Web browser redirects to random sites - please help!

When using Internet Explorer and Firefox, my browser has started (today) redirecting to random sites. This happened shortly after a USB stick was connected to my laptop, so I suspect a malware infection.

I have tried running McAfee On Demand scan and Malwarebytes' Anti-Malware, but the problem persists. I have followed the 8-step guide to identifying malware infections; the logs follow at the end of this post.

I am running Windows XP Version 5.1 Service Pack 3.

I would greatly appreciate help in resolving this problem.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6407

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/04/2011 20:25:38
mbam-log-2011-04-20 (20-25-38).txt

Scan type: Quick scan
Objects scanned: 156895
Time elapsed: 7 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-04-21 07:42:52
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LB01
Running: ccjnqwxm.exe; Driver: C:\DOCUME~1\NEILHY~1\LOCALS~1\Temp\kfpcrfog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Neil Hy at 7:55:56.71 on 21/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3069.2556 [GMT 1:00]
.
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\EPSON\BSTM\PG\E_L20IC2.EXE
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Switcher.exe] "c:\program files\sony\wireless switch setting utility\Switcher.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NWTRAY] NWTRAY.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EPSON PageSTM TrayIcon01] c:\program files\epson\bstm\pg\E_L20IC2.EXE
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\neilhy~1\applic~1\mozilla\firefox\profiles\yg4zx6hy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\neil hy\application data\mozilla\firefox\profiles\yg4zx6hy.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2011-1-9 1737464]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-9-12 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [2008-9-15 72448]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-9-12 244368]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-12 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-12 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-12 168776]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2008-4-22 37040]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-23 135664]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-8-3 100736]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-1-9 9216]
.
=============== Created Last 30 ================
.
2011-04-20 17:13:29 -------- d-sha-r- C:\cmdcons
2011-04-20 17:10:33 98816 ----a-w- c:\windows\sed.exe
2011-04-20 17:10:33 89088 ----a-w- c:\windows\MBR.exe
2011-04-20 17:10:33 256512 ----a-w- c:\windows\PEV.exe
2011-04-20 17:10:33 161792 ----a-w- c:\windows\SWREG.exe
2011-04-20 16:01:40 -------- d-----w- c:\docume~1\neilhy~1\applic~1\Malwarebytes
2011-04-20 16:01:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 16:01:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-20 16:01:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-20 16:01:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 11:06:41 0 ----a-w- c:\windows\Vyiqo.bin
2011-04-20 11:06:08 -------- d-----w- c:\docume~1\neilhy~1\applic~1\Wyaw
2011-04-20 11:06:08 -------- d-----w- c:\docume~1\neilhy~1\applic~1\Ukdy
2011-04-20 11:04:50 69632 --sha-r- c:\windows\system32\pmsplp.dll
2011-04-19 11:14:37 -------- d-----w- c:\windows\Yb2Ti2O7
2011-04-10 17:48:24 -------- d-----w- c:\docume~1\neilhy~1\locals~1\applic~1\Help
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 07:49:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-10 07:49:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 7:56:55.39 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/09/2008 12:15:33
System Uptime: 21/04/2011 07:47:44 (0 hours ago)
.
Motherboard: Sony Corporation | | VAIO
Processor: Intel Pentium III Xeon processor | N/A | 791/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 182 GiB total, 124.605 GiB free.
D: is CDROM (UDF)
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 20/04/2011 14:05:14 - System Checkpoint
.
==== Installed Programs ======================
.
3Connect
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.6
Apple Software Update
ATOMS60
Audacity 1.2.6
Brother HL-5150D
Chinese Simplified Fonts Support For Adobe Reader 8
EPSON AcuLaser M2000_M2010 Manual
EPSON Printer Software
Epson Universal Laser P6
EPSON Web-To-Page
GlobeTrotter Connect
Google Toolbar for Internet Explorer
Google Update Helper
GSAS & EXPGUI
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
Huawei modem
Ifeffit 1.2.11
Intel PROSet Wireless
Intel(R) PROSet/Wireless WiFi Software
J2SE Runtime Environment 5.0 Update 5
Japanese Fonts Support For Adobe Reader 8
Java Auto Updater
Java(TM) 6 Update 22
Korean Fonts Support For Adobe Reader 8
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.16)
NICI (Shared) U.S./Worldwide (128 bit) (2.6.8-2)
NMAS Challenge Response Method
NMAS Client
Novell Client for Windows
NVIDIA Drivers
OGA Notifier 2.0.0048.0
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Soft Data Fax Modem with SmartCP
Sony Utilities DLL
Sony Visual Communication Camera Ver.6.201.220.0
SRIM
System Requirements Lab for Intel
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2522999)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WIDCOMM Bluetooth Software
Windows 7 Upgrade Advisor
Windows Driver Package - Intel (e1yexpress) Net (03/27/2008 9.50.14.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wireless Switch Setting Utility
ZTE_1.2059.0.8
.
==== Event Viewer Messages From Past Week ========
.
20/04/2011 20:13:39, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:39, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:39, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:39, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:39, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:39, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:39, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:39, error: Service Control Manager [7034] - The BecHelperService service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:38, error: Service Control Manager [7034] - The Intel® PROSet/Wireless WiFi Service service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:38, error: Service Control Manager [7034] - The EpsonBidirectionalService service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:38, error: Service Control Manager [7034] - The BrSplService service terminated unexpectedly. It has done this 1 time(s).
20/04/2011 20:13:38, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
20/04/2011 17:57:49, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
20/04/2011 15:46:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
20/04/2011 15:40:39, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
20/04/2011 15:38:25, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
20/04/2011 11:53:39, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
18/04/2011 16:02:17, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
18/04/2011 16:02:17, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
16/04/2011 18:21:53, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
16/04/2011 18:20:27, error: Service Control Manager [7002] - The BrPar service depends on the Parallel arbitrator group and no member of this group started.
15/04/2011 08:47:28, error: Dhcp [1002] - The IP address lease 82.38.206.254 for the Network Card with network address 001A80D62BD0 has been denied by the DHCP server 143.167.2.2 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
Welcome to TechSpot! I'll help you find and remove the culprit! I note several suspicious entries in these logs, so we should check further:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
========================================
Download Combofix from HERE or HERE: http://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=====================================
Note: McAfee sometimes pops up and tells the user that he is using a malware related program. This is usually based on the file extension. The downloads I'm giving you are clean and safe. If you do get the pop up from McAfee, it is okay to override it. If you cannot, please let me know and I will instruct you further.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

NOTE: You should update both of the following. Then uninstall the earlier versions in Add/Remove Programs:
Java Update
Adobe Reader Update
 
Next step

Hi Bobbye

Thanks for your help in this, I have followed your instructions and also updated Java and Adobe Reader. The output logs follow. Please advise on the next step, after review.

****

ESET log

C:\Qoobox\Quarantine\C\WINDOWS\Mqafua.exe.vir a variant of Win32/Kryptik.MUU trojan
C:\Qoobox\Quarantine\C\WINDOWS\oxofiyasomizihaw.dll.vir a variant of Win32/Kryptik.MVM trojan
C:\System Volume Information\_restore{A3F6F97F-42A8-4B51-B6D3-F2DED1A65F14}\RP1\A0000022.exe a variant of Win32/Adware.HotBar.H application

****

ComboFix 11-04-21.01 - Neil 21/04/2011 18:54:09.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3069.2469 [GMT 1:00]
Running from: c:\documents and settings\Neil \Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-21 17:08 . 2011-04-21 17:08 -------- d-----w- c:\program files\ESET
2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Malwarebytes
2011-04-20 16:01 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 16:01 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-20 11:06 . 2011-04-20 11:06 0 ----a-w- c:\windows\Vyiqo.bin
2011-04-20 11:06 . 2011-04-20 13:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Ukdy
2011-04-20 11:06 . 2011-04-20 11:32 -------- d-----w- c:\documents and settings\Neil \Application Data\Wyaw
2011-04-20 11:04 . 2011-04-20 11:04 69632 --sha-r- c:\windows\system32\pmsplp.dll
2011-04-19 11:14 . 2011-04-19 12:06 -------- d-----w- c:\windows\Yb2Ti2O7
2011-04-10 17:48 . 2011-04-10 17:48 -------- d-----w- c:\documents and settings\Neil \Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2008-04-22 15:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-22 07:17 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-22 07:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-22 07:17 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-22 07:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-22 07:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-22 07:16 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-22 07:16 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-22 07:17 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-07-23 07:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-22 07:16 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 07:49 . 2011-02-10 07:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-10 07:49 . 2011-02-10 07:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-09 13:53 . 2008-04-22 07:17 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-22 07:16 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-22 07:16 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2008-04-22 07:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2008-04-22 15:25 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-04-22 15:25 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-20_17.19.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-21 08:29 . 2011-04-21 08:29 16384 c:\windows\Temp\Perflib_Perfdata_694.dat
+ 2008-04-22 07:17 . 2011-04-21 08:33 72756 c:\windows\system32\perfc009.dat
- 2008-04-22 07:17 . 2011-04-20 17:01 72756 c:\windows\system32\perfc009.dat
+ 2008-04-22 07:17 . 2011-04-21 08:33 445238 c:\windows\system32\perfh009.dat
- 2008-04-22 07:17 . 2011-04-20 17:01 445238 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-23 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2008-05-13 503808]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-30 13529088]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-04-30 1347584]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-04-30 1191936]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NWTRAY"="NWTRAY.EXE" [2006-07-13 28672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"EPSON PageSTM TrayIcon01"="c:\program files\EPSON\BSTM\PG\E_L20IC2.EXE" [2007-12-11 151552]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-26 274608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-6 576104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
.
R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [09/01/2011 11:05 1737464]
R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [15/09/2008 13:30 72448]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [12/09/2008 15:49 244368]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [22/04/2008 17:24 37040]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/07/2010 09:21 135664]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [03/08/2010 08:19 100736]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [09/01/2011 11:04 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 08:21]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 08:21]
.
2011-04-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1947724138-2050635879-2572181111-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
.
2011-04-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1947724138-2050635879-2572181111-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Neil \Application Data\Mozilla\Firefox\Profiles\yg4zx6hy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-21 18:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'Explorer.exe'(2500)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-21 18:58:13
ComboFix-quarantined-files.txt 2011-04-21 17:58
ComboFix2.txt 2011-04-20 17:49
ComboFix3.txt 2011-04-20 17:22
.
Pre-Run: 133,536,137,216 bytes free
Post-Run: 133,514,391,552 bytes free
.
- - End Of File - - E0BB06DBC9A615CCCEBB9FF1484E1C16
 
Sorry- internet was down.

Nothing new in the Eset scan. Qoobox is where Combofix sends the entries it deletes. System Volume is a restore point. We will remove that at end of cleaning. The entry is not active in the system.

Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\Vyiqo.bin
c:\windows\system32\pmsplp.dll
Folder::
c:\documents and settings\Neil \Application Data\Ukdy
c:\documents and settings\Neil \Application Data\Wyaw
c:\windows\Yb2Ti2O7
Extra::
File::
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
Firefox::
Firefox-: - Profile - c:\documents and settings\Neil \Application Data\Mozilla\Firefox\Profiles\yg4zx6hy.default\
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Please update both of the following:
Java Updates: Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
Adobe Reader site: Uninstall any earlier updates as they are vulnerabilities.
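The CFScript above was assembled by hand from the "Files Created" section of the ComboFix log: entries created in the two days around the reported infection, sitting in c:\windows, system32 or the profile's Application Data, plus a DLL that arrived with hidden and system attributes (--sha-r-). As an added example that is not part of the original thread and not code from ComboFix, the Python script below applies those same criteria to lines in ComboFix's "Files Created" layout and drafts the File::/Folder:: sections. The sample lines are constructed to match the entries shown earlier on this page; the scoring weights, the three-day incident window and the allowlist of scanner artifacts are illustrative assumptions, not documented ComboFix behaviour. It deliberately puts only "high" entries into the script: a random-looking name on its own earns a "review", not a deletion. That caveat matters here, because c:\windows\Yb2Ti2O7 is a chemical formula, the later ComboFix log on this page shows the deleted folder held files such as "Final stats.txt" and ".gsa" files, and the same log lists chemistry software being installed a few days later, so that folder deserved a question to the user before it went into Folder::.

```python
# Triage a ComboFix 'Files Created' section and draft a CFScript.
# Added example for this thread, not code from ComboFix or from the posters.
# Scoring weights, incident window and allowlist are illustrative assumptions.
import ntpath
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample in the layout ComboFix uses for 'Files Created':
#   <created> . <modified> <size or --------> <attrs> <path>
SAMPLE_LOG = r"""
2011-04-21 17:08 . 2011-04-21 17:08 -------- d-----w- c:\program files\ESET
2011-04-20 16:01 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 11:06 . 2011-04-20 11:06 0 ----a-w- c:\windows\Vyiqo.bin
2011-04-20 11:06 . 2011-04-20 13:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Ukdy
2011-04-20 11:06 . 2011-04-20 11:32 -------- d-----w- c:\documents and settings\Neil \Application Data\Wyaw
2011-04-20 11:04 . 2011-04-20 11:04 69632 --sha-r- c:\windows\system32\pmsplp.dll
2011-04-19 11:14 . 2011-04-19 12:06 -------- d-----w- c:\windows\Yb2Ti2O7
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S{8}) (.+)$"
)
# Directories where a fresh, unexplained entry deserves a closer look (assumed).
WATCHED_PARENTS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
# Artifacts of the scanners installed during this clean-up (assumed allowlist).
ALLOWLIST = {"eset", "malwarebytes", "malwarebytes' anti-malware", "mbam.sys", "mbamswissarmy.sys"}


@dataclass
class Entry:
    created: datetime
    size: Optional[int]      # None for directories ('--------' in the log)
    attrs: str               # e.g. 'd-----w-', '----a-w-', '--sha-r-'
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_or_system(self) -> bool:
        # Columns 2 and 3 carry 's' and 'h' in the log's own strings ('--sha-r-').
        return self.attrs[2] == "s" or self.attrs[3] == "h"

    @property
    def verdict(self) -> str:
        return "high" if self.score >= 3 else "review" if self.score >= 2 else "ok"


def parse(text: str) -> List[Entry]:
    """Turn the section's lines into Entry objects; headers and '.' fillers are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        created, _modified, size, attrs, path = m.groups()
        entries.append(Entry(created=datetime.strptime(created, "%Y-%m-%d %H:%M"),
                             size=None if size == "--------" else int(size),
                             attrs=attrs, path=path))
    return entries


def score(entry: Entry, incident: datetime, window_days: int = 3) -> Entry:
    """Add points per weak signal; no single signal is treated as proof."""
    low = entry.path.lower()
    name, parent = ntpath.basename(low), ntpath.dirname(low)
    if name in ALLOWLIST:
        entry.reasons.append("allowlisted scanner artifact")
        return entry
    if incident - timedelta(days=window_days) <= entry.created <= incident + timedelta(days=1):
        entry.score += 1
        entry.reasons.append("created in the incident window")
    if parent in WATCHED_PARENTS or parent.endswith(r"\application data"):
        entry.score += 1
        entry.reasons.append("created under " + parent)
    if entry.hidden_or_system:
        entry.score += 2
        entry.reasons.append("hidden/system attributes " + entry.attrs)
    if entry.size == 0:
        entry.score += 1
        entry.reasons.append("zero-byte file")
    return entry


def triage(text: str, incident: datetime) -> List[Entry]:
    return [score(e, incident) for e in parse(text)]


def triage_sample() -> List[Entry]:
    """Run the triage over the constructed sample with the thread's incident date."""
    return triage(SAMPLE_LOG, incident=datetime(2011, 4, 20))


def build_cfscript(entries: List[Entry]) -> str:
    """Draft File::/Folder:: sections from 'high' entries only; 'review' stays out."""
    high = [e for e in entries if e.verdict == "high"]
    files = [e.path for e in high if not e.is_dir]
    dirs = [e.path for e in high if e.is_dir]
    lines = []
    if files:
        lines += ["File::"] + files
    if dirs:
        lines += ["Folder::"] + dirs
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    findings = triage_sample()
    for e in findings:
        print(f"{e.verdict:6} {e.score}  {e.path}  <- {'; '.join(e.reasons)}")
    print(build_cfscript(findings))
```

Run as-is, it prints a verdict per entry and a draft containing only Vyiqo.bin and pmsplp.dll; the Application Data folders and Yb2Ti2O7 come out as "review", which in practice means asking the user what they are before adding a Folder:: line.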
 
Step 2 complete

Hi Bobbeye

Ok, instructions carried out as you directed. During the Combofix run, a box opened to say a program "PEV.exe" had closed unexpectedly. I was planning to copy and paste the error message from the box, but Combofix closed it. The random redirect issue has not re-occurred in the last two days.

Thanks for your help, the latest log follows.

ComboFix 11-04-21.01 - Neil 25/04/2011 6:58.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3069.2573 [GMT 1:00]
Running from: c:\documents and settings\Neil \Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Neil \Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
FILE ::
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}"
"c:\windows\system32\pmsplp.dll"
"c:\windows\Vyiqo.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\pmsplp.dll
c:\windows\Vyiqo.bin
c:\windows\Yb2Ti2O7
c:\windows\Yb2Ti2O7\Final stats.txt
c:\windows\Yb2Ti2O7\MSS\Copy (2) of MSS.EXP
c:\windows\Yb2Ti2O7\MSS\Copy (3) of MSS.EXP
c:\windows\Yb2Ti2O7\MSS\Copy of MSS.EXP
c:\windows\Yb2Ti2O7\MSS\MSS.CMT
c:\windows\Yb2Ti2O7\MSS\MSS.EXP
c:\windows\Yb2Ti2O7\MSS\MSS.LST
c:\windows\Yb2Ti2O7\MSS\MSS.O01
c:\windows\Yb2Ti2O7\MSS\MSS.O02
c:\windows\Yb2Ti2O7\MSS\MSS.O03
c:\windows\Yb2Ti2O7\MSS\MSS.O04
c:\windows\Yb2Ti2O7\MSS\MSS.O05
c:\windows\Yb2Ti2O7\MSS\MSS.O06
c:\windows\Yb2Ti2O7\MSS\MSS.O07
c:\windows\Yb2Ti2O7\MSS\MSS.O08
c:\windows\Yb2Ti2O7\MSS\MSS.O09
c:\windows\Yb2Ti2O7\MSS\MSS.O0A
c:\windows\Yb2Ti2O7\MSS\MSS.O0B
c:\windows\Yb2Ti2O7\MSS\MSS.O0C
c:\windows\Yb2Ti2O7\MSS\MSS.O0D
c:\windows\Yb2Ti2O7\MSS\MSS.O0E
c:\windows\Yb2Ti2O7\MSS\MSS.O0F
c:\windows\Yb2Ti2O7\MSS\MSS.O10
c:\windows\Yb2Ti2O7\MSS\MSS.O11
c:\windows\Yb2Ti2O7\MSS\MSS.O12
c:\windows\Yb2Ti2O7\MSS\MSS.O13
c:\windows\Yb2Ti2O7\MSS\MSS.O14
c:\windows\Yb2Ti2O7\MSS\MSS.O15
c:\windows\Yb2Ti2O7\MSS\MSS.O16
c:\windows\Yb2Ti2O7\MSS\MSS.O17
c:\windows\Yb2Ti2O7\MSS\MSS.O18
c:\windows\Yb2Ti2O7\MSS\MSS.O19
c:\windows\Yb2Ti2O7\MSS\MSS.O1A
c:\windows\Yb2Ti2O7\MSS\MSS.O1B
c:\windows\Yb2Ti2O7\MSS\MSS.O1C
c:\windows\Yb2Ti2O7\MSS\MSS.O1D
c:\windows\Yb2Ti2O7\MSS\MSS.O1E
c:\windows\Yb2Ti2O7\MSS\MSS.O1F
c:\windows\Yb2Ti2O7\MSS\MSS.O20
c:\windows\Yb2Ti2O7\MSS\MSS.O21
c:\windows\Yb2Ti2O7\MSS\MSS.O22
c:\windows\Yb2Ti2O7\MSS\MSS.O23
c:\windows\Yb2Ti2O7\MSS\MSS.O24
c:\windows\Yb2Ti2O7\MSS\MSS.O25
c:\windows\Yb2Ti2O7\MSS\MSS.O26
c:\windows\Yb2Ti2O7\MSS\MSS.O27
c:\windows\Yb2Ti2O7\MSS\MSS.O28
c:\windows\Yb2Ti2O7\MSS\MSS.O29
c:\windows\Yb2Ti2O7\MSS\MSS.O2A
c:\windows\Yb2Ti2O7\MSS\MSS.O2B
c:\windows\Yb2Ti2O7\MSS\MSS.O2C
c:\windows\Yb2Ti2O7\MSS\MSS.O2D
c:\windows\Yb2Ti2O7\MSS\MSS.O2E
c:\windows\Yb2Ti2O7\MSS\MSS.P01
c:\windows\Yb2Ti2O7\MSS\MSS.R01
c:\windows\Yb2Ti2O7\MSS\MSS.TBL
c:\windows\Yb2Ti2O7\MSS\Stoe.prm
c:\windows\Yb2Ti2O7\MSS\YT_MSSR_2.gsa
c:\windows\Yb2Ti2O7\SSS\Copy (2) of SSS.EXP
c:\windows\Yb2Ti2O7\SSS\Copy (3) of SSS.EXP
c:\windows\Yb2Ti2O7\SSS\Copy of SSS.EXP
c:\windows\Yb2Ti2O7\SSS\SSS.CMT
c:\windows\Yb2Ti2O7\SSS\SSS.EXP
c:\windows\Yb2Ti2O7\SSS\SSS.LST
c:\windows\Yb2Ti2O7\SSS\SSS.O01
c:\windows\Yb2Ti2O7\SSS\SSS.O02
c:\windows\Yb2Ti2O7\SSS\SSS.O03
c:\windows\Yb2Ti2O7\SSS\SSS.O04
c:\windows\Yb2Ti2O7\SSS\SSS.O05
c:\windows\Yb2Ti2O7\SSS\SSS.O06
c:\windows\Yb2Ti2O7\SSS\SSS.O07
c:\windows\Yb2Ti2O7\SSS\SSS.O08
c:\windows\Yb2Ti2O7\SSS\SSS.O09
c:\windows\Yb2Ti2O7\SSS\SSS.O0A
c:\windows\Yb2Ti2O7\SSS\SSS.O0B
c:\windows\Yb2Ti2O7\SSS\SSS.O0C
c:\windows\Yb2Ti2O7\SSS\SSS.O0D
c:\windows\Yb2Ti2O7\SSS\SSS.O0E
c:\windows\Yb2Ti2O7\SSS\SSS.O0F
c:\windows\Yb2Ti2O7\SSS\SSS.O10
c:\windows\Yb2Ti2O7\SSS\SSS.O11
c:\windows\Yb2Ti2O7\SSS\SSS.O12
c:\windows\Yb2Ti2O7\SSS\SSS.O13
c:\windows\Yb2Ti2O7\SSS\SSS.O14
c:\windows\Yb2Ti2O7\SSS\SSS.O15
c:\windows\Yb2Ti2O7\SSS\SSS.O16
c:\windows\Yb2Ti2O7\SSS\SSS.O17
c:\windows\Yb2Ti2O7\SSS\SSS.O18
c:\windows\Yb2Ti2O7\SSS\SSS.O19
c:\windows\Yb2Ti2O7\SSS\SSS.O1A
c:\windows\Yb2Ti2O7\SSS\SSS.O1B
c:\windows\Yb2Ti2O7\SSS\SSS.O1C
c:\windows\Yb2Ti2O7\SSS\SSS.P01
c:\windows\Yb2Ti2O7\SSS\SSS.R01
c:\windows\Yb2Ti2O7\SSS\SSS.TBL
c:\windows\Yb2Ti2O7\SSS\SSSU.CMT
c:\windows\Yb2Ti2O7\SSS\SSSU.EXP
c:\windows\Yb2Ti2O7\SSS\SSSU.LST
c:\windows\Yb2Ti2O7\SSS\SSSU.O01
c:\windows\Yb2Ti2O7\SSS\SSSU.O02
c:\windows\Yb2Ti2O7\SSS\SSSU.O03
c:\windows\Yb2Ti2O7\SSS\SSSU.P01
c:\windows\Yb2Ti2O7\SSS\SSSU.R01
c:\windows\Yb2Ti2O7\SSS\Stoe.prm
c:\windows\Yb2Ti2O7\SSS\YT_SSSR_2.gsa
.
.
((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
.
.
2011-04-24 17:03 . 2011-04-24 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Advanced Chemistry Development
2011-04-24 17:02 . 2011-04-24 17:03 -------- d-----w- c:\program files\ACDFREE11
2011-04-24 16:47 . 2011-04-24 16:47 -------- d-----w- c:\documents and settings\Neil \Application Data\ChemAxon
2011-04-24 16:47 . 2011-04-24 18:15 -------- d-----w- c:\documents and settings\Neil \chemaxon
2011-04-24 16:43 . 2011-04-24 16:43 -------- d-----w- c:\program files\GreatStellaDEMO
2011-04-21 17:08 . 2011-04-21 17:08 -------- d-----w- c:\program files\ESET
2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Malwarebytes
2011-04-20 16:01 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 16:01 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-20 11:06 . 2011-04-20 13:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Ukdy
2011-04-20 11:06 . 2011-04-20 11:32 -------- d-----w- c:\documents and settings\Neil \Application Data\Wyaw
2011-04-10 17:48 . 2011-04-10 17:48 -------- d-----w- c:\documents and settings\Neil \Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2008-04-22 15:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-22 07:17 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-22 07:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-22 07:17 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-22 07:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-22 07:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-22 07:16 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-22 07:16 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-22 07:17 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-07-23 07:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-22 07:16 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-04-22 07:17 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-22 07:16 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-22 07:16 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2008-04-22 07:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 20:40 . 2011-02-10 07:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 18:19 . 2011-02-10 07:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2008-04-22 15:25 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-04-22 15:25 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-20_17.19.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-25 05:46 . 2011-04-25 05:46 16384 c:\windows\Temp\Perflib_Perfdata_31c.dat
- 2008-04-22 07:17 . 2011-04-20 17:01 72756 c:\windows\system32\perfc009.dat
+ 2008-04-22 07:17 . 2011-04-25 05:50 72756 c:\windows\system32\perfc009.dat
+ 2010-11-15 20:02 . 2010-11-15 20:02 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\ViewerPS.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\reader_sl.exe
+ 2010-11-15 20:02 . 2010-11-15 20:02 16808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\piaglbreakfinder.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\PDFPrevHndlr.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\eula.exe
+ 2010-11-15 20:02 . 2010-11-15 20:02 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\acrotextextractor.exe
+ 2010-11-15 20:02 . 2010-11-15 20:02 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroRd32Info.exe
+ 2010-11-15 20:02 . 2010-11-15 20:02 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\acroiehelpershim.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroIEHelper.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\Acrofx32.dll
+ 2008-04-22 07:17 . 2011-04-25 05:50 445238 c:\windows\system32\perfh009.dat
- 2008-04-22 07:17 . 2011-04-20 17:01 445238 c:\windows\system32\perfh009.dat
+ 2011-04-21 18:04 . 2011-02-02 20:40 157472 c:\windows\system32\javaws.exe
+ 2011-04-21 18:04 . 2011-02-02 20:40 145184 c:\windows\system32\javaw.exe
- 2011-02-10 07:49 . 2011-02-10 07:49 145184 c:\windows\system32\javaw.exe
+ 2011-04-21 18:04 . 2011-02-02 20:40 145184 c:\windows\system32\java.exe
- 2011-02-10 07:49 . 2011-02-10 07:49 145184 c:\windows\system32\java.exe
+ 2011-04-21 18:04 . 2011-04-21 18:04 180224 c:\windows\Installer\20e7cb9.msi
+ 2010-11-15 20:02 . 2010-11-15 20:02 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\pdfshell.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
+ 2010-11-15 20:02 . 2010-11-15 20:02 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\nppdf32.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\JP2KLib.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AiodLite.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroPDF.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\acrobroker.exe
+ 2010-11-15 20:02 . 2010-11-15 20:02 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\a3dutils.dll
+ 2011-04-21 18:13 . 2011-04-21 18:13 2519552 c:\windows\Installer\20e7fe0.msi
+ 2010-11-15 20:02 . 2010-11-15 20:02 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\rt3d.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\authplay.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AGM.dll
+ 2010-11-15 20:02 . 2010-11-15 20:02 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AdobeCollabSync.exe
+ 2010-11-15 20:02 . 2010-11-15 20:02 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroRd32.exe
+ 2011-01-30 20:52 . 2011-01-30 20:52 12425728 c:\windows\Installer\2108f1.msp
+ 2010-11-15 20:02 . 2010-11-15 20:02 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-23 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2008-05-13 503808]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-30 13529088]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-04-30 1347584]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-04-30 1191936]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NWTRAY"="NWTRAY.EXE" [2006-07-13 28672]
"EPSON PageSTM TrayIcon01"="c:\program files\EPSON\BSTM\PG\E_L20IC2.EXE" [2007-12-11 151552]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-26 274608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-15 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-6 576104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
.
R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [09/01/2011 11:05 1737464]
R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [15/09/2008 13:30 72448]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [12/09/2008 15:49 244368]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [22/04/2008 17:24 37040]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/07/2010 09:21 135664]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [03/08/2010 08:19 100736]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [09/01/2011 11:04 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 08:21]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 08:21]
.
2011-04-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1947724138-2050635879-2572181111-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
.
2011-04-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1947724138-2050635879-2572181111-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Neil \Application Data\Mozilla\Firefox\Profiles\yg4zx6hy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 07:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-25 07:07:39
ComboFix-quarantined-files.txt 2011-04-25 06:07
ComboFix2.txt 2011-04-21 17:58
ComboFix3.txt 2011-04-20 17:49
ComboFix4.txt 2011-04-20 17:22
.
Pre-Run: 132,066,652,160 bytes free
Post-Run: 132,082,331,648 bytes free
.
- - End Of File - - B87DD28214D3AD05C725E6B8E2CB960F
 
I may have had you remove something you needed!

I saw this directory, c:\windows\Yb2Ti2O7, and could not find any computer-related identification for it. But now I see these entries:
2011-04-24 17:03 . 2011-04-24 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Advanced Chemistry Development
2011-04-24 16:47 . 2011-04-24 16:47 -------- d-----w- c:\documents and settings\Neil \Application Data\ChemAxon
2011-04-24 16:47 . 2011-04-24 18:15 -------- d-----w- c:\documents and settings\Neil \chemaxon


Did I inadvertently remove data for the Chemistry? Did you need it? Would you like me to try and restore it? You can see all the files at the beginning of Combofix.
 
We're not quite through yet! I am very glad you had the files backed up! I usually ask if I see a file like that before zapping it! I will be back after dinner to check the new Combofix log.

How are the redirects? Any other related problems?
 
This time I will ask first: Do you know what either of these are?
2011-04-20 13:01 c:\documents and settings\Neil \Application Data\Ukdy
2011-04-20 11:06 c:\documents and settings\Neil \Application Data\Wyaw

You need to remove this outdated Java extension from Firefox: v6u22
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

You do not need to add a separate update to Firefox when updating Java.
====================================
Both of the following need to be updated:
Java: Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
Adobe Reader: Visit this Adobe Reader site. Uninstall any earlier updates, as they are vulnerabilities.
=====================================
The flash drive you used when you first noticed the problem should be disinfected:
These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Have the redirects been resolved?
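The USB-worm mechanism the post above is defending against, shown as an added example that is not part of the thread and is not the Flash_Disinfector tool itself: `autorun.inf` is a plain INI file, and a worm that spreads on removable drives writes one that points the `open`/`shellexecute`/`shell\...\command` directives at its payload. The script below parses such a file to show what would have been launched, then applies the same protective trick the note describes, replacing the file with a directory named `autorun.inf` so that a worm can no longer create a file of that name on the volume. The `SAMPLE_INF` content and the file names inside it are constructed for illustration, and a temporary directory stands in for the USB stick; hiding the folder (a Windows attribute) is left out so the example runs anywhere.

```python
"""Inspect and neutralise autorun.inf on a removable drive (added example)."""
import configparser
import os
import shutil
import tempfile

# Constructed sample of a worm-style autorun.inf; the paths are made up.
SAMPLE_INF = """[autorun]
open=RECYCLER\\S-1-5-21\\setup.exe
shellexecute=RECYCLER\\S-1-5-21\\setup.exe
shell\\open\\command=RECYCLER\\S-1-5-21\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Directives whose value Windows AutoRun would execute.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {directive: command} for every entry that launches a program.

    Keys are case-insensitive in autorun.inf; shell\\<verb>\\command entries
    are included because worms hijack the 'Open' verb so that double-clicking
    the drive runs the payload instead of opening the folder.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    launches = {}
    for key, value in cp.items("autorun"):
        k = key.lower()
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            launches[k] = value.strip()
    return launches


def block_autorun(volume_root):
    """Move any autorun.inf file aside and put a directory of that name in its place.

    A directory called autorun.inf means no file called autorun.inf can be
    created on the volume, so AutoRun has nothing to read. Returns the launch
    commands parsed from the removed file (empty dict if there was none).
    """
    target = os.path.join(volume_root, "autorun.inf")
    found = {}
    if os.path.isfile(target):
        with open(target, encoding="utf-8", errors="replace") as fh:
            found = parse_autorun(fh.read())
        shutil.move(target, target + ".quarantined")  # keep it for inspection
    if not os.path.isdir(target):
        os.mkdir(target)
    return found


def is_protected(volume_root):
    """True when autorun.inf on the volume is a directory rather than a file."""
    return os.path.isdir(os.path.join(volume_root, "autorun.inf"))


def demo():
    """Full flow in a temp directory standing in for an infected USB stick."""
    root = tempfile.mkdtemp(prefix="usbdemo_")
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_INF)
        launches = block_autorun(root)
        # Simulate a worm trying to drop a fresh autorun.inf: the name is
        # now taken by a directory, so the open() for writing fails.
        try:
            open(os.path.join(root, "autorun.inf"), "w").close()
            reinfected = True
        except OSError:
            reinfected = False
        return launches, is_protected(root), reinfected
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    launches, protected, reinfected = demo()
    for directive, command in sorted(launches.items()):
        print(f"{directive:22} -> {command}")
    print("protected:", protected, "| worm could re-create autorun.inf:", reinfected)
```

Run it as-is to see the three launch directives from the sample and confirm that the follow-up write of `autorun.inf` fails once the directory is in place. On a real stick you would point `block_autorun()` at the drive root (for example `E:\`) after inspecting what `parse_autorun()` reports; the quarantined copy is left beside the folder so you can hash or submit the referenced executable.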
 
Next step

Hi Bobbye

I'll run through this in the next couple of days as I will be travelling. No browser redirect issues at present. I'll post the logs at the earliest opportunity.
 
Okay, I'll make myself a note to keep the thread open. Post when you can.

To Bobbye: Member is traveling. Please keep thread open.
 