TechSpot

Google Redirect Virus

By Utkman
Aug 14, 2011
  1. Just keeps lingering - I have no other noticeable issues.

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7467

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421

    8/14/2011 5:30:56 PM
    mbam-log-2011-08-14 (17-30-56).txt

    Scan type: Quick scan
    Objects scanned: 168001
    Time elapsed: 4 minute(s), 32 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ------------------------------------------------------------------------------------------
    Gmer found no issues

    ------------------------------------------------------------------------------------------
    .
    DDS (Ver_2011-06-23.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
    Run by user at 17:57:21 on 2011-08-14
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2038.664 [GMT -4:00]
    .
    AV: Norton Security Suite *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton Security Suite *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    FW: Norton Security Suite *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\ProgramData\Norton\NUA.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=userinit.exe,
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\IPSBHO.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
    uRun: [NortonUpdateAgent] C:\ProgramData\Norton\NUA.exe
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
    TCP: Interfaces\{E05D06E8-5F30-460C-B5AF-B73E6135F66B} : DhcpNameServer = 68.87.68.166 68.87.74.166
    TCP: Interfaces\{E05D06E8-5F30-460C-B5AF-B73E6135F66B}\37861646F677 : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{E05D06E8-5F30-460C-B5AF-B73E6135F66B}\C4F6767696E637 : DhcpNameServer = 192.168.2.1
    BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
    BHO-X64: Symantec NCO BHO - No File
    BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\IPSBHO.DLL
    BHO-X64: Symantec Intrusion Prevention - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yx9z8dow.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Users\user\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
    FF - plugin: C:\Users\user\AppData\Roaming\Move Networks\plugins\npqmp071706000001.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0403000.005\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0403000.005\SYMDS64.SYS [?]
    R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0403000.005\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0403000.005\SYMEFA64.SYS [?]
    R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110723.001\BHDrvx64.sys [2011-7-22 1151096]
    R1 ccHP;Symantec Hash Provider;C:\Windows\system32\drivers\N360x64\0403000.005\ccHPx64.sys --> C:\Windows\system32\drivers\N360x64\0403000.005\ccHPx64.sys [?]
    R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110812.030\IDSviA64.sys [2011-8-13 488056]
    R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0403000.005\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0403000.005\Ironx64.SYS [?]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\system32\Drivers\N360x64\0403000.005\SYMTDIV.SYS --> C:\Windows\system32\Drivers\N360x64\0403000.005\SYMTDIV.SYS [?]
    R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [2011-5-13 126392]
    R3 appliandMP;appliandMP;C:\Windows\system32\DRIVERS\appliand.sys --> C:\Windows\system32\DRIVERS\appliand.sys [?]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-8-13 136824]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
    R3 pneteth;PdaNet Broadband;C:\Windows\system32\DRIVERS\pneteth.sys --> C:\Windows\system32\DRIVERS\pneteth.sys [?]
    R3 pnetmdm;PdaNet Modem;C:\Windows\system32\DRIVERS\pnetmdm64.sys --> C:\Windows\system32\DRIVERS\pnetmdm64.sys [?]
    R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
    R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
    R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 appliand;Applian Network Service;C:\Windows\system32\DRIVERS\appliand.sys --> C:\Windows\system32\DRIVERS\appliand.sys [?]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-08-14 21:24:34 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-08-14 21:24:30 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-08-14 02:41:57 338432 ----a-w- C:\Windows\System32\conhost.exe
    2011-08-14 02:39:57 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2011-08-11 02:14:29 4096 ---ha-w- C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
    2011-08-04 01:18:18 -------- d-----w- C:\Users\user\AppData\Roaming\Malwarebytes
    2011-08-04 01:18:11 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-08-04 01:18:08 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-08-01 03:51:51 -------- d-----w- C:\Program Files (x86)\Lavasoft
    2011-07-25 01:26:26 -------- d-----w- C:\Program Files\iPod
    2011-07-25 01:26:25 -------- d-----w- C:\Program Files\iTunes
    2011-07-25 01:21:27 -------- d-----w- C:\Program Files\Bonjour
    2011-07-25 01:21:27 -------- d-----w- C:\Program Files (x86)\Bonjour
    2011-07-24 02:22:28 -------- d-----w- C:\Users\user\AppData\Local\CrashDumps
    2011-07-16 01:24:35 -------- d-----w- C:\Users\user\AppData\Roaming\Spotify
    2011-07-16 01:24:35 -------- d-----w- C:\Users\user\AppData\Local\Spotify
    2011-07-16 01:24:25 -------- d-----w- C:\Program Files (x86)\Spotify
    .
    ==================== Find3M ====================
    .
    2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll
    2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll
    2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
    2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
    2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2011-07-12 15:34:00 96104 ----a-w- C:\Windows\System32\dns-sd.exe
    2011-07-12 15:34:00 85864 ----a-w- C:\Windows\System32\dnssd.dll
    2011-07-12 15:34:00 61288 ----a-w- C:\Windows\System32\jdns_sd.dll
    2011-07-12 15:34:00 212840 ----a-w- C:\Windows\System32\dnssdX.dll
    2011-07-12 15:20:54 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
    2011-07-12 15:20:54 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
    2011-07-12 15:20:54 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
    2011-07-12 15:20:54 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
    2011-07-09 02:46:28 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
    2011-07-05 22:37:00 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2011-07-05 22:37:00 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2011-06-29 13:43:54 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
    2011-06-29 13:43:51 175616 ----a-w- C:\Windows\System32\msclmd.dll
    2011-06-28 01:20:02 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll
    2011-06-23 05:43:12 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2011-06-23 04:33:57 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2011-06-23 04:33:57 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll
    2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll
    2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll
    2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll
    2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
    2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
    2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
    2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
    2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
    2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
    2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
    2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
    2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
    2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
    2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
    .
    ============= FINISH: 17:58:03.31 ===============

