View Full Version : Redirect problem
Jaylegger
2010-09-08, 22:17
Hello, I've been hit with something which keeps redirecting searches to seemingly arbitrary sites and it also prevents Spybot from opening in the normal manner. I have to go into program files to open.
Here's the DDS file: Any help is greatly appreciated.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 16:06:07.29 on Wed
09/08/2010
Internet Explorer: 8.0.6001.18702
BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition
5.1.2600.3.1252.1.1033.18.2038.1243 [GMT
-3:00]
============== Running Processes
===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows
Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k
WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows
Defender\MSASCui.exe
C:\WINDOWS\system32\M-AudioTaskBarIcon.exe
C:\Program Files\Common Files\Java\Java
Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
C:\Program Files\Sony\Sony Picture
Utility\PMBCore\SPUVolumeWatcher.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k
HTTPFilter
C:\Program Files\Mozilla
Firefox\firefox.exe
C:\Program Files\Spybot - Search &
Destroy\KDGVVMNQD.scr
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\My
Documents\Downloads\dds.scr
============== Pseudo HJT Report
===============
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Spybot-S&D IE Protection:
{53707962-6f74-2d53-2644-206d7942484f} -
c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper:
{dbc80044-a445-435b-bc74-9c25c1c588a9} -
c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class:
{e7e6f031-17ce-4c07-bc86-eabfe594f69c} -
c:\program
files\java\jre6\lib\deploy\jqs\ie\jqs_plugi
n.dll
TB: &Yahoo! Toolbar:
{ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {D4027C7F-154A-4066-A1AD-4243D8127440}
- No File
uRun: [ctfmon.exe]
c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program
files\spybot - search &
destroy\TeaTimer.exe
mRun: [Adobe Reader Speed Launcher]
"c:\program files\adobe\reader
8.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program
files\windows defender\MSASCui.exe" -hide
mRun: [M-Audio Taskbar Icon]
c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program
files\common files\java\java
update\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder:
c:\docume~1\owner\startm~1\programs\startup
\erunta~1.lnk - c:\program
files\erunt\AUTOBACK.EXE
StartupFolder:
c:\docume~1\owner\startm~1\programs\startup
\pmbmed~1.lnk - c:\program files\sony\sony
picture
utility\pmbcore\SPUVolumeWatcher.exe
IE: Google Sidewiki... - c:\program
files\google\google
toolbar\component\GoogleToolbarDynamic_mui_
en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583}
- %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
- c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}
- {53707962-6F74-2D53-2644-206D7942484F} -
c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi (http://www.msi)
Trusted Zone: plaxo.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83}
-
hxxp://upload.facebook.com/controls/2008.10
.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
-
hxxp://download.macromedia.com/pub/shockwav
e/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
-
hxxp://download.microsoft.com/download/E/5/
6/E5611B10-0D6D-4117-8430-A67417AA88CD/Legi
tCheckControl.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B}
-
hxxp://www.worldwinner.com/games/v46/bejewe
led/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
-
hxxp://www.update.microsoft.com/microsoftup
date/v6/V5Controls/en/x86/client/wuweb_site
.cab?1229555679958
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
-
hxxp://www.update.microsoft.com/microsoftup
date/v6/V5Controls/en/x86/client/muweb_site
.cab?1229555672927
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E}
-
hxxp://liveupdate.msi.com.tw/autobios/LOnli
ne/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
-
hxxp://java.sun.com/update/1.6.0/jinstall-1
_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
-
hxxp://java.sun.com/update/1.5.0/jinstall-1
_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
-
hxxp://java.sun.com/update/1.6.0/jinstall-1
_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
-
hxxp://java.sun.com/update/1.6.0/jinstall-1
_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
