Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

IE hijacked and random music

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

IE hijacked and random music

Unread postby old bill » May 24th, 2009, 7:45 am

Hi Folks

Thanks for the advise on getting HJTinstall.exe to run, I now have a log.
An old timer here needing your help please.
My IE goes off to sites dictated by something called windowsclick rather than the sites I select. The machine also plays random music without any action from me. The log is below.
Many thanks for your help.
Bill

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:23, on 24/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6225 bytes
old bill
Regular Member
 
Posts: 218
Joined: May 23rd, 2009, 6:17 am
Advertisement
Register to Remove

Re: IE hijacked and random music

Unread postby jmw3 » May 25th, 2009, 10:20 pm

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is postedis ticked on the POST A REPLY page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download gmer.zip from Gmer here & save it to your desktop.
  • Right click on gmer.zip, select Extract All... & extract the contents to your desktop
  • Double click the Gmer.exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: IE hijacked and random music

Unread postby old bill » May 26th, 2009, 8:05 am

Hi jmw3
Many thanks for the reply. The dds program seemed to run ok but a message was displayed saying "sort utility encounted a problem and needs to close". The log files are below.
The gmer application refuses to execute so no log files.
Hope to hear from you soon.
Bill

DDS (Ver_09-05-14.01) - NTFSx86
Run by Graham Else at 12:04:08.85 on 26/05/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.676 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Documents and Settings\Graham Else\My Documents\Web downloads\keys\MacroMaker.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Graham Else\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\program files\common files\microsoft shared\stationery\Blank.htm
uStart Page = http://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
TB: {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\graham~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\graham~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\MSOFFICE.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
uPolicies-system: DisableRegistryTools = 0
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: mcafee.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/share ... cgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/fl ... wflash.cab

============= SERVICES / DRIVERS ===============

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-8-1 29239]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214024]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2004-9-1 188416]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-19 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-19 144704]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2004-8-3 62976]
R3 DCamUSBVideoLogic;HomeC@m;c:\windows\system32\drivers\p35u.sys [2005-11-19 90144]
R3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\HSFHWCD2.sys [2006-11-2 201728]
R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [2006-9-21 109440]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-19 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-19 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-19 40552]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-12 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-12 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-12 81288]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-19 34216]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-12 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-12 1079176]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [2005-12-1 224960]

=============== Created Last 30 ================

2009-05-24 12:28 <DIR> --d----- c:\program files\Trend Micro
2009-05-22 14:42 <DIR> --d----- c:\documents and settings\graham else\DoctorWeb
2009-05-20 14:39 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-05-20 14:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-05-19 15:57 192 a------- c:\docume~1\graham~1\applic~1\asd.bat

==================== Find3M ====================

2009-05-21 20:03 2,707,744 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-21 20:03 37,340 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-21 20:03 1,100 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-05-21 20:03 288 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-11 16:08 167 a------- C:\gprologvars.bat
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2008-04-07 11:38 61,224 a------- c:\documents and settings\graham else\GoToAssistDownloadHelper.exe

============= FINISH: 12:05:58.06 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 01/01/2003 16:48:04
System Uptime: 26/05/2009 11:52:36 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A8N-E
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 939 | 2010/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 69.114 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

