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-5-26 20952]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-3 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-3 136176]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-7-13 18176]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-7-13 7680]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-7-13 23680]

S3 slsusb;Edge CS/CTS Device Driver;c:\windows\system32\drivers\slsusb.sys [2010-8-2 26208]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-4-30 280344]

S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2006-6-29 2383152]

.

=============== Created Last 30 ================

.

2018-03-15 01:35:23 -------- d-----w- c:\documents and settings\mike\application data\VyPRESS

2018-03-15 01:35:22 -------- d-----w- c:\program files\Vypress Tonecast

2011-05-28 17:50:13 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-05-28 17:50:12 -------- d-----w- c:\program files\Avira

2011-05-28 17:50:12 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-05-27 01:48:07 54016 ----a-w- c:\windows\system32\drivers\kfgvgff.sys

2011-05-26 13:11:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-26 13:11:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-26 13:11:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2011-05-26 02:44:12 54016 ----a-w- c:\windows\system32\drivers\qclykqmi.sys

2011-05-25 03:27:01 0 ----a-w- c:\windows\Emijiyopubo.bin

2011-05-25 03:26:49 39 ---h--w- c:\windows\cftnom.bat

2011-05-25 03:25:28 102912 --sha-r- c:\windows\system32\dot3uir.dll

2011-05-25 03:25:28 102912 --sha-r- c:\windows\system32\acctresy.dll

2011-05-01 16:19:05 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-05-01 16:19:03 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-05-01 16:19:03 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-05-01 16:19:03 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-05-01 16:19:03 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-05-01 16:19:03 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-05-01 16:19:03 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-05-01 16:19:03 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

.

==================== Find3M ====================

.

2011-03-08 03:20:05 398760 ----a-r- c:\windows\system32\cpnprt2.cid

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 11:07:50.32 ===============

Any help is appreciated.

-Mike

Hi Mike, and welcome!

I see indeed some malware running here.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • BleepingComputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[Image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: RC_successful.gif]

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

2 weeks later...

Staff:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
