Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Inactive Malware Help Topics

mail.ru malware infected my browsers

This is a discussion on mail.ru malware infected my browsers within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.


 
 
Thread Tools Search this Thread
Old 06-08-2011, 06:48 AM   #1
Registered Member
 
Join Date: Jun 2011
Posts: 1
OS: win vista Ultimate



Hello...
I recently downloaded a file that I thought was an audio driver for my computer, but it installed some malware which changed all my browsers search functions directed to a russian search site go.mail.ru. I have run numerous spyware programs and have not been able to remove it or change it. When I type something in the address bar of the browser, it used to search google. Now it switches and automatically searches the russian site. Please help!!! I do have access to my install disc.

Here is my DDS log...
------------------------------------------------------
.
DDS (Ver_2011-06-03.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Ethan at 8:39:35 on 2011-06-08
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3934.1140 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\RtkAudioService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AirPrint\airprint.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files (x86)\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\splwow64.exe
C:\Windows\system32\HPSIsvc.exe
C:\Program Files (x86)\LexisNexis\PMCommonAPI\PMCommonAPI.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\LexisNexis\Mobility\LexisNexis.PM.Mobility.AccessModule.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Ethan\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE
C:\Users\Ethan\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\Ethan\Downloads\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\splwow64.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
C:\PROGRA~2\Intuit\QUICKB~1\QBDBMgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\sysWow64\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.mail.ru/cnt/9134
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [googletalk] C:\Users\Ethan\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
StartupFolder: C:\Users\Ethan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Ethan\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Ethan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INTUIT~1.LNK - C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~2.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {B66A992D-C262-496E-8328-2F14FD80443A} - hxxps://qbo.intuit.com/c1/v42.129/qboimax7.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{05703BE8-ACE1-4C23-8569-CC4163D90E1A} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{68E7B9D6-4279-44FA-943F-35BC65B302B6} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ethan\AppData\Roaming\Mozilla\Firefox\Profiles\l5i0hh42.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://go.mail.ru/search?utf8in=1&fr=fftbUFix&q=
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Users\Ethan\AppData\Roaming\Mozilla\Firefox\Profiles\l5i0hh42.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AirPrint;AirPrint;C:\Program Files (x86)\AirPrint\airprint.exe -s --> C:\Program Files (x86)\AirPrint\airprint.exe -s [?]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 HPSIService;HP SI Service;C:\Windows\system32\HPSIsvc.exe --> C:\Windows\system32\HPSIsvc.exe [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-5-25 2151128]
R2 LexisNexis Practice Management Common API;LexisNexis Practice Management Common API;C:\Program Files (x86)\LexisNexis\PMCommonAPI\PMCommonAPI.exe [2011-3-22 12104]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-12-8 373640]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2010-9-17 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]
R2 LNPM_Mobility_DataService;LexisNexis Practice Management Mobility Data Service;C:\Program Files (x86)\LexisNexis\Mobility\LexisNexis.PM.Mobility.AccessModule.exe [2011-3-22 80248]
R2 MSSQL$TIMEMATTERS11;SQL Server (TIMEMATTERS11);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
R2 QBVSS;QBIDPService;C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-3-5 1257760]
R2 RtkAudioService;Realtek Audio Service;C:\Windows\RTKAUDIOSERVICE.EXE [2011-6-5 139808]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-6-5 1153368]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-6-5 17152]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NETw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-16 136176]
