
Thread: Pop-ups and can't fully update (Possible Vundo)

  1. #11
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    I disabled those links. Please don't post more of them, since some may be malicious and infect careless clickers.

    Do you connect to the internet through a router (which model)?


    Open Notepad and then copy and paste the bolded lines below into it. Go to File > Save As, name the file fixes.bat, change the "Save as type" to All Files and save it to your desktop.
    @echo off
    ipconfig /all >c:\ipExport.txt

    Double-click the fixes.bat file to execute it. Post back the contents of the c:\ipExport.txt file.


    Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select "1. Find Goored (no fix)" by typing 1 and pressing Enter. A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.

    Post also a fresh dds.txt log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.
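    As an added illustration of what the ipconfig /all step above gives a helper to look at (this is example code written for this page, not something from the thread, from GooredFix or from DDS): a small Python parser for ipconfig /all output that pulls out each adapter's address, subnet mask and DNS servers, then flags any resolver that lies outside the network the adapter sits on and outside any extra networks you pass in. The sample output, the host name and every address in it are constructed (RFC 5737 documentation ranges); the idea behind the check, that a DHCP-assigned resolver should live on the organisation's own address space and that a resolver nobody can account for is what a DNS-changer infection leaves behind, is an assumption about why the export was requested, not something the thread states.

```python
import ipaddress
import re

# Constructed sample in the layout "ipconfig /all" uses on Windows XP. The host
# name, suffix and every address below are made up (RFC 5737 documentation
# ranges); the second DNS server is deliberately outside the adapter's network.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : EXAMPLE-PC
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . : example.edu
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.0.2.73
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.0.2.254
        DHCP Server . . . . . . . . . . . : 192.0.2.1
        DNS Servers . . . . . . . . . . . : 192.0.2.17
                                            203.0.113.5
        Lease Obtained. . . . . . . . . . : Thursday, May 07, 2009 10:59:55
"""

# "Ethernet adapter Local Area Connection 3:" starts a new section (no dots, ends in a colon)
HEADER_RE = re.compile(r"^\s*(?P<name>[^.:]+?):\s*$")
# "        IP Address. . . . . . . : 192.0.2.73" -> key "IP Address", value "192.0.2.73"
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][^:]*?)\s*(?:\.\s*)+:\s?(?P<val>.*)$")


def parse_ipconfig(text):
    """Return {section name: {field: [values]}} from 'ipconfig /all' output.

    Values are lists because some fields (DNS Servers) wrap onto extra lines
    that carry no key; such lines are appended to the last field seen.
    """
    current = "Windows IP Configuration"
    sections = {current: {}}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name")
            sections.setdefault(current, {})
            last_key = None
            continue
        field = FIELD_RE.match(line)
        if field:
            last_key = field.group("key").strip()
            values = sections[current].setdefault(last_key, [])
            if field.group("val").strip():
                values.append(field.group("val").strip())
            continue
        if last_key is not None and line[0].isspace():
            # Wrapped value such as the second DNS server on its own line
            sections[current][last_key].append(line.strip())
    return sections


def local_network(fields):
    """The network an adapter sits on, derived from its IP Address and Subnet Mask."""
    ips, masks = fields.get("IP Address", []), fields.get("Subnet Mask", [])
    if not ips or not masks:
        return None
    return ipaddress.ip_network(f"{ips[0]}/{masks[0]}", strict=False)


def check_resolvers(sections, extra_networks=()):
    """Return (section, server) for each DNS server outside the adapter's own
    network and outside every network in extra_networks.

    Assumption (not from the thread): DHCP-assigned resolvers should sit on the
    organisation's address space; pass that space in extra_networks when the
    resolvers legitimately live on a different subnet from the host.
    """
    extra = [ipaddress.ip_network(n) for n in extra_networks]
    findings = []
    for name, fields in sections.items():
        allowed = list(extra)
        net = local_network(fields)
        if net is not None:
            allowed.append(net)
        for server in fields.get("DNS Servers", []):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                continue  # not an address; nothing to evaluate
            if not any(addr in n for n in allowed):
                findings.append((name, server))
    return findings


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    for section, server in check_resolvers(parsed):
        print(f"{section}: DNS server {server} is outside every expected network")
```

    For the export posted later in this thread the resolvers (134.53.13.17 and 134.53.13.1) sit on a different /24 from the host (134.53.123.73 with mask 255.255.255.0), so the university's own prefix would have to be supplied as an extra network to reach the same "looks ok" verdict the helper gives; the point of the check is a resolver on an address nobody can account for, not a resolver on a neighbouring subnet.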

  2. #12
    Junior Member
    Join Date
    May 2009
    Posts
    11


    Sorry about the links, I didn't really think it through.

    Here's the fixes.bat log:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Dante
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : muohio.edu

    Ethernet adapter Local Area Connection 3:

    Connection-specific DNS Suffix . : muohio.edu
    Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
    Physical Address. . . . . . . . . : 00-1D-7D-D4-84-F7
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 134.53.123.73
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 134.53.123.254
    DHCP Server . . . . . . . . . . . : 134.53.13.1
    DNS Servers . . . . . . . . . . . : 134.53.13.17
                                        134.53.13.1
    Lease Obtained. . . . . . . . . . : Thursday, May 07, 2009 10:59:55
    Lease Expires . . . . . . . . . . : Thursday, May 07, 2009 22:59:51

    Here's the Gooredfix log:

    GooredFix v1.92 by jpshortstuff
    Log created at 14:55 on 07/05/2009 running Option #1 (Carmagnoli)
    Firefox version 3.0.10 (en-US)

    =====Suspect Goored Entries=====

    C:\Program Files\Mozilla Firefox\extensions\{D1BFB2B8-33AB-4C48-A768-53FD6E1F4D02}

    C:\Program Files\Mozilla Firefox\extensions\{90145FBB-E9B5-4719-9680-7C32DC0D8549}

    C:\Program Files\Mozilla Firefox\extensions\{65250933-0801-4AD4-8486-805418726309}

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"


    And here is my (fresh) DDS log:


    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Carmagnoli at 15:00:06.00 on Thu 05/07/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1322 [GMT -4:00]

    AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Windows Home Server\WHSConnector.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Windows Home Server\WHSTrayApp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Carmagnoli\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = https://mymiami.muohio.edu/webapps/portal/frameset.jsp
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [C-Media Mixer] Mixer.exe /startup
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\carmag~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\carmag~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231391463453
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\carmag~1\applic~1\mozilla\firefox\profiles\o0nvr439.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxps://mymiami.muohio.edu/webapps/portal/frameset.jsp
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\program files\mozilla firefox\components\WWShow.dll
    FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chem3d\npChem3DPlugin.dll
    FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chemdraw\NPCDP32.DLL
    FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-6 18432]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-4-30 104000]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-4 24652]
    R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2007-9-6 302112]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-4-30 72264]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-4-30 34152]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-4-30 168776]
    S0 m5228;m5228;c:\windows\system32\drivers\m5228.sys --> c:\windows\system32\drivers\m5228.sys [?]
    S0 m5281;m5281;c:\windows\system32\drivers\m5281.sys --> c:\windows\system32\drivers\m5281.sys [?]
    S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys --> c:\windows\system32\drivers\viasraid.sys [?]
    S1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [2004-10-7 11904]
    S2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
    S3 DCamUSBUVT;ICM532A;c:\windows\system32\drivers\usbuvt.sys [2006-1-22 95744]
    S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [2005-10-28 45568]
    S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [2005-1-10 44544]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2004-7-30 56576]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

    =============== Created Last 30 ================

    2009-05-06 14:21 <DIR> --d----- C:\ComboFix
    2009-05-05 17:11 161,792 a------- c:\windows\SWREG.exe
    2009-05-05 17:11 98,816 a------- c:\windows\sed.exe
    2009-05-05 15:49 <DIR> --d-h--- c:\windows\PIF
    2009-05-05 14:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-05-04 21:21 <DIR> --d----- c:\program files\Matlab
    2009-05-04 21:21 <DIR> --d----- C:\temp
    2009-05-04 21:17 <DIR> --d----- C:\MatLabStudentInstallR2008a
    2009-05-04 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    2009-05-04 20:10 <DIR> --d----- c:\program files\Bonjour
    2009-05-04 19:22 <DIR> --d----- c:\program files\Viewpoint
    2009-05-04 19:22 <DIR> --d----- c:\program files\common files\AOL
    2009-05-04 19:21 364 a---h--- C:\IPH.PH
    2009-05-02 01:58 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-04-30 09:31 280 a------- c:\windows\system32\epoPGPsdk.dll.sig
    2009-04-30 09:30 168,776 a------- c:\windows\system32\drivers\mfehidk.sys
    2009-04-30 09:30 72,264 a------- c:\windows\system32\drivers\mfeavfk.sys
    2009-04-30 09:30 64,360 a------- c:\windows\system32\drivers\mfeapfk.sys
    2009-04-30 09:30 52,136 a------- c:\windows\system32\drivers\mfetdik.sys
    2009-04-30 09:30 34,152 a------- c:\windows\system32\drivers\mfebopk.sys
    2009-04-30 09:30 <DIR> --d----- c:\program files\McAfee
    2009-04-30 09:30 <DIR> --d----- c:\program files\common files\McAfee
    2009-04-30 00:48 <DIR> --d----- c:\windows\ie8updates
    2009-04-30 00:42 <DIR> --d----- c:\windows\system32\URTTEMP
    2009-04-30 00:14 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
    2009-04-29 18:09 <DIR> a-dshr-- C:\cmdcons
    2009-04-29 17:22 67 a------- c:\windows\wininit.ini
    2009-04-28 23:51 <DIR> --dsh--- c:\documents and settings\carmagnoli\IECompatCache
    2009-04-28 23:50 <DIR> --dsh--- c:\documents and settings\carmagnoli\PrivacIE
    2009-04-28 23:45 <DIR> --dsh--- c:\documents and settings\carmagnoli\IETldCache
    2009-04-28 23:27 <DIR> -cd-h--- c:\windows\ie8
    2009-04-28 22:47 <DIR> --d----- c:\docume~1\carmag~1\applic~1\HouseCall 6.6
    2009-04-14 22:36 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
    2009-04-14 22:36 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
    2009-04-14 22:36 110,592 -c------ c:\windows\system32\dllcache\services.exe
    2009-04-14 22:36 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
    2009-04-14 22:36 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
    2009-04-14 22:36 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
    2009-04-14 22:36 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-14 22:36 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-14 22:36 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
    2009-04-14 22:12 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
    2009-04-14 22:12 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
    2009-04-14 22:12 2,560 -------- c:\windows\system32\xpsp4res.dll

    ==================== Find3M ====================

    2009-05-02 01:57 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
    2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
    2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
    2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
    2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
    2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
    2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
    2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
    2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
    2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
    2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
    2009-02-20 13:51 107,888 a------- c:\windows\system32\CmdLineExt.dll
    2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
    2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
    2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
    2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
    2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys

    ============= FINISH: 15:00:59.84 ===============

    Once again, thanks for all of your help!

  3. #13
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    IP export results look ok.

    Please double-click GooredFix.exe on your Desktop to run it. Select "2. Fix Goored" by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Post also a fresh dds.txt log and let me know if redirections still occur.

  4. #14
    Junior Member
    Join Date
    May 2009
    Posts
    11


    And about my internet connection: I get internet through Miami University of Ohio (muohio), and I'm sure they have a router, but I'm not sure what kind/model. All (PC) users are required to log in through Cisco Clean Access Agent, and we are all required to have McAfee antivirus software. I'm not really sure what else I can say about it. I leave to go back home tomorrow (finals are this week), and I can tell you more about my connection when I get back home if you want it, but I do not know a lot about Miami's internet. :/

  5. #15
    Junior Member
    Join Date
    May 2009
    Posts
    11


    Used Gooredfix as instructed. Here is the log:

    GooredFix v1.92 by jpshortstuff
    Log created at 15:15 on 07/05/2009 running Option #2 (Carmagnoli)
    Firefox version 3.0.10 (en-US)

    =====Goored Deletions=====
    C:\Program Files\Mozilla Firefox\extensions\{D1BFB2B8-33AB-4C48-A768-53FD6E1F4D02}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{90145FBB-E9B5-4719-9680-7C32DC0D8549}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{65250933-0801-4AD4-8486-805418726309}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"


    Here is a fresh DDS log:


    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Carmagnoli at 15:15:41.15 on Thu 05/07/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1502 [GMT -4:00]

    AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Windows Home Server\WHSConnector.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Windows Home Server\WHSTrayApp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Carmagnoli\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = https://mymiami.muohio.edu/webapps/portal/frameset.jsp
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [C-Media Mixer] Mixer.exe /startup
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\carmag~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\carmag~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231391463453
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\carmag~1\applic~1\mozilla\firefox\profiles\o0nvr439.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxps://mymiami.muohio.edu/webapps/portal/frameset.jsp
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\program files\mozilla firefox\components\WWShow.dll
    FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chem3d\npChem3DPlugin.dll
    FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chemdraw\NPCDP32.DLL
    FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
    R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-6 18432]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-4-30 104000]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-4 24652]
    R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2007-9-6 302112]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-4-30 72264]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-4-30 34152]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-4-30 168776]
    S0 m5228;m5228;c:\windows\system32\drivers\m5228.sys --> c:\windows\system32\drivers\m5228.sys [?]
    S0 m5281;m5281;c:\windows\system32\drivers\m5281.sys --> c:\windows\system32\drivers\m5281.sys [?]
    S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys --> c:\windows\system32\drivers\viasraid.sys [?]
    S1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [2004-10-7 11904]
    S2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
    S3 DCamUSBUVT;ICM532A;c:\windows\system32\drivers\usbuvt.sys [2006-1-22 95744]
    S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [2005-10-28 45568]
    S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [2005-1-10 44544]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2004-7-30 56576]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

    =============== Created Last 30 ================

    2009-05-06 14:21 <DIR> --d----- C:\ComboFix
    2009-05-05 17:11 161,792 a------- c:\windows\SWREG.exe
    2009-05-05 17:11 98,816 a------- c:\windows\sed.exe
    2009-05-05 15:49 <DIR> --d-h--- c:\windows\PIF
    2009-05-05 14:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-05-04 21:21 <DIR> --d----- c:\program files\Matlab
    2009-05-04 21:21 <DIR> --d----- C:\temp
    2009-05-04 21:17 <DIR> --d----- C:\MatLabStudentInstallR2008a
    2009-05-04 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    2009-05-04 20:10 <DIR> --d----- c:\program files\Bonjour
    2009-05-04 19:22 <DIR> --d----- c:\program files\Viewpoint
    2009-05-04 19:22 <DIR> --d----- c:\program files\common files\AOL
    2009-05-04 19:21 364 a---h--- C:\IPH.PH
    2009-05-02 01:58 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-04-30 09:31 280 a------- c:\windows\system32\epoPGPsdk.dll.sig
    2009-04-30 09:30 168,776 a------- c:\windows\system32\drivers\mfehidk.sys
    2009-04-30 09:30 72,264 a------- c:\windows\system32\drivers\mfeavfk.sys
    2009-04-30 09:30 64,360 a------- c:\windows\system32\drivers\mfeapfk.sys
    2009-04-30 09:30 52,136 a------- c:\windows\system32\drivers\mfetdik.sys
    2009-04-30 09:30 34,152 a------- c:\windows\system32\drivers\mfebopk.sys
    2009-04-30 09:30 <DIR> --d----- c:\program files\McAfee
    2009-04-30 09:30 <DIR> --d----- c:\program files\common files\McAfee
    2009-04-30 00:48 <DIR> --d----- c:\windows\ie8updates
    2009-04-30 00:42 <DIR> --d----- c:\windows\system32\URTTEMP
    2009-04-30 00:14 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
    2009-04-29 18:09 <DIR> a-dshr-- C:\cmdcons
    2009-04-29 17:22 67 a------- c:\windows\wininit.ini
    2009-04-28 23:51 <DIR> --dsh--- c:\documents and settings\carmagnoli\IECompatCache
    2009-04-28 23:50 <DIR> --dsh--- c:\documents and settings\carmagnoli\PrivacIE
    2009-04-28 23:45 <DIR> --dsh--- c:\documents and settings\carmagnoli\IETldCache
    2009-04-28 23:27 <DIR> -cd-h--- c:\windows\ie8
    2009-04-28 22:47 <DIR> --d----- c:\docume~1\carmag~1\applic~1\HouseCall 6.6
    2009-04-14 22:36 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
    2009-04-14 22:36 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
    2009-04-14 22:36 110,592 -c------ c:\windows\system32\dllcache\services.exe
    2009-04-14 22:36 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
    2009-04-14 22:36 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
    2009-04-14 22:36 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
    2009-04-14 22:36 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-14 22:36 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-14 22:36 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
    2009-04-14 22:12 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
    2009-04-14 22:12 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
    2009-04-14 22:12 2,560 -------- c:\windows\system32\xpsp4res.dll

    ==================== Find3M ====================

    2009-05-02 01:57 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
    2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
    2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
    2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
    2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
    2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
    2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
    2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
    2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
    2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
    2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
    2009-02-20 13:51 107,888 a------- c:\windows\system32\CmdLineExt.dll
    2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
    2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
    2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
    2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
    2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys

    ============= FINISH: 15:15:48.28 ===============

  6. #16
    Junior Member
    Join Date
    May 2009
    Posts
    11

    Still getting pop-ups, no redirections yet.

  7. #17
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi

    What kind of pop-ups are they, and when do they occur?

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file in your next reply.

  8. #18
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Due to inactivity, this thread will now be closed.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