7-Zip 4.57
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 2.0
Adobe Reader 7.0.8
Apple Software Update
Athlon 64 Processor Driver
AutoUpdate
Avi2Dvd 0.4.5 beta
AVIcodec (remove only)
AviSynth 2.5
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
BBC iPlayer Download Manager
Before You Know It 3.5 Lite
Brother HL-1430
Compatibility Pack for the 2007 Office system
DesignPro 5.0 Limited Edition
DivX Codec
DivX Converter
DivX Player
DVD Shrink 3.2
EPSON CardMonitor
EPSON Copy Utility
EPSON Photo Print
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
ESPR300 Reference Guide
ESPR300 Software Guide
ESPR300 Standalone Guide
EZY Prolog Suite
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.4
FUJIFILM USB Driver
GNU Prolog version 1.3.1
HijackThis 2.0.2
HomeC@m
Hotfix for Windows XP (KB952287)
ImgBurn (Remove Only)
Logitech SetPoint
MacroMaker
Max-FTP
McAfee SecurityCenter
MetaFrame Presentation Server Web Client for Win32
Microsoft Office 97, Professional Edition
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NVIDIA Drivers
P2400P Reference Guide
Palm Desktop
Photo Viewer V208G2
PIF DESIGNER2.1
Pinnacle InstantCD/DVD Suite
Pinnacle InstantCD/DVD Suite Update
PowerDVD
QuickTime
Realtek AC'97 Audio
Registry Healer 4.0.1 uninstall
ScanToWeb
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Skype 2.5
SoftV92 Data Fax Modem with SmartCP
Spyware Doctor 6.0
SWI-Prolog (remove only)
Trellian Dictionary v1.0
Trellian LiveUpgrade v2.0
Trellian WebPage
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Prolog 7.2 Personal Edition
Visual Prolog Examples
Web Design Group CSS Reference
Web Design Group HTML Reference
WebFldrs XP
WinAVIVideoConverter
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows XP Service Pack 3
Xvid 1.1.2 final uninstall

==== Event Viewer Messages From Past Week ========

26/05/2009 12:04:11, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.
26/05/2009 12:04:10, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
22/05/2009 13:34:10, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
22/05/2009 12:26:38, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Graham Else.
22/05/2009 12:16:55, information: Windows File Protection [64016] - Windows File Protection file scan was started.
22/05/2009 11:12:26, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
22/05/2009 11:12:02, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
22/05/2009 11:11:45, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
22/05/2009 11:11:45, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
22/05/2009 11:11:45, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
22/05/2009 11:11:45, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
22/05/2009 11:11:45, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
22/05/2009 11:10:42, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
22/05/2009 11:10:37, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
21/05/2009 16:56:47, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
20/05/2009 17:38:43, error: System Error [1003] - Error code 100000d1, parameter1 e1d2a000, parameter2 00000002, parameter3 00000000, parameter4 eed67b00.
20/05/2009 14:09:36, error: System Error [1003] - Error code 1000000a, parameter1 eb00004f, parameter2 00000002, parameter3 00000001, parameter4 8051eefd.
19/05/2009 16:19:22, error: Service Control Manager [7022] - The KService service hung on starting.
19/05/2009 16:04:12, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
old bill
Regular Member
 
Posts: 218
Joined: May 23rd, 2009, 6:17 am

Re: IE hijacked and random music

Unread postby jmw3 » May 26th, 2009, 9:34 am

Hi
See if this works for Gmer:
Open notepad & copy/paste the text in the Codebox below into it:
Code: Select all
@echo off
copy /y gmer.exe omer.exe
start omer

Save this as run.bat Choose to "Save type as - All Files" & save it next to gmer.exe on your desktop
It should look like this: Image
Double click on run.bat & allow it to run

Then, use these settings to produce a log.

  • If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and attach it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Post the contents of the log in your next reply.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: IE hijacked and random music