    ---------------------------------------------------------------------------------------------------

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/30/2010 11:57:32 AM
    System Uptime: 8/14/2011 11:28:57 AM (6 hours ago)
    .
    Motherboard: Dell Inc. | | 0KU184
    Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 2001/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 33.525 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP150: 8/14/2011 12:05:43 AM - Installed Java(TM) 6 Update 26
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.5
    Apple Application Support
    Apple Software Update
    Applian Director
    Core FTP LE 2.1
    iJoysoft DVD Ripper Platinum
    Java Auto Updater
    Java(TM) 6 Update 26
    LG Android Driver
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    Macromedia Fireworks 8
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Move Media Player
    Mozilla Firefox 5.0 (x86 en-US)
    Norton Security Suite
    oDesk Team
    PdaNet for Android 2.45
    PrimoPDF -- brought to you by Nitro PDF Software
    QuickTime
    Safari
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft Office 2007 System (KB2541012)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2541007)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Spotify
    Startup Manager 2.4.2
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2586924)
    USB Webcam
    VideoPad Video Editor
    Windows Media Player Firefox Plugin
    WinZip 15.0
    Yahoo! BrowserPlus 2.9.8
    Yahoo! Detect
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/7/2011 12:35:28 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    8/14/2011 12:33:07 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer ADMIN-8F2931F9A that believes that it is the master browser for the domain on transport NetBT_Tcpip_{E05D06E8-5F30-460C-B5AF-B73E6135F66B}. The master browser is stopping or an election is being forced.
    8/13/2011 10:56:32 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    8/13/2011 10:35:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Update Rollup for ActiveX Killbits for Windows 7 for x64-based Systems (KB2562937).
    8/13/2011 10:35:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Update for Windows 7 for x64-based Systems (KB2563227).
    8/13/2011 10:35:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Windows 7 for x64-based Systems (KB2567680).
    8/13/2011 10:35:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Windows 7 for x64-based Systems (KB2563894).
    8/13/2011 10:35:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Windows 7 for x64-based Systems (KB2560656).
    8/13/2011 10:35:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Windows 7 for x64-based Systems (KB2556532).
    8/13/2011 10:35:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Windows 7 for x64-based Systems (KB2536276).
    8/13/2011 10:35:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2539635).
    8/13/2011 10:35:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Cumulative Security Update for Internet Explorer 9 for Windows 7 for x64-based Systems (KB2559049).
    8/13/2011 10:32:53 PM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    8/13/2011 10:31:56 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP
    8/13/2011 10:31:51 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
    8/13/2011 10:31:28 PM, Error: SRTSP [5] - Error loading Symantec real time Anti-Virus driver.
    8/13/2011 10:31:28 PM, Error: SRTSP [4] - Error loading virus definitions.
    8/13/2011 10:13:12 PM, Error: Service Control Manager [7000] - The Norton Security Suite service failed to start due to the following error: The pipe has been ended.
    8/13/2011 10:11:15 PM, Error: Service Control Manager [7043] - The Windows Modules Installer service did not shut down properly after receiving a preshutdown control.
    8/13/2011 10:11:12 PM, Error: Service Control Manager [7031] - The Norton Security Suite service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware, but would appreciate it if you would expand on what you mean here:
    When did it start? What did you do before it began: download? Update? Install? Other?
    =================================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    The system looks good so far, but there are a couple of things you need to check into:
    The latest Windows Updates have failed to install.
    Norton is failing to start up.
    ===================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ======================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Logs in next reply please.
     