-
hxxp://java.sun.com/update/1.6.0/jinstall-1
_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
-
hxxp://java.sun.com/update/1.6.0/jinstall-1
_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
-
hxxp://java.sun.com/update/1.6.0/jinstall-1
_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
-
hxxp://java.sun.com/update/1.6.0/jinstall-1
_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
-
hxxp://fpdownload2.macromedia.com/get/shock
wave/cabs/flash/swflash.cab
DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779}
-
hxxp://www.puppyred.com/jsp/cooper/inc/Nave
rAXGuide.cab
TCP: NameServer =
208.67.220.220,208.67.222.222
TCP: {BC849FAF-9C44-438C-859F-10595D25CA93}
= 208.67.220.220,208.67.222.222
Handler: bwfile-8876480 -
{9462A756-7B47-47BC-8C80-C34B9B80B32B} -
c:\program files\logitech\desktop
messenger\8876480\program\GAPlugProtocol-88
76480.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj -
{AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware
ShellExecuteHook:
{091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} -
c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
================= FIREFOX
===================
FF - ProfilePath -
c:\docume~1\owner\applic~1\mozilla\firefox\
profiles\lerxm50e.default\
FF - prefs.js:
browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage -
yahoo.com
FF - plugin: c:\documents and
settings\owner\application
data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program
files\java\jre6\bin\new_plugin\npdeployJava
1.dll
FF - plugin: c:\program files\mozilla
firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET
Framework Assistant:
{20a82645-c095-46ed-80e3-08825760534b} -
c:\windows\microsoft.net\framework\v3.5\win
dows presentation
foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No
Registry Reference - c:\program
files\mozilla
firefox\extensions\{CAFEEFAC-0016-0000-0021
-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla
firefox\greprefs\all.js -
pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla
firefox\greprefs\all.js -
pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla
firefox\greprefs\all.js -
pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla
firefox\greprefs\all.js -
pref("network.IDN.whitelist.xn--mgbaam7a8h"
, true);
c:\program files\mozilla
firefox\greprefs\all.js -
pref("network.IDN.whitelist.xn--mgberp4a5d4
ar", true);
c:\program files\mozilla
firefox\greprefs\all.js -
pref("network.IDN.whitelist.xn--p1ai",
true);
c:\program files\mozilla
firefox\greprefs\all.js -
pref("network.IDN.whitelist.xn--mgbayh7gpa"
, true);
c:\program files\mozilla
firefox\greprefs\all.js -
pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla
firefox\greprefs\security-prefs.js -
pref("security.ssl.allow_unrestricted_reneg
o_everywhere__temporarily_available_pref",
true);
c:\program files\mozilla
firefox\greprefs\security-prefs.js -
pref("security.ssl.renego_unrestricted_host
s", "");
c:\program files\mozilla
firefox\greprefs\security-prefs.js -
pref("security.ssl.treat_unsafe_negotiation
_as_broken", false);
c:\program files\mozilla
firefox\greprefs\security-prefs.js -
pref("security.ssl.require_safe_negotiation
", false);
c:\program files\mozilla
firefox\greprefs\security-prefs.js -
pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla
firefox\defaults\pref\firefox-branding.js -
pref("app.update.url.manual",
"http://www.firefox.com");
============= SERVICES / DRIVERS
===============
R2
PDIHWCTL;PDIHWCTL;c:\windows\system32\drive
rs\pdihwctl.sys [2007-1-10 14416]
R2 WinDefend;Windows Defender;c:\program
files\windows defender\MsMpEng.exe
[2006-11-3 13592]
R3 MAUSBFASTTRACKULTRA;Service for M-Audio
Fast Track
Ultra;c:\windows\system32\drivers\MAudioFas
tTrackUltra.sys [2010-1-10 135816]
S3
Ambfilt;Ambfilt;c:\windows\system32\drivers
\Ambfilt.sys [2010-8-17 1684736]
S3 eyeonedp;eye-one
display;c:\windows\system32\drivers\EyeOneD
p.sys [2007-1-10 44344]
S3 i1display;i1
Display;c:\windows\system32\drivers\i1displ
ay.sys [2008-9-15 44344]
S3 MADFUFTU;Service for M-Audio
FastTrackUltra
DFU;c:\windows\system32\drivers\MAudioFastT
rackUltra_DFU.sys [2010-1-10 42120]
S3 MAUSBRI;M-Audio Fast Track Ultra
Service;c:\windows\system32\drivers\mausbft
u.sys -->
c:\windows\system32\drivers\mausbftu.sys
[?]