Unread postby old bill » May 26th, 2009, 12:06 pm

Hi
Great magic it worked. Log below.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-26 17:01:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEB07F4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEB07F581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEB07F498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEB07F4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEB07F595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEB07F5C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEB07F634]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEB07F619]
Code 86C011F0 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEB07F52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEB07F65E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEB07F56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEB07F470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEB07F484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEB07F4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEB07F69A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEB07F603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEB07F5ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEB07F5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEB07F686]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEB07F672]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEB07F4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEB07F4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEB07F5D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEB07F559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEB07F648]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEB07F540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEB07F514]
Code 86C177C6 IofCallDriver
Code 86BE410E IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 kbdcap.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 kbdcap.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACkaxiyiyxmoyxado.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [936] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkaxiyiyxmoyxado.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [980] 0x00C20000
Library \\?\globalroot\systemroot\system32\UACkaxiyiyxmoyxado.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [996] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkaxiyiyxmoyxado.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1032] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkaxiyiyxmoyxado.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1084] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkaxiyiyxmoyxado.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1152] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkaxiyiyxmoyxado.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1520] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkaxiyiyxmoyxado.dll (*** hidden *** ) @ c:\program files\internet explorer\iexplore.exe [3720] 0x00C20000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACjbvrgrrrulvbone.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACjbvrgrrrulvbone.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACjbvrgrrrulvbone.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvndchtvktpxmjds.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACilbgskcomnxfvbb.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACqpodibkmlkgynbt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACpkltxbcpurrkljp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACynmyfkevitbdjnl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACkaxiyiyxmoyxado.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACgtnsymrxdonylkd.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACbhmtvpyetttekmh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACrorbpsxkxwulfwq.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACjbvrgrrrulvbone.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACjbvrgrrrulvbone.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvndchtvktpxmjds.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACilbgskcomnxfvbb.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACqpodibkmlkgynbt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACpkltxbcpurrkljp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACynmyfkevitbdjnl.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACkaxiyiyxmoyxado.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACgtnsymrxdonylkd.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACbhmtvpyetttekmh.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACrorbpsxkxwulfwq.log

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Graham Else\DoctorWeb\Quarantine\UACd67a.tmp 66560 bytes
File C:\Documents and Settings\Graham Else\DoctorWeb\Quarantine\UACkaxiyiyxmoyxado.dll 66560 bytes
File C:\Documents and Settings\Graham Else\DoctorWeb\Quarantine\UACvndchtvktpxmjds.dll 24064 bytes executable
File C:\Documents and Settings\Graham Else\Local Settings\Temp\UACad3f.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\UACjbvrgrrrulvbone.sys 52224 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACgtnsymrxdonylkd.log 48545 bytes
File C:\WINDOWS\system32\UACilbgskcomnxfvbb.dat 224 bytes
File C:\WINDOWS\system32\uacinit.dll 5712 bytes
File C:\WINDOWS\system32\UACkaxiyiyxmoyxado.dll 66560 bytes
File C:\WINDOWS\system32\UACpkltxbcpurrkljp.dll 17408 bytes executable
File C:\WINDOWS\system32\UACqpodibkmlkgynbt.dll 19968 bytes executable
File C:\WINDOWS\system32\UACvndchtvktpxmjds.dll 24064 bytes executable
File C:\WINDOWS\system32\UACynmyfkevitbdjnl.dll 19456 bytes executable
File C:\WINDOWS\Temp\UACf174.tmp 66560 bytes

---- EOF - GMER 1.0.15 ----
old bill
Regular Member
 
Posts: 218
Joined: May 23rd, 2009, 6:17 am

Re: IE hijacked and random music

Unread postby jmw3 » May 26th, 2009, 12:20 pm

Hi
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Rename ComboFix.exe to Commy.exe BEFORE saving it your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Could you also run Gmer again for me please.

To post in next reply:
Combofix log
New Gmer log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: IE hijacked and random music

Unread postby old bill » May 27th, 2009, 7:45 am

Hi
As always my thanks for your help.
Logs below.
Regards Bill

ComboFix 09-05-26.02 - Graham Else 27/05/2009 10:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.778 [GMT 1:00]
Running from: c:\documents and settings\Graham Else\Desktop\Comy.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Graham Else\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\drivers\UACjbvrgrrrulvbone.sys
c:\windows\system32\UACbhmtvpyetttekmh.log
c:\windows\system32\UACgtnsymrxdonylkd.log
c:\windows\system32\UACilbgskcomnxfvbb.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkaxiyiyxmoyxado.dll
c:\windows\system32\UACpkltxbcpurrkljp.dll
c:\windows\system32\UACqpodibkmlkgynbt.dll
c:\windows\system32\UACrorbpsxkxwulfwq.log
c:\windows\system32\UACvndchtvktpxmjds.dll
c:\windows\system32\UACynmyfkevitbdjnl.dll

----- BITS: Possible infected sites -----

hxxp://softwaredownloadcentercom.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))
.

