Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browsrer redirects and random browser windows open


  • This topic is locked This topic is locked
11 replies to this topic

#1 Seajay14

Seajay14

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 06 June 2010 - 03:13 PM

Hi Guys.
I have a problem where I.E. keeps getting redirected when I click a search result. The sites which I get redirected to seem to be random but Ask Jeeves is a regular. By hitting the back button I return to my search results and it will take 6 or 7 attempts before the browser opens the correct site. If I copy and paste the url into the search bar the correct site opens. Many of the redirection url's have a blue number 2 at the front. The following is a screen shot grabbed when the redirection occurs....


After a number of redirections I get a fake virus scan which has the following screen......


A number of weeks ago my system appeared to get infected with Antivirus malware. Following another thread I got rid of the virus which only permitted my browser to open a site selling a virus removal programme [scam, i did not buy]. However the problem of redirecting remains with my browser.

I have copied the DDS.txt file below and attached the Attach.txt file.
When running GMER the programme appeared to start a scan automatically and not give me an option to decline a scan request. I have attached the resultant scan report. If I then change the settings as detailed in your preparation guide when I press scan the system hangs.

Hope you can help. Thank you.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 19:04:45.68 on 11/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.48 [GMT 1:00]

AV: Panda Global Protection 2010 *On-access scanning enabled* (Updated) {8BF935E7-731F-4115-B7A5-789FF5087595}
FW: Panda Personal Firewall 2010 *enabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Panda Security\Panda Global Protection 2010\TPSrv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA GLOBAL PROTECTION 2010\WebProxy.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\KutinSoft\CoordinationService\KutinSoftCoordinationService.exe
C:\WINDOWS\system32\svchost -k Panda
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PsCtrls.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
c:\program files\panda security\panda global protection 2010\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Global Protection 2010\PsImSvc.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PskSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\pavsrv51.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\APVXDWIN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Global Protection 2010\PavBckPT.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PowerBar]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SMSystemAnalyzer] "c:\program files\iolo\system mechanic 6\SMSystemAnalyzer.exe"
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [EPSON Stylus Photo R340 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAJE.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB002" /M "Stylus Photo R340"
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Openwares LiveUpdate] c:\program files\liveupdate\LiveUpdate.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [APVXDWIN] "c:\program files\panda security\panda global protection 2010\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda global protection 2010\Inicio.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
dRun: [jsojftmi] c:\documents and settings\networkservice\local settings\application data\nrjgxnlcj\fqylerftssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer for hdd camcorder\IMx3Launcher.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.astonmartin.com/configurator/v8vantage_load.html
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.gamehouse.com/games/mjolauncher.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://help.broadbandassist.com/prequal/MotivePreQual.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {A8126911-4705-4B01-9662-093B662B7DA3} = 195.92.195.94,195.92.195.95
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: avldr - avldr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli scecli
mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\xu8jd4i3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mystart.incredigames.com/
FF - prefs.js: keyword.URL - hxxp://mystart.incredigames.com/?loc=FF_Incredigame_AddressBar&search=
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-10-18 28544]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2009-10-21 73728]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2009-10-21 52992]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2009-10-21 22072]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2009-10-21 193792]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2009-10-21 158848]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-15 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-15 116328]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2009-10-21 41144]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2009-10-21 46720]
R2 CommonUsersFolderService;KutinSoft Common Users Folder;c:\program files\common files\kutinsoft\coordinationservice\KutinSoftCoordinationService.exe [2008-3-13 1348608]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k panda --> c:\windows\system32\svchost -k Panda [?]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda global protection 2010\PsCtrlS.exe [2009-10-21 173312]
R2 PAVDRV;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2009-10-21 84024]
R2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda global protection 2010\PavFnSvr.exe [2009-10-21 169216]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2009-10-21 177416]
R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda security\pavshld\PavPrSrv.exe [2009-10-21 62768]
R2 PAVSRV;Panda On-Access Anti-Malware Service;c:\program files\panda security\panda global protection 2010\PAVSRV51.EXE [2009-10-21 290048]
R2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda global protection 2010\psksvc.exe [2009-10-21 28928]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-15 779496]
R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [2009-10-21 13880]
R3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [2009-7-12 16640]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2009-7-11 3768]
R3 NETIMFLT01060034;PANDA NDIS IM Filter Miniport v1.6.0.34;c:\windows\system32\drivers\neti1634.sys [2009-10-21 197888]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S2 gupdate1c9afd09bae40;Google Update Service (gupdate1c9afd09bae40);c:\program files\google\update\GoogleUpdate.exe [2009-3-28 133104]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 gel90xne;gel90xne;\??\c:\docume~1\chris\locals~1\temp\gel90xne.sys --> c:\docume~1\chris\locals~1\temp\gel90xne.sys [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2009-7-11 184320]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-7-11 16640]

============== File Associations ===============

JSEFile=c:\progra~1\pandas~2\pandag~1\PAVSCRIP.EXE "%1" %*
VBEFile=c:\progra~1\pandas~2\pandag~1\PAVSCRIP.EXE "%1" %*
VBSFile=c:\progra~1\pandas~2\pandag~1\PAVSCRIP.EXE "%1" %*

