Google Redirect---Logs Prepared/Virus Infection/Worm/


18 replies to this topic

#1 ErikinColorado

  • Members
  • 17 posts

Posted 02 June 2010 - 04:28 PM

I am sooo glad to have found this site! I have read many strings where you grand volunteers have helped others get rid of this nasty malware/virus. I have tried all the basic programs (malwarebytes, avast, symantec, ad-aware) that others have tried and to the same result: Some infections found, dealt with but the Google Redirect persists.

What happens exactly is what you've read before: A Google search works just fine and then when I go to click on the link it starts out in a new window going to the appropriate site and then mid-stream gets "hijacked" and RE-DIRECTS me to some random ad site! UGH!

Below are the logs that the Preparation Guide said to create:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Erik.Martin at 14:20:01.37 on Wed 06/02/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.102 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\Program Files\Sierra Wireless Inc\WebUpdater\SwiApiMux.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Download Guard for Internet Explorer\DownloadGuard.exe
C:\Documents and Settings\erik.martin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mc300.mail.yahoo.com/mc/welcome?.rand=2f8dli3a2tb46
uSearch Bar = hxxp://intranet.wfinet.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Download Guard for Internet Explorer: {20c1a7f0-528e-444f-bac5-5804a61cca7f} - c:\program files\lavasoft\download guard for internet explorer\DownloadGuardBHO.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [TRUUpdater] "c:\program files\sierra wireless inc\webupdater\TRUUpdater.exe" /bkground
mRun: [AirCardEnabler]
mRun: [WatcherHelper] "c:\program files\sierra wireless inc\3g watcher\WaHelper.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [lxdjmon.exe] "c:\program files\lexmark 1400 series\lxdjmon.exe"
mRun: [lxdjamon] "c:\program files\lexmark 1400 series\lxdjamon.exe"
mRun: [LXDJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXDJtime.dll,_RunDLLEntry@16
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203021014471
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203033133244
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37934.6753703704
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-2 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-2 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-2 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-2 40384]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-23 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-23 108392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-1-23 2177464]
R3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\drivers\acgprs.sys [2007-3-26 103936]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-2 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-2 40384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-2-14 88192]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100601.023\NAVENG.SYS [2010-6-1 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100601.023\NAVEX15.SYS [2010-6-1 1347504]
R3 scrswi;Sierra Wireless Smart Card Reader;c:\windows\system32\drivers\scrswi.sys [2008-4-2 44288]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2007-3-26 20352]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-25 136176]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-06-02 07:30:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-02 07:29:52 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-02 07:14:18 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CCE9E666-4D7C-4946-A98B-CFDE0A0C1706}
2010-06-02 07:13:10 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-02 07:11:45 0 d-----w- c:\program files\Lavasoft
2010-06-02 07:04:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-02 07:01:24 0 d-----w- c:\docume~1\erik~1.mar\applic~1\Malwarebytes
2010-06-02 07:01:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 07:01:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-02 07:01:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-02 07:01:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 19:04:38 0 d-----w- c:\docume~1\erik~1.mar\applic~1\j2 Global
2010-05-07 19:03:17 0 d-----w- c:\docume~1\erik~1.mar\applic~1\eFax Messenger
2010-05-07 19:03:01 0 d-----w- c:\docume~1\alluse~1\applic~1\eFax Messenger 4.4 Output
2010-05-07 19:03:01 0 ----a-w- c:\windows\system32\eFax_4_4_Port
2010-05-07 19:01:26 0 d-----w- c:\program files\eFax Messenger 4.4
2010-05-04 23:36:26 215040 ----a-w- c:\windows\system32\CNMLM8V.DLL
2010-05-04 23:34:19 0 d-----w- c:\program files\Canon

==================== Find3M ====================

2010-06-02 17:18:38 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-06-02 08:39:36 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-03-22 12:20:47 111920 ----a-w- c:\windows\xobglu32.dll
2010-03-22 12:20:46 63488 ----a-w- c:\windows\xobglu16.dll
2009-04-08 23:51:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040820090409\index.dat

============= FINISH: 14:21:10.82 ===============




There ya go!!! THANK YOU THANK YOU THANK YOU...in advance!!!!! :-D
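The "SERVICES / DRIVERS" block of the DDS log above has a fixed shape (start code, service name, display name, image path, then `[date size]` or a placeholder such as `[?]`), which makes it easy to triage mechanically. The following parser is an added example, not part of this post or of the DDS tool: it pulls the entries apart and flags those whose image file DDS could not locate or whose path is not a real file path, which singles out the `vsdatant` entry whose ImagePath is just `a`. The sample block is a constructed subset of the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the "SERVICES / DRIVERS" block from the DDS log above.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-2 64288]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-2 40384]
R3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\drivers\acgprs.sys [2007-3-26 103936]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-25 136176]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================
"""

# One DDS service/driver line:  <state><start> <name>;<display>;<image path> [<date> <size>]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"          # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"       # service name ; display name ;
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"  # image path, then [date size] or [?] / [x]
)


@dataclass
class ServiceEntry:
    state: str          # 'R' running / 'S' stopped
    start_type: int     # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    path: str
    date: Optional[str]  # None when DDS printed a placeholder instead of [date size]
    size: Optional[int]
    reason: str = ""     # non-empty when the entry deserves a closer look

    @property
    def suspicious(self) -> bool:
        return bool(self.reason)


def _entry_from_match(m: "re.Match[str]") -> ServiceEntry:
    path = m.group("path").strip()
    meta = m.group("meta").split()
    date: Optional[str] = None
    size: Optional[int] = None
    if len(meta) == 2 and meta[1].isdigit():
        date, size = meta[0], int(meta[1])
    # Triage heuristics (hints for a human, not verdicts):
    #  - DDS prints [?] or [x] when it could not find or stat the image file;
    #  - a legitimate image path has a directory component and a file extension.
    reason = ""
    if date is None:
        reason = "DDS could not locate the image file"
    else:
        filename = path.rsplit("\\", 1)[-1]
        if "\\" not in path or "." not in filename:
            reason = "image path is not a real file path"
    return ServiceEntry(
        state=m.group("state"), start_type=int(m.group("start")),
        name=m.group("name"), display=m.group("display"),
        path=path, date=date, size=size, reason=reason,
    )


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Extract the SERVICES / DRIVERS entries from a DDS log."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in text.splitlines():
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("====="):
            break  # the next section header ends the block
        if in_section:
            m = LINE_RE.match(line)
            if m:
                entries.append(_entry_from_match(m))
    return entries


def flagged_entries(text: str) -> List[ServiceEntry]:
    """Only the entries that the heuristics above marked for review."""
    return [e for e in parse_dds_services(text) if e.suspicious]


if __name__ == "__main__":
    for e in parse_dds_services(SAMPLE_DDS):
        mark = "!!" if e.suspicious else "  "
        print(f"{mark} {e.state}{e.start_type} {e.name:<18} {e.path or '<none>'}  {e.reason}")
```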


#2 ErikinColorado

  • Topic Starter
  • Members
  • 17 posts

Posted 02 June 2010 - 07:33 PM

I appreciate all you magikal machine mechanics helping out us greenies who have found ourselves lost in some malicious wilderness! THANK YOU!

#3 shelf life

  • Malware Response Team
  • 2,646 posts

Posted 06 June 2010 - 08:23 AM

We will get a download to use. It's called Combofix. There is a short guide to read first. Read through the guide, then apply the directions on your machine. Post the Combofix log in your reply.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#4 ErikinColorado

  • Topic Starter
  • Members
  • 17 posts

Posted 06 June 2010 - 04:33 PM

Hello Shelf Life!

THANK YOU for helping out here. First off, though, we need to figure something out. The only reason I even found YOUR reply/help here is that I posted another request for this new issue of attachments in Hotmail not opening earlier today with an inquiry about not getting help with the Google Redirect issue when some kind soul directed me to THIS link. Soooo...how do I KNOW when you're responding to this string?!?!

I thought it would alert me in my hotmail account if not in my Bleepingcomputer account but I got NO NOTIFICATION AT EITHER LOCATION! Can you tell me if I have something set wrong in my account or WHERE I need to check on your replies?

I REALLY appreciate your input and help!!!

Erik

#5 ErikinColorado

  • Topic Starter
  • Members
  • 17 posts

Posted 06 June 2010 - 04:36 PM

P.S. I'm running the ComboFix protocols and will post them in the next thread as you requested!

Thanks, again!

#6 ErikinColorado

  • Topic Starter
  • Members
  • 17 posts

Posted 06 June 2010 - 06:03 PM

OK. ComboFix done. Here's the log, Shelf Life....

ComboFix 10-06-06.01 - Erik.Martin 06/06/2010 15:58:21.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.187 [GMT -7:00]
Running from: c:\documents and settings\erik.martin\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\erik.martin\Local Settings\Application Data\Windows Server
c:\documents and settings\erik.martin\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\erik.martin\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\windows\system32\hlp.dat

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\autochk.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
.

2010-06-06 22:54 . 2010-06-06 22:54 -------- d-sha-r- \cmdcons
2010-06-06 11:29 . 2010-06-06 23:23 -------- d-----w- \Config.Msi
2010-06-02 07:14 . 2010-06-02 07:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CCE9E666-4D7C-4946-A98B-CFDE0A0C1706}
2010-06-02 07:13 . 2010-06-02 07:13 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-02 07:11 . 2010-06-02 07:14 -------- d-----w- c:\program files\Lavasoft
2010-06-02 07:04 . 2010-06-06 11:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-02 07:04 . 2010-06-02 07:04 -------- d-----w- c:\program files\Alwil Software
2010-06-02 07:01 . 2010-06-02 07:01 -------- d-----w- c:\documents and settings\erik.martin\Application Data\Malwarebytes
2010-06-02 07:01 . 2010-06-02 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-02 07:01 . 2010-06-02 07:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 07:11 . 2008-02-15 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-18 18:22 . 2010-03-25 23:53 -------- d-----w- c:\program files\Google
2010-05-12 01:38 . 2009-05-19 19:36 -------- d-----w- c:\program files\lx_cats
2010-05-07 19:04 . 2010-05-07 19:04 -------- d-----w- c:\documents and settings\erik.martin\Application Data\j2 Global
2010-05-07 19:03 . 2010-05-07 19:01 -------- d-----w- c:\program files\eFax Messenger 4.4
2010-05-07 19:03 . 2010-05-07 19:03 -------- d-----w- c:\documents and settings\erik.martin\Application Data\eFax Messenger
2010-05-07 19:03 . 2010-05-07 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\eFax Messenger 4.4 Output
2010-05-05 03:34 . 2009-04-03 04:30 -------- d-----w- c:\documents and settings\erik.martin\Application Data\dvdcss
2010-05-04 23:40 . 2010-05-04 23:34 -------- d-----w- c:\program files\Canon
2010-05-04 23:36 . 2010-05-04 23:36 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-04 23:35 . 2010-05-04 23:35 -------- d--h--w- c:\program files\CanonBJ
2010-03-22 12:20 . 2010-03-22 12:20 111920 ----a-w- c:\windows\xobglu32.dll
2010-03-22 12:20 . 2010-03-22 12:20 63488 ----a-w- c:\windows\xobglu16.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-23 115560]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-19 696320]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2008-06-13 525592]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-08-27 124184]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"lxdjamon"="c:\program files\Lexmark 1400 Series\lxdjamon.exe" [2007-03-06 20480]
"LXDJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll" [2007-02-09 102400]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-2-15 1425424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-03 03:25 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=
"c:\\WINDOWS\\system32\\lxdjcoms.exe"=
"c:\\Program Files\\Lexmark 1400 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 1400 Series\\lxdjamon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdjpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdjjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdjtime.exe"=

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 136176]
R3 ACGPRS;Sierra Wireless 3G Adapter;=\\DRIVERS\acgprs.sys [x]
R3 scrswi;Sierra Wireless Smart Card Reader;=\\DRIVERS\scrswi.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-05 64288]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-06-05 1352320]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
S3 GTIPCI21;GTIPCI21;=\\DRIVERS\gtipci21.sys [x]
S3 swivsp;AC8xx Virtual Serial Port;=\\DRIVERS\swivspnt.sys [x]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc300.mail.yahoo.com/mc/welcome?.rand=2f8dli3a2tb46
uLocal Page = c:\windows\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AirCardEnabler - (no file)
HKLM-Run-lxdjmon.exe - c:\program files\Lexmark 1400 Series\lxdjmon.exe
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\System32\svchost.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\windows\System32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\spoolsv.exe
c:\windows\System32\SCardSvr.exe
c:\windows\System32\svchost.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\lxdjcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\System32\alg.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\wuauclt.exe
c:\windows\system32\wuauclt.exe
c:\windows\system32\wbem\wmiprvse.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-06-06 16:46:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-06 23:45

Pre-Run: 21,479,710,720 bytes free
Post-Run: 21,908,267,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - D3DC993725FD132AFE2920591D940AA9


I await your instructions!



#7 shelf life

  • Malware Response Team
  • 2,646 posts

Posted 06 June 2010 - 08:47 PM

hi,

Ok, you're welcome. How is the re-direct situation now?

> WHERE I need to check on your replies?

You can just check back here in the thread once or twice a day to see if I have replied.

Please check Malwarebytes for updates, then do a scan with it and post its log:


Click the MBAM icon on your desktop. Once the program has loaded, click the Update tab, then check for updates. Select the Scanner tab, Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items. If prompted, please choose yes to restart your computer.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.


How Can I Reduce My Risk to Malware?


#8 ErikinColorado

  • Topic Starter
  • Members
  • 17 posts

Posted 06 June 2010 - 10:57 PM

OK. Here's the latest MBAM log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4174

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/6/2010 9:51:24 PM
mbam-log-2010-06-06 (21-51-24).txt

Scan type: Full scan (C:\|)
Objects scanned: 189517
Time elapsed: 1 hour(s), 23 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\Software.LOG (Trojan.Dropper) -> Delete on reboot.



Let me know if there is anything else you think I should do or any suggestions on how to keep these varmints from getting on my machine in the first place. I mean, I have Ad-Aware, Malwarebytes, Avast, Symantec AND the Windows Firewall! I would think that combination would do the trick but more seem to get through. UGH!!

THANKS AGAIN!!!

#9 ErikinColorado

  • Topic Starter
  • Members
  • 17 posts

Posted 07 June 2010 - 03:06 PM

Are you still there?

I have the other issue of my HOTMAIL ATTACHMENTS BEING REDIRECTED TO AD SITES WHEN I TRY TO OPEN/RETRIEVE/DOWNLOAD THEM and wonder if this is related? I assume it's NOT since I am not having the Google redirect issue any more (at least at the moment) but still can't get my doctor's attachments (I had them resend the entire email again this morning)!

Whatcha think about this SERIOUS issue? The Google issue was unnerving but not debilitating (I could cut & paste the link in another window). THIS issue keeps me from actually receiving data/correspondence!

Should I RE-SUBMIT a new help request post or can you help with this issue?

THANK YOU for helping me with these infuriating invasions, Shelf Life!!!

#10 shelf life

  • Malware Response Team
  • 2,646 posts

Posted 07 June 2010 - 07:56 PM

Ok, so when you click an E-mail attachment you get re-directed? Really, I wouldn't open any attachments unless you are positive of the sender and you were expecting the attachment.

How Can I Reduce My Risk to Malware?


#11 ErikinColorado

  • Topic Starter
  • Members
  • 17 posts

Posted 07 June 2010 - 08:42 PM

I don't open attachments from unknowns. Learned that one a long time ago. These are forms from my doctor's office. I don't know if I told you (if it was in this string) but I also noticed that usually when you go to download attachments in Hotmail there appears an icon that says it is scanning said attachments. This is NOT happening now. Hmm?

In doing more research some have suggested that I have them zip the documents and/or send them to another email provider. I will do those things during business hours tomorrow.

So, what do you think? Any idears? It's just the weirdest thing. I never had this issue before but this is the first set of attachments I've had since the Google Redirect issue (which appears to be gone).

Hmm...?

#12 ErikinColorado

  • Topic Starter
  • Members
  • 17 posts

Posted 07 June 2010 - 08:47 PM

BTW:

This is what comes up under Properties for all these attachments:

General:

java script:;

__________________

Protocol: Unknown Protocol

Type: Not Available

Address: java script:;
(URL)



Thought that might help.

#13 shelf life

  • Malware Response Team
  • 2,646 posts

Posted 07 June 2010 - 09:06 PM

> Avast, Symantec

Looks like you have two AVs installed. Two is not better than one. For anti-malware apps, yes, you can have 2 or 3. Antivirus: only one per computer. I would remove one via the Add/Remove Programs panel and reboot the computer after the uninstall.

Was it G-mail that was scanning the attachments, or your own AV? Getting them to send them to another E-mail address might be a good idea for now anyway.
So you were expecting the attachments from a doctor, you downloaded the attachments and then opened them, and then what happens? I am confused.

Typically during the week I am only online later in the day. I may not be back on until tomorrow afternoon.

How Can I Reduce My Risk to Malware?


#14 ErikinColorado

  • Topic Starter
  • Members
  • 17 posts

Posted 07 June 2010 - 09:48 PM

The attachments are in the email from the doc and when I go to click on them (either individually or all at once) to download to my computer (this is where HOTMAIL would usually scan them...not an AV on my machine) a new window opens up (usually this would be the "Download File" window that asks where you want to put the file or open etc....you know it) but instead of downloading it opens up an advertisement site!?!? That's why this is soooo weird. I can't even GET the attachment out of the email!

Does that make more sense? That's why I sent what Properties the attachments have because they're "not right" either.

I hope you can get back to me tonight but it's really not a problem getting back tomorrow. I'm just grateful you all are helping me in the first place! Like I said, I'll try those other options (zipped/other email acct) and maybe it's just this particular form or email.

THANKS AGAIN, Shelf Life!!!

#15 shelf life

  • Malware Response Team
  • 2,646 posts

Posted 08 June 2010 - 04:15 PM

hi,

Ok, thanks for the info. Get the documents sent to another E-mail address. There is no (good) reason for an E-mail to contain javascript. Only spam would open up an advertisement.
Change the e-mail login password for your hotmail account. Guidelines for strong passwords:


# At least fifteen (15) characters in length.
# Does not contain your user name, real name, organization name, family member's names or names of your pets.
# Does not contain your birth date.
# Does not contain a complete dictionary word.
# Is significantly different from your previous password.


Should contain three (3) of the following character types.

* Lowercase Alphabetical (a, b, c, etc.)
* Uppercase Alphabetical (A, B, C, etc.)
* Numerics (0, 1, 2, etc.)
* Special Characters (@, %, !, etc.)

How Can I Reduce My Risk to Malware?
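The rules above are concrete enough to enforce mechanically. The checker below is an added example, not from shelf life's post: it applies each rule and reports which ones a candidate password breaks. Two points the post leaves open are filled in as assumptions: "significantly different from your previous password" is taken to mean an edit distance of at least half the length of the longer password, and "complete dictionary word" is checked against a caller-supplied word list for words of four or more letters; the names, birth date and word list in `sample_profile()` are constructed values.

```python
import re
from datetime import date
from typing import Iterable, List, Optional


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def birthdate_tokens(d: date) -> List[str]:
    """Digit strings a birth date commonly appears as inside a password."""
    yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    return [yyyy, mm + dd, dd + mm, mm + dd + yy, dd + mm + yy,
            mm + dd + yyyy, dd + mm + yyyy, yyyy + mm + dd]


# The four character types listed in the post; three of them are required.
CHARACTER_CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "numeric": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def check_password(password: str, *,
                   personal_names: Iterable[str] = (),
                   birthdate: Optional[date] = None,
                   dictionary: Iterable[str] = (),
                   previous: Optional[str] = None,
                   min_length: int = 15,
                   min_classes: int = 3) -> List[str]:
    """Return the rules the password violates; an empty list means it passes."""
    problems: List[str] = []
    low = password.lower()

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # user name, real name, organization, family and pet names (case-insensitive substring)
    hits = [n for n in personal_names if len(n) >= 3 and n.lower() in low]
    if hits:
        problems.append("contains personal name(s): " + ", ".join(hits))

    if birthdate is not None and any(tok in password for tok in birthdate_tokens(birthdate)):
        problems.append("contains birth date")

    # Assumption: "complete dictionary word" = any listed word of 4+ letters appearing whole.
    words = [w for w in dictionary if len(w) >= 4 and w.lower() in low]
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))

    # Assumption: "significantly different" = at least half the characters of the
    # longer password must change (edit distance), compared case-insensitively.
    if previous is not None:
        needed = max(len(password), len(previous)) // 2
        if levenshtein(low, previous.lower()) < needed:
            problems.append("too similar to previous password")

    classes = [name for name, pat in CHARACTER_CLASSES.items() if re.search(pat, password)]
    if len(classes) < min_classes:
        problems.append(f"uses {len(classes)} character class(es), need {min_classes}")
    return problems


def sample_profile() -> dict:
    """Constructed sample profile for the demonstration (not a real person)."""
    return dict(personal_names=("jsmith", "Jane", "Smith", "Acme", "Rex"),
                birthdate=date(1975, 3, 12),
                dictionary=("password", "horse", "battery", "summer", "welcome"))


if __name__ == "__main__":
    profile = sample_profile()
    for pw in ("Jane1975", "correcthorsebattery", "M!lkCr4te-9v-Zephyr#"):
        verdict = check_password(pw, previous="Winter2009!!jane", **profile)
        print(f"{pw:<24} {verdict or ['ok']}")
```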