2009-05-24 11:28 . 2009-05-24 11:28 -------- d-----w c:\program files\Trend Micro
2009-05-22 13:42 . 2009-05-22 14:46 -------- d-----w c:\documents and settings\Graham Else\DoctorWeb
2009-05-22 11:35 . 2004-08-04 12:00 10096640 -c--a-w c:\windows\system32\dllcache\hwxcht.dll
2009-05-20 16:39 . 2009-05-21 19:03 2707744 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-20 16:36 . 2009-05-21 19:03 288 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-20 13:39 . 2009-05-21 15:56 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-20 13:39 . 2009-05-21 15:56 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-20 13:38 . 2009-05-20 13:38 -------- d-----w c:\documents and settings\Graham Else\Local Settings\Application Data\Downloaded Installations
2009-05-19 14:57 . 2009-05-19 14:57 192 ----a-w c:\documents and settings\Graham Else\Application Data\asd.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-27 10:00 . 2008-01-21 11:38 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-05-27 09:55 . 2005-12-24 11:03 -------- d-----w c:\documents and settings\Graham Else\Application Data\Skype
2009-05-22 11:05 . 2009-02-12 16:13 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-21 19:03 . 2009-05-20 16:39 37340 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-21 19:03 . 2009-05-20 16:36 1100 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-19 15:30 . 2009-02-12 16:13 -------- d-----w c:\program files\Spyware Doctor
2009-05-09 09:32 . 2005-11-12 16:09 -------- d-----w c:\program files\FinePixViewer
2009-04-18 09:08 . 2009-02-19 13:42 -------- d-----w c:\program files\McAfee
2009-04-12 14:11 . 2009-04-12 14:11 -------- d-----w c:\program files\EZY-Software
2009-04-11 15:44 . 2009-04-11 15:44 -------- d-----w c:\documents and settings\Graham Else\Application Data\xpce
2009-04-11 15:38 . 2009-04-11 15:38 -------- d-----w c:\documents and settings\Graham Else\Application Data\SWI-Prolog
2009-04-11 15:35 . 2009-04-11 15:35 -------- d-----w c:\program files\pl
2009-04-11 15:08 . 2009-04-11 15:08 167 ----a-w C:\gprologvars.bat
2009-04-11 14:44 . 2009-04-11 14:44 5120 ----a-r c:\documents and settings\Graham Else\Application Data\Microsoft\Installer\{55CD2575-CD3C-40CC-A492-3BBBDE44D811}\Icon0F1F231E.exe
2009-04-11 14:44 . 2009-04-11 14:44 -------- d-----w c:\program files\Visual Prolog 7.2 PE
2009-03-25 10:06 . 2009-02-19 13:42 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 10:06 . 2009-02-19 13:42 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 10:06 . 2009-02-19 13:42 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 10:06 . 2009-01-09 12:03 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 10:05 . 2009-02-19 13:40 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-11-24 20058152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-06-15 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Graham Else\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-12 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-10-22 303104]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-1-6 581632]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-1 111376]
Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [1997-8-1 333824]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-1 51984]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"wave2"= serwvdrv.dll
"wave3"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [01/08/2003 15:47 29239]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [01/09/2004 15:50 188416]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [03/08/2004 12:10 62976]
R3 DCamUSBVideoLogic;HomeC@m;c:\windows\system32\drivers\p35u.sys [19/11/2005 17:05 90144]
R3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\HSFHWCD2.sys [02/11/2006 16:30 201728]
R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [21/09/2006 17:48 109440]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/02/2009 17:13 356920]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [01/12/2005 15:59 224960]
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-19 10:53]

