Mkay
Posted August 2, 2011

After several Malwarebytes removals, the problem still persists. I have redirection of my browser, popups, this silly Antivirus 2012 program popups (rogue software I assume?). Anyway, I'm having a lot of trouble with all of this.

DDS:

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Run by Office at 7:26:14 on 2011-08-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2604 [GMT -5:00]
AV: CyberDefender Internet Security *Enabled/Updated* {5D12D320-0FBD-4B67-B6C6-3F4A7B2E9881}
screen317 (Staff)
Posted August 3, 2011

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317
screen317 (Staff)
Posted August 10, 2011

Are you still with us? This topic will be closed in a few days if you do not respond.
screen317 (Staff)
Posted August 16, 2011

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!