=============== Created Last 30
================
2010-09-03 10:29:15 423656 ----a-w-
c:\windows\system32\deployJava1.dll
2010-08-27 00:38:41 0 d-----w-
c:\program files\iPod
2010-08-18 14:01:32 21504 -c--a-w-
c:\windows\system32\dllcache\hidserv.dll
2010-08-18 14:01:32 21504 ----a-w-
c:\windows\system32\hidserv.dll
2010-08-18 14:01:29 14592 -c--a-w-
c:\windows\system32\dllcache\kbdhid.sys
2010-08-18 14:01:29 14592 ----a-w-
c:\windows\system32\drivers\kbdhid.sys
2010-08-17 21:11:50 0 d-----w-
c:\docume~1\owner\applic~1\Malwarebytes
2010-08-17 21:11:42 0 d-----w-
c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-17 20:51:07 920088 ----a-r-
c:\windows\system32\igxpun.exe
2010-08-17 20:51:07 0 d-----w-
c:\windows\system32\x64
2010-08-17 20:47:54 36864 ----a-r-
c:\windows\system32\RtkCoInstXP.dll
2010-08-17 20:46:52 73728 ----a-r-
c:\windows\system32\RtNicProp32.dll
2010-08-17 20:46:52 141568 ----a-r-
c:\windows\system32\drivers\Rtenicxp.sys
==================== Find3M
====================
2010-09-05 19:44:47 1984 ----a-w-
c:\windows\system32\d3d9caps.dat
2010-08-25 00:01:00 23576 ---ha-w-
c:\windows\system32\mlfcache.dat
2010-08-17 20:53:36 7680 ----a-w-
c:\windows\system32\drivers\ASACPI.sys
2010-06-30 12:31:35 149504 ----a-w-
c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w-
c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w-
c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w-
c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w-
c:\windows\system32\msxml3.dll
2004-10-01 19:00:16 40960 -c--a-w-
c:\program files\Uninstall_CDS.exe
2008-12-17 23:59:09 32768 -csha-w-
c:\windows\system32\config\systemprofile\lo
cal
settings\history\history.ie5\mshist01200812
1720081218\index.dat
============= FINISH: 16:07:37.79
===============
It appears I may have " rogue:Win32FakeSpypro", I found a couple items in my download folder which when clicked Defender picked up on. My symptoms appear consistent with this trojan but neither Spybot, windows defender, or Malwarebytes found anything during thier scans also performed in safe mode. Any advise how to remove this assuming that is the problem?
Hi,
First make sure word wrap is disabled in notepad.
After that, please run DDS again and post back both dds.txt and attach.txt contents without doing any formatting to its contents. The one you posted is really hard to read.
Jaylegger
2010-09-11, 17:34
Thanks for the reply. I've unwrapped notepad, I thought things looked not quite correct.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 11:16:14.56 on Sat 09/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1225 [GMT -3:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\M-AudioTaskBarIcon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds(2).scr
============== Pseudo HJT Report ===============
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: plaxo.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229555679958
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229555672927
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://www.puppyred.com/jsp/cooper/inc/NaverAXGuide.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {BC849FAF-9C44-438C-859F-10595D25CA93} = 208.67.220.220,208.67.222.222
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lerxm50e.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
============= SERVICES / DRIVERS ===============
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2007-1-10 14416]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MAUSBFASTTRACKULTRA;Service for M-Audio Fast Track Ultra;c:\windows\system32\drivers\MAudioFastTrackUltra.sys [2010-1-10 135816]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-17 1684736]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2007-1-10 44344]
S3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [2008-9-15 44344]
S3 MADFUFTU;Service for M-Audio FastTrackUltra DFU;c:\windows\system32\drivers\MAudioFastTrackUltra_DFU.sys [2010-1-10 42120]
S3 MAUSBRI;M-Audio Fast Track Ultra Service;c:\windows\system32\drivers\mausbftu.sys --> c:\windows\system32\drivers\mausbftu.sys [?]
