
Can someone explain this?


Guest BlairWitch


  • Root Admin

It would appear you may have an onboard proxy - which could be an infection. Would need more information to determine that.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Guest BlairWitch

Here are the logs...

attach.zip

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Omistaja at 9:45:51 on 2011-10-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.358.1035.18.1022.665 [GMT 3:00]
.
AV: Sunbelt VIPRE *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fi/
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [sBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1310113573519
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\omistaja\application data\mozilla\firefox\profiles\ivxvdwza.default\
FF - prefs.js: browser.startup.homepage - www.saunalahti.fi
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 BC;BC;c:\windows\system32\drivers\BC.sys [2011-9-12 24984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-9-10 21592]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-8-29 101720]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2011-9-10 212568]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-10-24 532224]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 SBAMSvc;VIPRE Antivirus;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2011-9-6 2804280]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-9-10 74456]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2011-9-6 181584]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
RUnknown 06183540;06183540; [x]
RUnknown 4379137drv;4379137drv; [x]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 AntiyFirewall;AntiyFirewall;\??\c:\windows\system32\drivers\antiyfw.sys --> c:\windows\system32\drivers\AntiyFW.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
=============== Created Last 30 ================
.
2011-10-27 06:36:11 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-27 06:36:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-26 13:57:01 -------- d-----w- c:\documents and settings\omistaja\application data\Runscanner.net
2011-10-26 13:42:26 -------- d-----w- c:\documents and settings\all users\application data\CA
2011-10-26 12:32:02 -------- d-----w- c:\documents and settings\omistaja\local settings\application data\FreeFixer
2011-10-26 12:32:02 -------- d-----w- c:\documents and settings\omistaja\application data\FreeFixer
2011-10-26 12:31:42 -------- d-----w- c:\program files\FreeFixer
2011-10-26 11:47:58 -------- d-----w- c:\documents and settings\all users\application data\Comodo
2011-10-26 11:47:55 -------- d-----w- c:\documents and settings\omistaja\application data\KillSwitch
2011-10-26 11:47:53 -------- d-----w- c:\documents and settings\omistaja\application data\CCE
2011-10-25 11:56:06 -------- d-----w- c:\documents and settings\omistaja\application data\Immunet
2011-10-25 11:24:51 -------- d-----w- c:\program files\common files\antiyl abs
2011-10-25 09:29:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-25 09:29:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-25 08:13:41 -------- d-----w- c:\program files\SecurityXploded
2011-10-24 20:14:59 -------- d-----w- C:\Temp
2011-10-24 19:49:22 -------- d-----w- c:\documents and settings\omistaja\application data\IndigoRose
2011-10-24 19:42:24 -------- d-----w- c:\windows\AutoPlay Media Studio 6.0 Trial
2011-10-24 12:02:31 -------- d-----w- c:\program files\uTorrent
2011-10-24 12:01:59 -------- d-----w- c:\documents and settings\omistaja\local settings\application data\uTorrent
2011-10-24 08:56:55 -------- d-----w- c:\documents and settings\omistaja\local settings\application data\Identities
2011-10-24 07:33:05 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-10-24 07:33:04 -------- d-----w- c:\windows\system32\ZoneLabs
2011-10-24 07:33:00 -------- d-----w- c:\program files\Zone Labs
2011-10-23 16:54:39 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader
2011-10-23 13:22:57 105984 ----a-w- c:\windows\system32\drivers\ianswxp.sys
2011-10-23 13:21:23 -------- d-----w- C:\IntelPRO
2011-10-23 13:02:36 -------- d-----w- c:\program files\Lavalys
.
==================== Find3M ====================
.
2011-10-24 20:46:18 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-09-26 08:41:48 612864 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 08:41:48 20992 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 08:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-13 19:25:45 81984 ----a-w- c:\windows\system32\bdod.bin
2011-09-09 09:12:03 600576 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 14:10:01 1859200 ----a-w- c:\windows\system32\win32k.sys
2011-09-06 09:30:42 42832 ----a-w- c:\windows\system32\sbbd.exe
2011-09-04 15:23:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-09-02 03:59:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-29 19:03:00 110 ----a-w- c:\documents and settings\omistaja\application data\netstat.bat
2011-08-29 14:36:34 74456 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-08-29 14:36:34 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-08-29 14:36:34 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-22 23:41:04 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:41:03 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:41:03 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:53 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-06 16:25:11 11376 ----a-w- c:\windows\system32\drivers\secdrv.sys
.
============= FINISH: 9:47:47,98 ===============

This is actually my mother's computer and I will be leaving this computer behind after a couple of hours, but I would still like to know if it's infected because I gave this computer to her... Maybe I can fix it the next time I come to visit her. Thanks.


  • Root Admin

Scanned with VirusTotal

File name: 4379137drv.sys

Submission date: 2011-10-27 08:15:47 (UTC)

Current status: finished

Result: 0/43 (0.0%)

The VirusTotal site started acting up and would not allow a scan of the other file, so I ran it on Jotti's site instead.

06183540.sys scanned at Jotti

Neither file was detected by any of the AV scanners.

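The two files the admin submitted for scanning are exactly the entries that the SERVICES / DRIVERS section of the log listed with an unknown start type and no image path. The Python triage helper below is an added example, not code from this thread or from DDS; it parses that section and ranks entries by how much of the usual detail is missing. The sample lines are excerpted from the log above, and treating a trailing "[?]" or "[x]" as "file date/size not recorded" is an assumption read off the log format rather than documented DDS behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from the SERVICES / DRIVERS section of the DDS log above.
SAMPLE = r"""
R0 BC;BC;c:\windows\system32\drivers\BC.sys [2011-9-12 24984]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
RUnknown 06183540;06183540; [x]
RUnknown 4379137drv;4379137drv; [x]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S3 AntiyFirewall;AntiyFirewall;\??\c:\windows\system32\drivers\antiyfw.sys --> c:\windows\system32\drivers\AntiyFW.sys [?]
"""
# Line shape assumed from the log: "<R|S><start type> <name>;<display>;<path> [<date> <size>]".
# R = running, S = stopped; a date and size appear only when DDS could read the file on disk.
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d|Unknown)\s+(?P<name>[^;]*);[^;]*;(?P<rest>.*)$")
VERIFIED_RE = re.compile(r"\[\d{4}-\d{1,2}-\d{1,2} \d+\]\s*$")

@dataclass
class Entry:
    state: str
    start: str
    name: str
    path: str            # empty when DDS recorded no image path at all
    verified: bool       # True when a file date and size were printed
    flags: list = field(default_factory=list)

def parse_entry(line):
    """Parse one service/driver line; returns None for lines of any other shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    # Drop the trailing bracket token ([date size], [?] or [x]); when DDS printed
    # "registered --> on disk", keep the on-disk form of the path.
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest).split("-->")[-1].strip()
    e = Entry(m.group("state"), m.group("start"), m.group("name"), path, bool(VERIFIED_RE.search(rest)))
    if e.start == "Unknown":
        e.flags.append("unknown start type")
    if not e.path:
        e.flags.append("no image path recorded")
    if not e.verified:
        e.flags.append("file date/size not recorded")
    return e

def triage(text):
    """Entries with at least one flag, most flags first, running before stopped."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e and e.flags]
    return sorted(entries, key=lambda e: (-len(e.flags), e.state != "R", e.name.lower()))
```

Calling triage(SAMPLE) puts the two RUnknown entries at the top with all three flags; on a real log you can pass the whole DDS.txt, since lines of any other shape are ignored.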

  • Root Admin

When you have time, it may be best to have someone assist you further in checking it out.

If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the directions here, skipping any steps you are unable to complete.
  • After posting your new post, make sure under options you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.

NOTE:

Please do not post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies.

If you reply to your own post, helpers may think that you're already being helped and thus overlook your post.

  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.

    Or

  • You may send a Private Message to a Moderator asking for assistance.

OPTION 2

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or here.

OPTION 3

If you would like to use our Malwarebytes Premium Services (comprehensive solutions to all your computer support needs, from installation and set-up to troubleshooting and tune-ups), go to our Malwarebytes Premium Services support site.

Please be patient, someone will assist you as soon as possible.

PS: Please use the "Add Reply" button, not the Reply button, when you start replying.

