
Google & Yahoo Links Redirecting/Hijacked


  • This topic is locked
2 replies to this topic

#1 bundy462


  • Members
  • 15 posts

Posted 11 April 2010 - 03:22 AM

Hello,

I'm posting to see if anyone can help me with a problem where any links from my google and yahoo searches are being redirected/hijacked. To this point, I have attempted a Windows restore, Malwarebytes, AVG virus scans, checking my browser add ons, checking my hosts file, checking browser proxy settings, and a ComboFix run. All have been unsuccessful. Some examples of where I'm being redirected are findstuff.com, endocrineweb.com, bandwithplace.com among others. I'd really appreciate some advice with this problem. I will include the ComboFix log below.

Thanks!

ComboFix 10-04-10.02 - Bundy 04/11/2010 3:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1268 [GMT -4:00]
Running from: c:\documents and settings\Bundy\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Bundy\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Bundy\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Jill\Application Data\Install.dat
c:\program files\AVI Codec Pack
c:\program files\AVI Codec Pack\AC3\ac3filter.ax
c:\program files\AVI Codec Pack\AC3\dialog_patch.exe
c:\program files\AVI Codec Pack\LAYER-3\L3CODECP.ACM
c:\program files\AVI Codec Pack\LAYER-3\RaMp3Cfg.exe
c:\program files\AVI Codec Pack\uninstall.exe
c:\windows\system32\Data
c:\windows\Tasks\yzewiyif.job

.
((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-11 06:21 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 06:20 . 2010-04-11 06:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 06:20 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 06:20 . 2010-04-11 06:20 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-11 06:09 . 2010-04-11 06:09 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-11 06:09 . 2010-04-11 06:09 -------- d-----w- c:\program files\NOS
2010-04-11 05:54 . 2010-04-11 05:54 -------- d-----w- c:\program files\Trend Micro
2010-04-09 02:34 . 2010-04-09 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-05 01:44 . 2010-04-05 01:45 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-04-05 01:44 . 2010-03-22 19:53 32576 ----a-w- c:\documents and settings\Bundy\Application Data\Mozilla\Firefox\Profiles\gluv3u6a.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-04-05 01:44 . 2010-03-22 19:53 29984 ----a-w- c:\documents and settings\Bundy\Application Data\Mozilla\Firefox\Profiles\gluv3u6a.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-04-03 01:12 . 2010-04-03 01:12 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 14:32 . 2010-04-01 14:32 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-01 14:32 . 2010-04-01 14:32 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-01 14:32 . 2010-04-01 14:32 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-01 14:32 . 2010-04-01 14:32 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-01 14:32 . 2010-04-01 14:32 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-01 14:32 . 2010-04-01 14:32 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-01 14:32 . 2010-04-01 14:32 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-01 14:32 . 2010-04-01 14:32 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll
2010-04-01 14:32 . 2010-04-01 14:32 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-01 14:32 . 2010-04-01 14:32 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-01 14:32 . 2010-04-01 14:32 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-01 14:32 . 2010-04-01 14:32 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-01 14:31 . 2010-04-01 14:31 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-01 14:31 . 2010-04-01 14:31 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-15 05:49 . 2010-03-15 05:49 411928 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2010-03-15 05:49 . 2010-03-15 05:49 710424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcsrvx.exe
2010-03-15 05:49 . 2010-03-15 05:49 395032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgclitx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 06:09 . 2009-06-07 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-10 04:26 . 2005-12-02 03:41 -------- dc--a-w- c:\program files\Miscellaneous
2010-04-10 00:47 . 2005-11-30 06:23 25112 -c--a-w- c:\documents and settings\Bundy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-06 06:02 . 2005-11-30 00:05 -------- dc--a-w- c:\program files\Sports
2010-04-03 01:11 . 2008-12-03 03:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-07 21:15 . 2010-02-09 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-07 19:39 . 2008-07-22 13:51 -------- d-----w- c:\documents and settings\Bundy\Application Data\LimeWire
2010-03-07 19:12 . 2005-11-30 00:12 -------- dc--a-w- c:\program files\Casino Chips
2010-03-06 01:20 . 2010-03-06 01:20 -------- d-----w- c:\documents and settings\Bundy\Application Data\AVG9
2010-03-05 13:57 . 2010-02-09 01:27 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-05 13:57 . 2010-03-05 13:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-05 13:57 . 2010-02-09 01:26 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-05 13:57 . 2010-02-09 01:26 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-05 13:57 . 2010-02-09 01:27 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-26 05:43 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-20 01:32 . 2010-02-20 01:32 -------- d-----w- c:\program files\Singularity Software
2010-02-10 13:41 . 2005-11-29 23:49 -------- dc----w- c:\program files\Music
2010-02-07 16:56 . 2010-02-07 16:56 36 ----a-w- c:\program files\skynet.dat
2010-01-28 00:23 . 2010-01-28 00:23 503808 ----a-w- c:\documents and settings\Bundy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-51dbb1e3-n\msvcp71.dll
2010-01-28 00:23 . 2010-01-28 00:23 499712 ----a-w- c:\documents and settings\Bundy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-51dbb1e3-n\jmc.dll
2010-01-28 00:23 . 2010-01-28 00:23 348160 ----a-w- c:\documents and settings\Bundy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-51dbb1e3-n\msvcr71.dll
2010-01-28 00:23 . 2010-01-28 00:23 61440 ----a-w- c:\documents and settings\Bundy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1487630c-n\decora-sse.dll
2010-01-28 00:23 . 2010-01-28 00:23 12800 ----a-w- c:\documents and settings\Bundy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1487630c-n\decora-d3d.dll
2005-12-01 01:38 . 2005-11-30 12:53 56 -csh--r- c:\windows\system32\D56C4F1468.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\366\g2mstart.exe" [2010-02-09 31552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2007-6-16 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 13:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=c:\windows\pss\dlbcserv.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-02-15 22:10 57344 -c----w- c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-04-27 13:41 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-11-25 14:03 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 07:00 90112 -c----w- c:\windows\Updreg.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2/8/2010 9:27 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/8/2010 9:26 PM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/8/2010 9:27 PM 242696]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 9:57 AM 308064]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\drivers\SaiHFF0C.sys [5/21/2007 9:15 PM 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\drivers\saiuFF0C.sys [5/21/2007 9:15 PM 19584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell4me.com/myway
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
FF - ProfilePath - c:\documents and settings\Bundy\Application Data\Mozilla\Firefox\Profiles\gluv3u6a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-vptray - c:\program files\NavNT\vptray.exe
MSConfigStartUp-GoToMeeting - c:\program files\Citrix\GoToMeeting\190\g2mstart.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1133497633\ee\AOLSoftware.exe
MSConfigStartUp-LWBMOUSE - c:\program files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
MSConfigStartUp-VoiceCenter - c:\program files\Creative\VoiceCenter\AndreaVC.exe
MSConfigStartUp-vptray - c:\program files\NavNT\vptray.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
AddRemove-AVI Codec Pack - c:\program files\AVI Codec Pack\uninstall.exe
AddRemove-LiveReg - c:\program files\Common Files\Symantec Shared\LiveReg\VcSetup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 03:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A694AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\Bundy\LOCALS~1\Temp\clclean.0001
c:\windows\eHome\ehmsas.exe
c:\program files\Citrix\GoToMeeting\366\g2mcomm.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Citrix\GoToMeeting\366\g2mlauncher.exe
c:\program files\AVG\AVG9\avgscanx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-04-11 04:09:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 08:09

Pre-Run: 60,836,495,360 bytes free
Post-Run: 61,579,407,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 74839EF79A900654376D7EA3EA9C3737

EDIT: Moved from XP to more appropriate malware forum ~ Hamluis.

Edited by hamluis, 11 April 2010 - 05:57 AM.




#2 Jat90


  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 14 April 2010 - 06:34 AM

Hello, bundy462

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I wouldn't recommend using ComboFix unless instructed to do so; it's a very powerful tool and is not for everyday use. From your log, however, it looks to me like you're infected with TDL3. Let's do the following:

TDSS Killer
  1. Go to this page and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Click Start, then Run. Type "cmd" into the box that appears and hit enter. Now copy and paste the following line into the screen that appears:

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

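The TDL3 call above rests on the "Stealth MBR rootkit/Mebroot/Sinowal detector" block in the posted ComboFix log: an unnamed module (">>UNKNOWN [0x8A694AC8]<<") sitting in the disk driver call chain even though the MBR sectors themselves read back clean. As an added illustration, not part of this thread, of ComboFix or of any Gmer tool, here is a small Python parser that pulls those indicators out of such a log for triage; the log excerpt it runs on is constructed from the lines posted above, and the hook/unknown line formats it expects are assumed from that excerpt.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt reproducing the layout of the MBR-detector block in the
# posted ComboFix log (values copied from the thread above, not a live scan).
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A694AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: -> SendCompleteHandler -> 0x0
user & kernel MBR OK

**************************************************************************
"""

# Constructed "clean" variant: same layout, every module in the chain is named.
CLEAN_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
user & kernel MBR OK
**************************************************************************
"""

HEADER = "Stealth MBR rootkit/Mebroot/Sinowal detector"
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (\S+) @ (0x[0-9A-Fa-f]+)$")


@dataclass
class MbrFindings:
    # Addresses in the disk call chain that resolve to no loaded driver image.
    unknown_modules: List[str] = field(default_factory=list)
    # \Driver\<name> -> (module the dispatch points into, address)
    driver_hooks: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # True when the detector reported both user- and kernel-mode MBR reads as OK.
    mbr_ok: bool = False


def parse_mbr_section(log: str) -> MbrFindings:
    """Extract the indicators from the Gmer MBR-detector block of a ComboFix log."""
    findings = MbrFindings()
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith(HEADER):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("*****"):
            break  # the row of asterisks closes the detector block
        if line.startswith("called modules:"):
            findings.unknown_modules.extend(UNKNOWN_RE.findall(line))
        elif (m := HOOK_RE.match(line)):
            findings.driver_hooks[m.group(1)] = (m.group(2), m.group(3))
        elif line == "user & kernel MBR OK":
            findings.mbr_ok = True
    return findings


def is_suspicious(findings: MbrFindings) -> bool:
    """Triage rule: an unnamed module in the disk chain is the strong signal.

    A \\Driver entry whose dispatch resolves into a named driver image is
    ordinary class-driver layering; one that resolves nowhere is not.
    """
    if findings.unknown_modules:
        return True
    return any(not re.search(r"\.(sys|exe|dll)$", mod, re.I)
               for mod, _ in findings.driver_hooks.values())


def triage_notes(findings: MbrFindings) -> List[str]:
    """Human-readable summary of what the parsed block says."""
    notes = [f"unnamed code at {a} in the disk driver call chain" for a in findings.unknown_modules]
    if findings.mbr_ok and findings.unknown_modules:
        notes.append("MBR sectors read OK: the anomaly lives in memory, not in the boot sector")
    return notes
```

With the posted excerpt the parser reports the unnamed 0x8A694AC8 module and the three \Driver entries, and flags the machine; the constructed clean variant is not flagged.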

#3 Jat90


  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 18 April 2010 - 05:15 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.