2009-02-19 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-19 10:53]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uLocal Page = c:\program files\Common Files\Microsoft Shared\Stationery\Blank.htm
uStart Page = http://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1993962763-2147061141-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-05-27 11:02
ComboFix-quarantined-files.txt 2009-05-27 10:01

Pre-Run: 74,129,739,776 bytes free
Post-Run: 74,633,584,640 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

168 --- E O F --- 2009-05-14 09:03

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-27 12:34:00
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEB0DD4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEB0DD498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEB0DD4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEB0DD52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEB0DD470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEB0DD484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEB0DD4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEB0DD4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEB0DD4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEB0DD559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEB0DD540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEB0DD514]
Code \??\C:\DOCUME~1\GRAHAM~1\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 kbdcap.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 kbdcap.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
old bill
Regular Member
 
Posts: 218
Joined: May 23rd, 2009, 6:17 am

Re: IE hijacked and random music

Unread postby jmw3 » May 27th, 2009, 9:41 am

Hi

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all
File::
c:\documents and settings\Graham Else\Application Data\asd.bat
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
DDS::
TB: {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No File
uPolicies-system: DisableRegistryTools = 0
Trusted Zone: mcafee.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Kaspersky Online Scan
Please make sure that all programs are closed when installing Java.

  • Click here to visit Java's website
  • Scroll down to Java Runtime Environment (JRE) 6 Update 13. Click on Download
  • Select Windows from the drop-down list for Platform
  • Select Multi-language from the drop-down list for Language
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue
  • Click on jre-6u13-windows-i586-p.exe link to download it and save this to a convenient location
  • Double click on jre-6u13-windows-i586-p.exe to install Java
  • After the Java installation has finished, go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
To post in next reply:
Combofix log
Kaspersky Scan log
Update on how the computer is running
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: IE hijacked and random music

Unread postby old bill » May 27th, 2009, 10:44 am

Hi
Sorry didn't get far with those instructions.
As soon as I dragged the CFScript.txt to Commy.exe Mcafee jumped in declared Commy a virus and deleted it.
Please advise. Regards
Bill
old bill
Regular Member
 
Posts: 218
Joined: May 23rd, 2009, 6:17 am

Re: IE hijacked and random music

Unread postby jmw3 » May 27th, 2009, 4:33 pm

Hi
Make sure you have McAfee disabled then download Combofix again (shouldn't need to rename it this time):
Link 1
Link 2
Link 3

Then continue on with the CFScript & Kaspersky instructions.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: IE hijacked and random music

Unread postby old bill » May 28th, 2009, 6:43 am

Good Morning.
Your instructions worked fine. Logs below.
An observation on this set of tests reveals a new Internet Explorer icon has appeared on my desktop.
Overall observation sugests that IE is now behaving normally and the mysterious music is no longer playing.
Things sounding good.

Thanks Bill

ComboFix 09-05-26.05 - Graham Else 28/05/2009 9:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.724 [GMT 1:00]
Running from: c:\documents and settings\Graham Else\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Graham Else\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Resident AV is active


FILE ::
"c:\documents and settings\Graham Else\Application Data\asd.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Graham Else\Application Data\asd.bat

