GreenWoman

Redirected searches and slow PC

34 posts in this topic

Hello~

 

I have an issue with a slow PC and searches getting redirected. This happens on both Firefox and IE. When I click one of the links returned from a search, I get redirected to different places. Sometimes the search is hijacked to another site, and sometimes another tab opens to a survey. One example of redirection is to proxymate.com. I ran Malwarebytes and it found a couple things, which I quarantined. However, we continue to have problems. I ran it again and it found nothing. I also have McAfee installed but it does not find anything. I then ran HijackThis, results below. Below the HijackThis results are the latest Malwarebytes results.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:28:18 PM, on 12/19/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18319)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\wermgr.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\Freecorder\FLVSrvc.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe

C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe

C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.greenmanconstruction.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll

O1 - Hosts: ::1 localhost

O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)

O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\users\heather\appdata\local\temp\VBE.SH! c:\users\heather\appdata\local\temp\Excel8.SH! (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\users\heather\appdata\local\temp\VBE.SH! c:\users\heather\appdata\local\temp\Excel8.SH! (User 'Default user')

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O15 - Trusted Zone: *.isqft.com

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)

O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe (file missing)

O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

O23 - Service: Google Update Service (gupdate1c9e9728e6723c1) (gupdate1c9e9728e6723c1) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

 

--

End of file - 10090 bytes

 

And the Malwarebytes scan (run before Firefox was installed):

 

Malwarebytes' Anti-Malware 1.42

Database version: 3386

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

 

12/18/2009 5:23:42 PM

mbam-log-2009-12-18 (17-23-42).txt

 

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 363893

Time elapsed: 5 hour(s), 7 minute(s), 7 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

I appreciate any help you can provide. Thank you, Heather

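A HijackThis log like the one above is triaged by hand on forums such as this one, but the first pass (which entries point at files that no longer exist, which CLSIDs are registered as a URLSearchHook, a BHO and a toolbar at the same time, which autoruns reference a temp directory, which services report no owner) is mechanical. The script below is an added example written for this page; it is not the poster's code and not part of HijackThis, Malwarebytes or ComboFix. The sample lines are copied from the log above, the check heuristics and the `parse_hjt`, `shared_clsids`, `triage` and `summarize` function names are mine, and a finding is a prompt for a human to look, not a verdict that an entry is malicious (the Freecorder CLSID correlation, for instance, is exactly what a legitimately installed toolbar also looks like).

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log above,
# chosen so that every check below has at least one hit or miss.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run
O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\users\heather\appdata\local\temp\VBE.SH! (User 'SYSTEM')
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
"""

# Every HijackThis entry starts with a section tag (R0..R3, O1..O24), a dash, and the body.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.*)$")
# COM class identifiers appear in braces; case differs between HKCU and HKLM copies.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Turn raw HijackThis output into a list of entry dicts; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group("sec"),
            "body": body,
            "clsid": clsid.group(0).lower() if clsid else None,  # normalise case for correlation
            "file_missing": "(file missing)" in body,
        })
    return entries


def shared_clsids(entries):
    """Map each CLSID that is registered in more than one hook type to the sorted list of sections."""
    by_clsid = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            by_clsid[e["clsid"]].add(e["section"])
    return {c: sorted(s) for c, s in by_clsid.items() if len(s) > 1}


def triage(entries):
    """Return (kind, where, detail) tuples that deserve a human's attention."""
    findings = []
    for e in entries:
        # A registration whose file is gone is either leftover from an uninstall or
        # a slot something could reoccupy; either way it is worth cleaning up.
        if e["file_missing"]:
            findings.append(("missing-file", e["section"], e["body"]))
        # Autoruns that reference a temp directory are unusual for installed software.
        if e["section"] == "O4" and "\\temp\\" in e["body"].lower():
            findings.append(("autorun-from-temp", e["section"], e["body"]))
        # HijackThis prints "Unknown owner" when it cannot read a company name from the binary.
        if e["section"] == "O23" and "Unknown owner" in e["body"]:
            findings.append(("service-unknown-owner", e["section"], e["body"]))
    # One CLSID wired into URLSearchHook (R3), BHO (O2) and Toolbar (O3) at once is the
    # classic toolbar footprint; list it so the reviewer decides whether it is wanted.
    for clsid, sections in shared_clsids(entries).items():
        findings.append(("clsid-in-multiple-hooks", "+".join(sections), clsid))
    return findings


def summarize(findings):
    """Count findings per kind, handy for a quick overview before reading the details."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, where, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{kind}] {where}: {detail}")
```

Run it as-is and it reports the two `(file missing)` registrations, the SYSTEM-account `DelayShred` autorun that references a temp path, the service with no readable owner, and the Freecorder CLSID that is present as R3, O2 and O3. Feed `parse_hjt` the full log text instead of the sample to triage the whole post; the output is a reading list for the helper, and the HijackThis "fix checked" step stays a human decision.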

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

 

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

 

[this is an automated reply]


Hi,

I'm nasdaq and will be helping you.

 

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Link 1

Link 2

 

 

**Note: It is important that it is saved directly to your desktop**

 

IMPORTANT....

 

1. Close any open browsers.

 

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

 

3. Do not install any other programs until this is fixed.

 

How to : Disable Anti-virus and Firewall...

http://www.bleepingcomputer.com/forums/topic114351.html

 

Double click on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

Note:

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

 

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Nasdaq,

 

Appreciate the help, thank you. I ran ComboFix and the results are below. Tried running HijackThis again and got the following error message: "illegal operation on a registry key that has been marked for deletion". I receive this same error message for many programs, including McAfee (which I cannot turn back on), QuickBooks, Photoshop, IE, Firefox, Adobe Reader... I'm a little concerned; hopefully you can help address this. ComboFix log below:

 

ComboFix 09-12-21.08 - Heather 12/22/2009 9:52.2.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.2019 [GMT -8:00]

Running from: c:\users\Heather\Desktop\ComboFix.exe

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\$recycle.bin\S-1-5-21-1064375775-3630071985-961242188-500

c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500

c:\windows\jestertb.dll

c:\windows\system32\ndisapi.dll

c:\windows\system32\oem8.inf

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Service_Ndisrd

 

 

((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))

.

 

2009-12-21 20:13 . 2009-12-21 20:13 -------- d-----w- C:\HJT

2009-12-19 21:27 . 2009-12-19 21:27 -------- d-----w- c:\program files\Trend Micro

2009-12-18 20:12 . 2009-12-18 20:12 4844296 ----a-w- c:\users\Heather\malwarebytesbam-setup.exe

2009-12-17 05:44 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-17 05:44 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-17 05:06 . 2009-12-17 05:06 -------- d-----w- c:\users\Heather\AppData\Local\Mozilla

2009-12-16 03:37 . 2009-12-16 03:37 -------- d-----w- c:\users\Heather\AppData\Roaming\Malwarebytes

2009-12-16 03:37 . 2009-12-16 03:37 -------- d-----w- c:\programdata\Malwarebytes

2009-12-16 03:37 . 2009-12-18 20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-13 20:49 . 2009-12-13 20:49 -------- d-----w- c:\windows\Sun

2009-12-03 08:14 . 2009-12-17 05:24 -------- d-----w- c:\program files\Conduit

2009-12-03 08:14 . 2009-12-22 08:39 -------- d-----w- c:\users\Heather\AppData\Local\FLVService

2009-12-03 08:14 . 2009-12-17 05:24 -------- d-----w- c:\program files\Freecorder

2009-12-03 08:14 . 2009-12-03 08:14 -------- d-----w- c:\windows\Freecorder

2009-11-29 23:34 . 2009-11-29 23:34 -------- d-----w- c:\program files\UVMapper Professional Demo

2009-11-24 20:36 . 2009-11-24 20:36 -------- d-----w- c:\program files\Sound Forge

2009-11-24 19:46 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll

2009-11-24 18:22 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll

2009-11-24 18:22 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-19 06:52 . 2008-08-27 10:57 -------- d-----w- c:\program files\Google

2009-12-19 05:33 . 2008-11-17 05:36 -------- d-----w- c:\users\Heather\AppData\Roaming\Move Networks

2009-12-17 05:25 . 2008-08-27 13:28 304920 ----a-w- c:\windows\system32\drivers\iaStor.sys

2009-12-17 05:24 . 2008-12-31 02:58 -------- d-----w- c:\users\Heather\AppData\Roaming\vlc

2009-12-17 05:24 . 2009-11-01 07:10 -------- d-----w- c:\program files\Common Files\DAZ

2009-12-17 05:24 . 2009-06-16 20:18 -------- d-----w- c:\program files\MyPublisher

2009-12-17 00:01 . 2008-08-27 10:54 -------- d-----w- c:\programdata\Microsoft Help

2009-12-16 03:56 . 2009-12-16 03:56 1547 ----a-w- c:\program files\mbam-log-2009-12-15 (19-56-30).txt

2009-12-14 05:52 . 2008-10-10 00:54 -------- d-----w- c:\users\Heather\AppData\Roaming\Apple Computer

2009-12-14 05:52 . 2008-10-10 00:54 -------- d-----w- c:\program files\iTunes

2009-12-03 14:36 . 2009-11-10 04:51 -------- d-----w- c:\programdata\NOS

2009-12-03 04:28 . 2008-08-27 10:57 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-01 09:39 . 2009-10-27 14:23 -------- d-----w- c:\users\Heather\AppData\Roaming\FileZilla

2009-11-28 23:36 . 2008-08-27 10:46 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-11-28 23:36 . 2008-09-03 21:33 -------- d-----w- c:\program files\Sirius

2009-11-28 23:14 . 2008-08-27 10:47 -------- d-----w- c:\program files\Creative

2009-11-28 22:44 . 2008-11-11 16:52 -------- d-----w- c:\program files\Common Files\ArcSoft

2009-11-28 22:44 . 2008-11-11 16:52 -------- d-----w- c:\program files\ArcSoft

2009-11-23 00:15 . 2008-09-22 21:47 1356 ----a-w- c:\users\Heather\AppData\Local\d3d9caps.dat

2009-11-20 21:15 . 2008-08-27 10:57 -------- d-----w- c:\program files\McAfee

2009-11-15 06:10 . 2009-11-08 04:59 -------- d-----w- c:\program files\DAZ

2009-11-15 05:50 . 2009-11-06 07:07 -------- d-----w- c:\programdata\FLEXnet

2009-11-13 22:54 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

2009-11-12 06:42 . 2008-09-02 22:19 64912 ----a-w- c:\users\Heather\AppData\Local\GDIPFONTCACHEV1.DAT

2009-11-10 04:52 . 2009-11-10 04:52 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-11-08 00:25 . 2008-10-10 00:54 -------- d-----w- c:\program files\iPod

2009-11-08 00:23 . 2009-11-07 04:25 -------- d-----w- c:\program files\Bonjour

2009-11-07 04:20 . 2009-11-07 04:20 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-11-07 03:53 . 2009-11-07 03:53 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-11-07 03:52 . 2009-02-02 23:39 -------- d-----w- c:\program files\MSECache

2009-11-07 03:52 . 2009-11-07 03:52 359656 ----a-w- c:\users\Heather\msicuu2.exe

2009-11-07 02:23 . 2008-08-27 10:47 -------- d-----w- c:\program files\Dell

2009-11-07 02:21 . 2009-10-24 14:34 -------- d-----w- c:\program files\Mixxx

2009-11-07 02:13 . 2009-11-07 02:13 -------- d-----w- c:\program files\discreet

2009-11-06 21:44 . 2009-10-25 21:26 -------- d-----w- c:\program files\MioNet

2009-11-06 21:36 . 2008-08-27 10:57 -------- d-----w- c:\programdata\McAfee

2009-11-04 13:21 . 2008-08-27 10:55 -------- d-----w- c:\program files\Microsoft Works

2009-11-01 21:12 . 2009-11-01 21:12 -------- d-----w- c:\users\Heather\AppData\Roaming\PCF-VLC

2009-11-01 08:34 . 2009-11-01 08:34 -------- d-----w- c:\programdata\OptiTex

2009-11-01 07:10 . 2009-11-01 07:10 -------- d-----w- c:\users\Heather\AppData\Roaming\DAZ 3D

2009-11-01 07:09 . 2009-11-01 07:09 -------- d-----w- c:\program files\DAZ 3D

2009-11-01 06:37 . 2009-11-01 06:37 -------- d-----w- c:\programdata\McAfee Security Scan

2009-11-01 06:37 . 2009-11-01 06:37 -------- d-----w- c:\program files\McAfee Security Scan

2009-11-01 06:29 . 2009-11-01 06:29 -------- d-----w- c:\users\Heather\AppData\Roaming\Participatory Culture Foundation

2009-11-01 04:15 . 2009-11-01 04:15 -------- d-----w- c:\users\Heather\AppData\Roaming\Blender Foundation

2009-11-01 04:15 . 2009-11-01 04:15 -------- d-----w- c:\program files\Blender Foundation

2009-10-28 05:30 . 2009-10-28 05:29 -------- d-----w- c:\program files\Photoshop

2009-10-28 05:23 . 2009-10-28 05:22 318 ----a-w- c:\windows\PowerReg.dat

2009-10-27 14:23 . 2009-10-27 14:23 -------- d-----w- c:\program files\FileZilla FTP Client

2009-10-26 15:24 . 2009-10-26 15:24 2149888 ----a-w- c:\windows\system32\python26.dll

2009-10-25 21:37 . 2009-05-13 03:41 -------- d-----w- c:\users\Heather\AppData\Roaming\WD

2009-10-25 21:29 . 2009-05-13 03:30 -------- d-----w- c:\program files\Western Digital

2009-10-25 21:25 . 2009-05-13 03:31 -------- d-----w- c:\program files\Common Files\eSellerate

2009-10-25 21:25 . 2009-10-25 21:25 -------- d-----w- c:\program files\WD

2009-10-25 11:43 . 2009-10-25 11:21 -------- d-----w- c:\program files\AV Vcs 7.0 DIAMOND

2009-10-25 11:16 . 2009-10-25 11:16 -------- d-----w- c:\program files\Screaming Bee

2001-12-04 01:09 . 2008-09-04 02:40 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

2008-08-27 13:24 . 2008-08-27 13:23 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]

 

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

2009-11-10 02:38 2331672 ----a-w- c:\program files\Freecorder\tbFree.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]

 

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]

 

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]

"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-04 1394000]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-08-27 11:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup

backupExtension=.CommonStartup

 

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup

backupExtension=.CommonStartup

 

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan.lnk

backup=c:\windows\pss\McAfee Security Scan.lnk.CommonStartup

backupExtension=.CommonStartup

 

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup

backupExtension=.CommonStartup

 

[HKLM\~\startupfolder\C:^Users^Heather^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\Heather\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2007-05-11 06:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-09-04 20:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-03 12:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]

2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]

2008-02-20 01:05 591696 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON64022E]

2008-03-04 22:00 188928 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIEKA.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2008-03-06 07:58 166424 ----a-w- c:\windows\System32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2007-03-21 18:00 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2008-03-06 07:58 141848 ----a-w- c:\windows\System32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-10-29 04:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]

2008-03-04 05:05 36864 ----a-w- c:\windows\OEM02Mon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

2007-12-21 15:58 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2008-03-06 07:58 133656 ----a-w- c:\windows\System32\igfxpers.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Anywhere Backup]

2008-11-07 19:20 197856 ----a-w- c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]

2008-07-24 22:22 450560 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

 

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [8/27/2008 5:28 AM 111616]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [1/20/2008 6:23 PM 16896]

R3 WSDScan;WSD Scan Support via UMB;c:\windows\System32\drivers\WSDScan.sys [1/20/2008 6:23 PM 19968]

S2 gupdate1c9e9728e6723c1;Google Update Service (gupdate1c9e9728e6723c1);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2009 6:24 PM 133104]

S4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [8/26/2008 9:32 PM 73728]

S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [11/7/2008 11:20 AM 25824]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mail.greenmanconstruction.net/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html

Trusted Zone: internet

Trusted Zone: isqft.com

Trusted Zone: isqft.com\www

Trusted Zone: mcafee.com

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

Trusted Zone: isqft.com\www

FF - ProfilePath - c:\users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\zexm5b5u.default\

FF - prefs.js: browser.startup.homepage - mail.greenmanconstruction.net

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\users\Heather\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-Adobe_ID0EYTHM - c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

MSConfigStartUp-ArcSoft Connection Service - c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

MSConfigStartUp-MioNet - c:\program files\MioNet\MioNetLauncher.exe

MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

AddRemove-Adobe_4dcfd9b7e901b57f81f667144603236 - c:\program files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Setup.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-22 10:05

Windows 6.0.6001 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'Explorer.exe'(6036)

c:\users\Heather\AppData\Local\FLVService\lib\FLVSrvLib.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\system32\WLANExt.exe

c:\program files\Common Files\EPSON\eEBAPI\eEBSVC.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\windows\system32\STacSV.exe

c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\ehome\ehmsas.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\DellTPad\HidFind.exe

c:\windows\system32\WerCon.exe

c:\program files\DellTPad\Apntex.exe

c:\windows\system32\wermgr.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\windows\servicing\TrustedInstaller.exe

.

**************************************************************************

.

Completion time: 2009-12-22 10:23:48 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-22 18:23

 

Pre-Run: 94,896,279,552 bytes free

Post-Run: 96,036,528,128 bytes free

 

- - End Of File - - 040B62A774E017275B2CF9C41F918150


Let's use this online scanner (don't worry, it doesn't delete anything, it only detects).

 

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

 

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

 

Click Yes, when prompted to install its ActiveX component.

(Note: for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)

The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information on the report.

[screenshot: Kas-SaveReport-1.gif]

[screenshot: Kas-Savetxt.gif]

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.



Can you post the log generated by the scan?


Sorry, yes, working on it. Accidentally hit send. It was odd... I was getting an error when I tried to open any program, but then rebooted my PC and now all is fine. Working on Kaspersky now... do I need to disable McAfee again?


Nasdaq - free virus scan is currently unavailable, unless I'm missing something

"Coming soon:

A new, improved version of the

Kaspersky Online Scanner

The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience. While you are waiting for the improved Online Scanner, why not try a free trial of Kaspersky Internet Security 2010, which has everything you need to keep your computer safe." Suggestions?


I'm a dork. Hijackthis is now working, as my other programs are. Here is the log, hopefully this helps:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:07:15 PM, on 12/22/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18319)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\WLTRAY.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\Freecorder\FLVSrvc.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\WerFault.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Windows\system32\wermgr.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.greenmanconstruction.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll

O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)

O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O15 - Trusted Zone: *.isqft.com

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)

O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe (file missing)

O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

O23 - Service: Google Update Service (gupdate1c9e9728e6723c1) (gupdate1c9e9728e6723c1) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

 

--

End of file - 8875 bytes


Glad to see that all is well.

 

Just one last security check.

 

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===

 

Please read this Prevention page with lots of info and tips on how to prevent this in the future.

How did I get infected in the first place?

http://spywareinfoforum.com/index.php?showtopic=60955

 

Time for some housekeeping


  • The following will implement some cleanup procedures as well as reset System Restore points:
     
    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
     
    ComboFix /Uninstall

===


Nasdaq: security check results below. Still odd... my google searches are now getting hijacked a different way... a new tab opens in firefox whereas previously the search was redirected in the same tab. In a yahoo search, the search is redirected in the same tab. In both google and yahoo, the search often gets redirected not with the first result I click on, but after I go 'back' to the search results and then click on another link. In google, a new tab also opens sometimes to a survey for whatever site I'm on. For example, when I do a google search in IE, a new tab opens with 'google survey'. If I searched for routers, a new page would open saying 'router survey'. This also happened in IE when I was not actively searching. I had my browser open and was not on the PC, and a new tab just randomly opened. This was after I ran HijackThis, spybot, combofix, etc. This does not happen in Firefox.

 

Anyway... here are the security check results:

 

Results of screen317's Security Check version 0.99.1

Windows Vista Service Pack 1 (UAC is enabled)

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

McAfee Security Scan

McAfee SecurityCenter

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 9.2

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

 

`````````End of Log```````````

 

Appreciate all your assistance...thank you so much for helping me!

 

Heather


Please download JavaRa

 

If you get this message:

Problems with the download? Please use this direct link or try another mirror.

 

Select the Direct link download unzip it to your Desktop.

 

Double click JavaRa.exe then click Remove Older Versions.

 

Follow any prompts; a log will pop up (JavaRa.log) -- please post the contents of this log.

 

Next, open JavaRa.exe again, and select Search For Updates.

 

Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Download this one JRE 6 Update 17.

 

In Vista and Windows 7 run the tool as Administrator.

 

ADOBE - Reader and Flash Players.

 

Visit Link to ADOBE

and download the latest version of Acrobat Reader.

Having the latest updates ensures there are no security vulnerabilities in your system.

 

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions

http://www.adobe.com/support/security/advisories/apsa09-07.html

Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue.

 

Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:

1. Launch Acrobat or Adobe Reader.

2. Select Edit>Preferences

3. Select the JavaScript Category

4. Uncheck the 'Enable Acrobat JavaScript' option

5. Click OK

 

===

 

Security updates available for Adobe Flash Player.

http://www.adobe.com/support/security/bulletins/apsb09-19.html

 

Adobe recommends all users of Adobe Flash Player 10.0.32.18 and earlier versions upgrade to the newest version 10.0.42.34 by downloading it from the Flash Player Download Center or by using the auto-update mechanism within the product when prompted...

Adobe Flash Player version 10.0.42.34

http://get.adobe.com/flashplayer/

 

p.s. If you do not want the Free McAfee Security Scan (optional) make sure you remove the mark in the check box.

===

 

Please download GMER from http://www2.gmer.net/tmp/gmer.exe

 

Close any open programs/windows!

 

Open the program and click on the Rootkit/Malware tab.

 

Make sure all the boxes on the right of the screen are checked, apart from 'Show All'.

[screenshot: 2wg8via.gif]

 

Click on Scan (1).

[screenshot: jijosi.gif]

 

When the scan has run click Copy (2) and paste the results (if any) into this thread.


Nasdaq,

 

I could not find the JavaRa.log files anywhere, and they did not auto pop open. I did update to the latest version of Java, disabled the Java per instructions in Adobe and upgraded Adobe Flash. As I'm typing this, Malwarebytes just popped up saying that it blocked access to a suspicious IP... two different IPs have come up in this alert, which in this case happened when I was on a webpage, not doing a google or yahoo search (sometimes Malwarebytes stops the browser redirect and sometimes not). In any case... here are the GMER results:

 

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit quick scan 2009-12-25 22:20:36

Windows 6.0.6001 Service Pack 1

Running: gmer.exe; Driver: C:\Users\Heather\AppData\Local\Temp\kwlorkob.sys

 

 

---- System - GMER 1.0.15 ----

 

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x99D1779E]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x99D17738]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x99D1774C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x99D177DC]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x99D1781F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x99D17710]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x99D17724]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x99D177B2]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x99D17847]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x99D17833]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x99D1778A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x99D17776]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x99D1780B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x99D177F2]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x99D177C8]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x99D17762]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

 

---- Devices - GMER 1.0.15 ----

 

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

 

AttachedDevice mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

 

Device -> \Driver\iaStor \Device\Harddisk0\DR0 85717618

 

---- Files - GMER 1.0.15 ----

 

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

 

---- EOF - GMER 1.0.15 ----

 

Thank you again!


Looks like the iaStor.sys file was modified. Let's see if you have other copies on your computer.

 

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
     

    :filefind
    iaStor.sys
     
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Thanks, Nasdaq. Firefox browser was left open during SystemLook Scan...please advise if I need to run again with browser closed. Following are the results:

 

SystemLook v1.0 by jpshortstuff (29.08.09)

Log created at 12:15 on 26/12/2009 by Heather (Administrator - Elevation successful)

 

========== filefind ==========

 

Searching for "iaStor.sys"

C:\Drivers\storage\R166200\iastor.sys --a--- 304920 bytes [13:20 27/08/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16

C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 381720 bytes [10:52 27/08/2008] [17:59 21/03/2007] 9D7ED4275702E2FC409F2CC563245740

C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 304920 bytes [10:52 27/08/2008] [17:58 21/03/2007] 997E8F5939F2D12CD9F2E6B395724C16

C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys --a--- 304920 bytes [13:28 27/08/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16

C:\Windows\System32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys --a--- 304920 bytes [13:28 27/08/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16

C:\Windows\System32\drivers\iaStor.sys --a--- 304920 bytes [13:28 27/08/2008] [05:25 17/12/2009] 997E8F5939F2D12CD9F2E6B395724C16

 

-=End Of File=-

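The SystemLook listing above puts six copies of iaStor.sys side by side, and the question the helper is working toward is which one is the odd one out. The script below is an added example for this thread (it is not SystemLook's code and not the helper's procedure): it parses filefind result lines and flags copies on two signals, a minority MD5 among same-size copies and a last-write time later than the creation time. The sample log is constructed from the values posted above.

```python
"""Cross-check the copies of a driver listed by a SystemLook ':filefind' run.

Added example for this thread (not SystemLook's code and not the helper's):
it parses filefind result lines, groups the copies and flags the ones that
deserve a closer look.  SAMPLE_LOG is constructed from the values in the
log posted above.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the six iaStor.sys hits from the posted SystemLook log.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 12:15 on 26/12/2009 by Heather (Administrator - Elevation successful)

========== filefind ==========

Searching for "iaStor.sys"
C:\Drivers\storage\R166200\iastor.sys --a--- 304920 bytes [13:20 27/08/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 381720 bytes [10:52 27/08/2008] [17:59 21/03/2007] 9D7ED4275702E2FC409F2CC563245740
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 304920 bytes [10:52 27/08/2008] [17:58 21/03/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys --a--- 304920 bytes [13:28 27/08/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys --a--- 304920 bytes [13:28 27/08/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\Windows\System32\drivers\iaStor.sys --a--- 304920 bytes [13:28 27/08/2008] [05:25 17/12/2009] 997E8F5939F2D12CD9F2E6B395724C16

-=End Of File=-
"""

# One filefind result line, as SystemLook prints it:
#   <path> <attributes> <size> bytes [<created>] [<modified>] <MD5>
# The first bracketed stamp is the creation time, the second the last write.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
TIME_FMT = "%H:%M %d/%m/%Y"


def parse_filefind(log_text):
    """Return one dict per result line; header and footer lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "path": m["path"],
            "size": int(m["size"]),
            "created": datetime.strptime(m["created"], TIME_FMT),
            "modified": datetime.strptime(m["modified"], TIME_FMT),
            "md5": m["md5"].lower(),
        })
    return records


def analyze_copies(records):
    """Flag copies on two independent signals.

    hash_minority: the MD5 differs from the most common MD5 among copies of
    the same size.  Size is part of the key because a different build (the
    64-bit Driver64 copy above) legitimately has a different hash.

    modified_after_install: the last write is later than the creation time.
    A driver dropped in by the installer keeps its original last-write time,
    so a later write means something rewrote the file in place.
    """
    by_size = {}
    for r in records:
        by_size.setdefault(r["size"], []).append(r)

    hash_minority = []
    for same_size in by_size.values():
        majority, _ = Counter(r["md5"] for r in same_size).most_common(1)[0]
        hash_minority += [r["path"] for r in same_size if r["md5"] != majority]

    modified_after_install = [
        r["path"] for r in records if r["modified"] > r["created"]
    ]
    return {
        "distinct_hashes": sorted({r["md5"] for r in records}),
        "hash_minority": hash_minority,
        "modified_after_install": modified_after_install,
    }


if __name__ == "__main__":
    verdict = analyze_copies(parse_filefind(SAMPLE_LOG))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

On the posted log this reports no hash outliers but flags C:\Windows\System32\drivers\iaStor.sys, whose last write moved to 17/12/2009 while its MD5 still equals the DriverStore copies. A hash read through a possibly compromised system's own file I/O is not by itself a clean bill of health, which is why GMER's "suspicious modification" still deserved the follow-up.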

Please submit the file in bold to the following link for a scan, then post the results in your next message for me to see.

http://virusscan.jotti.org/

 

C:\Windows\System32\drivers\iaStor.sys


Here you go, thank you:

 

Filename: iaStor.sys

Status:

Scan finished. 0 out of 21 scanners reported malware.

Scan taken on: Sun 27 Dec 2009 19:22:27 (CET) Permalink

 

File size: 304920 bytes

Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit

MD5: 997e8f5939f2d12cd9f2e6b395724c16

SHA1: 31901f9ced1659e73d001ef9b729d7ed4e110797


Stay with me. I am conferencing with the experts to see what my next step is.


Please follow these directives. Make sure you use the Copy and Paste function so as to not make any mistake in the transcript.

 

Click START > RUN > type cmd and hit OK

At the prompt Copy&Paste the complete text in BOLD below and hit ENTER:

 

Copy C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys C:\IaStor.sys <- Find a good copy first.

 

next:

 

Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

 

Copy all the text in Bold contained in the code box below (including the first line, which is a command to the tool, Files to delete:) to your Clipboard by highlighting it and pressing Ctrl+C:

 

Files to move:

C:\IaStor.sys | C:\windows\System32\drivers\IaStor.sys

 

-- Now, DoubleClick avenger.exe on your desktop to run it

-- Read the Warning Prompt and press OK

-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste

-- Press Execute

-- Answer YES to the confirmation prompts and allow your computer to reboot.

In some cases, The Avenger will reboot your machine a second time. No worries.

-- After reboot, The Avenger should open a log - please post that for me and let me know if that had any effect on the problem.

 

As in post no. 14, please run GMER again and include the results in your next post.

 

Let me know if the problem persists.


Nasdaq, when I type Copy C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys C:\IaStor.sys I get an error message that the system cannot find the file specified.

 

I did look in my program files...found the file and verified the path is correct.

 

Not sure if it helps, but I tried several variations of the copy command in DOS... Copy from [C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys] to [C:\IaStor.sys] and Copy C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys to C:\IaStor.sys. Also tried it without the [], same error.

 

Please advise, thank you.


Try this. I removed the \ after C:

 

Copy C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys C:IaStor.sys


C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys

 

Look at the property of the file and remove any restrictions set on it.


I changed permissions on both the C drive and subfolders and the specific folder for IaStor.sys for both admin and user (me) to have full access. Same error in DOS, even after I rebooted. Am I doing something wrong? Right click on file, Properties. Ensure attributes for Hidden and Read Only are unchecked, and that on the 'Security' tab, Full Control and all options (except Special Permissions) are allowed. Cannot check 'Special Permissions' for System, Admin or User.


Try this again.

 

Click START > RUN > type cmd and hit OK

At the prompt Copy&Paste the complete text in BOLD below and hit ENTER:

 

Copy C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys C:\IaStor.sys

 

If the file exists then accept the copy.

 

Do you see the file in C: ?


Same error message... "the system cannot find the file specified". I double checked the path name and it is correct. Can I just copy the file from its current path to c:/ in windows rather than in DOS?


No luck... I get an error message reading "0x80070522" "A required privilege is not held by the client".

 

Given the error messages in DOS trying to copy the file ("system cannot find specified file") I tried looking for the files via the directory command.

 

When I entered Dir C:\, DOS found the subfolders. But when I entered Dir C:\Program Files I got a 'file not found' message.

 

I'm taking a stab in the dark here... I don't know much about PCs and am flying blindly on Google searches and your advice. I don't even know if I'm doing the DOS commands correctly, really. Shouldn't the Program Files folder show up in DOS? I also tried Dir C:\Program Files\Intel\Intel Matrix Storage Manager and got the 'system cannot find the path specified' message.

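The failures reported above (both copy and dir failing as soon as the path reaches "Program Files") are what an unquoted path with spaces produces in cmd.exe: built-in commands split the line at whitespace, so COPY looks for a file called C:\Program. This is an added example, not part of the thread or of any tool mentioned in it; it shows the split, builds the quoted form of the responder's command, and adds a SHA1 check for the "good copy" he asks for (the expected hash is a placeholder the helper would supply, and the sample bytes are constructed).

```python
"""Added example: unquoted Windows paths in cmd.exe, and a hash check
before staging a replacement driver. Paths are those from the thread."""
import hashlib
import subprocess
from pathlib import Path

SRC = r"C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys"
DST = r"C:\IaStor.sys"


def cmd_tokens(line: str) -> list[str]:
    """Split a command line the way cmd.exe built-ins such as COPY and DIR
    do: at whitespace, unless the text sits inside double quotes."""
    tokens, cur, in_quote = [], "", False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def copy_command(src: str, dst: str) -> str:
    """Build the COPY line with each argument quoted as needed; list2cmdline
    follows the MS C runtime quoting rules, so paths with spaces are quoted."""
    return subprocess.list2cmdline(["copy", src, dst])


def is_good_copy(data: bytes, expected_sha1: str) -> bool:
    """True only if the candidate file matches the known-good SHA1 the
    helper supplies (placeholder here); a mismatch means keep looking."""
    return hashlib.sha1(data).hexdigest().lower() == expected_sha1.lower()


def stage_good_copy(src: Path, dst: Path, expected_sha1: str) -> bool:
    """Copy the driver to the staging location only after the hash check."""
    data = src.read_bytes()
    if not is_good_copy(data, expected_sha1):
        return False
    dst.write_bytes(data)
    return True


if __name__ == "__main__":
    print(cmd_tokens(f"copy {SRC} {DST}")[1])   # what COPY actually looks for
    print(copy_command(SRC, DST))                # the form that works
```

On Vista, writing to the root of C: also needs an elevated prompt, which is the 0x80070522 error seen later in the thread.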

Open your computer and navigate to the Program Files folder.

 

Look at the properties.

Under the General Tab Remove the Read Only attribute if set, click the apply button.

 

Under the Security Tab

For both the Administrator and User

Click the Edit button.

Click the full control box and click the apply button.

Do this for the Admin and User.

 

Where do we stand now?


Nasdaq,

 

I encountered problems with the security tab - the allow and deny boxes were grayed out even after I clicked edit and highlighted 'admin' or 'user'. I just wanted to thank you for your help... I ended up calling a local IT company who ran a couple of diagnostics remotely (one of which was ComboFix... also noticed GMER and HJT as part of his arsenal) and he too thought it was the IaStor.sys file. I'm sure I don't need to tell you this, but I wanted to thank you for your time and assistance, and for whatever it's worth, I think you were right on the money with the problem. I'm having the IT guy come onsite for a complete fix. Thank you again for your help. At least I know I'm justified spending the cash to have it fixed. I'll shoot for a donation once my PC is fixed... now I'm paranoid about key logging. Thank you again, and please keep the site going.

 

Heather


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

This topic is now closed to further replies.