need help


Re: need help

Post by vict0r » November 24th, 2010, 3:45 pm

Hi.

I will have to get back to you on the problem with Kaspersky in my next post.

Please post:
the OTL log
the GMER log
and the DDS log
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: need help

Post by beanscool » November 27th, 2010, 7:08 am

OTL:
All processes killed
========== OTL ==========
Prefs.js: "GoogleFeed.net" removed from browser.search.selectedEngine
Prefs.js: "http://www.smartwebsearch.net/index.php?from=3" removed from browser.startup.homepage
Prefs.js: "http://www.veerboo.com/results.php?q=" removed from keyword.URL
========== COMMANDS ==========

[EMPTYTEMP]

User: Agnieszka Podolecka
->Temp folder emptied: 172488941 bytes
->Temporary Internet Files folder emptied: 52663573 bytes
->Java cache emptied: 1789002 bytes
->FireFox cache emptied: 113045711 bytes
->Google Chrome cache emptied: 9641373 bytes
->Flash cache emptied: 22956 bytes

User: All Users

User: Default User
->Temp folder emptied: 1597440 bytes
->Temporary Internet Files folder emptied: 65670 bytes

User: Guest
->Temp folder emptied: 2971903 bytes
->Temporary Internet Files folder emptied: 16766931 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 42477899 bytes
->Google Chrome cache emptied: 15622923 bytes
->Flash cache emptied: 1194 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 3316624 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4631648 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 28821342 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 121361523 bytes

Total Files Cleaned = 560.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 11212010_003141

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


DDS:

DDS (Ver_10-11-10.01) - NTFSx86
Run by Agnieszka Podolecka at 12:36:12.01 on 20/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.514 [GMT 0:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\samsung\SAB60E~1\SUPNOT~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Agnieszka Podolecka\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\sziebho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [SUPBackground] c:\program files\samsung\samsung update plus\SUPBackground.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube Download - c:\documents and settings\agnieszka podolecka\application data\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\agnieszka podolecka\application data\dvdvideosoftiehelpers\youtubetomp3.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\agnies~1\applic~1\mozilla\firefox\profiles\2dwfqpyr.default\
FF - prefs.js: browser.search.selectedEngine - GoogleFeed.net
FF - prefs.js: browser.startup.homepage - hxxp://www.smartwebsearch.net/index.php?from=3
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-31 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-31 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-31 40384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-30 55152]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-31 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-31 40384]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-10-21 117504]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-10-21 100992]
R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [2009-7-30 517504]
R3 VMC33F;Vimicro Camera Service VMC33F;c:\windows\system32\drivers\VMC33F.sys [2009-7-30 237952]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-16 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-30 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-7 533360]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2010-8-3 40060]

=============== Created Last 30 ================

2010-11-18 17:36:01 -------- d-----w- C:\_OTL
2010-11-17 16:34:06 -------- d-----w- c:\docume~1\agnies~1\applic~1\Malwarebytes
2010-11-17 16:33:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-17 16:33:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-17 16:33:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-17 16:33:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-14 15:11:32 388096 ----a-r- c:\docume~1\agnies~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-14 15:11:32 -------- d-----w- c:\program files\Trend Micro
2010-11-12 13:04:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-11-12 13:03:24 -------- d-----w- c:\program files\STOPzilla!
2010-11-12 13:03:23 -------- d-----w- c:\program files\common files\iS3
2010-11-12 13:03:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-11-11 17:36:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sports Interactive
2010-11-11 17:34:59 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2010-11-11 17:33:41 -------- d-----w- c:\windows\Logs
2010-11-11 17:29:38 -------- d--h--w- c:\program files\Zero G Registry
2010-11-11 17:29:38 -------- d-----w- c:\program files\Sports Interactive
2010-11-11 17:28:20 -------- d--h--w- c:\documents and settings\agnieszka podolecka\InstallAnywhere
2010-11-10 17:32:18 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-11-10 17:32:16 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-11-10 17:32:16 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-11-10 17:32:16 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-11-10 17:32:16 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-11-10 17:32:16 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-11-10 17:32:14 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-11-10 17:32:14 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-11-10 17:32:14 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-11-10 17:32:14 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-11-10 17:32:14 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-11-10 17:32:12 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-10-21 22:27:52 -------- d-sh--w- c:\documents and settings\agnieszka podolecka\IECompatCache
2010-10-21 17:26:25 861696 ----a-w- c:\windows\system32\drivers\mod7700.sys
2010-10-21 17:26:25 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-10-21 17:26:25 117504 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-10-21 17:26:25 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2010-10-21 17:26:25 105728 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-10-21 17:26:25 100992 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2010-10-21 17:26:13 -------- d-----w- c:\program files\WEB Partner

==================== Find3M ====================

2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

============= FINISH: 12:37:08.56 ===============


GMER:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-27 11:05:47
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HM160HI rev.HH100-06
Running: p6p4hhip.exe; Driver: C:\DOCUME~1\AGNIES~1\LOCALS~1\Temp\uwtdrpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xA9E55CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xA9E55BAC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xA9E56160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xA9E5608A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xA9E55782]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xA9E55C86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xA9E556C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xA9E55726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xA9E55DA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA9E5622E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xA9E55D66]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xA9E55EE6]
SSDT szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwTerminateProcess [0xF7620496]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA9E62BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xA9E629D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xA9E62B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056DA64 5 Bytes JMP A9E5FFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!NtCreateSection 8056DB66 7 Bytes JMP A9E629D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8059056D 7 Bytes JMP A9E62BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805AEDE2 7 Bytes JMP A9E62B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805E74E6 5 Bytes JMP A9E5E5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[164] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
beanscool
Active Member
 
Posts: 13
Joined: November 14th, 2010, 11:21 am
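The three logs above are read by eye on the forum; as an added example (not a MalwareRemoval.com tool and not code from OTL, DDS or GMER), here is a small Python triage script that parses lines in the shapes seen in the GMER and DDS output and flags the items a helper looks at first: disk sectors GMER marks as "rootkit-like behavior", SSDT/Code hooks owned by a module outside a trusted-vendor list, and Firefox prefs.js search/homepage keys pointing at a host outside a benign list. The trusted-vendor list (the avast! and STOPzilla drivers present on this machine), the benign-host list and the `xyzfake.sys` line in the sample are assumptions constructed for the example.

```python
"""Triage helper for pasted GMER / DDS log lines (added example, not a MalwareRemoval.com tool)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Line shapes modelled on the GMER and DDS logs posted in the thread.
SECTOR_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<num>\d+):\s*(?P<desc>.+)$")
HOOK_RE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
PREF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<key>\S+)\s+-\s+(?P<value>.+?)\s*$")

# Kernel-hook owners legitimately present on the machine in the thread (avast! and STOPzilla).
# Assumption: the analyst extends this per case; any other SSDT/Code hook owner is reviewed.
TRUSTED_VENDORS = ("AVAST Software", "iS3, Inc.")
# Firefox keys commonly rewritten by search redirectors; hosts treated as benign (assumption).
WATCHED_PREFS = {"browser.startup.homepage", "keyword.URL", "browser.search.selectedEngine"}
BENIGN_HOSTS = {"www.google.com", "google.com"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    category: str   # "disk", "hook" or "prefs"
    detail: str


def host_of(value: str) -> str:
    """Return the lowercase host of a (possibly defanged hxxp://) URL, or the bare value."""
    v = value.strip().lower()
    v = re.sub(r"^hxxps?://|^https?://", "", v)
    return v.split("/", 1)[0].split("?", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; returns a Finding only for something worth a second look."""
    m = SECTOR_RE.match(line)
    if m:
        if "rootkit-like behavior" in m.group("desc"):
            return Finding("high", "disk", f"{m.group('dev')} sector {m.group('num')}: {m.group('desc')}")
        return None
    m = HOOK_RE.match(line)
    if m:
        vendor = m.group("vendor")
        if not any(t in vendor for t in TRUSTED_VENDORS):
            return Finding("high", "hook",
                           f"{m.group('kind')} {m.group('func')} hooked by {m.group('module')} ({vendor})")
        return None
    m = PREF_RE.match(line)
    if m and m.group("key") in WATCHED_PREFS:
        host = host_of(m.group("value"))
        if host not in BENIGN_HOSTS:
            return Finding("medium", "prefs", f"{m.group('key')} points at {host}")
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a whole pasted log; blanks and section headers match nothing."""
    return [f for f in (triage_line(ln) for ln in lines) if f is not None]


# Sample input: lines copied from the thread's GMER and DDS output, plus one constructed
# SSDT line (xyzfake.sys is a placeholder, not a real driver) to exercise the untrusted-hook path.
SAMPLE_LOG = """\
---- Disk sectors - GMER 1.0.15 ----
Disk \\Device\\Harddisk0\\DR0 sector 01: copy of MBR
Disk \\Device\\Harddisk0\\DR0 sector 03: rootkit-like behavior; copy of MBR
Disk \\Device\\Harddisk0\\DR0 sector 63: rootkit-like behavior; copy of MBR
SSDT \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xA9E55CF0]
SSDT szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwTerminateProcess [0xF7620496]
SSDT xyzfake.sys (constructed sample) ZwOpenProcess [0x00000000]
Code \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
FF - prefs.js: browser.search.selectedEngine - GoogleFeed.net
FF - prefs.js: browser.startup.homepage - hxxp://www.smartwebsearch.net/index.php?from=3
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
uStart Page = hxxp://www.google.com/
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:5} {f.detail}")
```

On the sample it reports the two "rootkit-like" sectors, the constructed untrusted hook and the three redirected Firefox prefs, which are exactly the prefs.js values the OTL fix above removed.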

Re: need help

Post by vict0r » November 27th, 2010, 7:15 pm

Hi

Please try to do the instructions and reply to this topic once a day. If not, then we might not be able to fully clean your computer of malware.
I'd appreciate it if you notify me in advance if you know you will be unable to reply for more than a day. :)


Download ComboFix

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

Please download and save ComboFix to the desktop from one of the following links, do not run the tool yet:

Link1
Link2


Disable Avast

  • Right click on the avast! icon in the system tray and choose (Stop On-Access Protection)
  • Note: Don't forget to re-enable it after the fix.


Run ComboFix

Double click the ComboFix icon on the desktop to run the tool and click Yes to the disclaimer.

Please install the Recovery Console if prompted.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode. This allows us to more easily help you if your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Please include the ComboFix log (C:\ComboFix.txt) in your next reply for further review.


Please enable Avast after ComboFix is finished.

To post:
  • Combofix log
  • Did any problems occur while following the instructions?
  • Please give me an update to the performance of your computer. Are you still redirected after running Combofix?
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: need help

Post by beanscool » November 29th, 2010, 11:51 am

ComboFix 10-11-28.05 - Agnieszka Podolecka 29/11/2010 15:30:56.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.327 [GMT 0:00]
Running from: c:\documents and settings\Agnieszka Podolecka\My Documents\Pobieranie\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Agnieszka Podolecka\Application Data\.#
c:\windows\SEC
c:\windows\SEC\DelMt.cmd
c:\windows\SEC\JRE150.exe
c:\windows\SEC\Marker.exe
c:\windows\SEC\MEMIO.sys
c:\windows\SEC\MEMIO.vxd
c:\windows\SEC\MP10ENG.exe
c:\windows\SEC\Region.vbs
c:\windows\SEC\SECINSTALL.EXE
c:\windows\SEC\SECINSTALL.INI
c:\windows\SEC\StartMem.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-20 19:15 . 2010-11-29 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-11-18 17:36 . 2010-11-18 17:36 -------- d-----w- C:\_OTL
2010-11-18 17:33 . 2010-11-18 17:34 -------- d-----w- c:\program files\ERUNT
2010-11-17 17:02 . 2010-11-17 17:03 -------- d-----w- C:\rsit
2010-11-17 16:34 . 2010-11-17 16:34 -------- d-----w- c:\documents and settings\Agnieszka Podolecka\Application Data\Malwarebytes
2010-11-17 16:33 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-17 16:33 . 2010-11-17 16:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-17 16:33 . 2010-11-17 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-17 16:33 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 18:03 . 2010-11-16 18:03 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-11-16 18:03 . 2010-11-16 18:03 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-11-16 18:03 . 2010-11-16 18:03 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-11-16 18:03 . 2010-11-16 18:03 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-11-16 18:03 . 2010-11-16 18:03 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-11-16 18:03 . 2010-11-16 18:03 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-11-16 18:03 . 2010-11-16 18:03 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-11-16 18:03 . 2010-11-16 18:03 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-11-16 18:03 . 2010-11-16 18:03 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-11-16 18:03 . 2010-11-16 18:03 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-11-16 18:03 . 2010-11-16 18:03 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-11-16 18:03 . 2010-11-16 18:03 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-11-14 15:11 . 2010-11-17 17:03 -------- d-----w- c:\program files\Trend Micro
2010-11-14 15:11 . 2010-11-14 15:11 388096 ----a-r- c:\documents and settings\Agnieszka Podolecka\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-12 13:04 . 2010-11-12 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-11-12 13:03 . 2010-11-12 13:03 -------- d-----w- c:\program files\Common Files\iS3
2010-11-11 17:36 . 2010-11-11 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2010-11-11 17:34 . 2008-05-30 14:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2010-11-11 17:33 . 2010-11-11 20:22 -------- d-----w- c:\windows\Logs
2010-11-11 17:29 . 2010-11-11 17:33 -------- d--h--w- c:\program files\Zero G Registry
2010-11-11 17:29 . 2010-11-11 17:29 -------- d-----w- c:\program files\Sports Interactive
2010-11-11 17:28 . 2010-11-11 17:28 -------- d--h--w- c:\documents and settings\Agnieszka Podolecka\InstallAnywhere

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2009-07-30 21:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2009-07-30 21:55 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2009-07-30 21:55 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2009-07-30 21:55 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2009-07-30 21:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2009-07-30 21:55 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2009-07-30 21:55 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-07-31 18:41 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-07-31 18:29 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-07-31 18:29 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-07-31 18:29 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-07-31 18:29 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-07-31 18:29 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-07-31 18:29 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-07-31 18:29 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-07-31 18:29 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2009-07-30 21:55 285824 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2009-06-02 3153408]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"SUPBackground"="c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe" [2009-05-21 298664]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [07/12/2009 16:59 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [12/05/2010 17:01 59280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [31/07/2010 18:29 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [31/07/2010 18:29 17744]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [21/10/2010 17:26 117504]
R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [30/07/2009 22:37 517504]
R3 VMC33F;Vimicro Camera Service VMC33F;c:\windows\system32\drivers\VMC33F.sys [30/07/2009 22:37 237952]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [07/12/2009 16:59 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/08/2010 14:02 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [30/07/2009 22:35 1684736]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [21/10/2010 17:26 100992]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [03/08/2010 17:55 40060]
.
Contents of the 'Scheduled Tasks' folder

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 14:02]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 14:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube Download - c:\documents and settings\Agnieszka Podolecka\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Agnieszka Podolecka\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
FF - ProfilePath - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Extension: Illimitux: illimitux@illimitux.net - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\illimitux@illimitux.net
FF - Extension: Search Results Optimizator: search@helper - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
Notify-TPSvc - TPSvc.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 15:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-11-29 15:44:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-29 15:44

Pre-Run: 25,550,393,344 bytes free
Post-Run: 25,696,456,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - CAD8A23914AA3A15DDC35E40ACFAF864


There was no problem while following the instructions. The homepage doesn't redirect anymore, but there are still loads of other pages that still do.
beanscool
Active Member
 
Posts: 13
Joined: November 14th, 2010, 11:21 am

Re: need help

Unread postby vict0r » November 29th, 2010, 7:42 pm

Hi

Combofix is specifically designed to run directly from the desktop. You have to move it to the desktop before you continue with the Combofix instructions below.

Please navigate to c:\documents and settings\Agnieszka Podolecka\My Documents\Pobieranie\ and cut & paste ComboFix.exe to your desktop (or use drag & drop).


Disable Avast

  • Right click on the avast! icon in system tray (looks like this: Image) and choose (Stop On-Access Protection)
  • Note: Don't forget to re-enable it after the fix.


Combofix

Open notepad and copy/paste the text in the codebox below into it:

Code:
FIREFOX::
FF - prefs.js: browser.search.selectedEngine - 
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - Extension: Search Results Optimizator: search@helper - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper

Save the file as "CFScript.txt", and as Type: All Files (*.*) on your desktop.

Image

Refer to the picture above, then save all work and close all programs including any open browsers(!) and drag CFScript onto ComboFix.exe

If Combofix prompts you to upgrade, please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt.

Please check if you are still redirected in Firefox or not.


Kaspersky Online Scan

Make sure Avast is disabled and try the Kaspersky scan again. You will need to wait until all of the program is downloaded before the Settings button goes active. If it still does not work or download, then try the ESET instructions below instead.

Note: This download is about 200Mb and the scan can last for several hours.

  • Hold down Control then click on the following link to open a new window to Kaspersky Online Scan
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Make sure Avira Antivirus is disabled.
  • Click on My Computer under Scan. * This will take a while. Please be patient *.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

This online tutorial will help explain how to use the aforementioned online scan.


Run ESET online scanner.

If the Kaspersky online scan for some reason still does not work, then use the ESET online scanner instead:

If using Mozilla Firefox you will need to download "esetsmartinstaller_enu.exe" when prompted... then double click on it to install.

Please go to ESET Online Scanner to run an online scan.

    Press the "ESET Online Scanner" button.
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click "Start"... a window will open... it may appear nothing is happening... please be patient.
  3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  4. Click "Start". Make sure that the options:
    • Remove found threats is UNCHECKED
    • Leave the "default" settings under Advanced as they are; if not set, please check:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  5. Click "Start"... ESET scanner will begin to download the virus signatures database.
    When the signatures have been downloaded, the scan will start automatically.
  6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
  7. Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  8. Copy and paste the contents of log.txt in your next reply.

Make sure Avast is enabled when the online antivirus scan is finished.


Please post:
  • Are you still redirected in Firefox after the Combofix script?
  • Did any problems occur while following the instructions?
  • the Combofix log
  • the log from the online antivirus scan


Continue to reply to this thread until I tell you that the logs are clean! Absence of symptoms does not necessarily mean a clean computer!
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: need help

Unread postby beanscool » December 1st, 2010, 8:24 pm

Combofix log:
ComboFix 10-11-29.05 - Agnieszka Podolecka 30/11/2010 13:38:43.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.556 [GMT 0:00]
Running from: c:\documents and settings\Agnieszka Podolecka\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Agnieszka Podolecka\Desktop\CFScript.txt.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))
.

2010-11-20 19:15 . 2010-11-30 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-11-18 17:36 . 2010-11-18 17:36 -------- d-----w- C:\_OTL
2010-11-18 17:33 . 2010-11-18 17:34 -------- d-----w- c:\program files\ERUNT
2010-11-17 17:02 . 2010-11-17 17:03 -------- d-----w- C:\rsit
2010-11-17 16:34 . 2010-11-17 16:34 -------- d-----w- c:\documents and settings\Agnieszka Podolecka\Application Data\Malwarebytes
2010-11-17 16:33 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-17 16:33 . 2010-11-17 16:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-17 16:33 . 2010-11-17 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-17 16:33 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 18:03 . 2010-11-16 18:03 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-11-16 18:03 . 2010-11-16 18:03 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-11-16 18:03 . 2010-11-16 18:03 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-11-16 18:03 . 2010-11-16 18:03 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-11-16 18:03 . 2010-11-16 18:03 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-11-16 18:03 . 2010-11-16 18:03 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-11-16 18:03 . 2010-11-16 18:03 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-11-16 18:03 . 2010-11-16 18:03 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-11-16 18:03 . 2010-11-16 18:03 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-11-16 18:03 . 2010-11-16 18:03 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-11-16 18:03 . 2010-11-16 18:03 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-11-16 18:03 . 2010-11-16 18:03 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-11-14 15:11 . 2010-11-17 17:03 -------- d-----w- c:\program files\Trend Micro
2010-11-14 15:11 . 2010-11-14 15:11 388096 ----a-r- c:\documents and settings\Agnieszka Podolecka\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-12 13:04 . 2010-11-12 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-11-12 13:03 . 2010-11-12 13:03 -------- d-----w- c:\program files\Common Files\iS3
2010-11-11 17:36 . 2010-11-11 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2010-11-11 17:34 . 2008-05-30 14:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2010-11-11 17:33 . 2010-11-11 20:22 -------- d-----w- c:\windows\Logs
2010-11-11 17:29 . 2010-11-11 17:33 -------- d--h--w- c:\program files\Zero G Registry
2010-11-11 17:29 . 2010-11-11 17:29 -------- d-----w- c:\program files\Sports Interactive
2010-11-11 17:28 . 2010-11-11 17:28 -------- d--h--w- c:\documents and settings\Agnieszka Podolecka\InstallAnywhere

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2009-07-30 21:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2009-07-30 21:55 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2009-07-30 21:55 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2009-07-30 21:55 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2009-07-30 21:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2009-07-30 21:55 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2009-07-30 21:55 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-07-31 18:41 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-07-31 18:29 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-07-31 18:29 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-07-31 18:29 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-07-31 18:29 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-07-31 18:29 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-07-31 18:29 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-07-31 18:29 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-07-31 18:29 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-11-29_15.40.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-30 13:24 . 2010-11-30 13:24 16384 c:\windows\Temp\Perflib_Perfdata_378.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2009-06-02 3153408]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"SUPBackground"="c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe" [2009-05-21 298664]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [07/12/2009 16:59 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [12/05/2010 17:01 59280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [31/07/2010 18:29 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [31/07/2010 18:29 17744]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [21/10/2010 17:26 117504]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [21/10/2010 17:26 100992]
R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [30/07/2009 22:37 517504]
R3 VMC33F;Vimicro Camera Service VMC33F;c:\windows\system32\drivers\VMC33F.sys [30/07/2009 22:37 237952]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [07/12/2009 16:59 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/08/2010 14:02 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [30/07/2009 22:35 1684736]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [03/08/2010 17:55 40060]
.
Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 14:02]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 14:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube Download - c:\documents and settings\Agnieszka Podolecka\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Agnieszka Podolecka\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
FF - ProfilePath - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Extension: Illimitux: illimitux@illimitux.net - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\illimitux@illimitux.net
FF - Extension: Search Results Optimizator: search@helper - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2680)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-11-30 13:47:11
ComboFix-quarantined-files.txt 2010-11-30 13:47
ComboFix2.txt 2010-11-29 15:44

Pre-Run: 25,587,183,616 bytes free
Post-Run: 25,583,472,640 bytes free

- - End Of File - - 9B71C33E75937E27CB03754F08C9013B


ESET:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e69b3fbbb147d142a2ef7860d951a76d
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-02 12:17:48
# local_time=2010-12-02 12:17:48 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1236843 1236843 0 0
# compatibility_mode=768 16777215 100 0 10645667 10645667 0 0
# compatibility_mode=8192 67108863 100 0 4389 4389 0 0
# scanned=53833
# found=6
# cleaned=0
# scan_time=2441
C:\Documents and Settings\Agnieszka Podolecka\My Documents\My Music\ALBUMS\Setup.exe Win32/Adware.180Solutions application 00000000000000000000000000000000 I
C:\Documents and Settings\Agnieszka Podolecka\My Documents\Pobieranie\XvidSetup.exe a variant of Win32/Adware.HotBar.G application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{13BA614D-CBA4-46B3-A807-F0A7CC52B6ED}\RP76\A0013327.exe Win32/Adware.FlvDirect.AB.Gen application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{13BA614D-CBA4-46B3-A807-F0A7CC52B6ED}\RP77\A0013334.exe a variant of Win32/Adware.OneStep.L application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{13BA614D-CBA4-46B3-A807-F0A7CC52B6ED}\RP81\A0013592.exe a variant of Win32/Adware.OneStep.P application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{13BA614D-CBA4-46B3-A807-F0A7CC52B6ED}\RP85\A0013698.dll a variant of Win32/Adware.OneStep.M application 00000000000000000000000000000000 I
beanscool
Active Member
 
Posts: 13
Joined: November 14th, 2010, 11:21 am

Re: need help

Unread postby vict0r » December 2nd, 2010, 8:23 pm

I'm sorry for the delay. I haven't forgotten your topic and will post my next set of instructions as soon as possible.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: need help

Unread postby vict0r » December 3rd, 2010, 9:05 am

Hi


It seems the last fix didn't solve the problem. :(

Please try the following:


Disable Firefox add-ons

In Firefox, click the Tools menu and then Add-ons. Click on the Extensions-section and disable all add-ons listed, then click the Plugins-Section and disable all plugins listed. Please tell me if any add-ons or plugins are impossible to disable.


Disable Avast

  • Right click on the avast! icon in system tray (looks like this: Image) and choose (Stop On-Access Protection)
  • Note: Don't forget to re-enable it after the fix.


Combofix

Open notepad and copy/paste the text in the codebox below into it:

Code:
FIREFOX::
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - Extension: Illimitux: illimitux@illimitux.net - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\illimitux@illimitux.net
FF - Extension: Search Results Optimizator: search@helper - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper
FILE::
C:\Documents and Settings\Agnieszka Podolecka\My Documents\My Music\ALBUMS\Setup.exe
C:\Documents and Settings\Agnieszka Podolecka\My Documents\Pobieranie\XvidSetup.exe

Save the file as "CFScript.txt", and as Type: All Files (*.*) on your desktop.

Image

Refer to the picture above, then save all work and close all programs including any open browsers(!) and drag CFScript onto ComboFix.exe

If Combofix prompts you to upgrade, please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt.

Enable Avast and verify whether you are still redirected in Firefox or not after Combofix is finished.


Please post:
  • Don't forget to tell me if you are still redirected in Firefox after the Combofix script.
  • the Combofix log
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm
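The step vict0r takes between the two posts above is a small triage: the ESET log reports six hits with `cleaned=0`, four of them are copies inside System Restore snapshots (`\System Volume Information\_restore...`), and only the two files in the user's own folders go into the `FILE::` section of the CFScript. The script below reproduces that triage over the posted log format. It is an added example written for this thread, not code from the forum, from ESET or from ComboFix; it assumes the layout visible in beanscool's post (`# key=value` header lines, then one detection per line as `<path> <threat name> <object type> <32-hex hash> <flag>`), and the sample text is constructed from the lines of that log.

```python
"""Triage an ESET Online Scanner log of the kind posted in this thread.

Added example: not part of the forum thread, of ESET's tooling or of ComboFix.
Assumed layout (taken from the posted log): '# key=value' header lines, then
one detection per line shaped as
    <path> <threat name> <object type> <32-hex hash> <flag>
SAMPLE_LOG below is constructed from lines of the posted log.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=false
# archives_checked=false
# scanned=53833
# found=6
# cleaned=0
# scan_time=2441
C:\\Documents and Settings\\Agnieszka Podolecka\\My Documents\\My Music\\ALBUMS\\Setup.exe Win32/Adware.180Solutions application 00000000000000000000000000000000 I
C:\\Documents and Settings\\Agnieszka Podolecka\\My Documents\\Pobieranie\\XvidSetup.exe a variant of Win32/Adware.HotBar.G application 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{13BA614D-CBA4-46B3-A807-F0A7CC52B6ED}\\RP76\\A0013327.exe Win32/Adware.FlvDirect.AB.Gen application 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{13BA614D-CBA4-46B3-A807-F0A7CC52B6ED}\\RP77\\A0013334.exe a variant of Win32/Adware.OneStep.L application 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{13BA614D-CBA4-46B3-A807-F0A7CC52B6ED}\\RP81\\A0013592.exe a variant of Win32/Adware.OneStep.P application 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{13BA614D-CBA4-46B3-A807-F0A7CC52B6ED}\\RP85\\A0013698.dll a variant of Win32/Adware.OneStep.M application 00000000000000000000000000000000 I
"""

# The path ends at the first "<name>.<ext> " (no dots are assumed in directory
# names); the threat name may contain spaces ("a variant of ..."), so it is
# bounded from the right by the fixed-width hash column and the flag.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.\w+) "
    r"(?P<threat>.+?) (?P<kind>\S+) (?P<digest>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    kind: str
    digest: str
    flag: str

    @property
    def in_restore_point(self) -> bool:
        # System Restore keeps its snapshot copies under this folder.
        return "\\system volume information\\_restore" in self.path.lower()


def parse_eset_log(text):
    """Return (header dict, list of Detection). Unrecognised lines are skipped."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                header[key.strip()] = value.strip()  # last value wins for repeats
            continue
        match = DETECTION_RE.match(line)
        if match:
            detections.append(Detection(**match.groupdict()))
    return header, detections


def header_int(header, key, default=0):
    try:
        return int(header.get(key, default))
    except ValueError:
        return default


def triage(header, detections):
    """Split hits into live files vs. restore-point copies; sanity-check the header."""
    live = [d for d in detections if not d.in_restore_point]
    restore = [d for d in detections if d.in_restore_point]
    warnings = []
    found = header_int(header, "found")
    if found != len(detections):
        warnings.append(f"header says found={found} but {len(detections)} detection lines parsed")
    if detections and header.get("remove_checked") == "false" and header_int(header, "cleaned") == 0:
        warnings.append("scan ran report-only (remove_checked=false): every hit is still on disk")
    if detections and all(set(d.digest) == {"0"} for d in detections):
        warnings.append("hash column is all zeros; it cannot be used as an indicator")
    return live, restore, warnings


def cfscript_file_section(live):
    """Build a FILE:: block listing only the live hits, as in the post above."""
    return "FILE::\n" + "\n".join(d.path for d in live) + "\n"


if __name__ == "__main__":
    hdr, hits = parse_eset_log(SAMPLE_LOG)
    live, restore, warns = triage(hdr, hits)
    for w in warns:
        print("WARNING:", w)
    print(f"{len(live)} live file(s), {len(restore)} restore-point copy(ies)")
    print(cfscript_file_section(live))
```

Restore-point copies are kept separate rather than listed for deletion because they are inert snapshot data; the usual handling, as this thread does later for the user's own files, is to deal with the live files first and let the restore points be flushed afterwards.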

Re: need help

Unread postby beanscool » December 3rd, 2010, 11:29 pm

ComboFix 10-12-03.01 - Agnieszka Podolecka 04/12/2010 3:09.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.462 [GMT 0:00]
Running from: c:\documents and settings\Agnieszka Podolecka\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Agnieszka Podolecka\Desktop\CFScript.txt.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"c:\documents and settings\Agnieszka Podolecka\My Documents\My Music\ALBUMS\Setup.exe"
"c:\documents and settings\Agnieszka Podolecka\My Documents\Pobieranie\XvidSetup.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Agnieszka Podolecka\My Documents\My Music\ALBUMS\Setup.exe
c:\documents and settings\Agnieszka Podolecka\My Documents\Pobieranie\XvidSetup.exe

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys

.
((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
.

2010-12-04 03:08 . 2010-12-04 03:08 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-12-01 23:24 . 2010-12-01 23:24 -------- d-----w- c:\program files\ESET
2010-11-20 19:15 . 2010-12-04 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-11-18 17:36 . 2010-11-18 17:36 -------- d-----w- C:\_OTL
2010-11-18 17:33 . 2010-11-18 17:34 -------- d-----w- c:\program files\ERUNT
2010-11-17 17:02 . 2010-11-17 17:03 -------- d-----w- C:\rsit
2010-11-17 16:34 . 2010-11-17 16:34 -------- d-----w- c:\documents and settings\Agnieszka Podolecka\Application Data\Malwarebytes
2010-11-17 16:33 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-17 16:33 . 2010-11-17 16:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-17 16:33 . 2010-11-17 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-17 16:33 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 18:03 . 2010-11-16 18:03 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-11-16 18:03 . 2010-11-16 18:03 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-11-16 18:03 . 2010-11-16 18:03 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-11-16 18:03 . 2010-11-16 18:03 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-11-16 18:03 . 2010-11-16 18:03 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-11-16 18:03 . 2010-11-16 18:03 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-11-16 18:03 . 2010-11-16 18:03 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-11-16 18:03 . 2010-11-16 18:03 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-11-16 18:03 . 2010-11-16 18:03 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-11-16 18:03 . 2010-11-16 18:03 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-11-16 18:03 . 2010-11-16 18:03 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-11-16 18:03 . 2010-11-16 18:03 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-11-14 15:11 . 2010-11-17 17:03 -------- d-----w- c:\program files\Trend Micro
2010-11-14 15:11 . 2010-11-14 15:11 388096 ----a-r- c:\documents and settings\Agnieszka Podolecka\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-12 13:04 . 2010-11-12 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-11-12 13:03 . 2010-11-12 13:03 -------- d-----w- c:\program files\Common Files\iS3
2010-11-11 17:36 . 2010-11-11 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2010-11-11 17:34 . 2008-05-30 14:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2010-11-11 17:33 . 2010-11-11 20:22 -------- d-----w- c:\windows\Logs
2010-11-11 17:29 . 2010-11-11 17:33 -------- d--h--w- c:\program files\Zero G Registry
2010-11-11 17:29 . 2010-11-11 17:29 -------- d-----w- c:\program files\Sports Interactive
2010-11-11 17:28 . 2010-11-11 17:28 -------- d--h--w- c:\documents and settings\Agnieszka Podolecka\InstallAnywhere

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2009-07-30 21:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2009-07-30 21:55 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2009-07-30 21:55 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2009-07-30 21:55 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2009-07-30 21:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2009-07-30 21:55 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2009-07-30 21:55 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-07-31 18:41 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-07-31 18:29 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-07-31 18:29 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-07-31 18:29 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-07-31 18:29 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-07-31 18:29 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-07-31 18:29 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-07-31 18:29 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-07-31 18:29 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-11-29_15.40.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-04 03:18 . 2010-12-04 03:18 16384 c:\windows\Temp\Perflib_Perfdata_380.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2009-06-02 3153408]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"SUPBackground"="c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe" [2009-05-21 298664]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [07/12/2009 16:59 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [12/05/2010 17:01 59280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [31/07/2010 18:29 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [31/07/2010 18:29 17744]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [21/10/2010 17:26 117504]
R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [30/07/2009 22:37 517504]
R3 VMC33F;Vimicro Camera Service VMC33F;c:\windows\system32\drivers\VMC33F.sys [30/07/2009 22:37 237952]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [07/12/2009 16:59 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/08/2010 14:02 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [30/07/2009 22:35 1684736]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [21/10/2010 17:26 100992]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [03/08/2010 17:55 40060]
.
Contents of the 'Scheduled Tasks' folder

2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 14:02]

2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 14:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube Download - c:\documents and settings\Agnieszka Podolecka\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Agnieszka Podolecka\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
FF - ProfilePath - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-04 03:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-04 03:23:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-04 03:23
ComboFix2.txt 2010-11-30 13:47
ComboFix3.txt 2010-11-29 15:44

Pre-Run: 24,795,721,728 bytes free
Post-Run: 24,915,570,688 bytes free

- - End Of File - - 52C3E963D625610CEEC656220D6CC834

I tried the websites that never let me in and always redirected, and none of them did. :) It seems to be fixed, or at least it looks like that? How does the log look?



*OK, it's a day later and it seems that some of the pages still redirect, very rarely... I have to say, though, it's not as often as it used to be, because I used to not be able to go on Hotmail or Facebook without being redirected.
beanscool
Active Member
 
Posts: 13
Joined: November 14th, 2010, 11:21 am

Re: need help

Unread postby vict0r » December 4th, 2010, 9:46 pm

beanscool wrote: *OK, it's a day later and it seems that some of the pages still redirect, very rarely... I have to say, though, it's not as often as it used to be, because I used to not be able to go on Hotmail or Facebook without being redirected.
Hi.

It's an improvement that the redirection was absent for some time and is now not as aggressive as before. :thumbright:

I'm sorry for the delay. I will post new instructions as soon as possible. I am confident that we are able to solve this problem.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: need help

Unread postby vict0r » December 5th, 2010, 4:46 pm

Hi

Please try the following; if it does not work, we will have to work around the problem instead of fixing it.


Disable Avast

  • Right-click on the avast! icon in the system tray and choose Stop On-Access Protection.
  • Note: Don't forget to re-enable it after the fix.


Combofix

Open notepad and copy/paste the text in the codebox below into it:

Code:
KillAll::
Firefox::
FF - ProfilePath - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - Extension: Search Results Optimizator: search@helper - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper
Folder::
c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper

Save the file as "CFScript.txt" on your desktop, with Save as type: All Files (*.*).

[image]

Refer to the picture above, then save all work, close all programs including any open browsers (!), and drag CFScript.txt onto ComboFix.exe.

If Combofix prompts you to upgrade, please allow it.

When finished, it will produce a log for you at C:\ComboFix.txt.

After ComboFix has finished, re-enable Avast.


Please post:
  • an update on the status of the redirection in Firefox
  • the ComboFix log and this log: C:\Qoobox\ComboFix-quarantined files
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm
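The CFScript above removes two things: the rewritten Firefox search preferences (keyword.URL, browser.search.selectedEngine) and the SearchHelper extension folder. The Python script below is an added example, not code from the original thread, ComboFix or OTL; it shows how to check a Firefox profile for the same indicators before or after such a fix, by parsing prefs.js and reading each extension's install.rdf. The trusted hosts, stock engine names and the list of expected extension ids are assumptions for the example, and the profile it audits is constructed inline from the values seen in the thread's logs so that it runs offline.

```python
"""Audit a Firefox profile for the search-hijack indicators the CFScript targets.
Added example; not code from the original thread, ComboFix or OTL."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Real Firefox pref names that search hijackers rewrite (all three were reset in the logs).
WATCHED_PREFS = {"keyword.URL", "browser.startup.homepage", "browser.search.selectedEngine"}
# Assumptions for the example: hosts/engine names the admin trusts, and extension
# ids expected in this profile (the legitimate ones listed in the ComboFix log).
TRUSTED_HOSTS = {"www.google.com", "google.com", "www.bing.com"}
STOCK_ENGINES = {"Google", "Bing", "Yahoo"}
KNOWN_EXTENSIONS = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}",   # default theme
                    "{20a82645-c095-46ed-80e3-08825760534b}",   # .NET Framework Assistant
                    "jqs@sun.com"}                              # Java Quick Starter
# Matches user_pref("name", "string value"); numeric/boolean prefs are skipped.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')
NS = {"em": "http://www.mozilla.org/2004/em-rdf#",
      "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#"}

def parse_prefs(prefs_js_text):
    """Return {pref_name: value} for the string prefs in a prefs.js file."""
    return {m.group(1): m.group(2).replace('\\"', '"') for m in PREF_RE.finditer(prefs_js_text)}

def suspicious_prefs(prefs):
    """Flag watched prefs that point at an untrusted host (URL prefs) or engine name."""
    findings = []
    for name in WATCHED_PREFS.intersection(prefs):
        value = prefs[name]
        if value.startswith("about:"):
            continue  # built-in pages such as about:home
        if "://" in value:
            # keyword.URL = http://www.veerboo.com/results.php?q= routes every
            # address-bar search through the hijacker's server.
            if (urlparse(value).hostname or "").lower() not in TRUSTED_HOSTS:
                findings.append((name, value))
        elif value not in STOCK_ENGINES:
            findings.append((name, value))
    return sorted(findings)

def parse_install_rdf(path):
    """Extract (id, name) from a legacy install.rdf add-on manifest."""
    desc = ET.parse(path).getroot().find("rdf:Description", NS)
    if desc is None:
        return "", ""
    return (desc.findtext("em:id", default="", namespaces=NS),
            desc.findtext("em:name", default="", namespaces=NS))

def audit_extensions(ext_dir):
    """Report extension folders that are unexpected or that ship a native DLL."""
    findings = []
    for entry in sorted(os.listdir(ext_dir)):
        path = os.path.join(ext_dir, entry)
        if not os.path.isdir(path):
            continue
        rdf = os.path.join(path, "install.rdf")
        ext_id, name = parse_install_rdf(rdf) if os.path.exists(rdf) else ("", "")
        dlls = [f for f in os.listdir(path) if f.lower().endswith(".dll")]
        if (ext_id or entry) not in KNOWN_EXTENSIONS or dlls:
            findings.append({"folder": entry, "id": ext_id, "name": name, "dlls": dlls})
    return findings

def audit_profile(profile_dir):
    """Run both checks against one Firefox profile directory (the ProfilePath in the log)."""
    with open(os.path.join(profile_dir, "prefs.js"), encoding="utf-8") as f:
        prefs = parse_prefs(f.read())
    return {"prefs": suspicious_prefs(prefs),
            "extensions": audit_extensions(os.path.join(profile_dir, "extensions"))}

# Constructed sample profile, using the values that appear in the thread's logs.
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.smartwebsearch.net/index.php?from=3");
user_pref("keyword.URL", "http://www.veerboo.com/results.php?q=");
user_pref("browser.search.selectedEngine", "GoogleFeed.net");
user_pref("network.cookie.cookieBehavior", 1);
"""
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>search@helper</em:id>
    <em:name>Search Results Optimizator</em:name>
  </Description>
</RDF>
"""

def build_sample_profile(base):
    """Write prefs.js, the hijacker extension and one legitimate extension folder."""
    bad = os.path.join(base, "extensions", "SearchHelper")
    os.makedirs(bad)
    os.makedirs(os.path.join(base, "extensions", "jqs@sun.com"))
    with open(os.path.join(base, "prefs.js"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_PREFS_JS)
    with open(os.path.join(bad, "install.rdf"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_INSTALL_RDF)
    with open(os.path.join(bad, "SearchBHO.dll"), "wb") as f:
        f.write(b"MZ")  # placeholder bytes; only the file name matters to the audit
    return base

def run_sample_audit():
    """Build the constructed profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_sample_profile(tmp))

if __name__ == "__main__":
    print(run_sample_audit())
```

Against the constructed profile it reports the three rewritten prefs and the SearchHelper folder (id search@helper, carrying SearchBHO.dll), which is exactly what the CFScript deletes. On a real machine, call audit_profile() with the ProfilePath printed in the ComboFix log; an extension folder that ships a native DLL deserves a look even when its id looks familiar, since the id is whatever the author wrote into install.rdf.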

Re: need help

Unread postby beanscool » December 6th, 2010, 7:50 pm

So far it's not redirecting. I'll let you know what will happen tomorrow.

Here's the log:
ComboFix 10-12-04.06 - Agnieszka Podolecka 06/12/2010 23:35:48.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.608 [GMT 0:00]
Running from: c:\documents and settings\Agnieszka Podolecka\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Agnieszka Podolecka\Desktop\CFScript.txt.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper
c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper\chrome.manifest
c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper\content\firefoxOverlay.xul
c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper\content\overlay.js
c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper\install.rdf
c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper\SearchBHO.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-06 to 2010-12-06 )))))))))))))))))))))))))))))))
.

2010-12-06 23:34 . 2010-12-06 23:34 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-12-01 23:24 . 2010-12-01 23:24 -------- d-----w- c:\program files\ESET
2010-11-20 19:15 . 2010-12-06 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-11-18 17:36 . 2010-11-18 17:36 -------- d-----w- C:\_OTL
2010-11-18 17:33 . 2010-11-18 17:34 -------- d-----w- c:\program files\ERUNT
2010-11-17 17:02 . 2010-11-17 17:03 -------- d-----w- C:\rsit
2010-11-17 16:34 . 2010-11-17 16:34 -------- d-----w- c:\documents and settings\Agnieszka Podolecka\Application Data\Malwarebytes
2010-11-17 16:33 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-17 16:33 . 2010-11-17 16:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-17 16:33 . 2010-11-17 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-17 16:33 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 18:03 . 2010-11-16 18:03 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-11-16 18:03 . 2010-11-16 18:03 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-11-16 18:03 . 2010-11-16 18:03 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-11-16 18:03 . 2010-11-16 18:03 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-11-16 18:03 . 2010-11-16 18:03 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-11-16 18:03 . 2010-11-16 18:03 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-11-16 18:03 . 2010-11-16 18:03 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-11-16 18:03 . 2010-11-16 18:03 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-11-16 18:03 . 2010-11-16 18:03 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-11-16 18:03 . 2010-11-16 18:03 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-11-16 18:03 . 2010-11-16 18:03 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-11-16 18:03 . 2010-11-16 18:03 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-11-14 15:11 . 2010-11-17 17:03 -------- d-----w- c:\program files\Trend Micro
2010-11-14 15:11 . 2010-11-14 15:11 388096 ----a-r- c:\documents and settings\Agnieszka Podolecka\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-12 13:04 . 2010-11-12 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-11-12 13:03 . 2010-11-12 13:03 -------- d-----w- c:\program files\Common Files\iS3
2010-11-11 17:36 . 2010-11-11 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2010-11-11 17:34 . 2008-05-30 14:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2010-11-11 17:33 . 2010-11-11 20:22 -------- d-----w- c:\windows\Logs
2010-11-11 17:29 . 2010-11-11 17:33 -------- d--h--w- c:\program files\Zero G Registry
2010-11-11 17:29 . 2010-11-11 17:29 -------- d-----w- c:\program files\Sports Interactive
2010-11-11 17:28 . 2010-11-11 17:28 -------- d--h--w- c:\documents and settings\Agnieszka Podolecka\InstallAnywhere

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2009-07-30 21:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2009-07-30 21:55 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2009-07-30 21:55 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2009-07-30 21:55 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2009-07-30 21:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2009-07-30 21:55 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2009-07-30 21:55 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
.

((((((((((((((((((((((((((((( SnapShot@2010-11-29_15.40.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-06 23:43 . 2010-12-06 23:43 16384 c:\windows\temp\Perflib_Perfdata_390.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2009-06-02 3153408]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"SUPBackground"="c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe" [2009-05-21 298664]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [07/12/2009 16:59 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [12/05/2010 17:01 59280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [31/07/2010 18:29 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [31/07/2010 18:29 17744]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [21/10/2010 17:26 117504]
R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [30/07/2009 22:37 517504]
R3 VMC33F;Vimicro Camera Service VMC33F;c:\windows\system32\drivers\VMC33F.sys [30/07/2009 22:37 237952]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [07/12/2009 16:59 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/08/2010 14:02 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [30/07/2009 22:35 1684736]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [21/10/2010 17:26 100992]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [03/08/2010 17:55 40060]
.
Contents of the 'Scheduled Tasks' folder

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 14:02]

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 14:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube Download - c:\documents and settings\Agnieszka Podolecka\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Agnieszka Podolecka\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
FF - ProfilePath - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Extension: Illimitux: illimitux@illimitux.net - c:\documents and settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\illimitux@illimitux.net
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-06 23:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-06 23:47:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-06 23:47
ComboFix2.txt 2010-12-04 03:23
ComboFix3.txt 2010-11-30 13:47
ComboFix4.txt 2010-11-29 15:44

Pre-Run: 25,305,071,616 bytes free
Post-Run: 25,341,140,992 bytes free

- - End Of File - - CD2EA2A7CF8EDB38A1F32D428FC46A47
beanscool
Active Member
 
Posts: 13
Joined: November 14th, 2010, 11:21 am

Re: need help

Unread postby vict0r » December 7th, 2010, 5:37 pm

Hi

Please post the contents of this file along with your update on the redirection issue: C:\Qoobox\ComboFix-quarantined-files.txt

I'd appreciate it if you could post this information within 24 hours.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: need help

Unread postby beanscool » December 8th, 2010, 9:11 am

2010-11-30 13:38:37 . 2010-12-06 23:35:41 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2010-11-29 15:43:11 . 2010-11-29 15:43:11 484 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-TPSvc.reg.dat
2010-11-29 15:42:53 . 2010-11-29 15:42:53 152 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SunJavaUpdateSched.reg.dat
2010-11-29 15:34:38 . 2010-11-29 15:34:38 276 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2010-11-29 15:34:27 . 2010-12-06 23:39:41 9,967 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-11-29 15:24:21 . 2010-12-06 23:32:50 357 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-08-25 22:14:17 . 2010-10-27 09:53:58 669 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper\install.rdf.vir
2010-08-25 22:14:17 . 2010-10-27 09:53:58 111,616 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper\SearchBHO.dll.vir
2010-08-25 22:14:17 . 2010-10-27 09:53:58 353 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper\content\firefoxOverlay.xul.vir
2010-08-25 22:14:17 . 2010-10-27 09:53:58 1,989 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper\content\overlay.js.vir
2010-08-25 22:14:17 . 2010-10-27 09:53:58 192 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Agnieszka Podolecka\Application Data\Mozilla\Firefox\Profiles\2dwfqpyr.default\extensions\SearchHelper\chrome.manifest.vir
2010-08-16 20:49:23 . 2010-08-16 20:49:24 201,544 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Agnieszka Podolecka\My Documents\Pobieranie\XvidSetup.exe.vir
2009-07-30 21:55:57 . 2005-10-27 04:18:06 24,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SEC\StartMem.exe.vir
2009-07-30 21:55:57 . 2008-08-28 08:29:11 1,490 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SEC\SECINSTALL.INI.vir
2009-07-30 21:55:57 . 2004-11-19 04:37:22 28,672 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SEC\SECINSTALL.EXE.vir
2009-07-30 21:55:57 . 2005-03-10 21:33:00 1,718 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SEC\Region.vbs.vir
2009-07-30 21:55:55 . 2004-08-11 23:52:46 12,652,784 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SEC\MP10ENG.exe.vir
2009-07-30 21:55:53 . 2005-10-27 04:18:05 6,803 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SEC\MEMIO.vxd.vir
2009-07-30 21:55:52 . 2005-10-27 04:18:05 4,300 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SEC\MEMIO.sys.vir
2009-07-30 21:55:52 . 2005-10-27 04:18:05 24,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SEC\Marker.exe.vir
2009-07-30 21:55:51 . 2004-11-03 21:15:00 14,989,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SEC\JRE150.exe.vir
2009-07-30 21:55:51 . 2006-04-05 08:56:57 93 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SEC\DelMt.cmd.vir
2009-07-30 21:55:24 . 2008-04-14 12:00:00 574,976 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ntfs.sys.vir
2008-10-04 16:42:13 . 2008-10-04 16:42:11 334,088 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Agnieszka Podolecka\My Documents\My Music\ALBUMS\Setup.exe.vir


So far it hasn't redirected once. :) :) Is my computer fixed?
beanscool
Active Member
 
Posts: 13
Joined: November 14th, 2010, 11:21 am

Re: need help

Unread postby vict0r » December 9th, 2010, 9:17 am

I'm sorry for the delay again. I will post as soon as possible. :oops:
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm