
Rootkit Problem - Redirected Browser


This topic is locked
3 replies to this topic

#1 ideaguy

  • Members
  • 2 posts

Posted 18 November 2009 - 12:21 AM

Hello,
I have a browser that is redirecting my searches to: h**p://r9237242.cn -- and then that site forwards it to somewhere else.

I have done everything! I have used Spybot, Ad-Aware, SuperAntiSpyware, Hijack Retaliator. I have also upgraded to AVG version 9.
NOTHING worked.

I used hijackthis and removed anything that looked suspicious.

I then heard that Combofix would solve my problem as I have seen other posts with redirects going to h**p://r3953724.cn --- and Combofix solved those problems.

I ran Combofix and it told me to stop AVG... I could not stop it, so I ran combofix twice anyways... with no luck
THEN I UNINSTALLED AVG COMPLETELY just in case that was a problem and ran Combofix for a 3rd time.

Combofix still did not resolve the problem. Their website tells me to post the log on this site and/or others. So if someone could look at the logs here and let me know what could resolve my problem, I would appreciate it!

HERE IS THE COMBO FIX LOG:
ComboFix 09-11-18.04 - Joy Smith 11/17/2009 19:39.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1545 [GMT -8:00]
Running from: c:\documents and settings\Joy Smith\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.

2094-02-01 17:05 . 1998-07-27 15:12 138 ----a-r- C:\FIX2000.SYS
2094-02-01 16:55 . 2094-02-01 16:55 -------- d-----w- C:\joy
2009-11-18 02:46 . 2009-11-18 02:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\TeamViewer
2009-11-18 01:07 . 2009-11-18 01:27 117760 ----a-w- c:\documents and settings\Joy Smith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-18 01:06 . 2009-11-18 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-18 01:06 . 2009-11-18 01:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-18 01:06 . 2009-11-18 01:06 -------- d-----w- c:\documents and settings\Joy Smith\Application Data\SUPERAntiSpyware.com
2009-11-18 01:05 . 2009-11-18 01:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-18 00:43 . 2009-11-18 00:43 -------- d-----w- c:\program files\Zamaan's Software
2009-11-18 00:19 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-18 00:16 . 2009-11-18 00:16 -------- d-----w- c:\program files\Windows Defender
2009-11-18 00:08 . 2009-11-18 00:08 -------- d-----w- c:\documents and settings\Joy Smith\Local Settings\Application Data\Mozilla
2009-11-17 21:12 . 2009-11-17 21:24 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-11-17 21:12 . 2009-11-17 21:12 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-11-17 21:12 . 2009-11-17 21:24 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-11-17 21:12 . 2009-11-17 21:12 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-11-17 19:41 . 2009-11-18 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-17 18:19 . 2009-11-17 17:32 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-17 17:34 . 2009-11-17 17:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\TeamViewer
2009-11-17 17:32 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-17 17:32 . 2009-11-17 17:32 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-17 17:32 . 2009-11-17 17:32 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-17 17:32 . 2009-11-17 17:32 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-17 17:32 . 2009-11-17 17:32 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-17 17:32 . 2009-11-17 17:32 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-17 17:32 . 2009-11-17 17:32 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-11-17 17:31 . 2009-11-17 17:32 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-11-17 17:31 . 2009-11-17 17:31 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-11-17 17:31 . 2009-11-17 17:31 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-17 17:31 . 2009-11-17 17:31 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-17 17:31 . 2009-11-17 17:31 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-11-17 17:31 . 2009-11-17 17:31 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-11-17 17:31 . 2009-11-17 17:31 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-11-17 17:31 . 2009-11-17 17:31 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-17 17:31 . 2009-11-17 17:31 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-17 17:30 . 2009-11-17 17:30 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-17 17:30 . 2009-11-17 17:30 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-17 17:30 . 2009-11-17 17:30 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-17 17:30 . 2009-11-17 17:30 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-17 17:30 . 2009-11-17 17:30 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-17 17:29 . 2009-11-17 17:29 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-17 17:29 . 2009-11-17 17:29 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-17 17:29 . 2009-11-17 17:29 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-17 17:29 . 2009-11-17 17:29 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-17 17:29 . 2009-11-17 17:29 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-17 17:26 . 2009-11-17 17:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-17 17:26 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-17 17:26 . 2009-11-17 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-16 19:28 . 2009-11-16 19:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 00:58 . 2004-01-20 02:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-17 23:19 . 2008-05-07 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-17 19:41 . 2009-05-28 19:52 -------- d-----w- c:\program files\AVG
2009-11-17 18:55 . 2005-08-18 15:29 -------- d-----w- c:\program files\Common Files\AOL
2009-11-17 18:35 . 2004-06-08 00:53 -------- d-----w- c:\program files\Lavasoft
2009-11-17 17:34 . 2008-05-08 04:47 -------- d-----w- c:\program files\TeamViewer3
2009-09-11 14:18 . 2008-05-07 14:26 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-05-07 14:25 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2008-05-07 14:27 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2008-05-07 14:28 247326 ----a-w- c:\windows\system32\strmdll.dll
2005-06-06 15:41 . 2005-06-06 15:45 233472 ----a-w- c:\program files\Uninstall WeatherBug Browser Bar.dll
2002-10-06 15:40 . 2002-10-06 15:40 11079 ---ha-w- c:\program files\folder.htt
1999-02-06 15:42 . 1999-02-06 15:42 0 ---ha-r- c:\program files\Common Files\MSCREATE.DIR
1997-03-29 22:54 . 1999-02-06 04:58 25682 ----a-w- c:\program files\JPEG.BMP
2008-09-08 21:05 . 2008-09-08 21:05 0 --sha-w- c:\windows\All Users\DRM\Cache\Indiv01.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-11-18_01.56.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-07 14:48 . 2009-11-18 03:34 32768 c:\windows\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-07 14:48 . 2009-11-18 01:23 32768 c:\windows\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-07 14:48 . 2009-11-18 01:23 32768 c:\windows\System32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-07 14:48 . 2009-11-18 03:34 32768 c:\windows\System32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-16 19:28 . 2009-11-18 01:23 16384 c:\windows\System32\config\systemprofile\IETldCache\index.dat
+ 2009-11-16 19:28 . 2009-11-18 03:34 16384 c:\windows\System32\config\systemprofile\IETldCache\index.dat
+ 2008-05-07 14:48 . 2009-11-18 03:34 16384 c:\windows\System32\config\systemprofile\Cookies\index.dat
- 2008-05-07 14:48 . 2009-11-18 01:23 16384 c:\windows\System32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 19:02 8461312 ----a-w- c:\windows\System32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-11 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-27 141848]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-11-09 409600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-06-11 153136]
"QuickTime Task"="c:\windows\System32\qttask.exe" [2008-02-14 385024]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"BHR"="c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe" [2006-10-25 9375744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\system32\spool\migrate.dll" [2006-02-28 30208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\System32\sistray.exe [2005-6-5 331776]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"OmniPage"=c:\program files\Caere\OmniPagePro90\opware32.exe
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CountrySelection"=pctptt.exe
"SoundMan"=SOUNDMAN.EXE
"PTSNOOP"=ptsnoop.exe
"AVG7_CC"=c:\progra~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
"AVG7_EMC"=c:\progra~1\GRISOFT\AVG7\AVGEMC.EXE
"AVG7_AMSVR"=c:\progra~1\GRISOFT\AVG7\AVGAMSVR.EXE
"mdac_runonce"=c:\windows\System32\RUNONCE.EXE
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
"ISUSScheduler"="c:\program files\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
"StillImageMonitor"=c:\windows\System32\STIMON.EXE
"QuickTime Task"="c:\windows\System32\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Netscape\\Communicator\\Program\\AIM\\aim.exe"=
"c:\\WINDOWS\\System32\\ntvdm.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"110:TCP"= 110:TCP:svchost

R0 Lbd;Lbd;c:\windows\System32\DRIVERS\Lbd.sys [11/17/2009 9:32 AM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 TeamViewer;TeamViewer 3;c:\program files\TeamViewer3\TeamViewer_Host.exe [05/05/2008 5:27 AM 181544]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/03/2006 7:19 PM 13592]
R3 Eacfilt;Eacfilt Miniport;c:\windows\System32\DRIVERS\eacfilt.sys [05/07/2008 1:45 PM 24521]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/24/2009 3:17 AM 1179232]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\System32\DRIVERS\ipsecw2k.sys [05/07/2008 1:45 PM 155184]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/19/2008 2:41 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\System32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2009-11-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 17:29]

2009-11-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-07 22:35]

2009-11-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2009-11-18 c:\windows\Tasks\Uninstall Expiration Reminder.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-05-07 00:12]

2009-11-17 c:\windows\Tasks\User_Feed_Synchronization-{F312786E-02CC-42C5-A9FF-ED6D8F8924D5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0B541685-ACB8-48C2-8556-D56CE15EA800} - hxxp://www.bookingbuilder.com/files/BBWebGDS.CAB
FF - ProfilePath - c:\documents and settings\Joy Smith\Application Data\Mozilla\Firefox\Profiles\d9y3gk9c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npaudio.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npavi32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPBeatSP.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPDocBox.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npnul32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppdf32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPSVGVw.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwmsdrm.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwtplug.dll
FF - plugin: c:\program files\VIEWPOINT\VIEWPOINT MEDIA PLAYER\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 19:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89B3F170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf745fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf746ca21
SendHandler -> NDIS.sys @ 0xf744a87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3308)
c:\windows\system32\WININET.dll
c:\program files\TeamViewer3\tv.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-17 19:50
ComboFix-quarantined-files.txt 2009-11-18 03:50
ComboFix2.txt 2009-11-18 02:15
ComboFix3.txt 2009-11-18 01:59

Pre-Run: 147,519,365,120 bytes free
Post-Run: 147,499,679,744 bytes free

- - End Of File - - 0CE8BEA54360D8A60647E1CD5B8445FD

----------------------------------------------------------------------------------------------------------
HERE IS A HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:16 PM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\sistray.exe
C:\Program Files\IDT\572008124405\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Program Files\TeamViewer3\TeamViewer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Joy Smith\Desktop\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\System32\sistray.exe
O16 - DPF: {0B541685-ACB8-48C2-8556-D56CE15EA800} (BBWebGDS.GDSInterface) - http://www.bookingbuilder.com/files/BBWebGDS.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Program Files\IDT\572008124405\STacSV.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Host.exe

--
End of file - 3101 bytes


-----------------------------------
THANK YOU FOR ANY HELP YOU CAN PROVIDE ME!!
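A small triage script over the ComboFix output posted above, added here as an example; it is not part of the original post and not ComboFix's or Gmer's own code. It flags 'Files Created' entries dated after the range the section banner states (the 2094-02-01 lines for C:\FIX2000.SYS and C:\joy) and any `>>UNKNOWN [0x...]<<` module in the Gmer MBR detector's call chain; the sample lines are copied from the posted log and the function names are my own.

```python
"""Triage checks for a ComboFix log (added example, not ComboFix's own code).

Two things a reviewer looks at first:
  1. 'Files Created' entries dated after the range the banner states
     (a future timestamp usually means a forged or bogus file time);
  2. an '>>UNKNOWN [0x...]<<' module in the Gmer MBR detector's
     'called modules' chain: a code address mapped to no loaded driver.
"""
import re
from datetime import datetime, timedelta

# Lines copied from the log posted above, trimmed to what the checks use.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.
2094-02-01 17:05 . 1998-07-27 15:12 138 ----a-r- C:\FIX2000.SYS
2094-02-01 16:55 . 2094-02-01 16:55 -------- d-----w- C:\joy
2009-11-18 02:46 . 2009-11-18 02:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\TeamViewer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 00:58 . 2004-01-20 02:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89B3F170]<<
user & kernel MBR OK
"""

BANNER_RE = re.compile(r"^\(+ (.*?) \)+$")  # ((( Section title )))
RANGE_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
ENTRY_RE = re.compile(  # created . modified size attrs path
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
FMT = "%Y-%m-%d %H:%M"


def parse_created_section(text):
    """Return (range_end, entries) for the 'Files Created' section.

    range_end is the first moment after the banner's end day; entries
    are dicts with parsed timestamps. Every other section is skipped.
    """
    range_end, entries, in_section = None, [], False
    for line in text.splitlines():
        banner = BANNER_RE.match(line)
        if banner:
            m = RANGE_RE.search(banner.group(1))
            in_section = m is not None
            if m:
                range_end = datetime.strptime(m.group(2), "%Y-%m-%d") + timedelta(days=1)
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            entries.append({
                "created": datetime.strptime(m["created"], FMT),
                "modified": datetime.strptime(m["modified"], FMT),
                "size": None if m["size"].startswith("-") else int(m["size"]),
                "attrs": m["attrs"],
                "path": m["path"],
            })
    return range_end, entries


def flag_future_timestamps(text):
    """(path, field, timestamp) for entries dated after the banner's range."""
    range_end, entries = parse_created_section(text)
    flagged = []
    for e in entries:
        for field in ("created", "modified"):
            if range_end is not None and e[field] > range_end:
                flagged.append((e["path"], field, e[field].strftime(FMT)))
                break
    return flagged


def find_unknown_modules(text):
    """Addresses the Gmer MBR detector could not attribute to any module."""
    return UNKNOWN_RE.findall(text)


def triage(text):
    """Both findings are prompts for a reviewer, not verdicts."""
    return {"future_timestamps": flag_future_timestamps(text),
            "unknown_modules": find_unknown_modules(text)}


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```

Neither finding is a verdict on its own: the same log reports the user and kernel MBR as OK, and a future file date can also come from a wrong system clock, so both are starting points for a closer look rather than proof of infection.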


#2 Blade

  • Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 27 November 2009 - 12:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 ideaguy

  • Topic Starter
  • Members
  • 2 posts

Posted 28 November 2009 - 01:34 PM

Thank you for your reply. I didn't hear back from you for a while, so I tried running COMBOFIX again (for the 4th time) and this time Combofix found an update. After Combofix updated I ran it again and it fixed the problem! So at this time my problem has been resolved.

I appreciate you getting back to me. At this time we can close this thread.

Best Regards,

#4 Orange Blossom

  • OBleepin Investigator
  • Moderator
  • 36,958 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 29 November 2009 - 08:21 PM

Hello,

Thank you for posting back. I feel the need to point out that just because symptoms are gone does not mean the infection is gone. However, since this issue seems to be resolved, this thread will now be closed.

Concerning Combofix, please read this topic: http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/ This program should not be run unless under the supervision of someone who has been trained in its use. The topic I linked to explains just why that is.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
