Hello, I've been hit with something which keeps redirecting searches to seemingly arbitrary sites and it also prevents Spybot from opening in the normal manner. I have to go into program files to open.
Here's the DDS file: Any help is greatly appreciated.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 16:06:07.29 on Wed 09/08/2010
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1243 [GMT -3:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\M-AudioTaskBarIcon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\KDGVVMNQD.scr
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: plaxo.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229555679958
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229555672927
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://www.puppyred.com/jsp/cooper/inc/NaverAXGuide.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {BC849FAF-9C44-438C-859F-10595D25CA93} = 208.67.220.220,208.67.222.222
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lerxm50e.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2007-1-10 14416]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MAUSBFASTTRACKULTRA;Service for M-Audio Fast Track Ultra;c:\windows\system32\drivers\MAudioFastTrackUltra.sys [2010-1-10 135816]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-17 1684736]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2007-1-10 44344]
S3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [2008-9-15 44344]
S3 MADFUFTU;Service for M-Audio FastTrackUltra DFU;c:\windows\system32\drivers\MAudioFastTrackUltra_DFU.sys [2010-1-10 42120]
S3 MAUSBRI;M-Audio Fast Track Ultra Service;c:\windows\system32\drivers\mausbftu.sys --> c:\windows\system32\drivers\mausbftu.sys [?]

=============== Created Last 30 ================

2010-09-03 10:29:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-27 00:38:41 0 d-----w- c:\program files\iPod
2010-08-18 14:01:32 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-08-18 14:01:32 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-18 14:01:29 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-08-18 14:01:29 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-08-17 21:11:50 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-08-17 21:11:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-17 20:51:07 920088 ----a-r- c:\windows\system32\igxpun.exe
2010-08-17 20:51:07 0 d-----w- c:\windows\system32\x64
2010-08-17 20:47:54 36864 ----a-r- c:\windows\system32\RtkCoInstXP.dll
2010-08-17 20:46:52 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
2010-08-17 20:46:52 141568 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys

==================== Find3M ====================

2010-09-05 19:44:47 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-25 00:01:00 23576 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-17 20:53:36 7680 ----a-w- c:\windows\system32\drivers\ASACPI.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2004-10-01 19:00:16 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2008-12-17 23:59:09 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121720081218\index.dat

============= FINISH: 16:07:37.79 ===============
It appears I may have "rogue:Win32FakeSpypro". I found a couple of items in my download folder which, when clicked, Defender picked up on. My symptoms appear consistent with this trojan, but neither Spybot, Windows Defender, nor Malwarebytes found anything during their scans, which were also performed in safe mode. Any advice on how to remove this, assuming that is the problem?