search engine redirect


Search engine redirect on IE and Firefox.

I have copied and pasted the DDS file below.

I have attached the attach.txt file in zipped format.

I ran the Rootkit scanner 2 times but it FROZE up my computer.

DDS.txt file

.

DDS (Ver_2011-06-02.02) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07

Run by jennifer at 11:23:23 on 2011-06-03

.

============== Running Processes ===============

.

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\jennifer.32DB736A8C104A3\Desktop\dds.scr

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [NBJ] "c:\progra~1\ahead\neroba~1\NBJ.exe"

uRun: [ayRmyfbCTPl] c:\documents and settings\all users.windows\application data\ayRmyfbCTPl.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301174659789

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{04F92447-220D-4343-872C-9A927319AFBE} : DhcpNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\jennifer.32db736a8c104a3\application data\mozilla\firefox\profiles\gm344bx9.default\

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

S? AntiVirSchedulerService;Avira AntiVir Scheduler

S? AntiVirService;Avira AntiVir Guard

S? ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor

S? avgio;avgio

S? avgntflt;avgntflt

.

=============== Created Last 30 ================

.

2011-06-03 16:01:18 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-03 16:01:17 -------- d-----w- c:\program files\Avira

2011-06-03 16:01:17 -------- d-----w- c:\documents and settings\all users.windows\application data\Avira

2011-06-01 22:13:45 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-06-01 06:56:23 -------- d-----w- c:\documents and settings\jennifer.32db736a8c104a3\application data\Malwarebytes

2011-06-01 06:39:32 -------- d--h--w- c:\documents and settings\jennifer.32db736a8c104a3\Recent(3)

2011-06-01 06:31:21 -------- d--h--w- c:\documents and settings\jennifer.32db736a8c104a3\Recent(2)

2011-06-01 03:07:14 65536 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\4791170.tmp

2011-05-21 19:59:15 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-13 01:35:11 221184 ----a-w- c:\windows\system32\wmpns.dll

.

==================== Find3M ====================

.

2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 21:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2011-04-06 21:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-01-11 20:17:54 361089264 ----a-w- c:\program files\WordPerfectOfficeInstaller.exe

2010-03-20 14:49:50 2114184 ----a-w- c:\program files\Install_Facebook_Plug-In_1.0.3[1]

2003-03-21 18:45:22 250544 ----a-w- c:\program files\common files\keyhelp.ocx

2008-04-14 00:12:40 73728 --sha-w- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

.

============= FINISH: 11:24:20.18 ===============

attach.zip


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Thanks in advance for your help!!!

MBAM log June 8th

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6803

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/8/2011 4:19:41 PM

mbam-log-2011-06-08 (16-19-41).txt

Scan type: Quick scan

Objects scanned: 293210

Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix log

ComboFix 11-06-06.07 - jennifer 06/08/2011 15:42:53.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1607 [GMT -5:00]

Running from: c:\documents and settings\jennifer.32DB736A8C104A3\Desktop\virus protection stuff\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\jason.32DB736A8C104A3\WINDOWS

c:\documents and settings\jason\Start Menu\Programs\System Tool

c:\documents and settings\jason\WINDOWS

c:\documents and settings\jennifer\WINDOWS

c:\program files\Internet Explorer\Internet.exe

.

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2011-05-08 to 2011-06-08 )))))))))))))))))))))))))))))))

.

.

2011-06-06 17:45 . 2011-06-06 17:45 -------- d-----w- c:\documents and settings\jennifer.32DB736A8C104A3\Application Data\Avira

2011-06-03 16:01 . 2011-04-01 22:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-03 16:01 . 2011-04-01 22:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-03 16:01 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-03 16:01 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-03 16:01 . 2011-06-03 16:01 -------- d-----w- c:\program files\Avira

2011-06-03 16:01 . 2011-06-03 16:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira

2011-06-01 22:13 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-06-01 06:56 . 2011-06-01 06:56 -------- d-----w- c:\documents and settings\jennifer.32DB736A8C104A3\Application Data\Malwarebytes

2011-06-01 03:07 . 2011-06-01 03:07 65536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\4791170.tmp

2011-05-21 19:59 . 2008-06-10 07:32 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-13 01:35 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll

2011-05-13 01:35 . 2011-05-13 01:35 -------- d-----w- c:\documents and settings\calder.32DB736A8C104A3

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 21:20 . 2011-04-06 21:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-01-11 20:17 . 2011-01-11 20:09 361089264 ----a-w- c:\program files\WordPerfectOfficeInstaller.exe

2010-03-20 14:49 . 2010-03-20 14:49 2114184 ----a-w- c:\program files\Install_Facebook_Plug-In_1.0.3[1]

2003-03-21 18:45 . 2008-10-15 03:32 250544 ----a-w- c:\program files\Common Files\keyhelp.ocx

2011-05-11 04:00 . 2011-03-26 20:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2008-04-14 00:12 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NBJ"="c:\progra~1\Ahead\NEROBA~1\NBJ.exe" [2005-10-12 1961984]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 141848]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\documents and settings\jennifer\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

RCA Detective.lnk - c:\documents and settings\jennifer\My Documents\RCA Detective\RCADetective.exe [N/A]

.

c:\documents and settings\calder\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\documents and settings\jason\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

desktop(2).ini [2011-3-20 84]

desktop(3).ini [2011-3-20 84]

Microsoft Office(2).lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Microsoft Office(3).lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\C\\Documents and Settings\\jennifer\\Local Settings\\Temp\\._msige60\\program files\\Google\\Google Earth\\client\\googleearth.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/3/2011 11:01 AM 136360]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 3:30 PM 79168]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\jennifer.32DB736A8C104A3\Application Data\Mozilla\Firefox\Profiles\gm344bx9.default\

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKCU-Run-ayRmyfbCTPl - c:\documents and settings\All Users.WINDOWS\Application Data\ayRmyfbCTPl.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-08 15:51

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-06-08 15:52:33

ComboFix-quarantined-files.txt 2011-06-08 20:52

.

Pre-Run: 37,989,838,848 bytes free

Post-Run: 42,650,812,416 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - D46188029260C1FD69E63F842F7032AA

DDS log

.

DDS (Ver_2011-06-02.02) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07

Run by jennifer at 16:10:03 on 2011-06-08

.

============== Running Processes ===============

.

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Documents and Settings\jennifer.32DB736A8C104A3\Desktop\virus protection stuff\dds.scr

C:\Program Files\Avira\AntiVir Desktop\avwsc.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

uRun: [NBJ] "c:\progra~1\ahead\neroba~1\NBJ.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301174659789

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{04F92447-220D-4343-872C-9A927319AFBE} : DhcpNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\jennifer.32db736a8c104a3\application data\mozilla\firefox\profiles\gm344bx9.default\

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

S? AntiVirSchedulerService;Avira AntiVir Scheduler

S? AntiVirService;Avira AntiVir Guard

S? ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor

S? avgio;avgio

S? avgntflt;avgntflt

.

=============== Created Last 30 ================

.

2011-06-08 20:32:01 -------- d-sha-r- C:\cmdcons

2011-06-08 20:20:00 98816 ----a-w- c:\windows\sed.exe

2011-06-08 20:20:00 518144 ----a-w- c:\windows\SWREG.exe

2011-06-08 20:20:00 256512 ----a-w- c:\windows\PEV.exe

2011-06-08 20:20:00 208896 ----a-w- c:\windows\MBR.exe

2011-06-06 17:45:34 -------- d-----w- c:\documents and settings\jennifer.32db736a8c104a3\application data\Avira

2011-06-03 16:01:18 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-03 16:01:17 -------- d-----w- c:\program files\Avira

2011-06-03 16:01:17 -------- d-----w- c:\documents and settings\all users.windows\application data\Avira

2011-06-01 22:13:45 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-06-01 06:56:23 -------- d-----w- c:\documents and settings\jennifer.32db736a8c104a3\application data\Malwarebytes

2011-06-01 06:39:32 -------- d-----w- c:\documents and settings\jennifer.32db736a8c104a3\Recent(3)

2011-06-01 06:31:21 -------- d-----w- c:\documents and settings\jennifer.32db736a8c104a3\Recent(2)

2011-06-01 03:07:14 65536 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\4791170.tmp

2011-05-21 19:59:15 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-13 01:35:11 221184 ----a-w- c:\windows\system32\wmpns.dll

.

==================== Find3M ====================

.

2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 21:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2011-04-06 21:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-01-11 20:17:54 361089264 ----a-w- c:\program files\WordPerfectOfficeInstaller.exe

2010-03-20 14:49:50 2114184 ----a-w- c:\program files\Install_Facebook_Plug-In_1.0.3[1]

2003-03-21 18:45:22 250544 ----a-w- c:\program files\common files\keyhelp.ocx

2008-04-14 00:12:40 73728 --sha-w- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

.

============= FINISH: 16:11:28.98 ===============


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


screen317,

Thanks for your help.

Search engines are working normally again in IE and Firefox.

Below are the requested logs.

EsetOnlineScanner-log.txt

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6522

# api_version=3.0.2

# EOSSerial=db6e303f8ec8d548af7912fa8f8c84cd

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=false

# utc_time=2011-06-09 04:42:19

# local_time=2011-06-08 11:42:19 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 16775141 100 93 0 43177834 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=400123

# found=18

# cleaned=18

# scan_time=6455

C:\C\Documents and Settings\jason\Local Settings\Temp\plugtmp-25\plugin-smuvbdkurusd.php PDF/Exploit.Pidief.PGF.Gen trojan (cleaned by deleting - quarantined) 1217A482D4BFB2223DE2EA10034EE135 C

C:\C\Documents and Settings\jennifer\Local Settings\Application Data\Mozilla\Firefox\Profiles\eyyzbtmh.default\Cache\37FDE3E7d01 JS/Exploit.Pdfka.OWY trojan (cleaned by deleting - quarantined) 1EB12AA87A2B2B3B3887B54A05F5AA1F C

C:\C\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (cleaned by deleting - quarantined) 2E2FEEC4329ED5B57090D9B5DB0F9D36 C

C:\C\WINDOWS\system32\termsrv.dll Win32/Spy.Ursnif.A virus (deleted - quarantined) 63999D0ABD8DABFD76A9C07F6E104868 C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015807.exe a variant of Win32/Kryptik.HZ trojan (cleaned by deleting - quarantined) 85D73ABA23E5F820D4AD9A35DB7CF652 C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015811.dll a variant of Win32/PSW.OnLineGames.OBQ trojan (cleaned by deleting - quarantined) E00242FB4D23093D022467D144181CB2 C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015812.dll a variant of Win32/PSW.OnLineGames.OBQ trojan (cleaned by deleting - quarantined) E00242FB4D23093D022467D144181CB2 C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015813.exe a variant of Win32/PSW.OnLineGames.OBQ trojan (cleaned by deleting - quarantined) A1956B60215576F21C4DBBD9DB55AEC2 C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015814.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 7A5D2F0834F84E92C472D2D3C2A83F4C C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015815.exe a variant of Win32/Kryptik.KA trojan (cleaned by deleting - quarantined) A6A28A01FA810A10E99E02D5C03905F2 C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015816.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 7A5D2F0834F84E92C472D2D3C2A83F4C C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015817.exe a variant of Win32/Kryptik.KA trojan (cleaned by deleting - quarantined) A6A28A01FA810A10E99E02D5C03905F2 C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015818.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 7A5D2F0834F84E92C472D2D3C2A83F4C C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015820.exe a variant of Win32/Kryptik.BGR trojan (cleaned by deleting - quarantined) 1630E02EEBED76F932685B823FBBC794 C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP118\A0015821.exe Win32/TrojanDownloader.Small.OJX trojan (cleaned by deleting - quarantined) 77E75FE6BA65CA823AC449CA165C463E C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP119\A0017979.sys Win32/Olmasco.E trojan (deleted - quarantined) 7C38F81F40D61D1607DDB62FE5817BB9 C

C:\System Volume Information\_restore{67FB539D-8BD5-46BC-A11B-489B5D592DB5}\RP120\A0018057.dll Win32/Spy.Ursnif.A virus (deleted - quarantined) 63999D0ABD8DABFD76A9C07F6E104868 C

C:\WINDOWS\system32\spool\prtprocs\w32x86\4791170.tmp a variant of Win32/Kryptik.OMF trojan (cleaned by deleting - quarantined) F1E2B611AF14E478E54B88965B957F09 C

checkup.txt

Results of screen317's Security Check version 0.99.12

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 7

Java 2 Runtime Environment, SE v1.4.2

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.2.153.1

Adobe Reader 8.1.3

Out of date Adobe Reader installed!

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

jennifer.32DB736A8C104A3 Desktop virus protection stuff SecurityCheck.exe

ESET ESET Online Scanner OnlineCmdLineScanner.exe

``````````End of Log````````````


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