  3. Utkman

    Utkman TS Rookie Topic Starter

    I first noticed it about 10-12 days ago. I have not installed any new programs in that time, but Norton has a trojan c:\windows\syswow64\api-ms-win-core-memory-l1-1-032.dll quarantined on July 27 in the history.

    Here are the logs requested:

    ESET:
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yx9z8dow.default\extensions\{fa8ab628-e6fa-48f8-8c8e-d77497511edd}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yx9z8dow.default\extensions\{fa8ab628-e6fa-48f8-8c8e-d77497511edd}\chrome\xulcache.jar JS/Agent.NDJ trojan

    ComboFix:
    ComboFix 11-08-15.07 - user 08/14/2011 23:45:47.1.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2038.669 [GMT -4:00]
    Running from: c:\users\user\Downloads\ComboFix.exe
    AV: Norton Security Suite *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Norton Security Suite *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Norton Security Suite *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yx9z8dow.default\extensions\{fa8ab628-e6fa-48f8-8c8e-d77497511edd}
    c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yx9z8dow.default\extensions\{fa8ab628-e6fa-48f8-8c8e-d77497511edd}\chrome.manifest
    c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yx9z8dow.default\extensions\{fa8ab628-e6fa-48f8-8c8e-d77497511edd}\chrome\xulcache.jar
    c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yx9z8dow.default\extensions\{fa8ab628-e6fa-48f8-8c8e-d77497511edd}\defaults\preferences\xulcache.js
    c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yx9z8dow.default\extensions\{fa8ab628-e6fa-48f8-8c8e-d77497511edd}\install.rdf
    c:\windows\SysWow64\Packet.dll
    c:\windows\SysWow64\pthreadVC.dll
    c:\windows\SysWow64\wpcap.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-15 to 2011-08-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-15 01:39 . 2011-08-15 01:39 -------- d-----w- c:\program files (x86)\ESET
    2011-08-14 21:24 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-08-14 21:24 . 2011-07-06 23:52 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-14 04:07 . 2011-08-14 04:07 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-08-14 02:41 . 2011-06-24 05:25 338432 ----a-w- c:\windows\system32\conhost.exe
    2011-08-14 02:39 . 2011-06-21 06:34 1923968 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-08-11 02:14 . 2011-07-16 05:21 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
    2011-08-04 01:18 . 2011-08-04 01:18 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
    2011-08-04 01:18 . 2011-08-04 01:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-04 01:18 . 2011-08-14 21:24 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-08-01 03:51 . 2011-08-01 03:51 -------- d-----w- c:\program files (x86)\Lavasoft
    2011-08-01 03:51 . 2011-08-01 03:51 -------- d-----w- c:\programdata\Lavasoft
    2011-07-25 01:26 . 2011-07-25 01:26 -------- d-----w- c:\program files\iPod
    2011-07-25 01:26 . 2011-07-25 01:27 -------- d-----w- c:\program files\iTunes
    2011-07-25 01:21 . 2011-08-14 02:29 -------- d-----w- c:\program files (x86)\Bonjour
    2011-07-25 01:21 . 2011-07-25 01:21 -------- d-----w- c:\program files\Bonjour
    2011-07-24 02:22 . 2011-07-24 02:22 -------- d-----w- c:\users\user\AppData\Local\CrashDumps
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-16 04:26 . 2011-08-14 02:41 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2011-07-12 15:34 . 2011-07-12 15:34 96104 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 15:34 . 2011-07-12 15:34 85864 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-12 15:34 . 2011-07-12 15:34 61288 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-07-12 15:34 . 2011-07-12 15:34 212840 ----a-w- c:\windows\system32\dnssdX.dll