=============== Created Last 30 ================
2010-09-09 22:56:45 36 ----a-w- c:\documents and settings\owner\RoomEQWizardV5-Path
2010-09-09 22:56:45 0 d-----w- c:\program files\Room EQ Wizard V5
2010-09-09 22:56:38 0 d-----w- c:\documents and settings\owner\applogs
2010-09-09 22:56:37 0 d--h--w- C:\jexepackres
2010-09-08 23:58:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-08 23:21:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-08 23:21:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-08 23:21:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-03 10:29:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-27 00:38:41 0 d-----w- c:\program files\iPod
2010-08-18 14:01:32 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-08-18 14:01:32 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-18 14:01:29 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-08-18 14:01:29 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-08-17 21:11:50 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-08-17 21:11:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-17 20:51:07 920088 ----a-r- c:\windows\system32\igxpun.exe
2010-08-17 20:51:07 0 d-----w- c:\windows\system32\x64
2010-08-17 20:47:54 36864 ----a-r- c:\windows\system32\RtkCoInstXP.dll
2010-08-17 20:46:52 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
2010-08-17 20:46:52 141568 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
==================== Find3M ====================
2010-09-05 19:44:47 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-25 00:01:00 23576 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-17 20:53:36 7680 ----a-w- c:\windows\system32\drivers\ASACPI.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2004-10-01 19:00:16 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2008-12-17 23:59:09 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121720081218\index.dat
============= FINISH: 11:19:09.65 ===============
Hi,
Please download Rootkit Unhooker (http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE) Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note** you may get this warning it is ok, just ignore
Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?
Jaylegger
2010-09-12, 03:07
Hi, thanks again for your assistance in this matter.
Here's the report:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB9125000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5959680 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA8891000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 5263360 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0xBF26A000 C:\WINDOWS\System32\igxpdx32.DLL 3235840 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xBF04F000 C:\WINDOWS\System32\igxpdv32.DLL 2207744 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9E48000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA8445000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB8FF9000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA8578000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA0784000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA0513000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA0853000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E1B000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 176128 bytes (Intel Corporation, Intel Graphics 2D Driver)
0x9E90C000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA84B5000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB90E9000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA8528000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA8502000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA886D000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB90A2000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB907F000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB90C6000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 143360 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xA84E0000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9F11000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x9EA02000 C:\WINDOWS\system32\DRIVERS\MAudioFastTrackUltra.sys 131072 bytes (Avid Technology, Inc., M-Audio USB Audio Driver (WDM))
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9E01000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA85E4000 C:\WINDOWS\System32\Drivers\InCDfs.SYS 102400 bytes (Nero AG, InCD File System Driver)
0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9EE8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9068000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA0A10000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9111000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA85D1000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB9ED5000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9EFF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9057000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA2790000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA218000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA2D8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA228000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA2206000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA2C8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA248000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA268000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA308000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA208000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA258000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA108000 uagp35.sys 45056 bytes (Microsoft Corporation, MS AGPv3.5 Filter)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA2A8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA0F8000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA288000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB9744000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xA6568000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xBA278000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x9FF30000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB9764000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA470000 C:\WINDOWS\system32\DRIVERS\ASACPI.sys 32768 bytes (-, ATK0110 ACPI Utility)
0xBA488000 C:\WINDOWS\System32\DRIVERS\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)