S2 HP LaserJet Service;HP LaserJet Service;C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2010-10-25 145920]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-16 136176]
S3 HPFXBULKLEDM;HPFXBULKLEDM;C:\Windows\system32\drivers\hppdbulkio.sys --> C:\Windows\system32\drivers\hppdbulkio.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 mvusbews;USB EWS Device;C:\Windows\system32\Drivers\mvusbews.sys --> C:\Windows\system32\Drivers\mvusbews.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2011-2-17 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-06-07 19:04:12 8718160 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4BF09DD2-2437-43B6-A5FD-833A28C82AAE}\mpengine.dll
2011-06-06 01:28:57 -------- d-----w- C:\Program Files (x86)\Exterminate It!
2011-06-06 00:47:10 -------- d-----w- C:\Program Files\Dolby
2011-06-06 00:45:39 139808 ----a-w- C:\Windows\RTKAUDIOSERVICE.EXE
2011-06-06 00:44:54 -------- d-----w- C:\Windows\SysWow64\RTCOM
2011-06-06 00:42:57 65024 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
2011-06-06 00:42:57 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-06-06 00:42:57 204800 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-06-06 00:42:56 757760 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-06-06 00:42:56 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-06-06 00:42:56 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2011-06-06 00:42:56 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-06-06 00:42:55 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-06-06 00:42:54 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-06-06 00:37:28 -------- d-----w- C:\Program Files (x86)\Ffmpeg For Audacity
2011-06-06 00:36:45 -------- d-----w- C:\Program Files (x86)\Lame For Audacity
2011-06-06 00:36:25 -------- d-----w- C:\Program Files (x86)\Audacity
2011-06-06 00:34:05 -------- d-----w- C:\Program Files (x86)\Audacity 1.3 Beta (Unicode)
2011-06-05 22:25:52 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-06-05 22:23:05 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-06-05 22:23:01 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-06-05 19:48:11 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-06-05 19:48:11 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-06-05 19:28:55 -------- d-----w- C:\Program Files (x86)\PC Tools Security
2011-06-05 19:27:38 -------- d-----w- C:\ProgramData\PC Tools
2011-06-05 18:52:30 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2011-06-05 18:43:02 -------- d-----w- C:\Users\Ethan\AppData\Roaming\DRPSu
2011-05-31 17:43:40 76288 ----a-w- C:\Windows\System32\drivers\risdsn64.sys
2011-05-29 01:37:14 -------- d-----w- C:\Users\Ethan\AppData\Local\Intuit_Inc
2011-05-26 16:23:22 63488 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\ISBEW64A.exe
2011-05-26 14:34:18 -------- d-----w- C:\Program Files\Common Files\Intuit
2011-05-26 14:30:26 -------- d-----w- C:\Users\Ethan\AppData\Local\Intuit
2011-05-26 14:22:58 -------- d-----w- C:\ProgramData\Nuance
2011-05-26 14:22:58 -------- d-----w- C:\ProgramData\Intuit
2011-05-26 14:22:58 -------- d-----w- C:\Program Files (x86)\Intuit
2011-05-26 14:22:58 -------- d-----w- C:\Program Files (x86)\Common Files\Intuit
2011-05-26 14:22:40 -------- d-----w- C:\ProgramData\SQL Anywhere 11
2011-05-26 14:22:39 -------- d-----w- C:\ProgramData\COMMON FILES
2011-05-26 14:19:29 -------- d-----w- C:\Windows\Intuit
2011-05-26 14:04:11 -------- d-----w- C:\Program Files (x86)\Akamai
2011-05-21 16:08:24 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-20 18:49:23 -------- d-----w- C:\ProgramData\{88223008-9F60-4144-8AB5-EEDEADCE4C23}
2011-05-20 08:27:57 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A7924ABA-AC29-49BC-9A51-C552949DE1C0}\gapaengine.dll
2011-05-19 18:44:04 -------- d-----w- C:\Program Files (x86)\Common Files\SWF Studio
2011-05-16 22:11:45 53248 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\msihook.dll
2011-05-16 22:11:45 32768 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2011-05-16 22:11:45 221184 ------w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2011-05-16 22:11:44 217088 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2011-05-16 22:11:44 126976 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\knlwrap.exe