    2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
    2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
    2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2011-06-29 13:43 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2011-06-29 13:43 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2011-06-28 01:20 . 2011-06-28 01:20 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-06-11 03:07 . 2011-07-14 00:13 3137536 ----a-w- c:\windows\system32\win32k.sys
    2011-05-31 13:05 . 2011-05-31 13:05 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
    2011-05-31 13:05 . 2011-05-31 13:05 161792 ----a-w- c:\windows\SysWow64\msls31.dll
    2011-05-31 13:05 . 2011-05-31 13:05 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
    2011-05-31 13:05 . 2011-05-31 13:05 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
    2011-05-31 13:05 . 2011-05-31 13:05 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
    2011-05-31 13:05 . 2011-05-31 13:05 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
    2011-05-31 13:05 . 2011-05-31 13:05 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
    2011-05-31 13:05 . 2011-05-31 13:05 367104 ----a-w- c:\windows\SysWow64\html.iec
    2011-05-31 13:05 . 2011-05-31 13:05 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
    2011-05-31 13:05 . 2011-05-31 13:05 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
    2011-05-31 13:05 . 2011-05-31 13:05 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
    2011-05-31 13:05 . 2011-05-31 13:05 152064 ----a-w- c:\windows\SysWow64\wextract.exe
    2011-05-31 13:05 . 2011-05-31 13:05 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
    2011-05-31 13:05 . 2011-05-31 13:05 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2011-05-31 13:05 . 2011-05-31 13:05 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
    2011-05-31 13:05 . 2011-05-31 13:05 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2011-05-31 13:05 . 2011-05-31 13:05 11776 ----a-w- c:\windows\SysWow64\mshta.exe
    2011-05-31 13:05 . 2011-05-31 13:05 101888 ----a-w- c:\windows\SysWow64\admparse.dll
    2011-05-31 13:05 . 2011-05-31 13:05 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-05-31 13:05 . 2011-05-31 13:05 222208 ----a-w- c:\windows\system32\msls31.dll
    2011-05-31 13:05 . 2011-05-31 13:05 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-05-31 13:05 . 2011-05-31 13:05 12288 ----a-w- c:\windows\system32\mshta.exe
    2011-05-31 13:05 . 2011-05-31 13:05 114176 ----a-w- c:\windows\system32\admparse.dll
    2011-05-31 13:05 . 2011-05-31 13:05 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-05-31 13:05 . 2011-05-31 13:05 76800 ----a-w- c:\windows\system32\tdc.ocx
    2011-05-31 13:05 . 2011-05-31 13:05 49664 ----a-w- c:\windows\system32\imgutil.dll
    2011-05-31 13:05 . 2011-05-31 13:05 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-05-31 13:05 . 2011-05-31 13:05 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-05-31 13:05 . 2011-05-31 13:05 111616 ----a-w- c:\windows\system32\iesysprep.dll
    2011-05-31 13:05 . 2011-05-31 13:05 85504 ----a-w- c:\windows\system32\iesetup.dll
    2011-05-31 13:05 . 2011-05-31 13:05 603648 ----a-w- c:\windows\system32\vbscript.dll
    2011-05-31 13:05 . 2011-05-31 13:05 448512 ----a-w- c:\windows\system32\html.iec
    2011-05-31 13:05 . 2011-05-31 13:05 30720 ----a-w- c:\windows\system32\licmgr10.dll
    2011-05-31 13:05 . 2011-05-31 13:05 165888 ----a-w- c:\windows\system32\iexpress.exe
    2011-05-31 13:05 . 2011-05-31 13:05 160256 ----a-w- c:\windows\system32\wextract.exe
