XP ANTIMALWARE 2010 to Possible Browser Hijack?


2 replies to this topic

#1 KcThrows

Posted 13 April 2010 - 12:25 PM

Alright, so I'll try and list the order of events. I'm not so bright, just good at following directions. This is how it started. Browsing on Firefox, possibly after doing some surveys (more specifically ones from PrizeRebel, and even more specifically, after I downloaded one, /sigh). But anyway, I got a pop-up for "XP ANTIMALWARE 2010". This was the first problem. So I scanned with Malwarebytes; it found some files. Deleted, Huzzah! I then scanned with Ad-Aware Free, and also AVG. No problems after that, maybe a little bit of a slower computer, nothing out of the norm. Next day, I get back on, and not until night time do I get the pop-up again. But much worse. I can't uninstall, etc. etc. I believe it went like this: scanned, restarted, still there except worse for these reasons. I couldn't run any .exe programs, open the internet up, open task manager....nothing. So, I went on the main administrator account. (We use a separate account in my household.) From there, I was able to open task manager and end some processes, mainly ave.exe, and eventually download Spyware Doctor, I believe it was. That was the only thing that removed items, except it failed to remove all. So, restart back up, now I can do stuff again, run programs, etc. etc. Except for one, which is Sandboxie. I downloaded this the day before after reading it works well with offers and for people who browse a lot. Anyway, I downloaded it after the first problem (didn't think much of it). Now it fails to run the browser part. So, scanned again with Spybot S&D once Malwarebytes came up with nothing; this found a few programs and deleted them. So, problem solved! Nope.....now some sites are being redirected. Like this one, for example. I am getting redirected to random websites and it is opening new tabs in Firefox. I ran regedit and tried to search for some of those URLs and nothing came up. I also have HijackThis DL'ed but I don't know how to use it. Also CWShredder, but nothing came up on that program.
Last night I also ran ComboBreaker, not sure what I was doing...but anyway the problem is still there. Just want to add, I accidentally clicked on "restore to last working settings" and I revalidated my Windows.

Now, the next part. I was using my desktop directly next to the infected one. I run on a modem and router, which go to those two and my wireless laptop. So, basically, I realized that one had a problem next, when my searches were being directed! /cry So I scanned, found some items (the one I remember most was "Coupon"), and I went to restart after the scan; well, let's just say it didn't make it all the way. I'm stuck at "Verifying data pool".

So, basically, I'm lost; I tried whatever I could find. So it's either a fresh install for both, or whatever help I can find here.

Thanks in advance!

Edit 2: I checked all proxies for Internet Explorer and Firefox, and they are not set to use a proxy; originally they were with the first infection, but they have not gone back to that setting.

Edit:
The website redirecting occurs when I have a browser up in general. It works on searches, when I click a link (most commonly a malware fix, but almost everything), and it will randomly open a tab with a random link; also, when I was watching a Yahoo news video, it muted the sound and opened up a "Yahoo survey".
I will try and record some of the websites next time it occurs. Otherwise, no other problems except for sluggish running.

These keep showing when I try and erase my files using "Advanced SystemCare V3 Pro". I realize they delete on start-up, which I have done.

Marked for deletion when you restart computer: C:\Documents and Settings\JER\Local Settings\History\History.IE5\index.dat 32.00 KB
C:\Documents and Settings\JER\Local Settings\History\desktop.ini 145 bytes
Marked for deletion when you restart computer: C:\Documents and Settings\JER\Local Settings\Temporary Internet Files\Content.IE5\index.dat 32.00 KB
Marked for deletion when you restart computer: C:\Documents and Settings\JER\Cookies\index.dat 32.00 KB
C:\Documents and Settings\JER\Application Data\Macromedia\Flash Player\#SharedObjects\AXHJZSA4\d.yimg.com\VolumePrefs.sol 55 bytes

If this helps also, I downloaded a "playsushi" game offer for credit on a survey website several times before using Sandboxie. This installed an unremovable add-on in Firefox. This was several days ago. I could delete the program from Program Files. It was also in "C:\Documents and Settings\JER\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}" and the following, "C:\WINDOWS\Prefetch", as a "SetupPlaysushi" folder. These all deleted no problem after I used "OTM by OldTimer" and "HostsXpert", then a search program....which seems to have been removed.

I will update with a log file of common requests to save time in my next post.

My apologies, I should have posted this in "I am affected".

EDIT: I moved the thread to Am I Infected, no problem :) ~ Hamluis.

This is the logfile from Hijackthis

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:42:22 PM, on 4/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:

This is the log file from ComboBreaker

ComboFix 10-04-13.02 - JER 04/13/2010 14:26:06.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.3039 [GMT -4:00]
Running from: c:\documents and settings\JER\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-13 16:45 . 2010-04-13 16:45 388096 ----a-r- c:\documents and settings\JER\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-13 16:45 . 2010-04-13 16:45 -------- d-----w- c:\program files\TrendMicro
2010-04-13 16:44 . 2010-04-13 16:44 -------- d-----w- c:\program files\Trend Micro
2010-04-13 16:04 . 2010-04-13 16:04 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-04-13 15:00 . 2010-04-13 15:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-13 15:00 . 2010-04-13 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-13 06:31 . 2010-04-13 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-13 04:29 . 2010-04-13 04:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2010-04-13 04:14 . 2006-08-15 14:15 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2010-04-13 03:59 . 2010-04-13 03:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-04-13 03:00 . 2010-04-13 05:32 181248 --sha-w- c:\documents and settings\Administrator\Local Settings\Application Data\3397709227.dll
2010-04-13 02:52 . 2010-04-13 02:52 181248 --sha-w- c:\documents and settings\JER\Local Settings\Application Data\3397709227.dll
2010-04-13 02:34 . 2010-04-13 02:34 -------- d-----w- C:\spoolerlogs
2010-04-12 22:12 . 2010-04-12 22:12 -------- d-----w- C:\FOUND.003
2010-04-12 05:38 . 2008-04-03 12:36 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2010-04-12 05:37 . 2010-04-12 05:37 -------- d-----w- C:\Netgear
2010-04-12 05:30 . 2010-04-12 05:30 -------- d-----r- C:\Sandbox
2010-04-12 05:29 . 2010-04-12 05:29 -------- d-----w- c:\program files\Sandboxie
2010-04-12 00:52 . 2010-04-12 00:52 -------- d-----w- C:\FOUND.002
2010-04-11 23:09 . 2010-04-11 23:09 -------- d-----w- c:\documents and settings\JER\Local Settings\Application Data\esxiypimy
2010-04-10 18:45 . 2010-04-10 18:45 -------- d-----w- c:\documents and settings\JER\Local Settings\Application Data\Cool Smiley Emoticons
2010-04-10 01:30 . 2010-04-10 01:30 -------- d-----w- c:\program files\ConvertHelper
2010-04-09 05:22 . 2010-04-09 05:22 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-06 20:32 . 2010-04-06 20:32 -------- d-----w- c:\program files\Microsoft
2010-04-06 20:25 . 2010-04-06 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2010-04-06 20:25 . 2010-04-06 20:25 -------- d-----w- c:\program files\Siber Systems
2010-03-31 21:10 . 2010-03-31 21:10 -------- d-----w- C:\NGM
2010-03-31 19:43 . 2010-03-31 19:43 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys
2010-03-28 00:21 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-03-28 00:21 . 2008-12-16 16:44 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-03-26 21:06 . 2010-02-17 20:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-25 20:05 . 2010-03-25 20:05 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-03-25 17:10 . 2010-03-25 17:10 -------- d-----w- C:\FOUND.001
2010-03-24 00:21 . 2010-03-24 00:21 -------- d-----w- c:\documents and settings\JER\Local Settings\Application Data\PMB Files
2010-03-24 00:21 . 2010-03-24 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-03-24 00:20 . 2010-03-24 00:20 -------- d-----w- c:\program files\Pando Networks
2010-03-17 00:03 . 2010-03-17 00:03 -------- d-----w- c:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 06:47 . 2006-12-03 01:10 84984 ----a-w- c:\documents and settings\JER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-13 05:01 . 2008-01-20 03:35 84984 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-13 02:52 . 2006-12-02 00:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 22:07 . 2008-11-25 00:51 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-03-31 22:07 . 2008-11-25 00:51 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-03-31 22:07 . 2008-11-25 00:51 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-03-31 22:07 . 2008-11-25 00:51 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-03-31 22:07 . 2008-11-25 00:51 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-03-30 04:46 . 2010-01-13 18:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-01-13 18:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 00:21 . 2010-03-28 00:21 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_nielprt_01007.Wdf
2010-03-28 00:21 . 2010-03-28 00:21 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-03-26 19:33 . 2009-12-16 15:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-26 19:33 . 2009-12-16 15:58 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-26 19:33 . 2009-12-16 15:58 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-24 02:06 . 2008-11-25 00:51 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-03-11 12:38 . 2006-06-23 15:33 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 03:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-08-29 16:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-06 16:25 . 2010-03-06 16:25 -------- d-----w- c:\documents and settings\JER\Application Data\Leadertech
2010-03-06 16:25 . 2010-03-06 16:25 -------- d-----w- c:\program files\Iomega
2010-03-06 15:42 . 2010-03-06 15:42 -------- d-----w- c:\program files\iPod
2010-03-06 15:40 . 2010-03-06 15:40 -------- d-----w- c:\program files\QuickTime
2010-03-06 15:36 . 2010-03-06 15:36 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-04 04:01 . 2010-03-04 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-03-03 20:26 . 2010-03-03 20:26 -------- d-----w- c:\documents and settings\JER\Application Data\cronometer
2010-03-02 07:12 . 2010-03-02 07:12 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-02 07:12 . 2010-03-02 07:12 -------- d-----w- c:\documents and settings\JER\Application Data\skypePM
2010-03-02 07:11 . 2010-03-02 07:11 -------- d-----w- c:\documents and settings\JER\Application Data\Skype
2010-03-02 07:11 . 2010-03-02 07:11 -------- d-----w- c:\program files\Common Files\Skype
2010-03-02 07:11 . 2010-03-02 07:11 -------- d-----r- c:\program files\Skype
2010-03-02 07:11 . 2010-03-02 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-28 01:03 . 2010-02-28 01:03 -------- d--h--w- c:\documents and settings\JER\Application Data\GTek
2010-02-28 01:01 . 2010-02-28 01:01 -------- d-----w- c:\program files\Dell
2010-02-28 00:13 . 2010-02-28 00:13 -------- d-----w- c:\program files\SystemRequirementsLab
2010-02-23 22:41 . 2010-02-23 22:41 -------- d-----w- c:\documents and settings\JER\Application Data\vlc
2010-02-23 22:36 . 2010-02-23 22:36 -------- d-----w- c:\program files\Graboid
2010-02-23 16:38 . 2010-02-23 16:38 -------- d-----w- c:\documents and settings\JER\Application Data\Office Genuine Advantage
2010-02-23 04:07 . 2010-02-23 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-17 21:19 . 2010-02-17 21:19 -------- d-----w- c:\documents and settings\JER\Application Data\IObit
2010-02-17 20:19 . 2010-02-17 20:19 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-17 20:19 . 2010-02-17 20:19 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-02-02 17:04 . 2010-02-02 17:03 126 ----a-w- c:\documents and settings\JER\Local Settings\Application Data\fusioncache.dat
2006-05-27 15:09 . 2006-05-27 15:09 11079 ---h--w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((( SnapShot@2010-04-13_07.07.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-13 17:49 . 2010-04-13 17:49 16384 c:\windows\TEMP\Perflib_Perfdata_840.dat
+ 2010-04-13 17:49 . 2010-04-13 17:49 16384 c:\windows\TEMP\Perflib_Perfdata_1bc.dat
+ 2010-04-13 16:03 . 2010-04-13 16:04 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-05-29 12:11 . 2010-04-13 16:04 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-29 12:11 . 2010-03-26 19:37 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-13 16:03 . 2010-04-13 16:04 16384 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2006-05-29 12:11 . 2010-03-26 19:37 16384 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2007-01-18 19:00 . 2010-04-13 17:49 224563 c:\windows\SYSTEM32\inetsrv\MetaBase.bin
+ 2010-04-13 16:45 . 2010-04-13 16:45 1093632 c:\windows\Installer\1ab53c.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-01-22 200280]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2010-03-29 1654584]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-03-29 2343120]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-02-03 394984]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2010-03-26 2708312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-26 19:33 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^JER^Start Menu^Programs^Startup^Iomega Product Registration.lnk]
backup=c:\windows\pss\Iomega Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^JER^Start Menu^Programs^Startup^Last.fm Helper.lnk]
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 19:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
2001-12-07 05:48 258118 ------w- c:\program files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 03:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\WINDOWS\System32\mqsvc.exe"=
"c:\Program Files\Common Files\AOL\Loader\aolload.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\WINDOWS\System32\dpvsetup.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=
"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"c:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"=
"c:\Program Files\AVG\AVG9\avgupd.exe"=
"c:\Program Files\AIM\aim.exe"=
"c:\Program Files\Java\JRE6\BIN\JAVA.EXE"=
"c:\Program Files\Skype\Plugin Manager\skypePM.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Pando Networks\Media Booster\PMB.exe"=
"c:\Nexon\Combat Arms\NMService.exe"=
"c:\Nexon\Combat Arms\Engine.exe"=
"c:\NGM\NGM.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"56359:TCP"= 56359:TCP:Pando Media Booster
"56359:UDP"= 56359:UDP:Pando Media Booster
"56966:TCP"= 56966:TCP:Pando Media Booster
"56966:UDP"= 56966:UDP:Pando Media Booster
"57569:TCP"= 57569:TCP:Pando Media Booster
"57569:UDP"= 57569:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2/17/2010 4:19 PM 64288]
R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\SYSTEM32\DRIVERS\tffsport.sys [5/29/2006 10:06 AM 149376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/16/2009 11:58 AM 216200]
R1 oreans32;oreans32;c:\windows\SYSTEM32\DRIVERS\oreans32.sys [3/31/2010 3:43 PM 33824]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/16/2009 11:57 AM 308064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/24/2007 3:44 PM 24652]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1265264]
S3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [12/1/2006 7:19 PM 36224]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-13 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-04-13 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-02-17 18:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
FF - ProfilePath - c:\documents and settings\JER\Application Data\Mozilla\Firefox\Profiles\lph1q6bk.default
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - component: c:\documents and settings\JER\Application Data\Mozilla\Firefox\Profiles\lph1q6bk.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\JER\Application Data\Mozilla\Firefox\Profiles\lph1q6bk.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\JER\Application Data\Mozilla\Firefox\Profiles\lph1q6bk.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 14:34
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ACB0AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> 0x8a9381b0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> 0x8a9381b0
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xba660bb0
PacketIndicateHandler -> NDIS.sys @ 0xba66da21
SendHandler -> NDIS.sys @ 0xba64b87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-13 14:38:34
ComboFix-quarantined-files.txt 2010-04-13 18:38
ComboFix2.txt 2010-04-13 07:12

Pre-Run: 16,001,499,136 bytes free
Post-Run: 15,974,367,232 bytes free

- - End Of File - - 362763762D893B93EFF663053C67D73D

Edited by boopme, 13 April 2010 - 01:57 PM.
moved to Virus,Trojan and Malware Removal Logs~~boopme


#2 Elise

Posted 18 April 2010 - 05:05 AM

Hello,
And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#3 Elise

Posted 26 April 2010 - 02:07 PM

Due to lack of feedback, this topic will now be closed.

If you are the original topic starter and you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

