Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser gets redirected from google, bing and other search results


  • This topic is locked This topic is locked
12 replies to this topic

#1 pn123

pn123

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:08 PM

Posted 30 April 2010 - 05:19 PM

Both Firefox (v3.6.3) and IE 8 get redirected from the google and bing search pages. When I click on links they get redirected to other sites. Also, randomly the speakers start blaring advertisements. Task Manager shows instances of IE running in the background. Killing the IE process stops the ads from the speakers.

I disabled using Defogger, then ran the DDS utility and am supplying the two logs. The GMER utility does not run to completion. It closes before I can save the logs. I saved a log in the middle of the scan and am attaching it. Not sure if it is useful.

Additionally, I ran TDSSkiller and it indicated that I had a 'Driver "atapi" infected by TDSS rootkit!' but it could not cure the problem.

I have also run MalwareBytes and Spybot Search and Destroy and both now provide clean scans but the browser redirect problem still exists.

Please help.

________________
DDS.log:
_______________


DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Administrator at 12:07:25.09 on Fri 04/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.295 [GMT -4:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\QosServM.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uWindow Title = Windows Internet Explorer provided by Comcast
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AvayaIEHlprObj Class: {e6df0b46-7d6f-407a-a6a2-62d17a021a9a} - c:\program files\avaya\avaya ip softphone\AvayaWebDial.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cdloader] "c:\documents and settings\compaq_administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [CanonMyPrinter] "c:\program files\canon\myprinter\BJMyPrt.exe" /logon
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [<NO NAME>]
mRun: [PWRESET] c:\program files\avaya\avaya ip softphone\ip service provider\pwreset.exe
mRun: [FPCCSMiddleware] c:\program files\fisher-price\computer cool school\FPCCSMiddleware.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: wellington.com\neovpn
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} - hxxp://prod-td.wellmanage.com:8080/qcbin/Spider80.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://neovpn.wellington.com/Citrix/ICAWEB/en/ica32/wficat.cab,DanaInfo=citrix.wellmanage.com+
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://neovpn.wellington.com/llclient/netscreen2/winxp/,DanaInfo=confidence.wellmanage.com+AXXPEE.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204173775796
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7F9B30F1-5129-4F5C-A76C-CE264A6C7D10} - hxxps://neovpn.wellington.com/References_and_Training/IS_Technologies/Applications_and_Tools/Application_Installations/Exceed_onDemand_6/Packages/,DanaInfo=intranet.wellmanage.com+DeployRun.eng.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {9F31B7A4-F438-48B8-AAF5-1C29A8A2B6C1} - hxxp://download.bigflicks.com/cabs/bigflicks_1_0_0_5.cab
DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} - hxxp://prod-sentinel/sentinel/3rdParty/vsprint7.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
DPF: {C0A63B86-4B21-11D3-BD95-D426EF2C7949} - hxxp://prod-sentinel/sentinel/3rdParty/vsflex7l.cab
DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} - hxxp://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://download.bigflicks.com/cabs/Entriq_3_6_0_15_Silent.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.tvucricket.com/player/vjocx-en-black.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://spinpalace.microgaming.com/freeplay/FlashAX.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://neovpn.wellington.com/dana-cached/sc/JuniperSetupClient.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\0wxt5318.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\compaq_administrator\application data\mozilla\firefox\profiles\0wxt5318.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\compaq_administrator\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpKsl44918bce;MpKsl44918bce;c:\documents and settings\all users\application data\microsoft\onecare protection\definition updates\{fa1f114a-a028-40e7-9449-65a761c06078}\MpKsl44918bce.sys [2010-4-30 28752]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2008-2-27 53168]
R3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2005-12-29 503768]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-26 29744]

=============== Created Last 30 ================

2010-04-30 16:05:56 0 ----a-w- c:\documents and settings\compaq_administrator\defogger_reenable
2010-04-30 04:11:47 24576 ----a-w- c:\windows\system32\drivers\ymjjhgur.sys
2010-04-29 03:57:41 18 ---ha-w- C:\SYSREST
2010-04-29 02:58:04 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 02:58:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-29 02:24:56 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2010-04-29 02:24:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 02:24:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 02:24:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-29 02:24:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 02:16:19 0 d-----w- c:\program files\SpywareBlaster
2010-04-29 01:16:35 6832946 ----a-w- C:\regbackup04292010.reg
2010-04-27 20:01:17 50990 ----a-w- c:\windows\system32\przwlfwjrbm.exe
2010-04-24 11:33:52 552 ----a-w- c:\windows\system32\DO_NOT_DELETE.backupSetID
2010-04-20 03:28:06 0 d-----w- c:\program files\iPod
2010-04-20 03:27:58 0 d-----w- c:\program files\iTunes
2010-04-20 03:27:58 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-20 03:21:24 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 15:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2006-03-11 13:31:31 4789792 ----a-w- c:\program files\picasa2-current.exe
2008-07-28 14:57:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072820080729\index.dat

============= FINISH: 12:09:35.52 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:08 PM

Posted 03 May 2010 - 08:00 PM



Hello pn123 smile.gif Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.














Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 pn123

pn123
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:08 PM

Posted 03 May 2010 - 10:45 PM

Thanks theWall. Really appreciate your help. I ran the ComboFix utility and here is the log:



ComboFix 10-05-03.03 - Compaq_Administrator 05/03/2010 23:30:17.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.484 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Compaq_Administrator\Recent\Thumbs.db
c:\program files\Internet Explorer\SET208.tmp
c:\program files\Internet Explorer\SET209.tmp
c:\program files\Internet Explorer\SET20B.tmp
c:\program files\Internet Explorer\SET3A2.tmp
c:\program files\Internet Explorer\SET3A3.tmp
c:\program files\Internet Explorer\SET3A5.tmp
c:\program files\WindowsUpdate
C:\Thumbs.db
c:\windows\system32\Thumbs.db
D:\Autorun.inf
K:\autorun.inf

Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-02 21:20 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\67802482.sys
2010-05-02 21:20 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\6780248.sys
2010-05-02 21:20 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\67802481.sys
2010-05-02 14:16 . 2010-05-02 14:16 24576 ----a-w- c:\windows\system32\drivers\aoerdrmw.sys
2010-05-01 23:50 . 2010-05-01 23:50 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-01 23:50 . 2010-05-01 23:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-01 23:13 . 2009-09-07 18:02 27944 ----a-w- c:\windows\system32\sbbd.exe
2010-05-01 23:13 . 2009-08-05 19:58 93872 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-01 23:13 . 2010-05-02 01:55 -------- d-----w- C:\VIPRERESCUE
2010-05-01 22:51 . 2010-05-01 22:51 -------- d-----w- C:\ea
2010-05-01 05:46 . 2010-05-01 22:29 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-01 04:45 . 2010-05-01 04:45 24576 ----a-w- c:\windows\system32\drivers\lzsovxyh.sys
2010-04-30 23:28 . 2010-04-30 23:28 -------- d-sh--w- c:\documents and settings\Compaq_Administrator\IECompatCache
2010-04-30 04:59 . 2010-04-30 05:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-30 04:11 . 2010-04-30 04:11 24576 ----a-w- c:\windows\system32\drivers\ymjjhgur.sys
2010-04-30 00:41 . 2010-04-30 00:41 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-29 02:58 . 2010-04-29 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-29 02:58 . 2010-04-29 03:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 02:24 . 2010-04-29 02:24 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2010-04-29 02:24 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 02:24 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 02:24 . 2010-04-29 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-29 02:24 . 2010-04-30 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 02:16 . 2010-05-02 13:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-29 02:16 . 2010-05-02 13:36 -------- d-----w- c:\program files\SpywareBlaster
2010-04-29 01:16 . 2010-04-29 01:16 6832946 ----a-w- C:\regbackup04292010.reg
2010-04-29 01:06 . 2010-04-29 01:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-27 20:01 . 2010-04-29 01:04 50990 ----a-w- c:\windows\system32\przwlfwjrbm.exe
2010-04-20 03:28 . 2010-04-20 03:28 -------- d-----w- c:\program files\iPod
2010-04-20 03:27 . 2010-04-20 03:29 -------- d-----w- c:\program files\iTunes
2010-04-20 03:27 . 2010-04-20 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-20 03:24 . 2010-04-20 03:25 -------- d-----w- c:\program files\QuickTime
2010-04-20 03:21 . 2010-04-20 03:21 -------- d-----w- c:\program files\Bonjour
2010-04-20 03:20 . 2010-04-20 03:20 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-20 03:17 . 2010-04-20 03:17 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 03:13 . 2008-02-28 03:24 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-05-02 21:35 . 2004-08-10 19:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-30 14:09 . 2005-12-16 19:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-20 03:28 . 2009-12-26 03:15 -------- d-----w- c:\program files\Common Files\Apple
2010-04-20 03:19 . 2010-02-18 23:34 -------- d-----w- c:\program files\Safari
2010-03-10 06:15 . 2004-08-10 19:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-10 19:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-10 19:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-18 23:33 . 2010-02-18 23:33 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-02-16 14:08 . 2004-08-04 13:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 12:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2004-08-10 19:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-10 19:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2006-03-11 13:31 . 2006-03-11 13:29 4789792 ----a-w- c:\program files\picasa2-current.exe
2008-09-05 00:52 . 2007-12-26 05:31 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Compaq_Administrator\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-05 29744]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"PWRESET"="c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe" [2007-09-06 45056]
"FPCCSMiddleware"="c:\program files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe" [2008-10-10 538432]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
setup_9.0.0.722_02.05.2010_23-25.lnk - c:\documents and settings\Compaq_Administrator\Desktop\Virus Removal Tool\setup_9.0.0.722_02.05.2010_23-25\startup.exe [2010-5-2 72208]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-11 02:04 59392 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 13:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-02-26 05:34 245760 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IcoSet]
1999-11-07 07:11 27136 ----a-w- c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2005-05-11 00:50 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
2005-05-10 08:26 53248 ----a-w- c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2005-01-24 09:56 544768 ----a-w- c:\windows\sm56hlpr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:torrents

R0 67802482;67802482 Boot Guard Driver;c:\windows\system32\drivers\67802482.sys [5/2/2010 5:20 PM 37392]
R1 67802481;67802481;c:\windows\system32\drivers\67802481.sys [5/2/2010 5:20 PM 128016]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/1/2010 7:13 PM 93872]
R1 setup_9.0.0.722_02.05.2010_23-25drv;setup_9.0.0.722_02.05.2010_23-25drv;c:\windows\system32\drivers\6780248.sys [5/2/2010 5:20 PM 315408]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2/5/2010 5:19 PM 26120]
R3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [12/29/2005 11:20 AM 503768]
S1 MpKsl44918bce;MpKsl44918bce;\??\c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\Definition Updates\{FA1F114A-A028-40E7-9449-65A761C06078}\MpKsl44918bce.sys --> c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\Definition Updates\{FA1F114A-A028-40E7-9449-65A761C06078}\MpKsl44918bce.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/26/2007 1:31 AM 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: wellington.com\neovpn
DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} - hxxp://prod-td.wellmanage.com:8080/qcbin/Spider80.ocx
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://neovpn.wellington.com/llclient/netscreen2/winxp/,DanaInfo=confidence.wellmanage.com+AXXPEE.dll
DPF: {7F9B30F1-5129-4F5C-A76C-CE264A6C7D10} - hxxps://neovpn.wellington.com/References_and_Training/IS_Technologies/Applications_and_Tools/Application_Installations/Exceed_onDemand_6/Packages/,DanaInfo=intranet.wellmanage.com+DeployRun.eng.cab
DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} - hxxp://prod-sentinel/sentinel/3rdParty/vsprint7.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://neovpn.wellington.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\0wxt5318.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\0wxt5318.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-klmdb.sys
SafeBoot-svcWRSSSDK
MSConfigStartUp-URLLSTCK - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-03 23:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-03 23:41:44
ComboFix-quarantined-files.txt 2010-05-04 03:41

Pre-Run: 115,770,810,368 bytes free
Post-Run: 115,954,159,616 bytes free

- - End Of File - - 98103FD5B318B2A428B65D0247AAF53F


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:08 PM

Posted 04 May 2010 - 05:42 PM

No problem, you're welcome.

