
Browser Hijacker Infection?


9 replies to this topic

#1 ktorian (Members, 8 posts)

Posted 03 June 2010 - 10:19 AM

I believe I have some sort of a browser hijacker infection. When I attempt to do a Google search and click on a link in the results list, my browser is being redirected to incorrect sites. I'm not sure how this happened, but I have done scans with McAfee, Ad-Aware, Malwarebytes' Anti-Malware, Spyware Doctor, and HijackThis with no luck. I am still trying to run a GMER log, but it keeps crashing and rebooting before it finishes scanning. I will post it as soon as I am able to get it to work. Here is my DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Keith at 21:13:42.42 on Wed 06/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.218 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Amazon\Kindle For PC\KindleForPC.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Spyware Doctor\Alert.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Keith\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hamptonroads.com/pilotonline/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} - c:\program files\webshots\WSToolbar4IE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PMCS] "c:\program files\pinnacle\shared files\programs\mediacenterservice\PMC.Service.Main.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Tunebite] c:\program files\rapidsolution\tunebite\Tunebite.exe -tray
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\keith\locals~1\tempor~1\content.ie5\f7x6twqq\__ord_~1.sh! c:\docume~1\keith\locals~1\tempor~1\content.ie5\f7x6twqq\index_~2.sh! c:\docume~1\keith\locals~1\tempor~1\content.ie5\uf6ou88w\no_con~1.sh! c:\docume~1\keith\locals~1\tempor~1\content.ie5\f7x6twqq\dw_pas~2.sh! c:\docume~1\keith\locals~1\tempor~1\content.ie5\uf6ou88w\app_1_~1.sh! c:\docume~1\keith\locals~1\tempor~1\content.ie5\uf6ou88w\dw_pas~1.sh! c:\docume~1\keith\locals~1\tempor~1\content.ie5\uf6ou88w\dw_pas~2.sh! c:\docume~1\keith\locals~1\tempor~1\content.ie5\f7x6twqq\DC_1_~1.SH!
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [gStart] c:\garmin\gStart.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\2\printray.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [lxcjmon.exe] "c:\program files\lexmark 8300 series\lxcjmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 8300 series\ezprint.exe"
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [Pinnacle WebUpdater] "c:\program files\pinnacle\shared files\programs\webupdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
mRun: [PMCRemote] c:\program files\pinnacle\shared files\programs\remote\Remoterm.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\keith\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\network usb hub control center\Connect.exe
StartupFolder: c:\docume~1\keith\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: westlaw.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: Garmin Internet Explorer Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {83BDD371-8346-4F7E-8483-32DF6E28B0ED} - hxxps://webmail.norfolk.gov/owa/X-PlusPack/bin/ASInstX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\keith\applic~1\mozilla\firefox\profiles\lxxpiuc5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hamptonroads.com/pilotonline/
FF - component: c:\documents and settings\keith\application data\mozilla\firefox\profiles\lxxpiuc5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\keith\application data\mozilla\firefox\profiles\lxxpiuc5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-5 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-6-2 218592]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-4-28 214664]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-6-2 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-30 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-12-14 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-4-28 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-6-2 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-6-2 1142224]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-4-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-4-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-4-28 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-4-28 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-4-28 40552]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2007-12-25 74624]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2006-7-9 15104]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-1 135664]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [2006-4-12 38016]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2006-4-12 38016]
S3 SUSTUCAU;Susteen USB Cable USB Driver;c:\windows\system32\drivers\sustucau.sys [2006-4-12 20096]

=============== Created Last 30 ================

2100-02-08 20:04:08 40960 ----a-w- c:\program files\ACMonitor_X83.exe
2010-06-03 01:11:05 0 ----a-w- c:\documents and settings\keith\defogger_reenable
2010-06-03 00:50:38 0 d-----w- c:\program files\Trend Micro
2010-06-03 00:12:44 767952 ----a-w- c:\windows\BDTSupport.dll
2010-06-03 00:12:43 882 ----a-w- c:\windows\RegSDImport.xml
2010-06-03 00:12:43 879 ----a-w- c:\windows\RegISSImport.xml
2010-06-03 00:12:43 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-06-03 00:12:43 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-06-03 00:12:43 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-06-03 00:12:43 131 ----a-w- c:\windows\IDB.zip
2010-06-03 00:12:43 1152444 ----a-w- c:\windows\UDB.zip
2010-06-03 00:11:22 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-06-03 00:11:22 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-03 00:11:13 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-03 00:11:13 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-06-03 00:11:13 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-06-03 00:11:13 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-03 00:10:43 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-06-03 00:10:43 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-03 00:10:31 0 d-----w- c:\program files\common files\PC Tools
2010-06-03 00:10:30 0 d-----w- c:\program files\Spyware Doctor
2010-06-03 00:10:30 0 d-----w- c:\docume~1\keith\applic~1\PC Tools
2010-06-03 00:10:30 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-06-02 02:46:07 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-02 02:42:53 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-01 18:25:45 0 d-----w- c:\program files\MWARE
2010-05-13 20:38:54 0 d-----w- c:\program files\Amazon
2010-05-13 20:25:40 0 d-----w- c:\docume~1\keith\applic~1\Barnes & Noble
2010-05-13 20:25:33 0 d-----w- c:\program files\Barnes & Noble

==================== Find3M ====================

2100-04-08 15:45:26 69632 ----a-w- c:\windows\system32\Lxasmdm.dll
2010-06-02 02:45:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-01-23 16:27:31 104 -csh--r- c:\windows\system32\7458CA9CC1.sys
2010-01-23 16:28:16 5852 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-04 19:54:42 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-08-23 15:30:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 21:17:32.89 ===============

Here's the GMER file.

And the attach.txt file. Sorry, I thought I uploaded this previously.

Here's my HijackThis log as well if it helps. THANKS for any help. This is very frustrating.

Merged 4 posts. ~ OB

Edited by Orange Blossom, 03 June 2010 - 06:02 PM.




#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 05 June 2010 - 09:41 PM

Hi and welcome.

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 ktorian (Topic Starter, Members, 8 posts)

Posted 06 June 2010 - 06:07 PM

I am still having the same problem with my browser being redirected to undesired sites. I have uninstalled Firefox and reset Internet Explorer to default settings. I have uninstalled and reinstalled McAfee Security Suite, which required help from tech support as it would not reinstall for me initially. I performed a full McAfee virus scan with no infections found, but the browser redirect problem still occurs. I have tried repeatedly to run GMER again, but it always ends with a blue screen and a hard error message, requiring a reboot. I will keep trying to run GMER, and will post if/when successful. I have repeated the other logs and will attach them now.


#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 06 June 2010 - 06:43 PM

Hello.

I'll see what we can do here.

First, disable your McAfee completely: http://computermalwaresecurity.blogspot.co...completely.html

Then, let's start with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


#5 ktorian (Topic Starter, Members, 8 posts)

Posted 06 June 2010 - 06:56 PM

I will try ComboFix now. Also, to let you know, I have repeatedly gotten a Windows shutdown message when running GMER involving the pxtdqpob.sys file. It indicates "page fault in nonpaged area." STOP: 0x00000050 (0xf777cb30, 0x00000001, 0x9bb02fa6,0x00000000) pxtdqpob.sys address 9bb02fa6 base at 9baf7000, datestamp 4b274f8d. I have tried to Google this file to see what it might be, but every time I click on one of the search results, my browser is redirected to another site. I'll let you know what happens with ComboFix shortly.

#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 06 June 2010 - 06:58 PM

Hello.

That pxtdqpob.sys is related to the driver that GMER uses. It's randomly named. Don't worry about GMER; it crashes a lot of the time, due to either the computer's settings, security software, malware and many other things, but in this case I would believe it's related to malware, as there are some infections active.

Let me know how Combofix goes.

#7 ktorian (Topic Starter, Members, 8 posts)

Posted 06 June 2010 - 07:45 PM

ComboFix reported that it fixed something. The log is attached.


#8 ktorian (Topic Starter, Members, 8 posts)

Posted 07 June 2010 - 10:08 AM

So far it appears that this has corrected the problem. My browser is no longer being redirected. Please advise if there are any further steps I need to take. On reboot, I am still getting a black screen asking if I want to start in safe mode or something to that effect. It only lasts a second or two, then proceeds to boot normally. This isn't a problem, but it didn't do that before, and I don't know if I need to do anything to return my system to normal. Thanks for your help!!!

#9 extremeboy (Malware Response Team, 12,975 posts)

Posted 08 June 2010 - 09:14 PM

Hello.

No problem. ComboFix disinfected the driver I mentioned earlier, the infection you had which caused the browser redirection. Looking better.

The thing you see at start-up, the blank screen for 2 seconds, is the boot-up where ComboFix installed the Windows Recovery Console. Some information over here. No need to worry about that. ;)

Let's do some final checkups.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#10 extremeboy (Malware Response Team, 12,975 posts)

Posted 17 June 2010 - 08:37 PM

Are you still there?



