Infected with fsharproj.BHO and possibly other stuff?


Thank you all in advance for the help. My anti-virus won't quite get rid of this sucker :\.

I followed your steps prior to posting. Hope I did everything right! Here are my results:

-Austin

--------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7499

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/18/2011 9:16:52 AM

mbam-log-2011-08-18 (09-16-52).txt

Scan type: Quick scan

Objects scanned: 170712

Time elapsed: 7 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\localservice\application data\020000003b8bcbe01406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\020000003b8bcbe01406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\020000003b8bcbe01406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\020000003b8bcbe01406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000003b8bcbe01406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000003b8bcbe01406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000003b8bcbe01406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000003b8bcbe01406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------------

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by Austin Gustafson at 9:32:44 on 2011-08-18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.488 [GMT -4:00]

.

AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: avast! Internet Security *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVAST Software\Avast\afwServ.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\AIM7\aim.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wmpps32.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\atrace32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: {0e66d269-30c5-4230-9e36-286562b3b9e8} - c:\windows\system32\atrace32.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: {35065594-9169-4A34-B167-FC4865038E53} - No File

uRun: [AIM] "c:\program files\aim7\aim.exe" /d locale=en-US

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\austin~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: microsoft.com\www.update

DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288273749000

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 68.87.74.166 68.87.68.166

TCP: Interfaces\{84427DA0-3E60-4434-A20D-072958FA2AF7} : DhcpNameServer = 68.87.74.166 68.87.68.166

AppInit_DLLs: c:\windows\system32\msnetobj32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\austin gustafson\application data\mozilla\firefox\profiles\l2hqcyhh.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://us.mg4.mail.yahoo.com/dc/launch?.gx=1&.rand=agt92ikbk8pjs

FF - prefs.js: keyword.URL - hxxp://eis.esnips.com/page/search_provider/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d&q=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 53798

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(general.useragent.extra.brc, BRI/1

.

============= SERVICES / DRIVERS ===============

.

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2011-5-24 12112]

R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2011-5-24 194264]

R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2011-5-24 103384]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-24 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-24 309848]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-24 19544]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-24 42184]

R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2011-5-24 121000]

R2 seclogon32;Secondary Logon ;c:\windows\system32\wmpps32.exe [2011-8-16 706560]

S1 MpKsl31ac5a10;MpKsl31ac5a10;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2f2b2981-7335-4d85-8336-a79b99ac6dae}\mpksl31ac5a10.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2f2b2981-7335-4d85-8336-a79b99ac6dae}\MpKsl31ac5a10.sys [?]

S1 MpKsl461828cc;MpKsl461828cc;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{00eb6557-3a6b-4166-a43a-92d7c281ce8a}\mpksl461828cc.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{00eb6557-3a6b-4166-a43a-92d7c281ce8a}\MpKsl461828cc.sys [?]

S1 MpKsl71a9ace2;MpKsl71a9ace2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{05e2efc4-e7b4-46cb-9901-ed4033ea5cec}\mpksl71a9ace2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{05e2efc4-e7b4-46cb-9901-ed4033ea5cec}\MpKsl71a9ace2.sys [?]

S1 MpKslc7de6f4b;MpKslc7de6f4b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2f2b2981-7335-4d85-8336-a79b99ac6dae}\mpkslc7de6f4b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2f2b2981-7335-4d85-8336-a79b99ac6dae}\MpKslc7de6f4b.sys [?]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\austin~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\austin~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\austin~1\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\austin~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-18 41272]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-08-18 13:07:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-18 13:07:48 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-18 09:47:58 0 ---ha-w- c:\documents and settings\austin gustafson\irgmpnstoq.tmp

2011-08-18 01:18:06 155136 ----a-w- c:\windows\system32\msnetobj32.dll

2011-08-17 13:02:55 1152 ----a-w- c:\windows\system32\windrv.sys

2011-08-16 12:11:04 706560 ----a-w- c:\windows\system32\atrace32.exe

2011-08-16 12:10:52 706560 ----a-w- c:\windows\system32\wmpps32.exe

2011-08-16 12:10:40 328704 ----a-w- c:\windows\system32\atrace32.dll

2011-08-10 04:29:47 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-10 04:29:24 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

==================== Find3M ====================

.

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr

2011-07-04 11:37:33 103384 ----a-w- c:\windows\system32\drivers\aswFW.sys

2011-07-04 11:36:43 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-04 11:36:18 194264 ----a-w- c:\windows\system32\drivers\aswNdis2.sys

2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 9:36:55.89 ===============

--------------------------------------------------------------------------------------

Hi, I just want to report that I've been experiencing a lot of redirects to several different sites from my google searches as of late.

Thanks.

attach.zip

  • Staff

Hi and welcome to Malwarebytes.

I notice that you are using more than one antivirus program (avast and Microsoft). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program. Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

  • 2 weeks later...
  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
