Hi,
I have a client with a computer (Dell Vista 32 bit) that was very infected.
I've gone through the CH process (see logs). SAS and MBAM found and cleaned several infections. I believe all is well now, except that while surfing to some sites (Adobe downloads, for example) both Chrome and IE get redirected to/by "antimalwarelist", showing a screen of a cop with a stop sign and two options.
I have not clicked on either option which I know will reinstall the Trojans again.
Any help in getting rid of this redirector would be appreciated.
Thanks
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/30/2010 at 04:13 PM
Application Version : 4.45.1000
Core Rules Database Version : 5786
Trace Rules Database Version: 3598
Scan type : Quick Scan
Total Scan Time : 00:18:55
Memory items scanned : 823
Memory threats detected : 0
Registry items scanned : 2542
Registry threats detected : 1
File items scanned : 23208
File threats detected : 47
Adware.Tracking Cookie
C:\Users\Ken\AppData\Roaming\Microsoft\Windows\Cookies\ken@doubleclick[1].txt
2mdn.net [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
ads1.msn.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
bc.youporn.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
cdn4.specificclick.net [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
ia.media-imdb.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
interclick.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
media.amateurs-gone-wild.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
media.mtvnservices.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
media1.break.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
msnbcmedia.msn.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
naiadsystems.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
secure-us.imrworldwide.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
serving-sys.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
static.youporn.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
udn.specificclick.net [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
vitamine.networldmedia.net [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
www.sexyandfunny.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
wwwstatic.megaporn.com [ C:\Users\Ken\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LEKV3WPQ ]
media1.break.com [ C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NL4NG7GX ]
secure-us.imrworldwide.com [ C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NL4NG7GX ]
serving-sys.com [ C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NL4NG7GX ]
vitamine.networldmedia.net [ C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NL4NG7GX ]
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@doubleclick[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@advertise[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bizzclick[1].txt
Rogue.WebMediaViewer
HKU\S-1-5-21-47103783-835471953-4048443338-1001\Software\WebMediaViewer
Trojan.Agent/Gen-MSFake
C:\WINDOWS\AVP.EXE
C:\WINDOWS\TEMP\SETUP.EXE
C:\WINDOWS\TEMP\SYSTEM.EXE
C:\WINDOWS\TEMP\WINAMP.EXE
C:\WINDOWS\TEMP\XBSCG92MXC.EXE
C:\WINDOWS\USER.EXE
C:\WINDOWS\WIN.EXE
Trojan.Agent/Gen-FakeAlert[HotFix]
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\HOTFIX.EXE
Trojan.Agent/Gen
C:\WINDOWS\SYSTEM32\FSC96H4.DLL
Trojan.Smitfraud Variant-Gen/Bensorty
C:\WINDOWS\SYSTEM32\XJCQHJME7.DLL
Trojan.Agent/Gen-FSG
C:\WINDOWS\TEMP\1083904053.EXE
C:\WINDOWS\TEMP\YF0RY.EXE
Trojan.Unclassified/IExplorer-Fake
C:\WINDOWS\TEMP\IEXPLORER.EXE
Trojan.SVCHost/Fake
C:\WINDOWS\TEMP\SVCHOST.EXE
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5008
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18975
31/10/2010 3:13:29 PM
mbam-log-2010-10-31 (15-13-29).txt
Scan type: Quick scan
Objects scanned: 1
Time elapsed: 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:27:19 PM, on 31/10/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\wscript.exe
C:\Users\Ken\Desktop\StandardCopy\Hijacgoodfor7.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/default.aspx?lang=en-CA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
O4 - HKLM\..\Run: [ConnectionManager] C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [HandsFreeCApp] C:\Program Files\HandsFree\Client\capp.exe -r
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c95ca58ab59120) (gupdate1c95ca58ab59120) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HandsFree Client - Unknown owner - C:\Program Files\HandsFree\Client\srvc.exe (file missing)
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
O23 - Service: Simply Accounting Database Connection Manager - Sage - C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
O23 - Service: Simply Accounting Transaction Manager 2010 - CDN - Sage - C:\Program Files\Winsim\TransactionManager2010 - CDN\Sage_SA.TransactionManager.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9575 bytes