2011-05-16 22:11:43 598016 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ikernel.exe
2011-05-16 22:11:42 114688 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\scpthdlr.dll
2011-05-16 22:11:29 -------- d-----w- C:\Program Files (x86)\Executive Software
2011-05-16 22:11:19 -------- d-----w- C:\Users\Ethan\AppData\Roaming\OUTLOOK.EXE
2011-05-16 21:50:47 -------- d-----w- C:\Program Files\CCleaner
2011-05-16 18:46:47 -------- d-----w- C:\Users\Ethan\AppData\Local\Apple Computer
2011-05-16 18:46:18 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2011-05-16 18:46:18 126312 ----a-w- C:\Windows\System32\GEARAspi64.dll
2011-05-16 18:46:18 107368 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2011-05-16 18:45:35 -------- d-----w- C:\Program Files\iPod
2011-05-16 18:45:34 -------- d-----w- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2011-05-16 18:45:34 -------- d-----w- C:\Program Files\iTunes
2011-05-16 18:45:34 -------- d-----w- C:\Program Files (x86)\iTunes
2011-05-16 18:42:45 -------- d-----w- C:\Program Files\Bonjour
2011-05-16 18:42:45 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-05-16 18:01:53 -------- d-----w- C:\Program Files (x86)\Citrix
2011-05-16 18:01:23 72080 ----a-w- C:\Users\Ethan\g2mdlhlpx.exe
2011-05-15 23:12:44 -------- d-----w- C:\Windows\webapps
2011-05-15 21:07:45 -------- d-----w- C:\Users\Ethan\AppData\Roaming\Credenza
2011-05-15 21:07:45 -------- d-----w- C:\Users\Ethan\AppData\Local\IsolatedStorage
2011-05-15 20:56:52 -------- d-----w- C:\Windows\PCHEALTH
2011-05-15 20:53:46 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8
2011-05-15 20:52:29 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2011-05-15 20:29:14 -------- d-----w- C:\Users\Ethan\AppData\Local\Microsoft_Corporation
2011-05-15 20:09:33 -------- d-----w- C:\Credenza
2011-05-15 20:08:42 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2011-05-15 20:08:42 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2011-05-14 05:07:39 -------- d-----w- C:\Users\Ethan\AppData\Roaming\Stamps.com Internet Postage
2011-05-14 05:05:51 -------- d-----w- C:\ProgramData\{4E417984-0B3D-48F3-9FA4-E1ABB0DA51B7}
2011-05-14 05:02:43 -------- d-----w- C:\ProgramData\{F74FAF01-6ED9-4DAC-8BD2-E5F7C218B43C}
2011-05-14 05:02:30 -------- d-----w- C:\ProgramData\{62A33D1A-DDB2-4FF1-AF7B-805941A55E7B}
2011-05-14 05:02:14 -------- d-----w- C:\Program Files (x86)\Stamps.com Internet Postage
2011-05-14 05:01:12 -------- d-----w- C:\Users\Ethan\AppData\Local\Seven Zip
2011-05-10 23:10:50 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2011-05-10 23:10:50 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
2011-05-09 19:52:32 -------- d-----w- C:\Windows\System32\appmgmt
2011-05-09 19:42:12 -------- d-----w- C:\Users\Ethan\AppData\Local\LexisNexis
2011-05-09 19:33:39 -------- d-----w- C:\Program Files\Microsoft SQL Server
2011-05-09 19:33:35 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server
2011-05-09 19:31:30 23360 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\tmfftb.dll
2011-05-09 19:30:14 -------- d-----w- C:\Program Files (x86)\LexisNexis
2011-05-09 19:30:12 -------- d-----w- C:\ProgramData\LexisNexis
.
==================== Find3M ====================
.
2011-06-06 00:43:20 525792 ----a-w- C:\Windows\DIFxAPI.dll
2011-06-06 00:43:06 315392 ----a-w- C:\Windows\HideWin.exe
2011-04-06 21:26:58 96544 ----a-w- C:\Windows\System32\dnssd.dll
2011-04-06 21:26:58 69408 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-04-06 21:26:58 237856 ----a-w- C:\Windows\System32\dnssdX.dll
2011-04-06 21:26:58 119584 ----a-w- C:\Windows\System32\dns-sd.exe
2011-04-06 21:20:16 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-04-06 21:20:16 75040 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-04-06 21:20:16 197920 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-04-06 21:20:16 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-03-12 22:52:03 1653760 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-03-12 21:55:52 876032 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-03-10 17:18:03 1360384 ----a-w- C:\Windows\System32\mfc42u.dll
2011-03-10 17:18:02 1398784 ----a-w- C:\Windows\System32\mfc42.dll
2011-03-10 17:03:51 1162240 ----a-w- C:\Windows\SysWow64\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- C:\Windows\SysWow64\mfc42.dll
.
============= FINISH: 8:39:57.66 ===============
Attached Files
File Type: zip Attach.zip (3.0 KB, 11 views)