0xBA3B8000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xA74EF000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA468000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA338000 videX32.sys 32768 bytes (VIA Technologies, Inc., VIA Generic PCI IDE Bus Driver)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA480000 C:\WINDOWS\System32\Drivers\incdrm.SYS 28672 bytes (Nero AG, Ahead MRW Filter Driver)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA4B0000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA478000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA388000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA460000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA3A8000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA3B0000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA378000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA380000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA348000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xA2291000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA548000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA884D000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB9DC5000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA217A000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA8861000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB9DC1000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)
0xA885D000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9855000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA089C000 C:\WINDOWS\system32\drivers\pdihwctl.sys 12288 bytes (Portrait Displays, Inc., PdiHwCtl NT kernel-mode driver)
0xB9DBD000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBFF50000 C:\WINDOWS\System32\TSDDD.dll 12288 bytes (Microsoft Corporation, Framebuffer Display Driver)
0xB986D000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xBA60E000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA60C000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA610000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA612000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5AE000 speedfan.sys 8192 bytes
0xBA600000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA604000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AC000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA6D1000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA735000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA671000 giveio.sys 4096 bytes
0xBA744000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x8A4D6AF1 ?_empty_? 1295 bytes
0x8A4D6ECC unknown_irp_handler 308 bytes
!!!!!!!!!!!Hidden driver: 0x8A48CC40 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xB9F31000 WARNING: suspicious driver modification [atapi.sys::0x8A4D6AF1]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [i1.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [purendis.sys]
WARNING: Virus alike driver modification [i1io2.sys]
WARNING: Virus alike driver modification [atmepvc.sys]
0xBA488000 WARNING: Virus alike driver modification [InCDPass.sys], 32768 bytes
WARNING: Virus alike driver modification [rawwan.sys]
WARNING: Virus alike driver modification [atmuni.sys]
WARNING: Virus alike driver modification [wpdusb.sys]
WARNING: Virus alike driver modification [tosdvd.sys]
WARNING: Virus alike driver modification [nwlnkspx.sys]
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [rootmdm.sys]
WARNING: Virus alike driver modification [nwlnknb.sys]
WARNING: Virus alike driver modification [parvdm.sys]
WARNING: Virus alike driver modification [mcd.sys]
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]
[1968]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1968]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1968]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1968]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[1968]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1968]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1968]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[1968]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[3688]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[3688]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[3688]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[3688]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[3688]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[3688]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[3688]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[3688]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
Hi,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Jaylegger
2010-09-12, 17:45
I've performed all activities noted but Combofix will not run. When I click on the desktop icon I do get the "Windows Open File Security Warning" prompt but when I click "run" nothing happens except for the prompt disappearing. Same thing happens when I try to run Spybot or Malwarebytes, the hour glass appears for a brief moment then disappears and nothing opens or commences after.
Hi,
Rename ComboFix.exe file to changed.exe and try to run it (protection software disabled). If it still fails try in safe mode.
Jaylegger
2010-09-12, 20:06
Hi,
Ok things are moving along nicely, here's the DDS log and attached is the combofix log.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:03:25.06 on Sun 09/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1516 [GMT -3:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds(3).scr
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: plaxo.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229555679958
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229555672927
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://www.puppyred.com/jsp/cooper/inc/NaverAXGuide.cab
TCP: {BC849FAF-9C44-438C-859F-10595D25CA93} = 208.67.220.220,208.67.222.222
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lerxm50e.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
============= SERVICES / DRIVERS ===============
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2007-1-10 14416]
R3 MAUSBFASTTRACKULTRA;Service for M-Audio Fast Track Ultra;c:\windows\system32\drivers\MAudioFastTrackUltra.sys [2010-1-10 135816]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-17 1684736]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2007-1-10 44344]
S3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [2008-9-15 44344]
S3 MADFUFTU;Service for M-Audio FastTrackUltra DFU;c:\windows\system32\drivers\MAudioFastTrackUltra_DFU.sys [2010-1-10 42120]
S3 MAUSBRI;M-Audio Fast Track Ultra Service;c:\windows\system32\drivers\mausbftu.sys --> c:\windows\system32\drivers\mausbftu.sys [?]
=============== Created Last 30 ================
2010-09-12 16:37:42 0 d-sha-r- C:\cmdcons
2010-09-12 16:28:40 98816 ----a-w- c:\windows\sed.exe
2010-09-12 16:28:40 77312 ----a-w- c:\windows\MBR.exe
2010-09-12 16:28:40 256512 ----a-w- c:\windows\PEV.exe
2010-09-12 16:28:40 161792 ----a-w- c:\windows\SWREG.exe
2010-09-09 22:56:45 36 ----a-w- c:\documents and settings\owner\RoomEQWizardV5-Path
2010-09-09 22:56:45 0 d-----w- c:\program files\Room EQ Wizard V5
2010-09-09 22:56:38 0 d-----w- c:\documents and settings\owner\applogs
2010-09-09 22:56:37 0 d-----w- C:\jexepackres
2010-09-08 23:58:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-03 10:29:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-27 00:38:41 0 d-----w- c:\program files\iPod
2010-08-18 14:01:32 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-08-18 14:01:32 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-18 14:01:29 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-08-18 14:01:29 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-08-17 21:11:50 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-08-17 21:11:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-17 20:51:07 920088 ----a-r- c:\windows\system32\igxpun.exe
2010-08-17 20:51:07 0 d-----w- c:\windows\system32\x64
2010-08-17 20:47:54 36864 ----a-r- c:\windows\system32\RtkCoInstXP.dll
2010-08-17 20:46:52 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
2010-08-17 20:46:52 141568 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
==================== Find3M ====================
2010-09-05 19:44:47 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-25 00:01:00 23576 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-17 20:53:36 7680 ----a-w- c:\windows\system32\drivers\ASACPI.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2004-10-01 19:00:16 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2008-12-17 23:59:09 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121720081218\index.dat
============= FINISH: 14:03:37.79 ===============
Hi again,
Uninstall this old Java:
J2SE Runtime Environment 5.0 Update 10
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report & a fresh dds.txt log.
Jaylegger
2010-09-13, 18:16
Hi,
Scan completed, here's a new DDS and attached below is the scan report:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 12:09:48.23 on Wed 10/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1227 [GMT -3:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\M-AudioTaskBarIcon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds(4).scr
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_21.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: plaxo.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229555679958
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229555672927
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://www.puppyred.com/jsp/cooper/inc/NaverAXGuide.cab
TCP: {BC849FAF-9C44-438C-859F-10595D25CA93} = 208.67.220.220,208.67.222.222
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lerxm50e.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
============= SERVICES / DRIVERS ===============
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2007-1-10 14416]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MAUSBFASTTRACKULTRA;Service for M-Audio Fast Track Ultra;c:\windows\system32\drivers\MAudioFastTrackUltra.sys [2010-1-10 135816]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-17 1684736]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2007-1-10 44344]
S3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [2008-9-15 44344]
S3 MADFUFTU;Service for M-Audio FastTrackUltra DFU;c:\windows\system32\drivers\MAudioFastTrackUltra_DFU.sys [2010-1-10 42120]
S3 MAUSBRI;M-Audio Fast Track Ultra Service;c:\windows\system32\drivers\mausbftu.sys --> c:\windows\system32\drivers\mausbftu.sys [?]
=============== Created Last 30 ================
==================== Find3M ====================
2010-09-12 18:19:49 111688 ----a-w- c:\documents and settings\owner\x.exe
2010-09-08 23:58:16 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-05 19:44:47 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-25 00:01:00 23576 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-17 20:53:36 7680 ----a-w- c:\windows\system32\drivers\ASACPI.sys
2004-10-01 19:00:16 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2008-12-17 23:59:09 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121720081218\index.dat
============= FINISH: 12:10:21.20 ===============
Good. Those two first Kaspersky findings can be ignored. Other findings will be removed when ComboFix is uninstalled and system restore reseted.
Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings.
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Jaylegger
2010-09-13, 23:24
Hi,
All symptoms (re-directs) and other annoyances have been resolved. My system is running beautifully and I can't thank you, your expertise, and professionalism enough. I did, however, encounter one UBD error (user brain dead). Prior to your last post I sent combofix to the recycle bin and emptied it therefore I could not perform the uninstall procedure as you described. Should I therefore download and run combo fix one more time to perform the, final virus removing, uninstall?
You definitely are the man.:crowned:
Hi,
Should I therefore download and run combo fix one more time to perform the, final virus removing, uninstall?
Download ComboFix.exe file to your desktop and run uninstallation like instructed :)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.