Infected!

After several Malwarebytes removals, the problem still persists. I have redirection of my browser, popups, and this silly Antivirus 2012 program's popups (rogue software, I assume?). Anyway, I'm having a lot of trouble with all of this.

DDS:

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13

Run by Office at 7:26:14 on 2011-08-02

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2604 [GMT -5:00]

.

AV: CyberDefender Internet Security *Enabled/Updated* {5D12D320-0FBD-4B67-B6C6-3F4A7B2E9881}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Office\Local Settings\Application Data\uta.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\Office\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Office\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Office\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\Office\My Documents\Downloads\Defogger.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://google/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

TB: uTorrentBar2 Toolbar: {b54561db-0bbb-41b4-a814-df8301fe0a8e} - c:\program files\utorrentbar2\prxtbuTor.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

TB: CyberDefender Link Patrol: {dd662a0c-12fe-4b38-ba53-247f7ec82f46} - c:\documents and settings\office\local settings\application data\cyberdefender\cdmyidd.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Npebiya] rundll32.exe "c:\windows\wiui132.dll",Startup

uRun: [Google Update] "c:\documents and settings\office\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [419504918] c:\documents and settings\office\local settings\application data\uta.exe

mRun: [iDTSysTrayApp] sttray.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\linksy~1.lnk - c:\program files\linksys wireless guard\WscGuard.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

DPF: {1B566A03-760E-4923-863F-19A0A461E71F} - hxxps://sdg2.quickbooks.com/NetPay/QBGL/OEGL.cab

DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

DPF: {6B9A6E3B-0307-47A7-82B1-F2D215973CAF} - hxxps://accounting.quickbooks.com/c1/v20.141/qboimax6.cab

DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c1/v20.141/qboax10.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 68.87.72.134 68.87.77.134

TCP: Interfaces\{8B8ABD08-EC39-4480-886A-4B39AE2916EC} : DhcpNameServer = 68.87.72.134 68.87.77.134

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\office\application data\mozilla\firefox\profiles\8m0b8vev.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2832595&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://google.com

FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101048100&s=

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\office\application data\mozilla\firefox\profiles\8m0b8vev.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko19.dll

FF - component: c:\documents and settings\office\application data\mozilla\firefox\profiles\8m0b8vev.default\extensions\{942cd1d4-9cc1-4d31-876a-ea8f489f7a59}\components\RadioWMPCoreGecko19.dll

FF - component: c:\documents and settings\office\application data\mozilla\firefox\profiles\8m0b8vev.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll

FF - plugin: c:\documents and settings\office\application data\facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\office\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\office\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\documents and settings\office\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\worldwinner.com, inc\worldwinner games\npwwload.dll

.

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101048100&s=);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

FF - user.js: browser.sessionstore.resume_from_crash - false

.

============= SERVICES / DRIVERS ===============

.

S0 dsopnfcu;dsopnfcu;c:\windows\system32\drivers\tbmqs.sys --> c:\windows\system32\drivers\tbmqs.sys [?]

S0 nypmehr;nypmehr;c:\windows\system32\drivers\gafnvku.sys --> c:\windows\system32\drivers\gafnvku.sys [?]

S2 WSCNetManager;Linksys Wireless Guard Network Manager Service;c:\program files\linksys wireless guard\WscNetMgrSvc.exe [2004-4-18 663635]

S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2011-3-9 96200]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-4-30 41272]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S4 CDLauncher;CyberDefender Launcher;c:\program files\cyberdefender\antispyware\CDLauncherWS.exe [2011-3-9 190792]

S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-10 136176]

S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-10 136176]

S4 vseamps;vseamps;c:\program files\common files\authentium\antivirus5\vseamps.exe [2010-4-8 117288]

S4 vsedsps;vsedsps;c:\program files\common files\authentium\antivirus5\vsedsps.exe [2010-4-8 117288]

S4 vseqrts;vseqrts;c:\program files\common files\authentium\antivirus5\vseqrts.exe [2010-4-8 154152]

.

=============== Created Last 30 ================

.

2011-08-02 11:28:45 0 ----a-w- c:\documents and settings\office\local settings\application data\xkig.exe

2011-08-02 11:28:45 0 ----a-w- c:\documents and settings\office\local settings\application data\sxdw.exe

2011-08-02 11:28:45 0 ----a-w- c:\documents and settings\all users\application data\yels.exe

2011-08-02 11:28:45 0 ----a-w- c:\documents and settings\all users\application data\peyj.exe

2011-08-02 11:28:44 367104 ----a-w- c:\documents and settings\office\local settings\application data\uta.exe

2011-08-02 11:28:44 0 ----a-w- c:\documents and settings\office\local settings\application data\nsgw.exe

2011-08-02 11:28:44 0 ----a-w- c:\documents and settings\office\local settings\application data\hska.exe

2011-08-02 11:28:44 0 ----a-w- c:\documents and settings\all users\application data\tldj.exe

2011-08-02 11:28:44 0 ----a-w- c:\documents and settings\all users\application data\gjbs.exe

2011-07-31 18:13:04 -------- d-----w- c:\documents and settings\office\WINDOWS

2011-07-31 10:28:06 -------- d-----w- c:\documents and settings\all users\application data\kM01602GjJgF01602

2011-07-30 10:15:04 -------- d-----w- c:\program files\Incomplete

2011-07-30 10:14:14 -------- d-----w- c:\program files\FrostWire

2011-07-30 10:05:47 -------- d-----w- c:\documents and settings\office\local settings\application data\BearShare

2011-07-30 10:05:16 -------- d-----w- c:\program files\BearShare Applications

2011-07-30 10:05:16 -------- d-----w- c:\documents and settings\all users\application data\BearShare

2011-07-30 10:04:50 -------- dc-h--w- c:\documents and settings\all users\application data\{309C802B-A076-4563-B164-B62C0C145153}

2011-07-30 10:02:37 -------- d-----w- c:\documents and settings\office\local settings\application data\Conduit

2011-07-30 09:46:16 -------- d-----w- c:\documents and settings\office\.frostwire5

2011-07-30 06:20:49 -------- d-----w- c:\documents and settings\all users\application data\nL01602FgJlP01602

2011-07-30 06:10:26 177664 ----a-w- c:\windows\Rqysea.exe

2011-07-30 06:10:16 63488 --sha-r- c:\windows\system32\c_10082A.dll

2011-07-30 05:56:19 -------- d-----w- c:\documents and settings\office\local settings\application data\Wide Angle Software

2011-07-30 05:55:04 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2011-07-30 05:55:04 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2011-07-30 05:54:11 -------- d-----w- c:\program files\iPod

2011-07-30 05:54:08 -------- d-----w- c:\program files\iTunes

2011-07-30 05:54:08 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2011-07-30 05:52:37 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-07-30 05:52:37 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-12 16:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-07-12 16:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll

.

==================== Find3M ====================

.

2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-23 16:35:46 116224 ----a-w- c:\windows\system32\drivers\507270.sys

.

============= FINISH: 7:26:53.59 ===============

attach.txt

ark.txt

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
