Redirect from clicked link in Google search results



#1 desco1

Posted 26 December 2009 - 09:18 PM

OS XP Pro - SP 3
Browser Firefox 3.5 or IE 6 as backup browser
Any URL supplied by Google search and clicked to select the offered web page results in the browser being redirected to "newserversearch.com" and reported as non-existent.
The error message dialog usually reports another random URL name. Doing a block, copy and paste to word processing replaces the displayed domain name with newserversearch.com, while the remainder of the copied error dialog reproduces correctly.

Referred here from 'Am I infected? What do I do?' forum. Topic link: http://www.bleepingcomputer.com/forums/t/280563/redirect-from-google-search-hijack/ ~ OB

DDS (Ver_09-12-01.01) - NTFSx86
Run by user one at 20:45:13.43 on Sat 12/26/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1139 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PAYCLOCK\BTENG32M.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PAYCLOCK\PCSCMGR.EXE
C:\PAYCLOCK\PC50\PCTSCMGR.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\igfxsrvc.exe
M:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Tmp\tools\Spyware\Dos Screen Window\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [PayClockServer] c:\payclock\PCSCMGR.EXE
mRun: [PayClockTerminalService] c:\payclock\pc50\PCTSCMGR.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
dRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe" /q /c
StartupFolder: c:\docume~1\useron~1\startm~1\programs\startup\karen'~1.lnk - m:\program files\karen's power tools\replicator\PTReplicator.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\useron~1\applic~1\mozilla\firefox\profiles\p9c1svbr.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL -
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-29 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-29 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-29 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-20 353672]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-29 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-29 297752]
R2 PayClockServer;PayClock Database Service;c:\payclock\Bteng32m.exe [2009-8-22 208955]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S2 PayClockTerminalServer;PayClock Terminal Service;d:\payclock\pc50\bteng32m.exe /scn:payclockterminalserver --> d:\payclock\pc50\BTENG32M.EXE [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2006-4-22 32512]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [2009-1-7 47360]
S4 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-12-20 30192]

=============== Created Last 30 ================

2009-12-26 21:50:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation
2009-12-26 21:49:40 0 d-----w- c:\program files\common files\Sony Shared
2009-12-26 21:46:53 0 d-----w- c:\program files\Sony
2009-12-23 16:58:57 0 d-----w- C:\DoctorWeb
2009-12-23 02:06:29 0 d-----w- C:\Other_comp_bkup
2009-12-22 00:35:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-22 00:35:04 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-22 00:35:04 0 d-----w- c:\docume~1\useron~1\applic~1\SUPERAntiSpyware.com
2009-12-22 00:34:44 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-21 19:24:05 0 d-sha-r- C:\cmdcons
2009-12-21 18:43:51 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-12-21 18:43:51 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-12-21 18:38:19 98816 ----a-w- c:\windows\sed.exe
2009-12-21 18:38:19 77312 ----a-w- c:\windows\MBR.exe
2009-12-21 18:38:19 261632 ----a-w- c:\windows\PEV.exe
2009-12-21 18:38:19 161792 ----a-w- c:\windows\SWREG.exe
2009-12-21 14:18:33 60196 ----a-w- C:\cc_20091221_091824.reg
2009-12-21 14:09:56 0 d-----w- c:\program files\CCleaner
2009-12-21 12:38:36 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-21 12:33:45 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-20 19:21:35 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-12-20 19:21:35 0 d-----w- c:\program files\Zone Labs
2009-12-20 19:21:34 350192 ----a-w- c:\windows\system32\vsconfig.xml
2009-12-18 19:22:34 59 ----a-w- c:\windows\LTDLG13N.INI
2009-12-14 19:23:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-14 19:23:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-13 12:55:35 132096 --sha-r- c:\windows\system32\rasautob.dll
2009-12-11 23:10:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-11 23:02:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Karen's Power Tools
2009-12-11 16:27:14 0 d-----w- c:\program files\WinDirStat
2009-12-11 16:01:17 0 d-----w- c:\program files\Unlocker
2009-12-11 15:38:57 0 d-----w- c:\program files\Disk Investigator
2009-12-03 19:40:34 0 d-----w- c:\docume~1\useron~1\applic~1\Free Sound Recorder
2009-12-03 19:40:22 479232 ----a-w- c:\windows\system32\NCTAudioVisualization2.dll
2009-12-03 19:40:22 417792 ----a-w- c:\windows\system32\NCTTextToAudio2.dll
2009-12-03 19:40:22 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2009-12-03 19:40:22 113486 ----a-w- c:\windows\system32\NCTWMAProfiles.prx
2009-12-03 19:40:21 880640 ----a-w- c:\windows\system32\NCTAudioEditor2.dll
2009-12-03 19:40:21 835584 ----a-w- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-12-03 19:40:21 602112 ----a-w- c:\windows\system32\NCTAudioTransform2.dll
2009-12-03 19:40:21 458752 ----a-w- c:\windows\system32\NCTAudioRecord2.dll
2009-12-03 19:40:21 458752 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2009-12-03 19:40:21 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-12-03 19:40:21 1986560 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-12-03 19:40:21 1212416 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2009-12-03 19:40:20 0 d-----w- c:\program files\Free Sound Recorder
2009-11-29 17:11:15 0 d-----w- c:\program files\CONEXANT
2009-11-29 17:11:10 90112 ----a-w- c:\windows\system32\mdmxsdk.dll
2009-11-29 17:11:10 687488 ----a-w- c:\windows\system32\drivers\HSF_USR.sys
2009-11-29 17:11:10 27786 ----a-w- c:\windows\system32\HSFCI007.dll
2009-11-29 17:11:10 22631 ----a-w- c:\windows\system32\drivers\usrhsfi.cty
2009-11-29 17:11:10 207616 ----a-w- c:\windows\system32\drivers\USR_BSC2.sys
2009-11-29 17:11:10 11043 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2009-11-29 17:11:10 1041152 ----a-w- c:\windows\system32\drivers\USR_MDM.sys
2009-11-27 20:14:22 0 d-----w- c:\program files\AskBarDis
2009-11-27 20:14:04 0 d-----w- c:\docume~1\useron~1\applic~1\Foxit

==================== Find3M ====================

2009-12-20 19:21:44 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-11 21:34:43 47360 ----a-w- c:\windows\system32\drivers\sustucam.sys
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 20:45:35.17 ===============
=================================================/*/*/*//*

Edited by Orange Blossom, 26 December 2009 - 09:20 PM.



#2 jpshortstuff

Posted 29 December 2009 - 11:23 AM

Hi there,

Sorry about the delay. We appear to be up against a fairly new infection which is currently undetected by the majority of our tools. To help us find out where it is loading from, please download and run this tool:
http://jpshortstuff.247fixes.com/Kenco.exe
It will only take a few moments, please post the log it produces.

Thanks.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 desco1


Posted 29 December 2009 - 11:42 AM

And I had attributed the delay in response to the holidays. :-)
Thanks for the response regardless.

Kenco by jpshortstuff (29.12.09.2)
Log created at 11:35 on 29/12/2009 (user one)

C:\WINDOWS\Tasks\FTAP.job -> Unlocked

========== C:\WINDOWS\Tasks ==========
FTAP.job

-=E.O.F=-

#4 jpshortstuff

Posted 29 December 2009 - 11:49 AM

Excellent, that worked a charm, now we can kill it.

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please click OTM and then click >> run.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
explorer.exe

:files
C:\WINDOWS\Tasks\FTAP.job
c:\windows\system32\rasautob.dll

:Commands
[emptytemp]
[Reboot]
  • Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Let me know if you are still getting redirected after that reboot, and please post a fresh DDS log as well.
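As an added example (not a tool from this thread or from BleepingComputer), the Python below applies the reasoning jpshortstuff used above to DDS log lines: it parses "Created Last 30" / "Find3M" entries, flags a file that is hidden+system inside a Windows system directory, any .job file under \windows\tasks, and a filename one edit away from a known system DLL, and formats analyst-confirmed paths into an OTM script of the same shape as the one above. The attribute-column layout is inferred from the lines in this thread, rasauto.dll in the known-name list is an assumption, and the sample lines are copied from the first DDS log.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# DDS entry line: "2009-12-13 12:55:35 132096 --sha-r- c:\windows\system32\rasautob.dll"
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{8}) (.+)$")
# Parent directories (exact match, so dllcache is excluded) where a freshly
# created hidden+system file deserves a second look.
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers")
# Names for the lookalike check. The last four appear in the Find3M section of
# the thread; rasauto.dll is assumed (the legitimate RAS auto-dial component).
KNOWN_DLLS = ("rasauto.dll", "rastls.dll", "raschap.dll", "wininet.dll", "httpapi.dll")

@dataclass
class Entry:
    created: str
    size: int
    attrs: str  # 8-char column, e.g. "--sha-r-"; layout inferred from the thread's
    path: str   # lines: pos 0 directory, 2 system, 3 hidden, 4 archive, 6 r/w

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return self.attrs[2] == "s" and self.attrs[3] == "h"

    @property
    def read_only(self) -> bool:
        return self.attrs[6] == "r"

def parse_entries(text: str) -> List[Entry]:
    """Return every DDS file entry in the text; section headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return entries

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used for the filename lookalike check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def reasons_for(entry: Entry) -> List[str]:
    """Heuristic reasons an entry merits analyst review; empty means not flagged."""
    if entry.is_dir:
        # Directories are not judged: C:\cmdcons (d-sha-r-) is the Recovery
        # Console and is legitimately hidden+system+read-only.
        return []
    parent, _, name = entry.path.lower().rpartition("\\")
    reasons = []
    if parent in SYSTEM_DIRS and entry.hidden_system:
        reasons.append("hidden+system file created in a Windows system directory")
        if entry.read_only:
            reasons.append("also read-only, unusual for a newly dropped DLL")
    if parent.endswith(r"\windows\tasks") and name.endswith(".job"):
        reasons.append("scheduled task .job file: check what it launches")
    for known in KNOWN_DLLS:
        if name != known and edit_distance(name, known) == 1:
            reasons.append(f"filename is one character away from {known}")
    return reasons

def triage_dds(text: str) -> List[Tuple[Entry, List[str]]]:
    """Run the heuristics over a DDS log and return only the flagged entries."""
    return [(e, r) for e in parse_entries(text) if (r := reasons_for(e))]

def otm_script(confirmed_paths: List[str]) -> str:
    """OTM move script in the layout used in the thread, built only from paths the
    analyst has confirmed, never straight from the heuristics."""
    return ":Processes\nexplorer.exe\n\n:files\n" + "\n".join(confirmed_paths) + "\n\n:Commands\n[emptytemp]\n[Reboot]"

# Constructed sample: lines copied from the first DDS log in this thread.
SAMPLE_DDS = r"""
=============== Created Last 30 ================

2009-12-21 19:24:05 0 d-sha-r- C:\cmdcons
2009-12-21 18:43:51 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-12-21 18:43:51 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-12-13 12:55:35 132096 --sha-r- c:\windows\system32\rasautob.dll

==================== Find3M ====================

2009-12-20 19:21:44 4212 ---ha-w- c:\windows\system32\zllictbl.dat
"""
```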

#5 desco1


Posted 29 December 2009 - 12:42 PM

Bingo! Corrected the redirect when clicking on a Google search-supplied link!

Following is the OldTimer log:
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\WINDOWS\Tasks\FTAP.job moved successfully.
LoadLibrary failed for c:\windows\system32\rasautob.dll
c:\windows\system32\rasautob.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 207442495 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 3304386 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: user one
->Temp folder emptied: 46675889 bytes
->Temporary Internet Files folder emptied: 10732635 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 1617975342 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 3925009 bytes
Windows Temp folder emptied: 739 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,805.00 mb


OTM by OldTimer - Version 3.1.4.0 log created on 12292009_121505

Files moved on Reboot...
C:\Documents and Settings\user one\Local Settings\Temp\~DF5501.tmp moved successfully.
File C:\WINDOWS\temp\ZLT06297.TMP not found!

Registry entries deleted on Reboot...
=================================/*/*/*
Following is the DDS log:
DDS (Ver_09-12-01.01) - NTFSx86
Run by user one at 12:28:43.34 on Tue 12/29/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1454 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PAYCLOCK\BTENG32M.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PAYCLOCK\PCSCMGR.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\PAYCLOCK\PC50\PCTSCMGR.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
M:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
C:\Tmp\tools\Spyware\Dos Screen Window\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [PayClockServer] c:\payclock\PCSCMGR.EXE
mRun: [PayClockTerminalService] c:\payclock\pc50\PCTSCMGR.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
dRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe" /q /c
StartupFolder: c:\docume~1\useron~1\startm~1\programs\startup\karen'~1.lnk - m:\program files\karen's power tools\replicator\PTReplicator.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\useron~1\applic~1\mozilla\firefox\profiles\p9c1svbr.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL -
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-29 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-29 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-29 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-20 353672]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-29 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-29 297752]
R2 PayClockServer;PayClock Database Service;c:\payclock\Bteng32m.exe [2009-8-22 208955]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 PayClockTerminalServer;PayClock Terminal Service;d:\payclock\pc50\bteng32m.exe /scn:payclockterminalserver --> d:\payclock\pc50\BTENG32M.EXE [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2006-4-22 32512]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [2009-1-7 47360]
S4 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-12-20 30192]

=============== Created Last 30 ================

2009-12-29 17:15:05 0 d-----w- C:\_OTM
2009-12-27 02:15:06 1623 ----a-w- C:\rootReveal-log.zip
2009-12-27 02:13:26 3767 ----a-w- C:\attach.zip
2009-12-26 21:50:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation
2009-12-26 21:49:40 0 d-----w- c:\program files\common files\Sony Shared
2009-12-26 21:46:53 0 d-----w- c:\program files\Sony
2009-12-23 16:58:57 0 d-----w- C:\DoctorWeb
2009-12-23 02:06:29 0 d-----w- C:\Other_comp_bkup
2009-12-22 00:35:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-22 00:35:04 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-22 00:35:04 0 d-----w- c:\docume~1\useron~1\applic~1\SUPERAntiSpyware.com
2009-12-22 00:34:44 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-21 19:24:05 0 d-sha-r- C:\cmdcons
2009-12-21 18:43:51 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-12-21 18:43:51 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-12-21 18:38:19 98816 ----a-w- c:\windows\sed.exe
2009-12-21 18:38:19 77312 ----a-w- c:\windows\MBR.exe
2009-12-21 18:38:19 261632 ----a-w- c:\windows\PEV.exe
2009-12-21 18:38:19 161792 ----a-w- c:\windows\SWREG.exe
2009-12-21 14:18:33 60196 ----a-w- C:\cc_20091221_091824.reg
2009-12-21 14:09:56 0 d-----w- c:\program files\CCleaner
2009-12-21 12:38:36 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-21 12:33:45 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-20 19:21:35 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-12-20 19:21:35 0 d-----w- c:\program files\Zone Labs
2009-12-20 19:21:34 350192 ----a-w- c:\windows\system32\vsconfig.xml
2009-12-18 19:22:34 59 ----a-w- c:\windows\LTDLG13N.INI
2009-12-14 19:23:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-14 19:23:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-11 23:10:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-11 23:02:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Karen's Power Tools
2009-12-11 16:27:14 0 d-----w- c:\program files\WinDirStat
2009-12-11 16:01:17 0 d-----w- c:\program files\Unlocker
2009-12-11 15:38:57 0 d-----w- c:\program files\Disk Investigator
2009-12-03 19:40:34 0 d-----w- c:\docume~1\useron~1\applic~1\Free Sound Recorder
2009-12-03 19:40:22 479232 ----a-w- c:\windows\system32\NCTAudioVisualization2.dll
2009-12-03 19:40:22 417792 ----a-w- c:\windows\system32\NCTTextToAudio2.dll
2009-12-03 19:40:22 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2009-12-03 19:40:22 113486 ----a-w- c:\windows\system32\NCTWMAProfiles.prx
2009-12-03 19:40:21 880640 ----a-w- c:\windows\system32\NCTAudioEditor2.dll
2009-12-03 19:40:21 835584 ----a-w- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-12-03 19:40:21 602112 ----a-w- c:\windows\system32\NCTAudioTransform2.dll
2009-12-03 19:40:21 458752 ----a-w- c:\windows\system32\NCTAudioRecord2.dll
2009-12-03 19:40:21 458752 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2009-12-03 19:40:21 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-12-03 19:40:21 1986560 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-12-03 19:40:21 1212416 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2009-12-03 19:40:20 0 d-----w- c:\program files\Free Sound Recorder

==================== Find3M ====================

2009-12-20 19:21:44 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-11 21:34:43 47360 ----a-w- c:\windows\system32\drivers\sustucam.sys
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 12:28:51.64 ===============
=================================/*/*/*/*
The DDS-generated attach.log is attached in zip format.

Any indication that other files or data may have been compromised?
No unknown requests for internet access have been allowed via ZoneAlarm, and many known programs are routinely denied access.
Many thanks again.

#6 jpshortstuff

Posted 29 December 2009 - 04:24 PM

Looks to be good as far as I can see. I recommend you give your system a full scan with Malwarebytes or AVG (or both) just to be sure. I can see some traces of ComboFix on your system; do you still have the program on there?

#7 desco1


Posted 29 December 2009 - 04:38 PM

Yes, I do have ComboFix.

#8 jpshortstuff


Posted 29 December 2009 - 04:58 PM

Click Start >> Run, then type ComboFix /Uninstall and press Enter.

Let me know if you have any more problems or if you receive any warnings/notifications of Malware on your system.

Edited by jpshortstuff, 29 December 2009 - 04:58 PM.


#9 desco1


Posted 29 December 2009 - 05:25 PM

Thanks very much!



