Ugh - Having redirect + Security.Hijack issues.


HEY! so need your help. We recently reconnected a PC running vista (yuck) that we hadn't used in over a year and promptly after reconnecting it, got a slew of viruses/malware. Fortunately Malwarebytes helped get rid of that... or at least most of it (it was the one that reports that you have numerous viruses, wants you to buy software to fix it, hides icons + programs and then shuts down your computer.)

As part of the remedy for THAT solution, I downloaded the TDSS rootkiller kit - after following the instructions, renames, running as administrator, etc, the root kit exe still never pulled up and executed, which is probably what led to THIS problem today.

BTW - Every time I log in, IE is automatically loading and re-establishing itself as the default even though we do NOT use it. Whenever I google anything, the right search results appear but when I click on links, it's redirecting me to sites like scour and other landing pages. I've been copying + pasting the correct links to access the true sites successfully. After scanning and "removing" the affected files as identified by Malwarebytes, the computer is still redirecting all searches so even though it says that there are no longer malicious items detected, the search results are telling a different story.

So here are the DDS file and the MBAM log... I've never posted to a forum like this though I've used it. I SO greatly appreciate your time and help with this....

BEFORE I forget, 1 quick question - if I were to back up all of the personal files, images and music on this computer and simply do a reformat, will this registry key virus/trojan/malware/whatever copy to my external HDD and affect the other files on there? I'm wondering if that's the easier solution since this computer has been nothing but problematic since reconnecting it...

Here goes - thank you all again so much.

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_26

Run by admin at 11:10:40 on 2011-07-12

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.821 [GMT -4:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\rundll32.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\system32\atashost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Intronis\BackupAgent.exe

C:\Intronis\BackupUpdater.exe

C:\Program Files\Bonjour\mDNSResponder.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\ServiceCEO\MSDE\MSSQL\Binn\sqlservr.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Secunia\PSI\PSIA.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Secunia\PSI\sua.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\hp\support\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

C:\WINDOWS\RtHDVCpl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\HP\HP Software Update\hpwuschd2.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Users\Tenita\AppData\Roaming\Smilebox\SmileboxTray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\RescueTime\RescueTime.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\hp\support\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

C:\WINDOWS\RtHDVCpl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\HP\HP Software Update\hpwuschd2.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\System32\mobsync.exe

C:\Windows\System32\mobsync.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\hp\kbd\kbd.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\hp\kbd\kbd.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/?rs=1

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop

uURLSearchHooks: H - No File

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe

mRun: [KBD] c:\hp\kbd\KbdStub.EXE

mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{4941E980-ED4C-47C7-AB02-298721120AFC} : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{C72E7ECC-A52E-44E5-BB8C-DE04629CEB0B} : DhcpNameServer = 192.168.2.1 192.168.1.254

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

AppInit_DLLs: avgrsstx.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\3ppbly7n.default\

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4a20bd50&v=6.103.018.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\users\tenita\appdata\roaming\move networks\plugins\npqmp071706000001.dll

.

============= SERVICES / DRIVERS ===============

.

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 335240]

R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2008-1-30 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-26 108552]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-3-10 47640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-12 22712]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]

S3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\drivers\drxvi314.sys [2009-6-16 230912]

S3 bcmbusctr;Beceem Devices' Enumerator Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2009-6-16 54784]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-26 39984]

S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2008-2-26 493568]

S3 ustp2;ustp2;c:\windows\system32\drivers\ustp2.sys [2007-4-22 19840]

S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-6-20 16896]

.

=============== Created Last 30 ================

.

2011-07-12 12:28:34 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-11 07:53:15 876032 ----a-w- c:\windows\system32\XpsPrint.dll

2011-07-11 07:29:33 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

2011-07-11 07:29:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

2011-07-10 14:55:10 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2011-07-10 14:43:18 2048 ----a-w- c:\windows\system32\winrsmgr.dll

2011-07-10 14:06:03 979456 ----a-w- c:\windows\system32\MFH264Dec.dll

2011-07-10 14:06:02 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-07-10 14:06:02 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll

2011-07-10 14:06:02 302592 ----a-w- c:\windows\system32\mfmp4src.dll

2011-07-10 14:06:02 261632 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-07-10 14:06:02 135680 ----a-w- c:\windows\system32\XpsRasterService.dll

2011-07-10 14:06:01 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe

2011-07-10 14:06:01 478720 ----a-w- c:\windows\system32\dxgi.dll

2011-07-10 14:06:01 2873344 ----a-w- c:\windows\system32\mf.dll

2011-07-10 14:06:00 586240 ----a-w- c:\windows\system32\stobject.dll

2011-07-10 14:06:00 209920 ----a-w- c:\windows\system32\mfplat.dll

2011-07-10 13:39:49 -------- d-----w- c:\windows\Hewlett-Packard

2011-07-08 13:23:13 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{415b6084-b549-4a27-b947-29995f61138a}\mpengine.dll

2011-07-06 01:55:51 276992 ----a-w- c:\windows\system32\schannel.dll

2011-07-02 18:31:15 -------- d-----w- c:\users\admin\appdata\local\Apple

2011-06-27 15:27:15 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-06-27 15:27:15 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-06-27 01:41:08 -------- d-----w- c:\users\admin\appdata\local\Secunia PSI

2011-06-27 01:41:03 -------- d-----w- c:\program files\Secunia

2011-06-26 13:29:51 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes

2011-06-26 13:29:44 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-26 13:29:44 -------- d-----w- c:\programdata\Malwarebytes

2011-06-26 13:29:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-25 17:15:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-21 11:42:36 -------- d-----w- c:\programdata\Clearwire

2011-06-20 22:23:12 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll

2011-06-20 22:23:12 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll

2011-06-20 22:23:12 413696 ----a-w- c:\windows\system32\odbc32.dll

2011-06-20 22:23:12 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll

2011-06-20 22:23:12 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll

2011-06-20 22:23:12 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll

2011-06-20 22:23:06 125952 ----a-w- c:\windows\system32\srvsvc.dll

2011-06-20 22:23:05 17920 ----a-w- c:\windows\system32\netevent.dll

2011-06-20 22:22:48 86528 ----a-w- c:\windows\system32\dnsrslvr.dll

2011-06-20 22:22:48 25088 ----a-w- c:\windows\system32\dnscacheugc.exe

2011-06-20 22:22:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL

2011-06-20 22:22:40 168960 ----a-w- c:\program files\windows media player\wmplayer.exe

2011-06-20 22:22:09 601600 ----a-w- c:\windows\system32\schedsvc.dll

2011-06-20 22:22:09 352768 ----a-w- c:\windows\system32\taskschd.dll

2011-06-20 22:22:09 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll

2011-06-20 22:22:08 270336 ----a-w- c:\windows\system32\taskcomp.dll

2011-06-20 22:22:08 171520 ----a-w- c:\windows\system32\taskeng.exe

2011-06-20 22:19:59 531968 ----a-w- c:\windows\system32\comctl32.dll

2011-06-20 22:19:51 2048 ----a-w- c:\windows\system32\tzres.dll

2011-06-20 22:11:46 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-06-20 22:11:46 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-20 22:03:12 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-06-20 22:03:12 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll

2011-06-20 22:03:12 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-06-20 22:03:12 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe

2011-06-20 22:03:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-06-20 22:03:11 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-06-20 22:03:11 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-06-20 22:03:11 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-06-20 21:53:19 -------- d-----w- c:\users\admin\appdata\local\AVG Security Toolbar

2011-06-20 21:52:59 -------- d-----w- c:\users\admin\appdata\local\Mozilla

2011-06-20 19:35:32 -------- d-----w- c:\program files\common files\AnswerWorks 5.0

2011-06-20 19:35:30 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll

2011-06-20 19:35:30 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll

2011-06-20 19:35:30 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe

2011-06-20 19:35:30 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll

2011-06-20 19:35:30 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll

2011-06-20 19:35:30 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll

2011-06-20 19:35:29 303236 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll

2011-06-20 19:35:18 4199768 ----a-w- c:\windows\system32\cdintf400.dll

2011-06-20 19:34:06 -------- d-----w- c:\users\admin\appdata\roaming\Intuit

2011-06-20 19:34:06 -------- d-----w- c:\program files\Quicken

2011-06-17 22:34:22 -------- d-----w- c:\users\admin\appdata\local\Apple Computer

.

==================== Find3M ====================

.

2011-06-21 11:36:28 1838 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-05-28 06:08:58 916480 ----a-w- c:\windows\system32\wininet.dll

2011-05-28 06:04:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-05-28 06:04:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-05-28 06:04:03 71680 ----a-w- c:\windows\system32\iesetup.dll

2011-05-28 06:04:03 109056 ----a-w- c:\windows\system32\iesysprep.dll

2011-05-28 05:10:26 385024 ----a-w- c:\windows\system32\html.iec

2011-05-28 04:33:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2011-05-28 04:31:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-02 17:16:14 739328 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 13:25:10 146432 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-04-29 13:25:09 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys

2011-04-29 13:24:50 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-04-29 13:24:42 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-04-29 13:24:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-21 13:58:27 273408 ----a-w- c:\windows\system32\drivers\afd.sys

2011-04-14 14:59:03 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys

.

============= FINISH: 11:11:49.09 ===============

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 7084

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19088

7/12/2011 11:02:46 AM

mbam-log-2011-07-12 (11-02-46).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 367516

Time elapsed: 1 hour(s), 56 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 12

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
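A defender-side check for the mechanism behind the Security.Hijack entries in the MBAM log above, added here as an example and not part of the original thread: each of those Image File Execution Options keys can carry a Debugger value that Windows launches in place of the named program, which is consistent with a security tool that "never pulls up" when started. The function name and the allow-list of legitimate debuggers are assumptions; adjust the list to what is actually installed.

```powershell
# Added example (not from the thread): audit Image File Execution Options (IFEO)
# for "Debugger" redirections. Run from an elevated PowerShell prompt.
# Assumption: the allow-list is illustrative (Visual Studio's JIT debugger,
# WinDbg, Dr. Watson); extend it for debuggers that are legitimately installed.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'drwtsn32.exe')

function Get-IfeoDebuggerHijacks {
    [CmdletBinding()]
    param(
        [string]$Path = $IfeoPath,
        [string[]]$AllowList = $KnownDebuggers
    )
    # Every subkey is named after an executable (cmd.exe, regedit.exe, ...).
    Get-ChildItem -Path $Path -ErrorAction Stop | ForEach-Object {
        $exeName = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or -not $props.PSObject.Properties['Debugger']) { return }

        $debugger = [string]$props.Debugger
        # Windows runs the Debugger value *instead of* the named program and
        # appends the original command line, so an unexpected target here means
        # the program is silently redirected.
        $target = [System.IO.Path]::GetFileName((($debugger -replace '"', '').Split(' '))[0])

        [pscustomobject]@{
            Executable = $exeName
            Debugger   = $debugger
            Suspicious = ($AllowList -notcontains $target.ToLowerInvariant())
        }
    }
}

$findings = @(Get-IfeoDebuggerHijacks)
if ($findings.Count -eq 0) {
    'No IFEO Debugger values present.'
} else {
    $findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
    $bad = @($findings | Where-Object Suspicious)
    if ($bad.Count -gt 0) {
        Write-Warning ("{0} executable(s) redirected to an unrecognised Debugger: {1}" -f
            $bad.Count, (($bad | ForEach-Object Executable) -join ', '))
    }
}
```

A clean system normally lists no Debugger values at all; a Debugger pointing at a file in a user profile or temp directory for tools such as regedit.exe or rstrui.exe is the pattern the MBAM log reports as Security.Hijack.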


Hello tarynp and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

BEFORE I forget, 1 quick question - if I were to back up all of the personal files, images and music on this computer and simply do a reformat, will this registry key virus/trojan/malware/whatever copy to my external HDD and affect the other files on there? I'm wondering if that's the easier solution since this computer has been nothing but problematic since reconnecting it...

We don't quite know what you have yet, so I can't guarantee anything at this point. Regardless, we can still try to clean it ;)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

***Note: In order for ComboFix to run properly, AVG must be uninstalled. Please go here and follow the instructions to uninstall AVG.

AVG needs to remain uninstalled until I tell you it's safest to reinstall it.

-------------

Please download and run the following file: http://download.bleepingcomputer.com/grinler/beta/unhide.exe

Let me know if that restores your missing Start Menu and Desktop shortcuts.

Please note that if you have recently deleted your temporary files, you will be unable to restore these missing shortcuts.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • How the PC is running now?

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • C:\ComboFix.txt
  • TDSSKiller log
  • Security Check checkup.txt

How is your computer running now?


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
