
Browser Redirect Problem


This topic is locked
11 replies to this topic

#1 john1999

john1999

  • Members
  • 11 posts

Posted 16 February 2009 - 05:47 PM

Hi,
I am having a browser hijack that affects Google search results in IE only. The hijack is not happening on Firefox. I ran McAfee virus scan and Spybot S&D. I ran SDFix according to the tutorial and it is still happening. The HijackThis logfile is as follows:

--------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:34 PM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080611
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080611
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080611
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: (no name) - {C3C267A9-D113-494C-B8A5-B9D077D7E35B} - C:\WINDOWS\system32\bypass_id.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1220029147640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231876200906
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4144C2-2128-4E2C-BC79-7DC5FB7D0C6F}: NameServer = 130.108.1.20,130.108.128.200
O17 - HKLM\System\CS1\Services\Tcpip\..\{6E4144C2-2128-4E2C-BC79-7DC5FB7D0C6F}: NameServer = 130.108.1.20,130.108.128.200
O17 - HKLM\System\CS2\Services\Tcpip\..\{6E4144C2-2128-4E2C-BC79-7DC5FB7D0C6F}: NameServer = 130.108.1.20,130.108.128.200
O20 - AppInit_DLLs: TSCUGP.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JTVNCProxy (JTVNCProxy_10.0) - Unknown owner - C:\Program Files\Freedom Scientific\JAWS\10.0\JTVNCProxy.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11978 bytes

------------------------------------------------------------

Do advise. Thanks.

Edited by john1999, 17 February 2009 - 02:02 PM.
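As an added example (not code from this thread, from HijackThis or from BleepingComputer), here is a small Python triage script that parses HijackThis entry lines like the ones posted above and flags the kinds of entries a malware-response helper checks first: an O2 BHO with no registered name, any O20 AppInit_DLLs value, and O17 NameServer addresses that are not on a trusted list. The sample lines are copied from the log above; the review rules, the severity labels and the trusted-nameserver list are assumptions of the example, and the script only ranks entries for a person to verify, it does not decide what is malicious.

```python
"""Triage helper for HijackThis-style log entries (added example).

This is not code from the thread, from HijackThis or from BleepingComputer.
It reads the "On - ..." entry lines HijackThis writes and applies a few
defender-side review rules that mirror what a malware-response helper checks
first. It only ranks entries for a human to verify against known-good
data; it never decides "malicious" on its own.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = """\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\\Program Files\\Google\\Google Toolbar\\GoogleToolbar.dll
O2 - BHO: (no name) - {C3C267A9-D113-494C-B8A5-B9D077D7E35B} - C:\\WINDOWS\\system32\\bypass_id.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\\Program Files\\Google\\Google Toolbar\\GoogleToolbar.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{6E4144C2-2128-4E2C-BC79-7DC5FB7D0C6F}: NameServer = 130.108.1.20,130.108.128.200
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{6E4144C2-2128-4E2C-BC79-7DC5FB7D0C6F}: NameServer = 130.108.1.20,130.108.128.200
O20 - AppInit_DLLs: TSCUGP.dll
"""

# "O2 - BHO: ..." / "R1 - HKCU\..." / "F2 - ..." entry lines; everything else is ignored.
ENTRY_RE = re.compile(r"^(O\d+|R[0-3]|F\d)\s+-\s+(.*)$")
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,]+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O2"
    severity: str  # "high" = act first, "review" = confirm against known-good data
    reason: str
    detail: str


def parse_entries(text):
    """Yield (section, body) for each HijackThis entry line in the log text."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text, trusted_nameservers=()):
    """Return the Findings for a log, in log order, without duplicates.

    trusted_nameservers: DNS server addresses known to belong to the network
    (supplied by the caller; O17 entries pointing elsewhere are flagged).
    """
    findings = []
    seen = set()

    def add(finding):
        if finding not in seen:      # CCS/CS1/CS2 repeat the same O17 line
            seen.add(finding)
            findings.append(finding)

    for section, body in parse_entries(text):
        if section == "O2":
            m = BHO_RE.match(body)
            if not m:
                continue
            name, path = m.group("name"), m.group("path")
            if name == "(no name)":
                # A BHO registered without a name is what the helper in this thread removed.
                add(Finding("O2", "high", "BHO registered without a name", path))
            elif path.lower().startswith("c:\\windows\\"):
                # Legitimate BHOs normally live under Program Files, not the Windows tree.
                add(Finding("O2", "review", "BHO loads from the Windows directory", path))
        elif section == "O20":
            m = APPINIT_RE.match(body)
            if m and m.group("dlls").strip():
                # Any AppInit_DLLs value is loaded into every process that uses user32.dll.
                add(Finding("O20", "review", "AppInit_DLLs entry present", m.group("dlls").strip()))
        elif section == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                unknown = [s for s in m.group("servers").split(",") if s not in trusted_nameservers]
                if unknown:
                    add(Finding("O17", "review", "NameServer not on the trusted list", ",".join(unknown)))
    return findings


if __name__ == "__main__":
    # Assumed trusted list: only the first resolver, so the second one is shown for review.
    for f in triage(SAMPLE_LOG, trusted_nameservers=("130.108.1.20",)):
        print(f"[{f.severity:6}] {f.section}: {f.reason} -> {f.detail}")
```

Run as a script it prints the three findings for the sample; pass the full log text and your own trusted resolver addresses to `triage()` to get the same ranking for a real log. The O4 run keys and O23 services are deliberately left to a known-good list lookup, since on this machine they are all recognisable vendor entries.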



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 February 2009 - 03:10 AM

Hi,

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Edited by miekiemoes, 17 February 2009 - 03:10 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 john1999

john1999
  • Topic Starter

  • Members
  • 11 posts

Posted 17 February 2009 - 11:39 AM

Here is the log from ComboFix:

------------------------------------

ComboFix 09-02-15.01 - User1 2009-02-17 11:35:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2595 [GMT -5:00]
Running from: c:\documents and settings\User1\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-16 17:12 . 2009-02-16 17:12 <DIR> d-------- c:\windows\ERUNT
2009-02-16 17:07 . 2009-02-16 17:21 <DIR> d-------- C:\SDFix
2009-02-16 16:46 . 2009-02-16 16:46 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 12:08 . 2009-02-16 17:07 <DIR> d-------- C:\QUARANTINE
2009-02-11 14:00 . 2009-02-11 14:00 <DIR> d-------- c:\windows\SQL9_KB960089_ENU
2009-02-11 10:29 . 2009-02-16 10:10 <DIR> d-------- C:\Nationwide
2009-02-10 15:24 . 2009-02-10 15:24 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-02-10 15:20 . 2008-05-16 21:58 96,256 --a------ c:\windows\system32\bypass_id.dll
2009-02-09 13:50 . 2009-02-12 15:26 <DIR> d-------- C:\CCL
2009-02-06 12:56 . 2008-10-06 13:50 5,282 --a------ c:\windows\my.ini
2009-02-05 15:31 . 2009-02-05 15:31 <DIR> d-------- c:\program files\BBN
2009-02-05 15:29 . 2009-02-05 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\MySQL
2009-02-05 15:00 . 2009-02-05 15:04 <DIR> d-------- C:\SABRE
2009-02-05 14:51 . 2009-02-05 14:51 <DIR> d-------- c:\documents and settings\User1\Application Data\Leadertech
2009-02-05 13:13 . 2009-02-05 13:13 <DIR> d-------- C:\NeverwinterNights
2009-02-05 11:18 . 2009-02-05 11:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-05 11:12 . 2009-02-05 11:12 <DIR> d-------- c:\program files\Common Files\Control Panels
2009-02-05 11:09 . 2009-02-05 11:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-02-05 11:00 . 2007-02-20 16:04 2,463,976 --a------ c:\windows\system32\NPSWF32.dll
2009-02-05 11:00 . 2007-02-20 16:04 190,696 --a------ c:\windows\system32\NPSWF32_FlashUtil.exe
2009-02-05 10:51 . 2009-02-05 10:51 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-01-30 16:23 . 2009-01-30 16:23 <DIR> d-------- c:\documents and settings\User1\Application Data\QuosaDDM
2009-01-30 12:14 . 2009-02-11 14:52 <DIR> d-------- C:\nih
2009-01-27 10:45 . 2009-01-27 10:51 <DIR> d-------- C:\UPATWIN09
2009-01-26 17:04 . 2009-01-26 17:08 <DIR> d-------- C:\PROPOSALINFORMATION

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 20:27 --------- d-----w c:\documents and settings\User1\Application Data\Apple Computer
2009-02-12 18:43 --------- d-----w c:\program files\Port Explorer
2009-02-11 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-11 19:01 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-10 20:24 --------- d-----w c:\program files\Google
2009-02-09 19:04 --------- d-----w c:\documents and settings\User1\Application Data\MySQL
2009-02-05 20:29 --------- d-----w c:\program files\MySQL
2009-02-05 20:08 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-05 18:15 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-05 16:12 --------- d-----w c:\program files\Common Files\Adobe
2009-01-17 02:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-14 19:52 --------- d-----w c:\program files\TechSmith
2009-01-14 19:52 --------- d-----w c:\program files\Common Files\TechSmith Shared
2009-01-13 19:47 --------- d-----w c:\program files\Microsoft Works
2009-01-13 19:46 --------- d-----w c:\program files\Microsoft.NET
2009-01-13 19:45 --------- d-----w c:\program files\Microsoft Visual Studio 8
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3C267A9-D113-494C-B8A5-B9D077D7E35B}]
2008-05-16 21:58 96256 --a------ c:\windows\system32\bypass_id.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-10 68856]
"Google Update"="c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-13 8523776]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-11 1015808]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-10 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-10-20 53248]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-10-20 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-02-05 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=TSCUGP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Documents and Settings\\User1\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\TechSmith\\Morae\\MoraeRecorder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\NeverwinterNights\\NWN\\nwserver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 msfioyog;msfioyog;c:\windows\system32\drivers\msfioyog.sys [2004-08-11 23424]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-09-12 34592]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-06-14 17408]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 79168]
S3 JTVNCProxy_10.0;JTVNCProxy;c:\program files\Freedom Scientific\JAWS\10.0\JTVNCProxy.exe [2008-10-23 17176]
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4187821104-4080160505-1192498674-1005.job
- c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 09:33]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080611
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080611
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {6E4144C2-2128-4E2C-BC79-7DC5FB7D0C6F} = 130.108.1.20,130.108.128.200
FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\aj52ei8g.default\
FF - plugin: c:\documents and settings\User1\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnipp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 11:35:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql]
"ImagePath"="c:\xampp\mysql\bin\mysqld-nt --defaults-file=c:\xampp\mysql\bin\my.cnf mysql"
.
Completion time: 2009-02-17 11:36:40
ComboFix-quarantined-files.txt 2009-02-17 16:36:38

Pre-Run: 468,379,316,224 bytes free
Post-Run: 468,369,022,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

177 --- E O F --- 2009-02-11 19:03:55

Edited by john1999, 17 February 2009 - 02:00 PM.


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 February 2009 - 11:45 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\drivers\msfioyog.sys
c:\windows\system32\bypass_id.dll
Driver::
msfioyog
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3C267A9-D113-494C-B8A5-B9D077D7E35B}]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#5 john1999

john1999
  • Topic Starter

  • Members
  • 11 posts

Posted 17 February 2009 - 12:05 PM

Here is the log after using CFScript:

----------------------------------------

ComboFix 09-02-15.01 - User1 2009-02-17 11:57:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2543 [GMT -5:00]
Running from: c:\documents and settings\User1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User1\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\system32\bypass_id.dll
c:\windows\system32\drivers\msfioyog.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bypass_id.dll
c:\windows\system32\drivers\msfioyog.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSFIOYOG
-------\Service_msfioyog


((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-16 17:12 . 2009-02-16 17:12 <DIR> d-------- c:\windows\ERUNT
2009-02-16 17:07 . 2009-02-16 17:21 <DIR> d-------- C:\SDFix
2009-02-16 16:46 . 2009-02-16 16:46 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 12:08 . 2009-02-16 17:07 <DIR> d-------- C:\QUARANTINE
2009-02-11 14:00 . 2009-02-11 14:00 <DIR> d-------- c:\windows\SQL9_KB960089_ENU
2009-02-11 10:29 . 2009-02-16 10:10 <DIR> d-------- C:\Nationwide
2009-02-10 15:24 . 2009-02-10 15:24 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-02-09 13:50 . 2009-02-12 15:26 <DIR> d-------- C:\CCL
2009-02-06 12:56 . 2008-10-06 13:50 5,282 --a------ c:\windows\my.ini
2009-02-05 15:31 . 2009-02-05 15:31 <DIR> d-------- c:\program files\BBN
2009-02-05 15:29 . 2009-02-05 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\MySQL
2009-02-05 15:00 . 2009-02-05 15:04 <DIR> d-------- C:\SABRE
2009-02-05 14:51 . 2009-02-05 14:51 <DIR> d-------- c:\documents and settings\User1\Application Data\Leadertech
2009-02-05 13:13 . 2009-02-05 13:13 <DIR> d-------- C:\NeverwinterNights
2009-02-05 11:18 . 2009-02-05 11:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-05 11:12 . 2009-02-05 11:12 <DIR> d-------- c:\program files\Common Files\Control Panels
2009-02-05 11:09 . 2009-02-05 11:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-02-05 11:00 . 2007-02-20 16:04 2,463,976 --a------ c:\windows\system32\NPSWF32.dll
2009-02-05 11:00 . 2007-02-20 16:04 190,696 --a------ c:\windows\system32\NPSWF32_FlashUtil.exe
2009-02-05 10:51 . 2009-02-05 10:51 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-01-30 16:23 . 2009-01-30 16:23 <DIR> d-------- c:\documents and settings\User1\Application Data\QuosaDDM
2009-01-30 12:14 . 2009-02-11 14:52 <DIR> d-------- C:\nih
2009-01-27 10:45 . 2009-01-27 10:51 <DIR> d-------- C:\UPATWIN09
2009-01-26 17:04 . 2009-01-26 17:08 <DIR> d-------- C:\PROPOSALINFORMATION

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 20:27 --------- d-----w c:\documents and settings\User1\Application Data\Apple Computer
2009-02-12 18:43 --------- d-----w c:\program files\Port Explorer
2009-02-11 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-11 19:01 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-10 20:24 --------- d-----w c:\program files\Google
2009-02-09 19:04 --------- d-----w c:\documents and settings\User1\Application Data\MySQL
2009-02-05 20:29 --------- d-----w c:\program files\MySQL
2009-02-05 20:08 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-05 18:15 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-05 16:12 --------- d-----w c:\program files\Common Files\Adobe
2009-01-14 19:52 --------- d-----w c:\program files\TechSmith
2009-01-14 19:52 --------- d-----w c:\program files\Common Files\TechSmith Shared
2009-01-13 19:47 --------- d-----w c:\program files\Microsoft Works
2009-01-13 19:46 --------- d-----w c:\program files\Microsoft.NET
2009-01-13 19:45 --------- d-----w c:\program files\Microsoft Visual Studio 8
.

((((((((((((((((((((((((((((( SnapShot@2009-02-17_11.36.16.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-17 16:21:41 225,259 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-17 16:59:32 225,260 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-10 68856]
"Google Update"="c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-13 8523776]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-11 1015808]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-10 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-10-20 53248]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-10-20 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-02-05 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=TSCUGP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Documents and Settings\\User1\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\TechSmith\\Morae\\MoraeRecorder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\NeverwinterNights\\NWN\\nwserver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-09-12 34592]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-06-14 17408]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 79168]
S3 JTVNCProxy_10.0;JTVNCProxy;c:\program files\Freedom Scientific\JAWS\10.0\JTVNCProxy.exe [2008-10-23 17176]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MSFIOYOG
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4187821104-4080160505-1192498674-1005.job
- c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 09:33]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080611
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080611
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {6E4144C2-2128-4E2C-BC79-7DC5FB7D0C6F} = 130.108.1.20,130.108.128.200
FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\aj52ei8g.default\
FF - plugin: c:\documents and settings\User1\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnipp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 11:59:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql]
"ImagePath"="c:\xampp\mysql\bin\mysqld-nt --defaults-file=c:\xampp\mysql\bin\my.cnf mysql"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\xampp\mysql\bin\mysqld-nt.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-17 12:02:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-17 17:02:01
ComboFix2.txt 2009-02-17 16:36:41

Pre-Run: 468,372,156,416 bytes free
Post-Run: 468,261,769,216 bytes free

199 --- E O F --- 2009-02-11 19:03:55

Edited by john1999, 17 February 2009 - 01:06 PM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 AM

Posted 17 February 2009 - 12:11 PM

Hi,

This looks OK again. I forgot to include a file in the cfscript that I wanted to analyze. Anyway, no big deal since we can do this "manually".

Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\Windows\System32\TSCUGP.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

I don't think this file is malware related though, but I want to be sure.
In case the file is still present (because it could also be that it's not present anymore), right-click it and let me know what it says in the file properties (company etc. if present).
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 john1999

john1999
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:50 PM

Posted 17 February 2009 - 12:17 PM

Here are the results:

------------------------

File TSCUGP.dll received on 02.17.2009 18:14:32 (CET)
Result: 0/39 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.17 -
AhnLab-V3 5.0.0.2 2009.02.17 -
AntiVir 7.9.0.83 2009.02.17 -
Authentium 5.1.0.4 2009.02.17 -
Avast 4.8.1335.0 2009.02.16 -
AVG 8.0.0.237 2009.02.17 -
BitDefender 7.2 2009.02.17 -
CAT-QuickHeal 10.00 2009.02.17 -
ClamAV 0.94.1 2009.02.17 -
Comodo 982 2009.02.17 -
DrWeb 4.44.0.09170 2009.02.17 -
eSafe 7.0.17.0 2009.02.17 -
eTrust-Vet 31.6.6361 2009.02.17 -
F-Prot 4.4.4.56 2009.02.17 -
F-Secure 8.0.14470.0 2009.02.17 -
Fortinet 3.117.0.0 2009.02.17 -
GData 19 2009.02.17 -
Ikarus T3.1.1.45.0 2009.02.17 -
K7AntiVirus 7.10.630 2009.02.14 -
Kaspersky 7.0.0.125 2009.02.17 -
McAfee 5528 2009.02.16 -
McAfee+Artemis 5528 2009.02.16 -
Microsoft 1.4306 2009.02.17 -
NOD32 3862 2009.02.17 -
Norman 6.00.06 2009.02.17 -
nProtect 2009.1.8.0 2009.02.17 -
Panda 10.0.0.10 2009.02.17 -
PCTools 4.4.2.0 2009.02.17 -
Prevx1 V2 2009.02.17 -
Rising 21.17.12.00 2009.02.17 -
SecureWeb-Gateway 6.7.6 2009.02.17 -
Sophos 4.38.0 2009.02.17 -
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.17 -
TheHacker 6.3.2.2.259 2009.02.17 -
TrendMicro 8.700.0.1004 2009.02.17 -
VBA32 3.12.8.13 2009.02.17 -
ViRobot 2009.2.17.1611 2009.02.17 -
VirusBuster 4.5.11.0 2009.02.17 -
Additional information
File size: 157256 bytes
MD5...: 8c6162f54f81e152a01039b534026e2d
SHA1..: 43055d9738e599f6acd9103aee4b0c99567e1380
SHA256: f0df353b7920847474f5da30ce663e74bda33a290bfc3bf51abf089036d27f71
SHA512: c4915278b9a9d20cdc1b839f0227c61fd5e47c5f41db57c8da28b8d03a94c7e8
dee87a3e3a027cf49339dc76f8de0dc59ff2c3456ae9e55f46f1772747d57ad8
ssdeep: 3072:wUM7sshiMXF3racf6wvh5bArfdURyg5fGAvHF:wbmcf6wzyfdwGUF
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x9d65
timedatestamp.....: 0x4672ec88 (Fri Jun 15 19:46:16 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x16788 0x17000 6.65 2e2d658b88e20a01af101e28cf357e2a
.rdata 0x18000 0x6c1e 0x7000 5.25 3b1336f2d2bfa6dc081f2a285e63cb02
.data 0x1f000 0x4ce4 0x2000 2.77 24dbc0bc294b25bc8b379e7dc3b7d93b
.rsrc 0x24000 0x448 0x1000 3.78 9f688298b27900bf3251c2478cc16135
.reloc 0x25000 0x2686 0x3000 4.17 15c7a4302dbd973ce15869f3a7a9dc99

( 5 imports )
> KERNEL32.dll: SuspendThread, FlushInstructionCache, GetCurrentProcess, SetThreadContext, GetThreadContext, CreateSemaphoreW, CloseHandle, WaitForSingleObject, ReleaseSemaphore, InterlockedDecrement, GetCurrentProcessId, lstrcmpiW, GetPrivateProfileStringW, LoadLibraryW, FreeLibrary, LocalFree, WideCharToMultiByte, GetLastError, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetConsoleMode, GetConsoleCP, SetFilePointer, InitializeCriticalSection, LoadLibraryA, ResumeThread, InterlockedCompareExchange, VirtualAlloc, VirtualProtect, VirtualQuery, SetLastError, DisableThreadLibraryCalls, GetModuleFileNameW, GetProcAddress, GetModuleHandleW, GetCurrentThread, MultiByteToWideChar, lstrlenW, lstrcmpW, GetCurrentThreadId, GetTickCount, IsBadWritePtr, IsBadReadPtr, InterlockedIncrement, WriteFile, HeapReAlloc, EnterCriticalSection, LeaveCriticalSection, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetSystemTimeAsFileTime, QueryPerformanceCounter, VirtualFree, RtlUnwind, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, Sleep, HeapSize, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapDestroy, HeapCreate
> USER32.dll: SetRectEmpty, IsWindow, EqualRect, RegisterWindowMessageW, SendMessageTimeoutW, GetWindowLongW, GetParent, ScreenToClient, GetForegroundWindow, GetFocus, GetWindowThreadProcessId, GetAncestor, GetDesktopWindow, GetTitleBarInfo, GetWindowDC, ReleaseDC, IntersectRect, WindowFromDC, OffsetRect, IsWindowVisible, GetWindowRect
> GDI32.dll: GetCharABCWidthsW, GetCharWidth32W, GetFontLanguageInfo, GetCharacterPlacementW, GetDeviceCaps, GetViewportExtEx, GetCurrentObject, GetObjectW, GetTextMetricsW, GetTextExtentPoint32W, GetTextAlign, GetCurrentPositionEx, DPtoLP, LPtoDP, GetDCOrgEx, RectVisible
> MSIMG32.dll: AlphaBlend, TransparentBlt
> VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW

( 4 exports )
EndTextCapture, PauseTextCapture, ResumeTextCapture, StartTextCapture

#8 john1999

john1999
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:50 PM

Posted 17 February 2009 - 12:44 PM

Hi,

This looks OK again. I forgot to include a file in the cfscript that I wanted to analyze. Anyway, no big deal since we can do this "manually".

Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\Windows\System32\TSCUGP.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

I don't think this file is malware related though, but I want to be sure.
In case the file is still present (because it could also be that it's not present anymore), right-click it and let me know what it says in the file properties (company etc. if present).



TSCUGP.dll properties on right click:
company: TechSmith corporation
File version: 1.0.2.0
description: Techsmith Text Capture DLL

I guess it must be from a s/w called Morae from TechSmith that we have on the computer.
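The manual check in this exchange (find what AppInit_DLLs loads, look at the file's properties, hash it for VirusTotal) can be automated. The PowerShell below is an added example, not code from the thread or from BleepingComputer; it assumes that entries given without a path, like TSCUGP.dll here, live in System32, whereas the real loader walks the full DLL search order.

```powershell
# Added example (not from the thread). Reports every AppInit_DLLs entry with the
# version-resource fields shown in the Properties dialog, Authenticode status and SHA256.
function Get-FileSha256 {
    param([string]$Path)
    # .NET is used directly so this also runs on the PowerShell 2.0 found on XP-era machines.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Get-AppInitDllReport {
    param(
        # Native view first; the Wow6432Node view exists only on 64-bit Windows.
        [string[]]$Keys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
        )
    )
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $raw = [string]$props.AppInit_DLLs
        if ([string]::IsNullOrEmpty($raw.Trim())) { continue }
        # LoadAppInit_DLLs appeared with Vista; on XP (the thread's platform) the list is always honoured.
        $enabled = if ($null -ne $props.LoadAppInit_DLLs) { [bool]$props.LoadAppInit_DLLs } else { $true }
        # The value is a space- or comma-separated list of DLL names.
        foreach ($entry in ($raw -split '[ ,;]+' | Where-Object { $_ -ne '' })) {
            # Assumption: bare names resolve to System32 (matches TSCUGP.dll in this thread).
            $path = if ([System.IO.Path]::IsPathRooted($entry)) { $entry }
                    else { Join-Path -Path $env:SystemRoot -ChildPath "System32\$entry" }
            $exists = Test-Path -LiteralPath $path
            $ver = $null; $sig = $null; $hash = $null
            if ($exists) {
                # Same fields the user read off the Properties dialog: company, description, version.
                $ver  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
                $sig  = Get-AuthenticodeSignature -FilePath $path
                $hash = Get-FileSha256 -Path $path   # compare with the SHA256 line of a VirusTotal report
            }
            New-Object -TypeName PSObject -Property @{
                RegistryKey     = $key
                Enabled         = $enabled
                Entry           = $entry
                ResolvedPath    = $path
                Exists          = $exists
                CompanyName     = if ($ver) { $ver.CompanyName } else { $null }
                FileDescription = if ($ver) { $ver.FileDescription } else { $null }
                FileVersion     = if ($ver) { $ver.FileVersion } else { $null }
                SignatureStatus = if ($sig) { $sig.Status.ToString() } else { $null }
                SHA256          = $hash
            }
        }
    }
}

# An entry that is unsigned, has no company or description, or whose file is missing deserves a closer look.
Get-AppInitDllReport | Format-List
```

A legitimate entry such as the TechSmith text-capture DLL here will show a company name and description; an empty version resource or a missing file is the usual sign that the entry needs the VirusTotal step.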

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 AM

Posted 17 February 2009 - 12:50 PM

Thanks for the feedback. Legitimate as I suspected. :thumbup2:

* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now - if redirects are gone now....

#10 john1999

john1999
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:50 PM

Posted 17 February 2009 - 01:01 PM

Thanks for the feedback. Legitimate as I suspected. :)

* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now - if redirects are gone now....


Yup, it doesn't look like the redirects are happening now. Thanks a lot :thumbup2:

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 AM

Posted 17 February 2009 - 01:26 PM

Glad I could help. :thumbup2:

Please read my Prevention page, which has lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 AM

Posted 21 February 2009 - 06:36 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