    2011-05-31 13:05 . 2011-05-31 13:05 1492992 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-05-24 11:42 . 2011-06-29 01:10 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
    2011-05-24 10:40 . 2011-06-29 01:10 64512 ----a-w- c:\windows\SysWow64\devobj.dll
    2011-05-24 10:40 . 2011-06-29 01:10 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
    2011-05-24 10:39 . 2011-06-29 01:10 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
    2011-05-24 10:37 . 2011-06-29 01:10 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NortonUpdateAgent"="c:\programdata\Norton\NUA.exe" [2011-04-05 2692024]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 appliand;Applian Network Service;c:\windows\system32\DRIVERS\appliand.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0403000.005\SYMDS64.SYS [x]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0403000.005\SYMEFA64.SYS [x]
    S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110723.001\BHDrvx64.sys [2011-07-23 1151096]
    S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360x64\0403000.005\ccHPx64.sys [x]
    S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110812.030\IDSvia64.sys [2011-06-30 488056]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0403000.005\Ironx64.SYS [x]
    S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360x64\0403000.005\SYMTDIV.SYS [x]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
    S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe [2010-02-26 126392]
    S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [x]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-08-14 136824]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
    S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [x]
    S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [x]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMPROTECTOR
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\combofix\CF7401.cfxxe" [X]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
    FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yx9z8dow.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
    FF - prefs.js: network.proxy.type - 0
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
    "ImagePath"="\"c:\program files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-15 00:00:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-15 04:00
    .
    Pre-Run: 38,130,946,048 bytes free
    Post-Run: 37,769,875,456 bytes free
    .
    - - End Of File - - E979E5109D6BCEDA2029A8908F54D5CE
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, part of the malware was quarantined and deleted in Combofix.
    The following needs to be done to empty some caches:

    Clear Java Cache
    1. Click Start > Control Panel.
    2. Double-click the Java icon in the Control Panel.
    3. Click Settings under Temporary Internet Files.
       http://www.java.com/en/img/download/5000020303.jpg
       There are three options on this window to clear the cache (version dependent):
       - Delete Files
       - View Applications
       - View Applets
    4. Click OK on the Delete Temporary Files window.
       Note: This deletes all the downloaded Applications and Applets from the cache.
    5. Click OK on the Temporary Files Settings window.
    =================================
    Clear Firefox Cache
    1. Open Firefox > Click on Tools > Options
    2. Select the Advanced panel.
    3. Click on the Network tab.
    4. In the Offline Storage section, click Clear Now.
       http://support.mozilla.com/media/uploads/gallery/images/2bd0b316b0ef6a181452357b0f563477-1270320067-928-1.jpg
    ==================================
    I'll be back in the morning to check ComboFix. I am really tired and am closing down for the night.
     
Topic Status:
Not open for further replies.
