Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I tried Combofix


  • This topic is locked This topic is locked
2 replies to this topic

#1 KewlSteveDude

KewlSteveDude

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:24 PM

Posted 15 May 2010 - 01:17 PM

Hello
I was also having issues with redirecting form search engines and came across this useful forum so I decided to try the combofx.
I generally use IE and have tried numerous searches with yahoo, google and a few others and so far all is fine, and no redirecting crap.
Here is my Log:

ComboFix 10-05-15.01 - Monster 05/15/2010 13:33:24.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1839 [GMT -4:00]
Running from: c:\users\Monster\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Monster\MICROS~2.001
c:\windows\system32\AbaleZip.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Infected copy of c:\windows\system32\drivers\rdpencdd.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-13 12:59 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-05 21:40 . 2010-05-05 21:40 -------- d-----w- c:\program files\P2PFilter
2010-04-25 18:40 . 2010-04-25 18:40 -------- d-----w- c:\users\Monster\AppData\Roaming\Apple Computer
2010-04-22 02:44 . 2010-04-22 18:11 -------- d-----w- c:\windows\Downloaded Installations
2010-04-22 02:25 . 2010-04-22 02:25 -------- d-----w- c:\users\Monster\AppData\Roaming\InstallShield
2010-04-22 00:05 . 2010-04-27 02:07 -------- d-----w- c:\program files\QuickTime
2010-04-22 00:05 . 2010-04-27 02:07 -------- d-----w- c:\programdata\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 16:39 . 2010-02-16 07:15 -------- d-----w- c:\users\Monster\AppData\Roaming\vlc
2010-05-15 15:31 . 2010-03-27 02:44 -------- d-----w- c:\users\Monster\AppData\Roaming\IP-TV Player
2010-05-15 05:50 . 2009-08-29 19:59 680 ----a-w- c:\users\Monster\AppData\Local\d3d9caps.dat
2010-05-15 04:06 . 2009-08-29 20:21 -------- d-----w- c:\users\Monster\AppData\Roaming\BitTorrent
2010-05-14 07:05 . 2009-08-29 20:19 -------- d-----w- c:\program files\Allok Video Joiner
2010-05-13 12:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 12:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-11 02:46 . 2009-08-30 13:23 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2010-05-06 14:36 . 2009-10-02 23:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-22 18:11 . 2007-11-10 05:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-20 22:51 . 2010-01-25 08:21 -------- d-----w- c:\program files\Veetle
2010-04-19 16:26 . 2010-03-27 02:44 -------- d-----w- c:\program files\IP-TV-PLAYER-a.t.a
2010-04-03 22:03 . 2007-11-10 05:47 -------- d-----w- c:\program files\Common Files\Java
2010-04-03 22:03 . 2007-11-10 05:47 -------- d-----w- c:\program files\Java
2010-03-31 04:49 . 2010-03-31 04:49 -------- d-----w- c:\users\Monster\AppData\Roaming\Tano
2010-03-31 02:04 . 2009-10-23 23:21 -------- d-----w- c:\programdata\NOS
2010-03-17 06:17 . 2010-02-25 12:57 -------- d-----w- c:\users\Monster\AppData\Roaming\RayV
2010-03-10 21:33 . 2009-11-16 12:50 548 ----a-w- c:\users\Monster\AppData\Roaming\wklnhst.dat
2010-03-09 16:25 . 2010-03-30 18:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-30 18:29 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 08:28 . 2009-08-29 20:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-04 17:33 . 2010-04-14 18:42 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-28 09:47 . 2010-02-28 09:47 0 ----a-w- c:\windows\nsreg.dat
2010-02-24 10:01 . 2009-08-29 19:01 72760 ----a-w- c:\users\Monster\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 11:10 . 2010-04-14 18:42 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-14 18:42 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-14 18:42 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 23:06 . 2010-03-10 01:49 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 01:49 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 01:49 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 08:53 . 2010-02-19 08:53 325216 ----a-w- c:\programdata\Real\RealPlayer\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-02-19 08:53 . 2010-02-19 08:53 329312 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-02-19 08:53 . 2010-02-19 08:53 300616 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-02-19 08:53 . 2010-02-19 08:53 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-02-19 08:53 . 2010-02-19 08:53 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-02-19 08:53 . 2010-02-19 08:53 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-02-19 08:53 . 2010-02-19 08:53 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-02-19 08:53 . 2010-02-19 08:53 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-02-19 08:53 . 2010-02-19 08:53 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-02-18 14:07 . 2010-04-14 18:42 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 14:07 . 2010-04-14 18:42 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:07 . 2010-04-14 18:42 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 13:30 . 2010-04-14 18:42 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 11:28 . 2010-04-14 18:42 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-01-05 09:59 . 2010-01-05 09:59 23804080 ----a-w- c:\program files\DivXInstaller.exe
2007-11-10 05:06 . 2007-11-10 05:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-09-26 16:02 2356088 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-10-01 20:20 3634024 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-09 00:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-10-04 02:02 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
2007-10-09 18:02 44168 ----a-w- c:\windows\SMINST\Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-07-07 01:45 8466432 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-07-07 01:45 81920 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2007-07-07 01:45 86016 ----a-w- c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 11:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-09-19 14:50 4702208 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
2009-08-29 20:07 55072 ----a-w- c:\windows\System32\jureg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-02-19 08:53 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall Adobe Download Manager]
2010-03-22 19:51 68000 ----a-w- c:\program files\NOS\bin\getPlus_Helper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:ee,55,c7,e7,79,29,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3761131791-137491397-900281630-1000]
"EnableNotificationsRef"=dword:00000002

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-29 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-08-29 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-29 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-29 297752]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-10-01 1129344]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = local
DPF: LetsSync Publisher - hxxp://letssync.com/on2latest/plugins/letssync_publisher.CAB
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
FF - ProfilePath - c:\users\Monster\AppData\Roaming\Mozilla\Firefox\Profiles\zr8imcou.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-isCfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 13:43
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3084)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\DRIVERS\xaudio.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\hp\kbd\kbd.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-15 13:50:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-15 17:50

Pre-Run: 145,915,961,344 bytes free
Post-Run: 145,888,325,632 bytes free

- - End Of File - - D8B95DAC6EF0CAE218AFCC4E442A9174


Thanks and any advice would be great.

Steve

BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 PM

Posted 16 May 2010 - 06:53 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 PM

Posted 21 May 2010 - 08:18 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users