__________________
esk1020 is offline  
Old 06-10-2011, 12:17 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,349
OS: XP SP3; Win7 32/64-bit



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Due to the restrictions on Vista, all tools should be started by right-click > Run as Administrator

------------------------------------------------------

It appears that you have two antivirus programs installed and running, Ad-Watch and Security Essentials. While this may seem like better protection, they can actually conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Programs and Features in your Control Panel.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click Advanced mode if not already selected.
  • Choose Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click Resident.
  • Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
  • If TeaTimer gives you a warning that changes were made, click the Allow Change box when prompted.
  • In the File menu click Exit to exit Spybot Search & Destroy.
------------------------------------------------------

If for some reason during these fixes you receive prompts from Spybot about whether to Allow or Deny any changes, please Allow them all.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

------------------------------------------------------

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
DDS::
uStart Page = hxxp://www.mail.ru/cnt/9134

Firefox::
FF - ProfilePath - C:\Users\Ethan\AppData\Roaming\Mozilla\Firefox\Profiles\l5i0hh42.default\
FF - prefs.js: keyword.URL - hxxp://go.mail.ru/search?utf8in=1&fr=fftbUFix&q=
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 06-13-2011, 05:42 PM   #3
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,349
OS: XP SP3; Win7 32/64-bit



Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
Infections / Malware / rundll32.exe error
My computer was last used by someone to download games and watch videos on the internet. The next thing I know, there were pop-ups. I am constantly getting these fake spyware removal pop ups. I tried going into control panel/add-remove programs and I get a 'rundll32.exe' error message. I used...
6one9 Resolved HJT Threads 54 05-16-2011 06:06 AM
"The memory could not be written"
Hi. I appreciate any help you could provide. Recently, I started getting an error that popped up when I run Real Player. Now, anytime I try to install a program I get an application error referencing memory at "0x71ab4a07" and am unable to complete installation. Here is the specific message when...
calbum2 Inactive Malware Help Topics 6 05-09-2011 07:32 AM
Windows 7 Recovery Problem
Hello, I first got this about a month ago as "Win 7 2011 Security Alert" which wouldn't let me open internet explorer, disabled malwarebytes and caused general chaos. I managed to get malware bytes open by running an antivirus scan (Panda) and then malware bytes could update and detect/remove...
RichieFth Virus/Trojan/Spyware Help 21 04-28-2011 01:08 PM
"Internet Protection" malware problem. Help
Hello I have a problem with my laptop which is running on Windows 7. I do not have access to the windows disc/boot disc. Two days ago a small window popped up with the title of "Internet Protection" and in the small window of it, it looked like this program was running a scan and finding...
poorscousertomy Resolved HJT Threads 11 04-17-2011 10:21 AM
XP security center
Hi, using XP SP3, with up to date AVG free. Using other PC to post this. I got the XP security center malware while browsing. I can not open exe files (but get no prompts like for missing associations for example, anything I have tried like Firefox, etc. I can navigate in windows explorer...
rgmm Resolved HJT Threads 16 04-09-2011 08:00 AM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2


All times are GMT -7. The time now is 11:14 AM.


Copyright 2001 - 2014, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts