
Search Engine Redirect Problem


  • This topic is locked
3 replies to this topic

#1 CrimsonBinome

  • Members
  • 1 posts

Posted 06 August 2009 - 03:44 PM

Just got this today. Scanned a file that seemed to be safe, but it ended up giving me some sort of malware. Every now and then, when I click a new link, I get redirected to some ad website rather than having the actual page loaded. Most of the time it's the url: hxxp://117.skooble.com/ that redirects me to one of their ad sites. It's definitely an annoying problem.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:08 PM, on 06/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\WINDOWS\system32\LEXBCES.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\LEXPPS.EXE
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\M-Audio\Install\EvoInst.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\notepad.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [XFILTER] "H:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Filseclab Messenger.lnk = H:\Program Files\Common Files\Filseclab\FilMsg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - H:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - H:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.77,85.255.112.206
O20 - AppInit_DLLs: H:\WINDOWS\system32\wbsys.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - H:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9a4c4673f8572) (gupdate1c9a4c4673f8572) - Google Inc. - H:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - H:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - H:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 5312 bytes

And here's my ComboFix log:


ComboFix 09-08-06.01 - Bucky 06/08/2009 14:16.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1214.844 [GMT -6:00]
Running from: h:\documents and settings\Bucky\My Documents\Downloads\ComboFix.exe
FW: Filseclab Personal Firewall *disabled* {EB4DA513-3B0A-4FCB-86A7-F1243757EFF2}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\windows\system32\drivers\ESQULphqfprbjoevxuuafucbnreaxwhdhirsu.sys
h:\windows\system32\ESQULndemuwkrpllboihewxdqrmcrsypqmprq.dll
h:\windows\system32\ESQULxlpttkbbjibhiutmwbspexrmvhylwlsf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-06 19:58 . 2009-08-06 19:58 -------- d-----w- h:\program files\Trend Micro
2009-08-06 19:43 . 2009-08-06 19:43 -------- d-----w- h:\documents and settings\Bucky\Application Data\AVG8
2009-08-05 23:19 . 2009-08-05 23:19 -------- d-----w- h:\docume~1\ALLUSE~1\APPLIC~1\Acoustica
2009-08-05 23:01 . 2009-08-05 23:01 34308 ----a-w- h:\windows\system32\Chip.dll
2009-08-05 22:59 . 2009-08-05 23:20 -------- d-----w- h:\program files\Acoustica Mixcraft 4
2009-08-05 21:54 . 2009-08-05 23:29 -------- d-----w- h:\documents and settings\Bucky\Application Data\Antares
2009-08-05 21:54 . 2009-08-05 21:54 -------- d-----w- h:\program files\Antares Audio Technologies
2009-08-05 20:48 . 2009-08-05 20:48 -------- d-----w- h:\documents and settings\Bucky\Application Data\Acoustica
2009-08-05 20:48 . 2007-08-07 17:32 57344 ----a-w- h:\windows\system32\Wnaspint.dll
2009-08-05 20:48 . 2009-08-05 23:19 -------- d-----w- h:\program files\Acoustica Shared Effects

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 19:17 . 2008-10-09 16:33 -------- d-----w- h:\program files\URUSoft
2009-08-05 23:01 . 2009-08-05 23:01 22004 ----a-w- h:\windows\system32\Pvt.tmp
2009-08-04 22:21 . 2009-03-14 16:44 -------- d-----w- h:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-07-31 16:29 . 2008-05-29 22:41 -------- d-----w- h:\program files\Microsoft Silverlight
2009-07-01 03:07 . 2007-11-03 18:50 -------- d-----w- h:\program files\DivX
2009-07-01 03:07 . 2009-07-01 03:07 -------- d-----w- h:\program files\Common Files\DivX Shared
2009-06-26 16:18 . 2004-08-04 12:00 659456 ----a-w- h:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 12:00 81920 ------w- h:\windows\system32\ieencode.dll
2009-06-20 02:19 . 2007-10-15 06:46 -------- d--h--w- h:\program files\InstallShield Installation Information
2009-06-16 14:55 . 2004-08-04 12:00 82432 ------w- h:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ------w- h:\windows\system32\t2embed.dll
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- h:\windows\system32\quartz.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- h:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- h:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="h:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XFILTER"="h:\program files\Filseclab\xfilter\xfilter.exe" [2005-07-28 897284]
"MSConfig"="h:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"AlcxMonitor"="ALCXMNTR.EXE" - h:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

h:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Filseclab Messenger.lnk - h:\program files\Common Files\Filseclab\FilMsg.exe [2007-10-15 315652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-07 03:16 176128 ----a-w- h:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=h:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=evolusbn.dll
"midi4"=evolusbn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=h:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=h:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^Bucky^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=h:\documents and settings\Bucky\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=h:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\Starcraft\\StarCraft.exe"=
"h:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"h:\\Program Files\\World of Warcraft\\WoW-2.4.1.8125-to-2.4.2.8278-enUS-downloader.exe"=
"h:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"h:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"h:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"h:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 XPacket;Filseclab Packet Filter;h:\windows\system32\xpacket.sys [15/10/2007 4:05 PM 124752]
R2 EvoInstallerService;M-Audio Installer;h:\program files\M-Audio\Install\EvoInst.exe [15/10/2007 5:01 PM 90112]
R3 EVOLUSB;%EVOL_USB.SvcDesc%;h:\windows\system32\drivers\evolusb.sys [15/10/2007 5:01 PM 21984]
S2 gupdate1c9a4c4673f8572;Google Update Service (gupdate1c9a4c4673f8572);h:\program files\Google\Update\GoogleUpdate.exe [14/03/2009 10:46 AM 133104]
S2 PINNMB;MovieBox USB_B;h:\windows\system32\drivers\pinnmb.sys [05/08/2008 2:55 PM 31923]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: h:\program files\Filseclab\xfilter\XFILTER.DLL
FF - ProfilePath - h:\docume~1\Bucky\APPLIC~1\Mozilla\Firefox\Profiles\wu91tuzz.default\
FF - prefs.js: browser.startup.homepage - google.ca
FF - plugin: h:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: h:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: h:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
h:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
h:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
h:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 14:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,fb,85,bd,df,59,
9f,71,51,c8,28,51,af,b0,29,a3,98,20,74,99,eb,5f,53,3c,2c,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,ca,da,7e,67,f0,
ec,84,ed,71,3b,04,66,8b,46,0d,96,6f,fa,57,75,3c,62,eb,e0,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,2b,fb,91,ff,f9,
86,ea,41,25,da,ec,7e,55,20,c9,26,d7,74,2b,96,db,a4,ec,8d,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,39,78,32,fb,3d,
cd,47,57,3e,1e,9e,e0,57,5a,93,61,e1,ea,9f,c9,be,78,f0,7a,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,f3,1f,62,81,11,
83,45,31,cd,44,cd,b9,a6,33,6c,cd,41,a4,8e,bd,dc,35,60,40,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,35,b8,89,88,91,
2c,24,42,b0,18,ed,a7,3f,8d,37,a4,66,ec,2f,7c,b5,e5,59,e4,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,01,a5,8b,48,7d,
e1,e2,de,31,77,e1,ba,b1,f8,68,02,18,bc,72,fd,00,83,be,84,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,49,71,d0,fa,b6,
2e,13,17,83,6c,56,8b,a0,85,96,ab,a6,8a,fb,6c,41,9e,df,fa,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,9b,5c,28,9b,43,
85,b7,be,51,fa,6e,91,28,9e,14,cc,78,af,01,ba,8e,c2,c5,11,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,24,70,63,23,ff,
3b,a1,45,b1,cd,45,5a,a8,c4,f8,b9,47,c9,a6,0e,36,9a,0f,4e,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,62,f9,13,2e,f0,
0c,a9,76,e3,0e,66,d5,eb,bc,2f,6b,d5,f5,60,2f,eb,5a,af,45,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="h:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,99,1c,98,b2,17,
b7,d9,d1,fa,ea,66,7f,d4,3b,6b,70,ec,8f,03,2a,50,bd,da,5e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
h:\windows\system32\Ati2evxx.dll
h:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(720)
h:\program files\Filseclab\xfilter\XFILTER.DLL
.
Completion time: 2009-08-06 14:26
ComboFix-quarantined-files.txt 2009-08-06 20:25

Pre-Run: 8,005,378,048 bytes free
Post-Run: 10,448,306,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

255 --- E O F --- 2009-07-31 07:46

Hopefully one of you guys can solve my problem. Thanks (=

- Chris Schultz

Edited by teacup61, 06 August 2009 - 04:31 PM.
munged malicious link
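The post above pairs a redirect complaint with a HijackThis log, and the entry most relevant to that complaint is the O17 line, which points the TCP/IP NameServer setting at 85.255.112.77 and 85.255.112.206 rather than at an ISP or local resolver. The following is an added example, written for this page and not part of the original post nor a BleepingComputer or Trend Micro tool: a small Python triage script that parses HijackThis-style entry lines and flags the items a responder checks first (a NameServer override, an orphaned BHO, an AppInit_DLLs injection, a Run entry with an unqualified path, a service with an unknown owner). The sample log embedded in the script is constructed from the line shapes seen above; the `trusted_resolvers` list is an analyst-supplied assumption, since the script cannot know which resolvers this machine should be using.

```python
"""Triage helper for HijackThis-style logs.

Added example for this page; it is not a HijackThis or BleepingComputer tool.
Only the line shapes seen in the post above are assumed.
"""
import re
from ipaddress import ip_address

# Constructed sample: a handful of lines shaped like the log in the post.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [XFILTER] "H:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.77,85.255.112.206
O20 - AppInit_DLLs: H:\WINDOWS\system32\wbsys.dll
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
"""

# "O17 - <body>", "R1 - <body>", ... : section tag, dash, body.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([0-9.,\s]+)")
# "[ValueName] target ..." : the target is either quoted or the first token.
RUN_RE = re.compile(r'\[[^\]]*\]\s*("[^"]+"|\S+)')


def parse_entries(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def nameservers(body):
    """Extract the IPv4 resolver list from an O17 NameServer body."""
    m = NAMESERVER_RE.search(body)
    if not m:
        return []
    return [ip for ip in re.split(r"[,\s]+", m.group(1)) if ip]


def triage(text, trusted_resolvers=()):
    """Return (severity, section, message) findings worth a second look.

    trusted_resolvers: resolvers the analyst expects on this box (assumption
    supplied by the caller); any other public address in O17 is flagged.
    """
    trusted = {ip_address(t) for t in trusted_resolvers}
    findings = []
    for section, body in parse_entries(text):
        if section == "O17":
            for ip in nameservers(body):
                addr = ip_address(ip)
                if addr.is_private or addr.is_loopback or addr in trusted:
                    continue
                findings.append(("high", section,
                                 f"DNS resolver overridden to {ip}; compare with the ISP's resolvers"))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(("low", section, f"orphaned BHO registration: {body}"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            path = body.split(":", 1)[1].strip()
            findings.append(("medium", section,
                             f"AppInit_DLLs loads {path} into every user32-linked process; verify the publisher"))
        elif section == "O4":
            m = RUN_RE.search(body)
            target = m.group(1).strip('"') if m else ""
            if target and "\\" not in target:
                findings.append(("low", section,
                                 f"Run entry '{target}' has no directory; it is resolved via the search path"))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("info", section, f"service with unknown owner: {body}"))
    return findings


if __name__ == "__main__":
    for sev, sec, msg in triage(SAMPLE_LOG):
        print(f"[{sev:<6}] {sec}: {msg}")
```

Two caveats when reading the O17 result against the log above: the flagged key lives under `CS2` (ControlSet002), so the current control set's `Tcpip\Parameters` should be compared as well, and a public resolver is only a finding until the analyst confirms it is not the ISP's, which is what the `trusted_resolvers` argument is for.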



#2 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 16 August 2009 - 03:40 PM

Hello, CrimsonBinome.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 19 August 2009 - 04:05 AM

Hello CrimsonBinome
Are you still with us?



#4 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 22 August 2009 - 08:20 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.
