Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search Results being redirected


  • This topic is locked This topic is locked
8 replies to this topic

#1 Goose29us

Goose29us

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 31 January 2010 - 03:15 PM

When Iclick on results of a search in Google or Bing, some results go to the website indicated, others lead to various other sites including leapfish.com, http://r9237242.cn/, or myoptumhealth.com to name a few. Clicking the back button on the browser and then the same search result redirects to a different site each time. Have tried searching with Yahoo and have not had any redirecting.

Also when the web browser is open, a new window will sometimes open to what seems a ramdom site, for example (http://www.endocrineweb.com/diabetes/control.html).

Any help identifying the problem and correcting it would be greatly appreciated.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Daddy at 13:32:18.62 on Sun 01/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.734 [GMT -6:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Daddy\Local Settings\Temporary Internet Files\Content.IE5\AR7PYG17\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Bar = hxxp://www.google.com/ie_rsearch.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TPSMain] TPSMain.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v67/swapit/swapit.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\,ziwupumi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IE Component Categories cache daemon: {553858a7-4922-4e7e-b1c1-97140c1c16ef} - c:\windows\system32\ieframe.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli hakurevi.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-10-22 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-22 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-22 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-22 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-23 297752]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\TNSLSNR.EXE [2006-2-2 204800]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2008-7-29 39424]
S3 lredbooo;lredbooo;\??\c:\docume~1\daddy\locals~1\temp\lredbooo.sys --> c:\docume~1\daddy\locals~1\temp\lredbooo.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE [?]

=============== Created Last 30 ================

2010-01-31 19:13:33 0 d-----w- c:\program files\Trend Micro
2010-01-29 02:42:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-28 04:52:31 0 d-----w- c:\program files\schtml
2010-01-28 04:36:28 36 ----a-w- c:\program files\skynet.dat
2010-01-19 02:45:49 0 d-----w- C:\Chaps
2010-01-12 22:51:09 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-03 14:11:38 0 d-----w- c:\docume~1\daddy\applic~1\iShell

==================== Find3M ====================

2010-01-28 04:35:57 0 ----a-w- c:\program files\inst32.log
2010-01-27 13:46:03 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-02-15 21:58:52 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021520090216\index.dat

============= FINISH: 13:34:18.93 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:04 PM

Posted 02 February 2010 - 11:41 PM


Hello Goose29us smile.gif Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.














Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Goose29us

Goose29us
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 03 February 2010 - 01:36 AM

Thank you so much for taking my case. I ran the ComboFix program and installed the Windows Console Recovery as well.

So far, so good. I have not experienced any redirected sites or new browsers opening since running ComboFix.

Here is the log file created:

ComboFix 10-02-02.02 - Daddy 02/03/2010 0:05.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.876 [GMT -6:00]
Running from: c:\documents and settings\Daddy\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2369461160-35945199-3371764974-1003
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\EventSystem.log
c:\windows\system32\4F3X
c:\windows\system32\reboot.txt

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 )))))))))))))))))))))))))))))))
.

2010-01-31 19:13 . 2010-01-31 19:13 -------- d-----w- c:\program files\Trend Micro
2010-01-31 17:03 . 2010-01-31 17:18 152576 ----a-w- c:\documents and settings\Administrator.SCHOOL012606\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-31 17:03 . 2010-01-31 17:18 79488 ----a-w- c:\documents and settings\Administrator.SCHOOL012606\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-30 00:09 . 2010-01-31 14:36 -------- d-----w- c:\windows\BDOSCAN8
2010-01-29 22:19 . 2010-01-29 22:21 -------- d-----w- c:\documents and settings\Daddy\Local Settings\Application Data\Temp
2010-01-29 02:42 . 2010-01-31 17:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-28 04:52 . 2010-01-28 04:52 -------- d-----w- c:\program files\schtml
2010-01-28 04:36 . 2010-01-28 04:36 36 ----a-w- c:\program files\skynet.dat
2010-01-28 03:58 . 2010-01-28 03:58 -------- d-sh--w- c:\documents and settings\Administrator.SCHOOL012606\IECompatCache
2010-01-28 02:17 . 2010-01-28 02:17 -------- d-sh--w- c:\documents and settings\Administrator.SCHOOL012606\PrivacIE
2010-01-27 15:56 . 2010-01-27 15:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-27 04:53 . 2010-01-27 04:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-19 02:45 . 2010-01-19 02:46 -------- d-----w- C:\Chaps
2010-01-12 22:51 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 21:41 . 2009-12-06 04:24 -------- d-----w- c:\program files\Pando Networks
2010-01-28 04:35 . 2010-01-28 04:35 0 ----a-w- c:\program files\inst32.log
2010-01-28 04:15 . 2008-01-30 03:24 -------- d-----w- c:\program files\RegCure
2010-01-28 00:35 . 2009-05-12 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 13:46 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-24 04:01 . 2006-02-05 04:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-07 22:07 . 2009-05-12 05:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-05-12 05:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 14:11 . 2010-01-03 14:11 -------- d-----w- c:\documents and settings\Daddy\Application Data\iShell
2009-12-29 20:37 . 2008-01-16 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-28 15:00 . 2009-06-01 17:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{FF5233DA-795C-451C-B01E-8F32CCCF523E}
2009-12-25 15:35 . 2009-12-25 15:35 -------- d-----w- c:\program files\LEGO Software
2009-12-25 15:35 . 2009-12-25 15:35 -------- d-----w- c:\program files\National Instruments
2009-12-25 15:35 . 2009-12-25 15:35 -------- d-----w- c:\program files\IVI Foundation
2009-12-25 15:35 . 2009-12-25 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\National Instruments
2009-12-21 19:14 . 2005-11-05 00:53 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 03:38 . 2009-12-17 22:30 -------- d-----w- c:\documents and settings\Daddy\Application Data\InfraRecorder
2009-12-17 22:30 . 2009-12-17 22:30 -------- d-----w- c:\program files\InfraRecorder
2009-12-06 13:20 . 2009-12-06 13:20 -------- d-----w- c:\documents and settings\Daddy\Application Data\Turbine
2009-12-06 13:20 . 2006-01-22 22:30 128 ----a-w- c:\documents and settings\Daddy\Local Settings\Application Data\fusioncache.dat
2009-12-06 05:39 . 2009-12-06 05:39 -------- d-----w- c:\program files\Turbine
2009-11-21 15:51 . 2005-11-05 00:52 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:02 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-25 352256]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-4 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-23 14:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AGRSMMSG"=AGRSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/22/2009 10:40 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/22/2009 10:40 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/22/2009 10:40 AM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/23/2009 8:52 AM 297752]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 12:49 AM 204800]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [7/29/2008 2:09 PM 39424]
S3 lredbooo;lredbooo;\??\c:\docume~1\Daddy\LOCALS~1\Temp\lredbooo.sys --> c:\docume~1\Daddy\LOCALS~1\Temp\lredbooo.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2007-12-14 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]

2007-12-14 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]

2010-01-31 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-24 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-31 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2009-12-28 c:\windows\Tasks\The Reader's Edge Updates.job
- c:\windows\Installer\The Reader's Edge Updates for All Users.lnk [2009-06-01 17:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 00:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,93,28,a2,f2,85,01,4a,88,cb,d3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,93,28,a2,f2,85,01,4a,88,cb,d3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(364)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
.
**************************************************************************
.
Completion time: 2010-02-03 00:26:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-03 06:26

Pre-Run: 18,928,414,720 bytes free
Post-Run: 19,035,942,912 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 16A3AA824611D41353E6F8D73AE2579B


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:04 PM

Posted 03 February 2010 - 12:38 PM

You're welcome, glad to know the redirections are gone. I would like to run the following which will help us determine if anything is lingering ComboFix may have missed:



It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:



Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.


If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 Goose29us

Goose29us
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 03 February 2010 - 06:28 PM

After running the Kaspersky scan, there are a couple of threats still detected.

Here is the report:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, February 3, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, February 03, 2010 14:25:14
Records in database: 3401930
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
Z:\

Scan statistics:
Objects scanned: 129438
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 04:19:28


File name / Threat / Threats count
C:\Documents and Settings\Daddy\Application Data\Sun\Java\Deployment\cache\6.0\1\1f29cc41-29107744 Infected: Trojan-Downloader.Java.OpenStream.ae 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:04 PM

Posted 03 February 2010 - 07:33 PM

One of those is from Qoobox which is the quarantine are of ComboFix. It will be gone when we do an uninstall.

The other is in the Java cache and you need to upgrade your Java anyway. You have some older versions which are highly vulnerable to Malware exploitation. Let's take care of that and updating your Adobe Reader at the same time then let me know if everything seems OK.






Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.






Please uninstall older version of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double clicking on Add/Remove Programs
* Locate older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click onDownload. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.


If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 Goose29us

Goose29us
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 03 February 2010 - 08:49 PM

Thanks again for helping me out. I have not experienced any search redirects or new browsers opening. I knew the out dated Java could be part of the problem, but until your help, I was unable to update the software. The update would just start up and shut down then say Java could not be updated. Both Java and Adobe Reader are successfully updated now.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:04 PM

Posted 03 February 2010 - 09:06 PM

Good deal all the way around. Looks like things are OK now so we can go ahead and finish up.



Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.




You can also remove DDS and RootRepeal is they are still present on your machine.



Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  2. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  3. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  4. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date




If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. smile.gif


thewall



If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:04 PM

Posted 07 February 2010 - 03:07 PM

Since this issue appears to be resolved ... this Topic has been closed.

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users