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-27 09:37 . 2009-05-27 10:02 -------- d-s---w C:\Comy
2009-05-24 11:28 . 2009-05-24 11:28 -------- d-----w c:\program files\Trend Micro
2009-05-22 13:42 . 2009-05-22 14:46 -------- d-----w c:\documents and settings\Graham Else\DoctorWeb
2009-05-22 11:35 . 2004-08-04 12:00 10096640 -c--a-w c:\windows\system32\dllcache\hwxcht.dll
2009-05-20 16:39 . 2009-05-21 19:03 2707744 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-20 16:36 . 2009-05-21 19:03 288 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-20 13:39 . 2009-05-21 15:56 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-20 13:39 . 2009-05-21 15:56 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-20 13:38 . 2009-05-20 13:38 -------- d-----w c:\documents and settings\Graham Else\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 08:38 . 2005-12-24 11:03 -------- d-----w c:\documents and settings\Graham Else\Application Data\Skype
2009-05-28 08:37 . 2008-01-21 11:38 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-05-22 11:05 . 2009-02-12 16:13 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-21 19:03 . 2009-05-20 16:39 37340 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-21 19:03 . 2009-05-20 16:36 1100 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-19 15:30 . 2009-02-12 16:13 -------- d-----w c:\program files\Spyware Doctor
2009-05-09 09:32 . 2005-11-12 16:09 -------- d-----w c:\program files\FinePixViewer
2009-04-18 09:08 . 2009-02-19 13:42 -------- d-----w c:\program files\McAfee
2009-04-12 14:11 . 2009-04-12 14:11 -------- d-----w c:\program files\EZY-Software
2009-04-11 15:44 . 2009-04-11 15:44 -------- d-----w c:\documents and settings\Graham Else\Application Data\xpce
2009-04-11 15:38 . 2009-04-11 15:38 -------- d-----w c:\documents and settings\Graham Else\Application Data\SWI-Prolog
2009-04-11 15:35 . 2009-04-11 15:35 -------- d-----w c:\program files\pl
2009-04-11 15:08 . 2009-04-11 15:08 167 ----a-w C:\gprologvars.bat
2009-04-11 14:44 . 2009-04-11 14:44 5120 ----a-r c:\documents and settings\Graham Else\Application Data\Microsoft\Installer\{55CD2575-CD3C-40CC-A492-3BBBDE44D811}\Icon0F1F231E.exe
2009-04-11 14:44 . 2009-04-11 14:44 -------- d-----w c:\program files\Visual Prolog 7.2 PE
2009-03-25 10:06 . 2009-02-19 13:42 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 10:06 . 2009-02-19 13:42 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 10:06 . 2009-02-19 13:42 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 10:06 . 2009-01-09 12:03 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 10:05 . 2009-02-19 13:40 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-27_10.00.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-28 08:25 . 2009-05-28 08:25 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
+ 2003-01-01 16:49 . 2009-05-28 08:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-01-01 16:49 . 2009-05-27 09:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-01-01 16:49 . 2009-05-28 08:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2003-01-01 16:49 . 2009-05-27 09:25 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-11-24 20058152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-06-15 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Graham Else\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-12 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-10-22 303104]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-1-6 581632]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-1 111376]
Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [1997-8-1 333824]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-1 51984]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"wave2"= serwvdrv.dll
"wave3"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [01/08/2003 15:47 29239]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [01/09/2004 15:50 188416]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [03/08/2004 12:10 62976]
R3 DCamUSBVideoLogic;HomeC@m;c:\windows\system32\drivers\p35u.sys [19/11/2005 17:05 90144]
R3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\HSFHWCD2.sys [02/11/2006 16:30 201728]
R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [21/09/2006 17:48 109440]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/02/2009 17:13 356920]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [01/12/2005 15:59 224960]
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-19 10:53]

2009-02-19 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-19 10:53]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\program files\Common Files\Microsoft Shared\Stationery\Blank.htm
uStart Page = http://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 09:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1993962763-2147061141-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-05-28 9:39
ComboFix-quarantined-files.txt 2009-05-28 08:39
ComboFix2.txt 2009-05-27 10:02

Pre-Run: 74,613,829,632 bytes free
Post-Run: 74,600,456,192 bytes free

148 --- E O F --- 2009-05-14 09:03

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 28, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 28, 2009 10:15:15
Records in database: 2264096
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 71413
Threat name: 6
Infected objects: 15
Suspicious objects: 1
Duration of the scan: 01:07:05