=============== Created Last 30 ================

2010-05-02 09:43:51 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-28 22:36:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Documents
2010-04-25 22:28:58 0 d-----w- C:\Panda Software
2010-04-25 15:00:20 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-04-25 15:00:17 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-04-25 15:00:17 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-04-25 15:00:14 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-25 15:00:06 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-04-25 14:07:52 0 d-----w- c:\windows\system32\MpEngineStore
2010-04-22 10:06:50 204 ----a-w- c:\windows\system32\MRT.INI
2010-04-16 20:32:12 0 ----a-w- c:\documents and settings\chris\defogger_reenable

==================== Find3M ====================

2010-05-11 16:21:11 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2010-05-11 16:21:11 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2010-05-11 16:19:27 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys
2010-05-03 21:45:47 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-03 19:12:51 313700 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2010-05-03 19:12:51 313700 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-20 23:20:51 123201026 ----a-w- C:\backup.reg
2010-02-17 08:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-09-28 19:28:44 170 ----a-w- c:\program files\1bomb.ini
2007-11-25 22:57:32 3580 ----a-w- c:\program files\INSTALL.LOG
2006-07-14 21:03:29 278528 ----a-w- c:\program files\common files\FDEUnInstaller.exe
2006-01-10 19:19:39 774144 ----a-w- c:\program files\RngInterstitial.dll
2005-03-31 22:17:42 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2001-09-28 17:00:28 164864 ----a-w- c:\program files\UNWISE.EXE
2001-08-22 13:15:48 245760 ----a-w- c:\windows\inf\i386\viceo.dll
2001-08-22 13:13:38 32768 ----a-w- c:\windows\inf\i386\Pmicro.dll
2001-08-22 13:13:30 61440 ----a-w- c:\windows\inf\i386\gl.dll
2001-08-03 18:29:18 13824 ----a-w- c:\windows\inf\i386\Usbscan.sys
1999-07-18 20:05:04 15716 ----a-w- c:\windows\inf\i386\Pmxscan.sys
2009-01-21 19:47:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012120090122\index.dat

============= FINISH: 19:08:41.32 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:27 AM

Posted 09 June 2010 - 06:42 AM

Hi Seajay14,

Welcome to our Malware Removal forum.

The system is infected with a rootkit.
  1. You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup
      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  3. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

    Double-click to run TDLfix.exe, type the following in the command window and press Enter:

    mbr

    A log file opens up. please post the content to your reply.


#3 Seajay14

Seajay14
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 09 June 2010 - 03:48 PM

Hi farbar,
Thank you for the reply.

First off a point of note, when following the link for TDLfix.exe the following warning appears


Not sure if this is Panda or other issuing the warning but I needed to click the "disregard and download unsafe file (not recommended)" option.

here is the log, and thanks again.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83730A9A]<<
kernel: MBR read successfully
user & kernel MBR OK


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:27 AM

Posted 09 June 2010 - 03:57 PM

Well done. It should be Panda. Some less known antiviruses flag the tool on the basis of a false positive on the compiler used to compile the tool. At the beginning they were many and most of them have fixed it. See this:http://forum.bitdefender.com

Please run GMER, uncheck all the options except "Sections" (C:\ should remain checked). Click Scan. It will give you a log within a minute or so. Save it and post it to your reply.

Edited by farbar, 09 June 2010 - 04:06 PM.
Added the link


#5 Seajay14

Seajay14
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 10 June 2010 - 02:08 PM

farbar, reply was quicker than i expected. nice one.
However, GMER hangs when I scan. It runs through a few files and hangs the system when scanning
Sections: C:\WINDOWS\system32\drivers\atapi.sys

I have to turn pc off manually

These are the properties of atapi.sys


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:27 AM

Posted 10 June 2010 - 03:55 PM

Thanks for the nice screen shots but no need for them unless requested.

We are going to run this special tool.
  • Please download TDSSKiller.exe and save it to your desktop.
  • Run TDSSKiller.exe.
  • When it finished press any key to continue.
  • Let reboot if needed and tell me if it needed a reboot.
  • Also it makes a txt file on the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your replay.


#7 Seajay14

Seajay14
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 10 June 2010 - 05:05 PM

TDSSKiller required a reboot.
log file attached
Thank you

Attached Files



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:27 AM

Posted 10 June 2010 - 05:22 PM

The rootkit is taken care of and the redirection should have been stopped.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. Please download OTC and save it to Desktop.
    • Make sure you have internet connection.
    • Double-click OTC. In Windows Vista right-click to run it as administrator.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.


  3. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  4. Tell me how is your computer running now.


#9 Seajay14

Seajay14
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 12 June 2010 - 05:06 AM

System now seems to be running fine. No more redirection and the Local area connection icon has returned to the task bar, I had completely forgotted that it had disappeared.
Lookin good, thank you.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/06/2010 09:09:16
mbam-log-2010-06-12 (09-09-16).txt

Scan type: Quick scan
Objects scanned: 162113
Time elapsed: 1 hour(s), 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(default) (Hijack.Tray) -> Bad: (C:\DOCUME~1\Chris\LOCALS~1\Temp\5827728413.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:27 AM

Posted 12 June 2010 - 06:50 AM

It looks good. thumbup2.gif
  1. Run TDLfix, type del and press Enter. This will delete the quarantined infected file and mbr.exe. Delete the tool from your desktop.

    Also remove any tool or log we used from your computer.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

Happy Surfing Seajay14. smile.gif

#11 Seajay14

Seajay14
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 12 June 2010 - 04:28 PM

Thank you farbar.

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:27 AM

Posted 12 June 2010 - 05:15 PM

You are welcome Seajay14. smile.gif

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users