Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search Web


  • This topic is locked This topic is locked
4 replies to this topic

#1 Tadeusz5

Tadeusz5

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 24 June 2009 - 02:19 PM

Hello Good Guys;

Need your valuable assistance to fix my pc's search web problem-- it seems those bad, bad Internet ogres have done me in with some malicious software that results in being redirected to the wrong places.

when doing a web search and usong google, or yahoo, the search results in "jumping" , striking offers.com, right bulk select.com, best web choices, and ave99.com, cannot get rid of them using SpyBot, or any other internally loaded Yahoo online protection tools.

Followed the steps as explained in the tutorial, could not perform step #5 -configuring the windows xp Ics firewall, when Lan Advanced is displayedand I click on settings, windows firewall comes back with " Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start windows Firewall/Ics service ?? yes /no
If I click on yes than Firewall comes back with WF/ICS cannot start.


DDS (Ver_09-05-14.01) - NTFSx86
Run by User 1 at 13:47:10.93 on Wed 06/24/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.197 [GMT -5:00]

AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k sys
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
svchost
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User 1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://usatoday.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: AT&&T Yahoo! Sidebar: {51085e3d-a958-42a2-a6be-a6a9b0baf276} - c:\program files\yahoo!\browser\ysidebarIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [CaAvTray] "c:\program files\yahoo!\antivirus\CAVTray.exe"
mRun: [CAVRID] "c:\program files\yahoo!\antivirus\CAVRID.exe"
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R1 sysdrv;sysdrv;c:\program files\sys\sys.sys [2009-6-23 9344]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2007-9-4 21031]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2007-9-4 15478]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2007-9-4 879832]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2007-9-4 15735]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2007-9-4 26787]
R2 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\iSafe.exe [2007-9-4 259184]
R2 sys;sys;c:\windows\system32\svchost.exe -k sys [2004-8-4 14336]
R2 VETMSGNT;VET Message Service;c:\program files\yahoo!\antivirus\VetMsg.exe [2007-9-4 201840]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2007-9-4 108360]
S2 OcHealthMon;Windows Live OneCare Health Monitor;"c:\program files\microsoft windows onecare live\ochealthmon.exe" --> c:\program files\microsoft windows onecare live\OcHealthMon.exe [?]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\temp\2e.tmp --> c:\windows\temp\2E.tmp [?]

=============== Created Last 30 ================

2009-06-24 00:54 279 a------- C:\Shortcut to Local Disk ©.lnk
2009-06-23 23:56 <DIR> --d----- c:\windows\pss
2009-06-23 23:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2009-06-23 23:08 <DIR> --d----- c:\program files\PCPitstop
2009-06-23 21:57 <DIR> --d----- c:\program files\sys
2009-06-23 21:57 13,824 a------- c:\windows\system32\iehelper.dll
2009-06-23 21:57 2 a------- c:\windows\010112010146118114.dat
2009-06-23 21:56 299,024 a------- c:\windows\sysguard.exe
2009-06-23 21:56 27,648 ----h--- c:\windows\ld10.exe

==================== Find3M ====================

2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-11-13 19:24 16,496 a------- c:\docume~1\alluse~1\applic~1\avexa.dat
2008-11-13 19:24 13,714 a------- c:\docume~1\user1~1\applic~1\ajivyzogo.exe
2008-11-13 18:51 19,386 a------- c:\program files\common files\byzoqagyxu.exe
2008-11-13 18:51 17,517 a------- c:\program files\common files\usisulu.ban
2008-11-13 18:51 11,717 a------- c:\docume~1\alluse~1\applic~1\ihefix.dll
2008-11-13 18:51 11,434 a------- c:\docume~1\alluse~1\applic~1\yfetysyqat.sys
2008-11-14 16:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111420081115\index.dat

============= FINISH: 13:48:06.31 ===============

Attached Files

  • Attached File  dds.txt   8.11KB   2 downloads
  • Attached File  dds.txt   8.11KB   4 downloads


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:35 PM

Posted 24 June 2009 - 02:27 PM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Tadeusz5

Tadeusz5
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 24 June 2009 - 04:16 PM

Websearch; and Thank you for answering so quickly;

Here is the log from my Malware bytes and anti malware scan;

Tadeusz5.

Malwarebytes' Anti-Malware 1.38
Database version: 2330
Windows 5.1.2600 Service Pack 3

6/24/2009 3:59:29 PM
mbam-log-2009-06-24 (15-59-29).txt

Scan type: Quick Scan
Objects scanned: 96154
Time elapsed: 11 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\program files\sys\sys.dll (Rootkit.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{71848431-9c3e-4217-9f76-4772c41e44e5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf5c6a80-c938-478c-bc8b-8d7b00788154} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{def85c80-216a-43ab-af70-1665edbe2780} (Spyware.Sinowal) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\antiviruspro2009 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\sys\sys.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSosvn.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\User 1\application data\microsoft\internet explorer\quick launch\AntivirusPro2009.lnk (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\ld10.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Program Files\sys\sys.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:35 PM

Posted 25 June 2009 - 02:51 AM

Hi,

Can you also post a new DDS log please? :thumbup2:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:35 PM

Posted 07 July 2009 - 07:29 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users