File name / Threat name / Threats count
C:\Backup\i5 070823.bkf Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Graham Else\DoctorWeb\Quarantine\UACd67a.tmp Infected: Trojan.Win32.TDSS.aegg 1
C:\Documents and Settings\Graham Else\DoctorWeb\Quarantine\UACkaxiyiyxmoyxado.dll Infected: Trojan.Win32.TDSS.aegg 1
C:\Documents and Settings\Graham Else\DoctorWeb\Quarantine\UACvndchtvktpxmjds.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACjbvrgrrrulvbone.sys.vir Infected: Trojan.Win32.Agent.chwd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkaxiyiyxmoyxado.dll.vir Infected: Trojan.Win32.TDSS.aegg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpkltxbcpurrkljp.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqpodibkmlkgynbt.dll.vir Infected: Trojan.Win32.TDSS.adzw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvndchtvktpxmjds.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACynmyfkevitbdjnl.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{86D7B799-9C27-4B7D-A0B0-2E5E582D6199}\RP0\A0000001.sys Infected: Trojan.Win32.Agent.chwd 1
C:\System Volume Information\_restore{86D7B799-9C27-4B7D-A0B0-2E5E582D6199}\RP0\A0000002.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{86D7B799-9C27-4B7D-A0B0-2E5E582D6199}\RP0\A0000003.dll Infected: Trojan.Win32.TDSS.adzw 1
C:\System Volume Information\_restore{86D7B799-9C27-4B7D-A0B0-2E5E582D6199}\RP0\A0000004.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{86D7B799-9C27-4B7D-A0B0-2E5E582D6199}\RP0\A0000005.dll Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{86D7B799-9C27-4B7D-A0B0-2E5E582D6199}\RP0\A0000006.dll Infected: Trojan.Win32.TDSS.aegg 1

The selected area was scanned.
old bill
Regular Member
 
Posts: 218
Joined: May 23rd, 2009, 6:17 am

Re: IE hijacked and random music

Unread postby jmw3 » May 28th, 2009, 8:40 am

Hi old bill
Comofix log is clean & the items in the Kaspersky log are all either quarantined or old system restore points. These will all be taken care of during clean up.
An observation on this set of tests reveals a new Internet Explorer icon has appeared on my desktop.
Is this along with one that was already there? Combofix resets a lot of things to the system default so if an IE shortcut was not on your desktop then Combofix would have put it back. Delete the desktop shortcut if you like.
Speaking of IE, you should really consider updating to IE8 as the older versions are open to many vulnerabilities: http://www.microsoft.com/windows/Intern ... fault.aspx

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
OTC
Download OTC by Old Timer here & save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can delete the following from your desktop:
DDS.scr
Any logs that may have been saved to your desktop

You should also remove HijackThis. You can do this by clicking Start>Control Panel>Add or Remove Programs, highlight HijackThis 2.0.2 then click Remove
You can either keep or delete ATF-Cleaner. It's a handy tool for cleaning out temporary folders.

Any problems?
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: IE hijacked and random music

Unread postby old bill » May 28th, 2009, 11:21 am

All now seems to be in good working order.
A very professional job, many thanks JMW3.
Having found your approach fascinating and in order to show my appreciation I shall volunteer for training for the MWR University. Maybe in 5 years I will be as good as you!
old bill
Regular Member
 
Posts: 218
Joined: May 23rd, 2009, 6:17 am

Re: IE hijacked and random music

Unread postby jmw3 » May 28th, 2009, 4:36 pm

old bill wrote:All now seems to be in good working order.
A very professional job, many thanks JMW3.
Having found your approach fascinating and in order to show my appreciation I shall volunteer for training for the MWR University. Maybe in 5 years I will be as good as you!
Good to hear everything is back to normal. Glad I could help.
And it's always good to have one more volunteer. There is always more people requiring help than there is people to help. Believe it or not but I don't have an IT background & had very basic computer skills before signing up for this. So if I can do it anybody can... says a lot for the training here. Good luck with it :)

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can download it here & find a tutorial here.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: IE hijacked and random music

Unread postby NonSuch » May 29th, 2009, 11:39 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 612 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware