
searchclick8 google redirect problem.


This topic is locked
29 replies to this topic

#1 greg55

Posted 08 February 2010 - 02:08 PM

Hi, for the past day I've been dealing with viruses and problems with my computer. I recently had a trojan horse but was able to eliminate it thanks to some antivirus programs friends recommended I use. Currently I have a problem using Google search results. If I click a site Google has found I always get redirected to Searchclick8. I have tried using Malwarebytes Anti-Malware, SUPERAntiSpyware, and AVG (which I no longer have). SUPERAntiSpyware found the browser hijacker and said it removed it but the infection still remains. I'm not 100% on what to do and what I need to post to further assist any experts that may help me. I would really like this fixed asap. Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:43 AM, on 2/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tucson.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is10-soft-download.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238562626531
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C1C6A3F-EF9D-4540-AF2A-95F5E3868CF3}: NameServer = 83.149.115.157,4.2.2.1,68.105.28.11 68.105.29.11 68.105.28.12
O20 - AppInit_DLLs: wefojuho.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe

--
End of file - 6978 bytes

Edited by boopme, 08 February 2010 - 02:26 PM.
Moved by boopme




#2 fenzodahl512

Posted 09 February 2010 - 10:26 AM

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




NEXT


Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
      Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - Ext
      Reg - IE Explorer Bar
      Reg - NetSvcs
      Reg - Safeboot Minimal
      Reg - Safeboot Network
      File - Lop Check
      File - Purity Scan
  • Please copy/paste the script below into the Custom Scans box
      CODE
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results




ATTACH these logs in your next reply

1. OTS
2. GMER

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 greg55

Posted 10 February 2010 - 01:53 AM

When I run OTS and try to run fix, it tells me "no fix has been provided." I'll try and see what I am doing wrong.

So sorry disregard this message. I will post the logs soon.

Edited by greg55, 10 February 2010 - 02:11 AM.


#4 greg55

Posted 10 February 2010 - 03:09 AM

Thank you very much fenzodahl512 for your help and fast reply. Here are the logs you asked for.

Attached Files



#5 fenzodahl512

Posted 10 February 2010 - 06:12 AM

Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

CODE
Begin copying here:
Files to delete:
c:\d00265-001-001.exe
c:\kkalf.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.



NEXT


OTS Fix

Open OTS.. Copy/paste below into Paste Fix Here and then click on the Run Fix button.. Let it finish and reboot the computer.. Post the log here in your next reply..

CODE
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> buy-internetsecurity10.com .[http] -> Trusted sites
YN -> buy-is2010.com .[http] -> Trusted sites
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1004\] > -> HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> buy-internetsecurity10.com .[http] -> Trusted sites
YN -> buy-is2010.com .[http] -> Trusted sites
YN -> is10-soft-download.com .[http] -> Trusted sites
YN -> is-software-download.com .[http] -> Trusted sites
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> wefojuho.dll ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
[Custom Scans]
YY ->  D00265-001-001.exe -> C:\D00265-001-001.exe
YY ->  kkalf.exe -> C:\kkalf.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]




Post these logs in your next reply..

1. The Avenger
2. OTS

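As an added worked example (not code from this thread or from HijackThis, OTS or any other tool it names), here is a small Python triage that applies defender-side rules to the HijackThis sections the fix above acts on, run over lines copied from the log in post #1. The function names, the Finding record and the KNOWN_RESOLVERS allowlist are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log posted in this thread; the triage
# rules and the allowlist below are this example's own, not HijackThis output.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tucson.cox.net/cci/home
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C1C6A3F-EF9D-4540-AF2A-95F5E3868CF3}: NameServer = 83.149.115.157,4.2.2.1,68.105.28.11 68.105.29.11 68.105.28.12
O20 - AppInit_DLLs: wefojuho.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Resolvers the analyst has verified for this machine (assumption: the Cox
# addresses from the log plus the Level 3 public resolver 4.2.2.1).
KNOWN_RESOLVERS = {"68.105.28.11", "68.105.29.11", "68.105.28.12", "4.2.2.1"}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O15"
    severity: str  # "high" or "review"
    item: str      # the value that triggered the rule
    reason: str


def parse_entries(log: str):
    """Yield (section, body) pairs for every 'Rx - ...' / 'Oxx - ...' line."""
    for line in log.splitlines():
        m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log: str, known_resolvers=KNOWN_RESOLVERS):
    """Apply defender-side rules to the persistence sections a hijacker uses."""
    findings = []
    for section, body in parse_entries(log):
        if section == "O15":
            # Trusted Zone entries lower IE's security for that domain; the
            # domains here match the rogue "Internet Security 2010" product
            # that the ESET scan later in this thread quarantined.
            domain = re.sub(r"^Trusted Zone: https?://\*\.", "", body)
            domain = re.sub(r"\s*\(HKLM\)$", "", domain)
            findings.append(Finding(section, "high", domain,
                                    "domain added to IE Trusted sites zone"))
        elif section == "O17":
            # NameServer hijack: a resolver nobody verified for this host sees
            # every lookup, including the site behind every search click.
            servers = re.search(r"NameServer = (.*)$", body).group(1)
            for ip in re.split(r"[,\s]+", servers.strip()):
                if ip and ip not in known_resolvers:
                    findings.append(Finding(section, "high", ip,
                                            "DNS resolver not in verified set"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # the OTS fix in this thread removes exactly this value.
            for dll in body[len("AppInit_DLLs:"):].split():
                findings.append(Finding(section, "high", dll,
                                        "DLL injected via AppInit_DLLs"))
        elif section == "O10":
            # HijackThis lists LSPs it does not recognise; that is a cue to
            # verify the file, not to delete it (nwprovau.dll is a Windows file).
            findings.append(Finding(section, "review", body.rsplit(": ", 1)[-1],
                                    "unrecognised Winsock LSP, verify before acting"))
    return findings


def fix_targets(findings):
    """Group high-severity findings into the removal list a helper would write."""
    targets = {"trusted_domains": set(), "appinit_dlls": set(), "dns": set()}
    for f in findings:
        if f.severity != "high":
            continue
        if f.section == "O15":
            targets["trusted_domains"].add(f.item)
        elif f.section == "O20":
            targets["appinit_dlls"].add(f.item)
        elif f.section == "O17":
            targets["dns"].add(f.item)
    return targets


if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"[{f.severity:6}] {f.section} {f.item}: {f.reason}")
    print(fix_targets(triage(HJT_LOG)))
```

The O17 address it flags is not touched by the OTS fix above; the rule surfaces it for the helper to verify against the ISP's resolvers, not as a verdict.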


#6 greg55

Posted 10 February 2010 - 02:30 PM

Thanks a lot for your assistance. Here are the logs.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\d00265-001-001.exe" deleted successfully.
File "c:\kkalf.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


All Processes Killed
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-internetsecurity10.com\\http deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-is2010.com\\http deleted successfully.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-internetsecurity10.com not found.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-is2010.com not found.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is10-soft-download.com not found.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:wefojuho.dll deleted successfully.
[Custom Scans]
File/Folder C:\D00265-001-001.exe not found.
File/Folder C:\kkalf.exe not found.
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2627 bytes
->FireFox cache emptied: 3078292 bytes

User: All Users

User: archie
->Temp folder emptied: 1092520404 bytes
->Temporary Internet Files folder emptied: 3623300 bytes
->Java cache emptied: 44257829 bytes
->FireFox cache emptied: 59130652 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1126405 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 61644 bytes
RecycleBin emptied: 2848769656 bytes

Total Files Cleaned = 3,865.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.20.1 fix logfile created on 02102010_122527

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


#7 fenzodahl512

Posted 11 February 2010 - 07:00 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now? Still got the browser hijacker?



#8 greg55

Posted 11 February 2010 - 03:20 PM

I still have the Google redirect and according to the ESET scan and NOD32 I have the Kryptik trojan virus. I know you are helping a lot but I don't understand how I still have this virus when some programs claim to delete it from my registry. Here is the ESET online scanner log.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cce3ed3629417a4a854e48bbd2a413da
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-11 08:14:30
# local_time=2010-02-11 01:14:30 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 176785 176785 0 0
# compatibility_mode=1024 16777215 100 0 43636669 43636669 0 0
# compatibility_mode=8194 67108181 100 100 0 0 0 0
# scanned=42297
# found=4
# cleaned=4
# scan_time=2077
# nod_component=NOD32MOD_WINNT_ENGLISH_BASE Build:0x11081627
# nod_component=NOD32MOD_WINNT_ENGLISH_INET Build:0x11081627
# nod_component=NOD32MOD_WINNT_ENGLISH_STANDARD Build:0x11081627
C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\IS2010.exe.vir a variant of Win32/Kryptik.CGI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\helper32.dll.vir a variant of Win32/Kryptik.CHJ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\wapifiwa.dll.vir a variant of Win32/Kryptik.CFX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00005e39.tmp.vir a variant of Win32/Kryptik.CDM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


#9 greg55

Posted 11 February 2010 - 03:46 PM

Hey, I've done some research on the Win32/Kryptik.JX virus and a lot of people are confirming that it is a false alarm made by NOD32. Here are some links on the issue. I want to make sure it's just a false alarm and not an infection.

http://www.thepatri0t.net/2009/03/09/nod32...n32-kryptik-jx/

http://computerhaven.info/forum/fb.ashx?m=88642

#10 fenzodahl512

Posted 12 February 2010 - 05:06 AM

Nope, ESET already dealt with it and the thing that ESET deleted was malware..

I can see you've run ComboFix before.. Bear in mind that normally if users run ComboFix on their own and somehow their computer gets screwed, you're on your own.. Visit the link below.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

QUOTE
You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


Okay, now I need you to delete your version of ComboFix >> download a fresh one from above link >> run it and post the log here



#11 greg55

Posted 12 February 2010 - 01:45 PM

Alright, I successfully ran a new ComboFix. Here is the log.

ComboFix 10-02-11.04 - archie 02/12/2010 11:25:44.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.150 [GMT -7:00]
Running from: c:\documents and settings\archie\My Documents\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2010-01-12 to 2010-02-12 )))))))))))))))))))))))))))))))
.

2010-02-12 18:11 . 2010-02-12 18:11 -------- d-----w- c:\windows\system32\LogFiles
2010-02-10 19:25 . 2010-02-10 19:25 -------- d-----w- C:\_OTS
2010-02-10 06:38 . 2010-02-10 06:39 -------- d-----w- c:\program files\ERUNT
2010-02-08 18:33 . 2010-02-08 18:33 -------- d-----w- c:\program files\Trend Micro
2010-02-08 07:30 . 2010-02-08 07:30 52224 ----a-w- c:\documents and settings\archie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-08 07:30 . 2010-02-08 07:30 117760 ----a-w- c:\documents and settings\archie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-08 07:30 . 2010-02-08 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-08 07:29 . 2010-02-08 07:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-08 07:29 . 2010-02-08 07:29 -------- d-----w- c:\documents and settings\archie\Application Data\SUPERAntiSpyware.com
2010-02-08 07:28 . 2010-02-08 07:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-08 07:14 . 2010-02-08 07:13 298104 ----a-w- c:\windows\system32\imon.dll
2010-02-08 07:14 . 2010-02-08 07:13 512096 ----a-w- c:\windows\system32\drivers\amon.sys
2010-02-08 07:14 . 2010-02-08 07:13 15424 ----a-w- c:\windows\system32\drivers\nod32drv.sys
2010-02-08 07:13 . 2010-02-11 19:36 -------- d-----w- c:\program files\ESET
2010-02-08 06:27 . 2010-02-08 06:27 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2010-02-08 06:25 . 2010-02-11 11:00 -------- d-----w- c:\documents and settings\archie\Application Data\Xfire
2010-02-08 06:25 . 2010-02-11 11:33 -------- d-----w- c:\program files\Xfire
2010-02-08 04:52 . 2010-02-08 04:52 -------- d-----w- c:\documents and settings\archie\Application Data\Malwarebytes
2010-02-08 04:52 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 04:52 . 2010-02-08 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 04:52 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-08 02:35 . 2010-02-08 06:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-08 02:35 . 2010-02-08 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-08 00:15 . 2010-02-08 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-07 20:00 . 2010-02-07 20:00 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-07 19:06 . 2010-02-07 19:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2010-02-07 19:05 . 2010-02-07 19:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-07 19:00 . 2010-02-07 19:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-07 19:00 . 2010-02-07 19:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-07 06:51 . 2010-02-07 06:51 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-07 05:22 . 2010-02-07 05:22 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-04 16:15 . 2010-02-04 16:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-01-22 01:37 . 2010-01-22 01:37 41872 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 06:39 . 2008-09-14 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-07 05:22 . 2010-02-07 05:22 8 ----a-w- c:\documents and settings\All Users\Application Data\mswintmp.dat
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-23 08:43 . 2009-05-04 04:58 -------- d-----w- c:\program files\DivX
2009-12-23 08:42 . 2009-05-04 04:58 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-21 19:14 . 2002-09-03 17:12 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 11:25 . 2009-12-17 11:25 47964 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-17 11:19 . 2009-12-17 11:17 -------- d-----w- c:\documents and settings\archie\Application Data\Apple Computer
2009-12-17 11:16 . 2009-12-17 11:15 -------- d-----w- c:\program files\iTunes
2009-12-17 11:16 . 2009-12-17 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-17 11:15 . 2009-12-17 11:15 -------- d-----w- c:\program files\iPod
2009-12-17 11:15 . 2009-12-17 11:11 -------- d-----w- c:\program files\Common Files\Apple
2009-12-17 11:15 . 2009-12-17 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-17 11:14 . 2009-12-17 11:14 -------- d-----w- c:\program files\Bonjour
2009-12-17 11:14 . 2009-12-17 11:13 -------- d-----w- c:\program files\QuickTime
2009-12-17 11:12 . 2009-12-17 11:12 -------- d-----w- c:\program files\Apple Software Update
2009-12-17 11:11 . 2009-12-17 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-16 18:43 . 2008-09-07 02:49 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2002-09-03 16:53 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2002-09-03 16:26 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 00:15 . 2009-11-18 00:15 744 ----a-w- c:\documents and settings\archie\Application Data\filterclsid.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-02-07_22.08.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-12 18:33 . 2010-02-12 18:33 16384 c:\windows\Temp\Perflib_Perfdata_3e4.dat
+ 2009-11-27 17:11 . 2009-11-27 17:11 17920 c:\windows\system32\dllcache\msyuv.dll
+ 2002-09-03 16:46 . 2009-11-27 16:07 28672 c:\windows\system32\dllcache\msvidc32.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 11264 c:\windows\system32\dllcache\msrle32.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 48128 c:\windows\system32\dllcache\iyuv_32.dll
+ 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2009-06-10 14:13 . 2009-11-27 16:07 84992 c:\windows\system32\dllcache\avifil32.dll
- 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2010-02-08 07:29 . 2010-02-08 07:29 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-02-08 07:29 . 2010-02-08 07:29 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-11-27 17:11 . 2009-11-27 17:11 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 48128 c:\windows\Driver Cache\i386\iyuv_32.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 8704 c:\windows\system32\dllcache\tsbyuv.dll
+ 2010-02-08 07:29 . 2010-02-08 07:29 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2009-11-27 16:07 . 2009-11-27 16:07 8704 c:\windows\Driver Cache\i386\tsbyuv.dll
+ 2002-09-03 16:59 . 2009-12-08 09:23 474112 c:\windows\system32\shlwapi.dll
- 2002-09-03 16:59 . 2008-04-14 12:42 474112 c:\windows\system32\shlwapi.dll
+ 2008-10-16 03:45 . 2009-12-31 16:50 353792 c:\windows\system32\dllcache\srv.sys
- 2006-09-23 20:12 . 2006-09-23 20:12 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2006-09-23 20:12 . 2009-12-08 09:23 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-12-16 18:43 . 2009-12-16 18:43 343040 c:\windows\system32\dllcache\mspaint.exe
+ 2008-11-13 01:33 . 2009-12-04 18:22 455424 c:\windows\system32\dllcache\mrxsmb.sys
+ 2010-02-12 18:04 . 2010-02-12 18:04 237568 c:\windows\ERDNT\AutoBackup\2-12-2010\Users\00000002\UsrClass.dat
+ 2010-02-12 18:04 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\2-12-2010\ERDNT.EXE
+ 2010-02-11 16:54 . 2010-02-11 16:54 237568 c:\windows\ERDNT\AutoBackup\2-11-2010\Users\00000002\UsrClass.dat
+ 2010-02-11 16:54 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\2-11-2010\ERDNT.EXE
+ 2010-02-10 16:08 . 2010-02-10 16:08 237568 c:\windows\ERDNT\AutoBackup\2-10-2010\Users\00000002\UsrClass.dat
+ 2010-02-10 16:08 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\2-10-2010\ERDNT.EXE
+ 2010-02-10 06:40 . 2010-02-10 06:40 237568 c:\windows\ERDNT\2-9-2010\Users\00000002\UsrClass.dat
+ 2010-02-10 06:40 . 2005-10-20 19:02 163328 c:\windows\ERDNT\2-9-2010\ERDNT.EXE
+ 2008-11-13 01:33 . 2009-12-04 18:22 455424 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-05-07 05:12 . 2009-11-27 17:11 1291776 c:\windows\system32\dllcache\quartz.dll
- 2008-10-16 03:44 . 2009-08-05 03:44 2189184 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-16 03:44 . 2009-12-08 19:27 2189184 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-16 03:44 . 2009-12-08 18:43 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-16 03:44 . 2009-08-04 14:20 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-16 03:44 . 2009-08-04 14:20 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-16 03:44 . 2009-12-08 18:43 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-16 03:44 . 2009-08-04 15:13 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-10-16 03:44 . 2009-12-08 19:26 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2010-02-08 07:29 . 2010-02-08 07:29 1583616 c:\windows\Installer\8aa84.msi
+ 2010-02-12 18:04 . 2010-02-12 18:04 3616768 c:\windows\ERDNT\AutoBackup\2-12-2010\Users\00000001\NTUSER.DAT
+ 2010-02-11 16:54 . 2010-02-11 16:54 3600384 c:\windows\ERDNT\AutoBackup\2-11-2010\Users\00000001\NTUSER.DAT
+ 2010-02-10 16:08 . 2010-02-10 16:08 3584000 c:\windows\ERDNT\AutoBackup\2-10-2010\Users\00000001\NTUSER.DAT
+ 2010-02-10 06:40 . 2010-02-10 06:40 3551232 c:\windows\ERDNT\2-9-2010\Users\00000001\NTUSER.DAT
+ 2008-10-16 03:44 . 2009-12-08 19:27 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-16 03:44 . 2009-08-05 03:44 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-16 03:44 . 2009-12-08 18:43 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-16 03:44 . 2009-08-04 14:20 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-16 03:44 . 2009-08-04 14:20 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-16 03:44 . 2009-12-08 18:43 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-16 03:44 . 2009-08-04 15:13 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-16 03:44 . 2009-12-08 19:26 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2010-02-10 09:21 . 2010-02-01 18:26 30364104 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-05-19 3561720]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-20 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-02-08 949376]

c:\documents and settings\archie\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56234:TCP"= 56234:TCP:Pando Media Booster
"56234:UDP"= 56234:UDP:Pando Media Booster
"57113:TCP"= 57113:TCP:Pando Media Booster
"57113:UDP"= 57113:UDP:Pando Media Booster

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2/8/2010 12:14 AM 15424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tucson.cox.net/cci/home
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is10-soft-download.com
TCP: {9C1C6A3F-EF9D-4540-AF2A-95F5E3868CF3} = 83.149.115.157,4.2.2.1,68.105.28.11 68.105.29.11 68.105.28.12
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\archie\Application Data\Mozilla\Firefox\Profiles\f904z411.default\
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 11:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(1916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Eset\nod32krn.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-12 11:38:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-12 18:38
ComboFix2.txt 2010-02-08 04:25
ComboFix3.txt 2010-02-07 22:13
ComboFix4.txt 2010-02-07 21:48

Pre-Run: 55,922,319,360 bytes free
Post-Run: 55,885,426,688 bytes free

- - End Of File - - CECD332A593AEB359458852814E20BF2


#12 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:10:57 AM

Posted 14 February 2010 - 06:55 AM

Please download GooredFix and save it to your Desktop.
* Ensure all Firefox windows are closed.
* To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
* When prompted to run the scan, click Yes.
* GooredFix will check for infections, and then a log will appear.
Post the log here in your next reply



Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)




Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is10-soft-download.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



Run HijackThis once again.. Post these logs here.. Still getting the redirect issue?

1. GooredFix
2. TDSSKiller
3. HijackThis

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 greg55
  • Topic Starter

  • Members
  • 47 posts
  • Local time:07:57 PM

Posted 14 February 2010 - 08:39 PM

Thanks for your continuous help. I still have the searchclick8 Google redirect after everything I've just done. In the HijackThis fix I did find the first four O15's listed. I did not see these two to delete:
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)

GooredFix by jpshortstuff (08.01.10.1)
Log created at 18:21 on 14/02/2010 (archie)
Firefox version 3.0.17 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:14 23/09/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [23:53 19/10/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [19:01 06/04/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [16:06 06/08/2009]

C:\Documents and Settings\archie\Application Data\Mozilla\Firefox\Profiles\f904z411.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [07:36 04/01/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [19:00 06/04/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:30 14/08/2009]

-=E.O.F=-


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:35 PM, on 2/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tucson.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238562626531
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C1C6A3F-EF9D-4540-AF2A-95F5E3868CF3}: NameServer = 83.149.115.157,4.2.2.1,68.105.28.11 68.105.29.11 68.105.28.12
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe

--
End of file - 6614 bytes


#14 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:10:57 AM

Posted 14 February 2010 - 09:24 PM

Ok, let's try to reset your router..

First of all, if your computer is behind a router (connected through a router), please reset the router back to its factory settings.. Refer below if you do not know how..

http://www.ehow.com/how_2110924_router-bac...t-settings.html

Then, please reconfigure it back to your preferred settings.. Below is a list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html

After you successfully reset the router, please tell me if you're still getting redirected or not.. One other thing.. Is this a personal computer or company computer? The reason I asked is because of this line..

O17 - HKLM\System\CCS\Services\Tcpip\..\{9C1C6A3F-EF9D-4540-AF2A-95F5E3868CF3}: NameServer = 83.149.115.157,4.2.2.1,68.105.28.11 68.105.29.11 68.105.28.12

I haven't determined yet whether it's bad or good..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
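The O15 Trusted Zone entries fixed in post #12 and the O17 NameServer line questioned above are the two HijackThis entry types this thread acts on. As an added example that is not part of the thread, this Python snippet pulls both out of a HijackThis log and flags any resolver not on an allowlist; the allowlist (the three 68.105.x resolvers seen in the log plus 4.2.2.1) is an assumption, and the sample lines are copied from the logs posted in this thread.

```python
import re
from ipaddress import ip_address

# Constructed excerpt: the O15 and O17 lines are copied from the HijackThis logs
# in this thread; the O4 line is there to show non-matching entries are ignored.
SAMPLE_LOG = r"""
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C1C6A3F-EF9D-4540-AF2A-95F5E3868CF3}: NameServer = 83.149.115.157,4.2.2.1,68.105.28.11 68.105.29.11 68.105.28.12
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
"""

# Assumed allowlist (not from the thread): the ISP's three resolvers seen in the
# log plus one public resolver. Anything else in an O17 entry gets flagged.
KNOWN_RESOLVERS = {"68.105.28.11", "68.105.29.11", "68.105.28.12", "4.2.2.1"}

O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)(?: \((?P<hive>HKLM)\))?$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_trusted_zones(log_text):
    """Return (domain, hive) for every O15 entry; HijackThis marks per-machine
    entries with '(HKLM)' and leaves per-user ones unmarked."""
    zones = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if m:
            domain = re.sub(r"^https?://(\*\.)?", "", m.group("site"))
            zones.append((domain, m.group("hive") or "HKCU"))
    return zones


def parse_nameservers(log_text):
    """Return every resolver IP from O17 NameServer entries, in order.
    Windows stores the value comma- or space-separated; the thread's log mixes both."""
    servers = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            for token in re.split(r"[,\s]+", m.group("servers").strip()):
                try:
                    servers.append(str(ip_address(token)))
                except ValueError:
                    continue  # skip malformed tokens rather than abort
    return servers


def unexpected_nameservers(log_text, allowlist=KNOWN_RESOLVERS):
    """Resolvers the O17 entries point at that are not on the allowlist."""
    return [ip for ip in parse_nameservers(log_text) if ip not in allowlist]


if __name__ == "__main__":
    for domain, hive in parse_trusted_zones(SAMPLE_LOG):
        print(f"Trusted Zone ({hive}): {domain}")
    for ip in unexpected_nameservers(SAMPLE_LOG):
        print(f"Nameserver not on allowlist: {ip}")
```

A flagged resolver is something to check against the ISP's published DNS servers, not by itself proof of compromise; the point of the check is that every O17 entry gets looked at rather than scrolled past.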


#15 greg55
  • Topic Starter

  • Members
  • 47 posts
  • Local time:07:57 PM

Posted 15 February 2010 - 01:52 PM

Thanks a lot. I reset our router and so far I have no Google redirect :D. Also, this is a personal computer.



