Firefox Redirect Issue (Suspected Rootkit/Backdoor Trojan Issue)


This topic is locked
8 replies to this topic

#1 ArrimanTheKid


Posted 19 June 2009 - 04:28 PM

Whenever I click on a link in Google, I get sent to overclick and other sites such as <http://www.info.com/gimp?cmp=3770&cb=21&affiliate=13a59019f8461962f782aebbe6e47417> through a bunch of sites that have a green globe as a favicon and overclick sometimes.

My logs are below. I use Windows XP Home Edition and have the latest Java BTW.

DDS:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Jonathan at 17:03:23.29 on Fri 06/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.98 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jonathan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: SweetIM ToolbarURLSearchHook Class: {eee6c35d-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgHelper.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
BHO: {5553B538-864C-4ECC-9A3B-97AF436DDC4A} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SweetIM Toolbar Helper: {eee6c35c-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: SweetIM Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [SunKistEM] c:\program files\emachines bay reader\shwiconem.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CHotkey] zHotkey.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?b032402a04534693bccedef6e688d306
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?b032402a04534693bccedef6e688d306
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192896316064
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192897361134
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
Notify: mlJDwTno - mlJDwTno.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvWMCst

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonathan\applic~1\mozilla\firefox\profiles\3u6api12.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-10 11608]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2009-2-1 33824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-10 55640]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-31 55152]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\9dragons\gameguard\dump_wmimmc.sys --> c:\program files\9dragons\gameguard\dump_wmimmc.sys [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 npkycryp;npkycryp;\??\c:\program files\gravity\ro\npkycryp.sys --> c:\program files\gravity\ro\npkycryp.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\xdva189.sys --> c:\windows\system32\XDva189.sys [?]

=============== Created Last 30 ================

2009-06-19 16:50 <DIR> --d----- c:\program files\Trend Micro
2009-06-11 16:40 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 16:40 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-04 11:49 2,784,285 a------- c:\windows\system32\GameMon.des
2009-06-04 11:24 <DIR> --d----- c:\program files\9Dragons
2009-06-04 11:17 1,146,004,100 a------- c:\documents and settings\jonathan\9DSetup_US_v79.exe
2009-06-04 11:17 258,352 a------- c:\documents and settings\jonathan\unicows.dll
2009-06-03 23:24 <DIR> --d----- C:\Downloads
2009-06-03 23:23 <DIR> --d----- c:\program files\Orbitdownloader
2009-05-31 12:36 <DIR> --d----- c:\documents and settings\jonathan\Tracing
2009-05-31 12:34 55,152 a------- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-05-31 12:28 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-05-31 12:21 <DIR> --d----- c:\program files\Microsoft
2009-05-31 12:21 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-05-31 12:14 <DIR> --d----- c:\program files\common files\Windows Live
2009-05-30 19:10 <DIR> --dsh--- c:\documents and settings\jonathan\PrivacIE
2009-05-30 19:09 <DIR> --d----- c:\program files\SweetIM
2009-05-30 19:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SweetIM
2009-05-30 16:56 23,600 a------- c:\windows\system32\drivers\TVICHW32.SYS
2009-05-25 13:07 <DIR> --dsh--- c:\documents and settings\jonathan\IETldCache
2009-05-25 13:04 <DIR> --d----- c:\windows\ie8updates
2009-05-25 13:03 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-25 13:00 <DIR> -cd-h--- c:\windows\ie8
2009-05-23 10:51 49,152 a------- c:\windows\system32\ChCfg.exe
2009-05-23 10:49 <DIR> --d----- c:\program files\Realtek AC97
2009-05-23 10:49 10,528,768 a------- c:\windows\system32\RTLCPL.exe
2009-05-23 10:49 147,456 a------- c:\windows\system32\RtlCPAPI.dll
2009-05-23 10:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters

==================== Find3M ====================

2009-06-19 16:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-22 23:34 935,768 a------- c:\windows\system32\rn.tmp
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-09 18:17 65,536 a------- c:\windows\IFinst27.exe
2008-08-03 14:53 23 a------- c:\documents and settings\jonathan\jagex_runescape_preferences.dat
2007-08-22 16:34 41,848 ----hr-- c:\program files\IFU59.inf
2007-07-19 01:18 41,826 ----hr-- c:\program files\IFU45.inf
2008-12-28 00:27 710,793 a--sh--- c:\windows\system32\tsCMWvut.ini2
2008-07-12 20:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071220080713\index.dat

============= FINISH: 17:06:33.50 ===============


Attached is the Attach file.

Edited by ArrimanTheKid, 20 June 2009 - 09:33 AM.
Deactivate link. ~ OB


#2 SifuMike (malware expert)

Posted 20 June 2009 - 04:26 PM

Hello ArrimanTheKid,

Uninstall these old versions of Java, as old versions are malware magnets:
Java™ 6 Update 4
Java™ 6 Update 5
Java™ 6 Update 7



Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

*****************


We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 20 June 2009 - 04:35 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
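Added example, not code from either poster, from DDS or from BleepingComputer: a small Python triage script that reads the "Pseudo HJT Report" section of a DDS log like the one in post #1 and flags the entries a helper looks at first. It reports BHO/TB/SEH registrations that resolve to "No File" (in this thread MBAM later classed the {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} BHO and ShellExecuteHook as Trojan.BHO), Winlogon Notify entries whose names look machine-generated, anything listed under LSA Authentication Packages besides msv1_0, and Java installer (jinstall) ActiveX entries older than the newest one present, which is how SifuMike's "Java 6 Update 4/5/7" list can be read off the DPF lines. The sample lines are copied from the log above; the check names, the random_looking() heuristic and its thresholds are my own constructions, not DDS conventions, and the heuristic is deliberately weak (it can miss names and can misfire on unusual legitimate ones).

```python
import re
from collections import Counter, namedtuple

# Constructed sample: a subset of the Pseudo HJT lines from the DDS log posted
# in this thread. The full log has many more lines; the script ignores the
# kinds it does not check.
SAMPLE_REPORT = r"""
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {5553B538-864C-4ECC-9A3B-97AF436DDC4A} - No File
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
Notify: mlJDwTno - mlJDwTno.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvWMCst
"""

Finding = namedtuple("Finding", "check line detail")

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
JINSTALL_RE = re.compile(r"jinstall-1_6_0_(\d+)-")


def random_looking(name):
    """Weak heuristic (my own thresholds) for generated names like 'mlJDwTno':
    mixed case with at least two case flips and fewer than 25% vowels.
    'MpShHook' and 'WPDShServiceObj' have enough vowels to pass, and pure
    lower-case names such as 'igfxcui' have no case flips at all."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return flips >= 2 and vowels / len(letters) < 0.25


def sample_lines():
    return [l for l in SAMPLE_REPORT.splitlines() if l.strip()]


def analyze(lines):
    """Return a list of Findings for the hijack-report lines handed in."""
    findings = []
    java_entries = []  # (update number, line) for every jinstall DPF entry
    for line in lines:
        kind, _, rest = line.partition(": ")
        if kind in ("BHO", "TB", "SEH", "EB") and rest.endswith("- No File"):
            # A registration whose DLL is gone: leftover of a removed or hidden component.
            guid = GUID_RE.search(rest)
            findings.append(Finding("orphaned-clsid", line, guid.group(0) if guid else rest))
        elif kind == "DPF":
            m = JINSTALL_RE.search(rest)
            if m:
                java_entries.append((int(m.group(1)), line))
        elif kind == "Notify":
            # Winlogon notification packages load into winlogon.exe; the
            # legitimate ones have readable names (igfxcui here).
            name = rest.split(" - ", 1)[0]
            if random_looking(name):
                findings.append(Finding("random-notify", line, name))
        elif kind == "LSA" and rest.startswith("Authentication Packages ="):
            # On XP the only package expected here is msv1_0; anything else is
            # a DLL that LSASS will load at boot.
            for pkg in rest.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    findings.append(Finding("extra-lsa-package", line, pkg))
    if java_entries:
        newest = max(v for v, _ in java_entries)
        for v, line in java_entries:
            if v < newest:
                findings.append(Finding("old-java", line,
                                        f"Java 6 Update {v} (newest present: Update {newest})"))
    return findings


def summarize(findings):
    """Count findings per check, e.g. {'orphaned-clsid': 4, ...}."""
    return dict(Counter(f.check for f in findings))


if __name__ == "__main__":
    results = analyze(sample_lines())
    for f in results:
        print(f"[{f.check}] {f.detail}")
    print(summarize(results))
```

Run against the sample, the script lists the four orphaned CLSIDs, the mlJDwTno notify package, the extra LSA package c:\windows\system32\tuvWMCst, and Java 6 Updates 4, 5 and 7 as older than Update 14. None of these is proof on its own; they are the lines a helper would ask about first, and the later MBAM and ComboFix logs in this thread show what several of them turned out to be.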

#3 ArrimanTheKid (Topic Starter)

Posted 20 June 2009 - 06:56 PM

Thanks for your quick response, although the problem at hand persists.
I hope you guys will be able to help.
Here is what you asked for.

Security Check:

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AviraAntiVirPersonal-FreeAntivirus
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Windows Defender
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 14
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Windows Defender MSMpEng.exe
Windows Defender MSASCui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 0 seconds.
`````````End of Log```````````


MBAM Log:

Malwarebytes' Anti-Malware 1.38
Database version: 2317
Windows 5.1.2600 Service Pack 3

6/20/2009 7:41:55 PM
mbam-log-2009-06-20 (19-41-55).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 233044
Time elapsed: 55 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1e5b2693-d348-4ca7-8364-4f5e51bf9c6d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Jonathan\local settings\Temp\ownxasrmce.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.

#4 SifuMike (malware expert)

Posted 20 June 2009 - 07:04 PM

Hi ArrimanTheKid,

This computer is heavily infected so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira Antivir Antivirus and Windows Defender before running ComboFix, as they will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
You have successfully disabled the AntiVir Guard.


To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#5 ArrimanTheKid (Topic Starter)

Posted 20 June 2009 - 07:19 PM

Is it a problem that my mouse is connected to a USB slot (it is a USB mouse)?

#6 SifuMike (malware expert)

Posted 20 June 2009 - 08:26 PM

No. It should work OK.

Edited by SifuMike, 20 June 2009 - 08:39 PM.


#7 ArrimanTheKid (Topic Starter)

Posted 20 June 2009 - 09:20 PM

Sorry I took so long. Here is the ComboFix log you requested.
Apparently, I did indeed have MANY trojans and rootkit infections.
Thankfully, the redirects no longer occur, thanks to you and kick*** ComboFix.
(Don't want to use profanity now, do I?)


ComboFix 09-06-20.02 - Jonathan 06/20/2009 21:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.193 [GMT -4:00]
Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1433678514-3411340332-2596020146-1003
c:\recycler\S-1-5-21-515967899-1580436667-725345543-1003
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\SKYNETiuypiqwh.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SKYNETdmwqbxmg.dat
c:\windows\system32\SKYNETkrumkhmi.dat
c:\windows\system32\SKYNEToptalklt.dll
c:\windows\system32\SKYNETqxovcxdb.dll
c:\windows\system32\wpcap.dll
c:\docume~1\Jonathan\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Jonathan\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Jonathan\Local Settings\Temporary Internet Files\fbk.sts
c:\recycler\S-1-5-21-1433678514-3411340332-2596020146-1003\desktop.ini
c:\recycler\S-1-5-21-1433678514-3411340332-2596020146-1003\INFO2
c:\recycler\S-1-5-21-515967899-1580436667-725345543-1003\desktop.ini
c:\recycler\S-1-5-21-515967899-1580436667-725345543-1003\INFO2
c:\windows\system32\drivers\SKYNETiuypiqwh.sys
c:\windows\system32\jpqhdjpa.ini
c:\windows\system32\SKYNETdmwqbxmg.dat
c:\windows\system32\SKYNETkrumkhmi.dat
c:\windows\system32\SKYNEToptalklt.dll
c:\windows\system32\SKYNETqxovcxdb.dll
c:\windows\system32\tsCMWvut.ini
c:\windows\system32\tsCMWvut.ini2
c:\windows\system32\vmncksaj.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETldnbmqxs
-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-06-20 22:43 . 2009-06-20 22:43 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Malwarebytes
2009-06-20 22:43 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 22:43 . 2009-06-20 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 22:43 . 2009-06-20 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 22:43 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-20 13:30 . 2009-06-20 13:30 -------- d-sh--w- c:\documents and settings\Milly\PrivacIE
2009-06-20 02:26 . 2009-06-20 02:26 -------- d-----w- c:\documents and settings\Jonathan\dwhelper
2009-06-19 23:19 . 2009-06-20 19:26 -------- d-----w- c:\documents and settings\Milly\Application Data\Orbit
2009-06-19 20:50 . 2009-06-19 20:50 -------- d-----w- c:\program files\Trend Micro
2009-06-11 20:40 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 20:40 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 20:34 . 2009-06-19 20:40 152576 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-04 15:24 . 2009-06-17 22:05 -------- d-----w- c:\program files\9Dragons
2009-06-04 15:17 . 2009-05-05 22:56 1146004100 ----a-w- c:\documents and settings\Jonathan\9DSetup_US_v79.exe
2009-06-04 15:17 . 2004-12-07 14:11 258352 ----a-w- c:\documents and settings\Jonathan\unicows.dll
2009-06-04 03:24 . 2009-06-14 02:04 -------- d-----w- C:\Downloads
2009-06-04 03:23 . 2009-06-04 03:23 -------- d-----w- c:\program files\Orbitdownloader
2009-06-04 03:23 . 2009-06-21 02:11 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Orbit
2009-06-03 22:11 . 2009-06-03 22:11 1 ----a-w- c:\documents and settings\Milly\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-03 22:11 . 2009-06-03 22:11 -------- d-----w- c:\documents and settings\Milly\Application Data\OpenOffice.org
2009-06-03 22:06 . 2009-06-03 22:06 -------- d-sh--w- c:\documents and settings\Milly\IETldCache
2009-05-31 16:36 . 2009-05-31 16:36 -------- d-----w- c:\documents and settings\Jonathan\Tracing
2009-05-31 16:34 . 2009-02-06 22:08 55152 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-05-31 16:32 . 2009-05-31 16:32 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-05-31 16:28 . 2009-05-31 16:28 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-05-31 16:21 . 2009-05-31 16:21 -------- d-----w- c:\program files\Microsoft
2009-05-31 16:21 . 2009-05-31 16:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-31 16:14 . 2009-05-31 16:14 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-30 23:10 . 2009-05-30 23:10 -------- d-sh--w- c:\documents and settings\Jonathan\PrivacIE
2009-05-30 23:09 . 2009-05-30 23:09 -------- d-----w- c:\program files\SweetIM
2009-05-30 23:09 . 2009-05-30 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SweetIM
2009-05-30 20:56 . 2009-05-30 20:57 -------- d-----w- c:\documents and settings\Jonathan\Local Settings\Application Data\eSupport.com
2009-05-30 20:56 . 2009-05-30 20:56 23600 ----a-w- c:\windows\system32\drivers\TVICHW32.SYS
2009-05-25 17:44 . 2009-05-25 17:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-25 17:07 . 2009-05-25 17:07 -------- d-sh--w- c:\documents and settings\Jonathan\IETldCache
2009-05-25 17:04 . 2009-06-12 02:06 -------- d-----w- c:\windows\ie8updates
2009-05-25 17:03 . 2009-04-25 05:30 102400 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-25 17:00 . 2009-05-25 17:03 -------- dc-h--w- c:\windows\ie8
2009-05-23 14:51 . 2006-08-01 19:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
2009-05-23 14:49 . 2009-05-23 14:49 -------- d-----w- c:\program files\Realtek AC97
2009-05-23 14:49 . 2006-12-08 19:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2009-05-23 14:49 . 2006-10-18 06:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2009-05-23 14:41 . 2009-05-23 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-05-23 14:40 . 2009-05-23 14:40 -------- d-----w- c:\documents and settings\Jonathan\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 02:09 . 2008-06-21 20:49 -------- d-----w- c:\program files\DNA
2009-06-21 02:09 . 2008-06-21 20:49 -------- d-----w- c:\documents and settings\Jonathan\Application Data\DNA
2009-06-20 22:35 . 2004-05-12 10:24 -------- d-----w- c:\program files\Java
2009-06-19 21:48 . 2009-01-15 21:56 -------- d-----w- c:\documents and settings\Jonathan\Application Data\gtk-2.0
2009-06-19 20:41 . 2008-12-01 23:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-09 23:03 . 2008-11-06 01:26 1 ----a-w- c:\documents and settings\Jonathan\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-03 22:07 . 2007-11-01 16:14 40512 ----a-w- c:\documents and settings\Milly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 16:35 . 2007-10-20 18:08 40512 ----a-w- c:\documents and settings\Jonathan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 16:34 . 2008-03-14 00:26 -------- d-----w- c:\program files\Windows Live
2009-05-31 16:33 . 2007-10-20 18:26 -------- d-----w- c:\program files\Windows Live Toolbar
2009-05-23 18:22 . 2004-05-12 09:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-23 14:48 . 2004-05-12 09:54 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-13 05:15 . 2006-06-23 15:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-10 18:59 . 2009-05-10 18:59 -------- d-----w- c:\program files\Avira
2009-05-10 18:59 . 2009-05-10 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-09 20:24 . 2009-03-25 02:01 -------- d-----w- c:\documents and settings\Jonathan\Application Data\BitTorrent
2009-05-09 03:01 . 2009-05-09 03:01 -------- d-----w- c:\program files\AhnLab
2009-05-09 02:47 . 2007-10-20 20:17 -------- d-----w- c:\program files\Google
2009-05-07 15:32 . 2004-05-12 09:42 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-23 03:34 . 2009-04-22 02:42 935768 ----a-w- c:\windows\system32\rn.tmp
2009-04-18 16:18 . 2009-04-18 16:18 45056 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{5E06C076-E4E7-4239-A886-B3D8AC84C166}\NewShortcut2_1619669F516F4E609B6F837EFE21307A_7.exe
2009-04-18 16:18 . 2009-04-18 16:18 45056 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{5E06C076-E4E7-4239-A886-B3D8AC84C166}\NewShortcut1_1619669F516F4E609B6F837EFE21307A_5.exe
2009-04-17 12:26 . 2004-05-12 09:43 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-05-12 10:05 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-09 22:17 . 2008-01-01 21:25 65536 ----a-w- c:\windows\IFinst27.exe
2009-03-31 21:23 . 2009-03-31 21:23 152576 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-30 14:33 . 2009-05-10 19:00 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-03-24 20:08 . 2009-05-10 19:00 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2007-08-22 20:34 . 2008-01-07 00:30 41848 ---h--r- c:\program files\IFU59.inf
2007-07-19 05:18 . 2008-01-07 00:30 41826 ---h--r- c:\program files\IFU45.inf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-10-08 16:22 1172792 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-24 3558136]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-25 321344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-22 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 135168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-04-27 111928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-19 148888]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2003-06-03 496640]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-6-3 1719496]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\OGPlanet\\CABAL Online\\cabal.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/10/2009 3:00 PM 108289]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [5/31/2009 12:34 PM 55152]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\9Dragons\GameGuard\dump_wmimmc.sys --> c:\program files\9Dragons\GameGuard\dump_wmimmc.sys [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 npkycryp;npkycryp;\??\c:\program files\Gravity\RO\npkycryp.sys --> c:\program files\Gravity\RO\npkycryp.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-06-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5553B538-864C-4ECC-9A3B-97AF436DDC4A} - (no file)
Notify-mlJDwTno - mlJDwTno.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?b032402a04534693bccedef6e688d306
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?b032402a04534693bccedef6e688d306
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 22:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2672)
c:\windows\system32\WININET.dll
c:\program files\TortoiseSVN\bin\tortoisesvn.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1801_x-ww_5eed8217\MSVCR80.dll
c:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\cisvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\wanmpsvc.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\windows\system32\cidaemon.exe
.
**************************************************************************
.
Completion time: 2009-06-21 22:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-21 02:16

Pre-Run: 10,110,124,032 bytes free
Post-Run: 18,929,405,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

298 --- E O F --- 2009-06-18 14:15

Edited by ArrimanTheKid, 20 June 2009 - 09:55 PM.


#8 SifuMike

Posted 20 June 2009 - 10:00 PM

Hi ArrimanTheKid,

Now we look for lingering malware.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Edited by SifuMike, 20 June 2009 - 10:15 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SifuMike


Posted 27 June 2009 - 09:49 PM

This thread will now be closed due to lack of feedback.