  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    CODE
    http://www.bleepingcomputer.com/forums/t/313867/browser-gets-redirected-from-google-bing-and-other-search-results/?p=1743027
  • Click Browse and select the c:\windows\system32\drivers\67802482.sys
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 pn123

pn123
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:08 PM

Posted 04 May 2010 - 06:17 PM

I have uploaded the requested file. Let me know what you find. Thanks.

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:08 PM

Posted 04 May 2010 - 07:06 PM

I got it, thanks. Looked alright.



It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:



Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the ... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 pn123

pn123
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:08 PM

Posted 05 May 2010 - 06:34 AM

Here is the scan Report from KasperSky Online Virus Scanner:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, May 5, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, May 04, 2010 21:19:52
Records in database: 4049719
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Objects scanned: 142794
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:38:06


File name / Threat / Threats count
C:\Downloads\VirtualDubFilters\warpsharp.vdf Infected: not-a-virus:FraudTool.Win32.InternetSecurity2010.bw 1

Selected area has been scanned.


#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:08 PM

Posted 05 May 2010 - 11:39 AM

We don't have to be concerned with the one entry. Kaspersky just reports on it.



You have one old version of Java on your machine which needs taking off and I have provided you with an update link for the newest version of Java. If you do not wish to install it make sure you remove the old version I have listed below due to it being susceptible to Malware exploitation:

J2SE Runtime Environment 5.0



Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.







When completed give me a rundown on how your computer is performing.


If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 pn123

pn123
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:08 PM

Posted 05 May 2010 - 06:50 PM

I removed the Java 5.0 version

The browser links redirect problem looks to be resolved. I tried both IE and Firefox and both seem are working fine. Thanks!

Overall system performance seems slower.

Are there any other things I need to worry about? How can I protect for the future.

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:08 PM

Posted 06 May 2010 - 11:07 AM

I looked back over the logs and don't see anything which would be causing a slowdown in your performance but let's run one other type of scan just to be on the safe side. This one shouldn't take as long as Kaspersky but you never really know.




I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 pn123

pn123
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:08 PM

Posted 06 May 2010 - 11:12 PM

Here are the results of the ESET scan:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\2\1f3f8202-2d6ce0ee a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-1e421c5d-44af5442.zip a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-2cc9027-41129e96.zip a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\PhotoDex ProShow Gold\PhotoDex ProShow Gold v3.0.1935.7z a variant of Win32/HackTool.Patcher.A application deleted - quarantined
C:\PhotoDex ProShow Gold\Photodex ProShow Gold v3.0.1974 senw@rez\Keygen\psgold_BLACKLISTREMOVER.exe a variant of Win32/HackTool.Patcher.A application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\kbdclass.sys.vir Win32/Patched.EQ trojan deleted - quarantined
K:\Backup 10252009\PhotoDex ProShow Gold\PhotoDex ProShow Gold v3.0.1935.7z a variant of Win32/HackTool.Patcher.A application deleted - quarantined
K:\Backup 10252009\PhotoDex ProShow Gold\Photodex ProShow Gold v3.0.1974 senw@rez\Keygen\psgold_BLACKLISTREMOVER.exe a variant of Win32/HackTool.Patcher.A application cleaned by deleting - quarantined


#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:08 PM

Posted 07 May 2010 - 06:54 PM

That found a few things. Some of it was already in quarantine but it was worth running. If everything seems to be cleared up we will close up in our next post.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:08 PM

Posted 12 May 2010 - 09:51 AM

Due to the lack of feedback This Topic is closed.

Should you need it reopened, please contact my by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users