Google Redirect/Random Tabs


28 replies to this topic

#1 uga_dawgs24

Posted 17 June 2010 - 01:27 PM

When we try and search something via google, often the link will redirect us to another site. Occasionally random tabs/windows will open. Sometimes it is the google site with some addition to the end (after .com, like .com/???/) other times it looks to be spam ads.

I ran both DDS and GMER. I have attached the two DDS logs but when I ran GMER it took around 3+ hours and then I got the BSOD with the title PFN_LIST_CORRUPT.

Thanks for any help.


Edited by uga_dawgs24, 17 June 2010 - 03:30 PM.



#2 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 22 June 2010 - 04:50 AM

Hi uga_dawgs24,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#3 uga_dawgs24

Posted 22 June 2010 - 07:06 AM

The condition is still the same. Still have Google redirects, still have random popups, and Firefox randomly shutting down.

#4 Farbar

Posted 22 June 2010 - 07:55 AM

  1. Run GMER, uncheck all boxes except the box next to Sections (C drive should remain checked), click Scan.
    When it finished press Save to save the log and post it to your reply. It will not take more than a minute.

  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @echo off
    REM delete any previous log so the result below is fresh
    if exist mbr.log del mbr.log
    REM run GMER's mbr.exe (it is in C:\Windows, which is on the PATH); it writes mbr.log to the current folder
    mbr.exe -t
    REM a single ping with a 1 second timeout acts as a short pause before the log is opened
    ping 1.1.1.1 -n 1 -w 1000 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.


#5 uga_dawgs24

Posted 22 June 2010 - 08:29 AM

I have attached the GMER scan log.

When I try and download the MBR file I click on Save As as the file says, but it doesn't give me an option of where to save it. It just goes to the download window. The same thing happened for GMER and I had to go in and manually move the file to the desktop, which I can't do here since I can't open the file.


#6 Farbar

Posted 22 June 2010 - 08:47 AM

No need for the other log.
  1. You can set Firefox to give you the option to save the downloads where you want. To do that:

    Open Firefox =>under Tools menu click on Options... => under General tab check Always ask me where to save files. Click OK.

  2. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed and tell me if it needed a reboot.
    • It also makes a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.


#7 uga_dawgs24

Posted 22 June 2010 - 09:48 AM

1. Thanks for showing me that.

2. Ran it and yes it needed a reboot. It said it found a TDSS rootkit and needed to be rebooted to remove it. I have also attached the log.


#8 Farbar

Posted 22 June 2010 - 09:58 AM

The rootkit is taken care of and the issue should have been resolved.

But we need to do some additional steps to prevent reinfection.
  1. You have the latest version of Java (Java 6 Update 20) and that is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please uninstall the following:

    J2SE Runtime Environment 5.0 Update 6

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  3. Your AVG is not upgraded to AVG 9 and this is a security risk. Do you have a subscription? Do you want to install a free version of AVG or another free antivirus? To upgrade you should download the latest version but not install it. Uninstall the old version and then install the downloaded version. Please tell me what you are going to do about it.


#9 uga_dawgs24

Posted 22 June 2010 - 12:17 PM

Here is the scan:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4225

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/22/2010 1:11:55 PM
mbam-log-2010-06-22 (13-11-55).txt

Scan type: Quick scan
Objects scanned: 164066
Time elapsed: 13 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


In regards to AVG, we have a subscription. It expires at the end of September. Is there a way to upgrade it without buying the new one quite yet? Or would we be better off just downloading the free one as well?

#10 Farbar

Posted 22 June 2010 - 01:59 PM

Some antivirus vendors upgrade for free. You may contact AVG support or the AVG forum.

There are still some entries in the DDS log; they might be leftovers but we have to make sure.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about untrusted download sites for ComboFix, click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#11 uga_dawgs24

Posted 22 June 2010 - 04:11 PM

ComboFix 10-06-22.02 - Sally 06/22/2010 16:52:21.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1291 [GMT -4:00]
Running from: c:\documents and settings\Sally\Desktop\ComboFix.exe
AV: AVG Internet Security 3-pack *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sally\GoToAssistDownloadHelper.exe
c:\documents and settings\Sally\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Sally\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\xpsp1hfm.log
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-14 12:39 . 2010-06-14 12:38 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-11 12:39 . 2010-06-11 12:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-06-11 00:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-11 00:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-11 00:31 . 2010-06-11 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 06:24 . 2010-06-09 23:47 -------- d-----w- c:\documents and settings\Sally\Local Settings\Application Data\hrjvway
2010-05-31 11:22 . 2010-05-31 11:22 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb2704.tmp.exe
2010-05-29 11:15 . 2010-05-29 11:15 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1C42.tmp.exe
2010-05-28 13:30 . 2010-05-28 13:30 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1410.tmp.exe
2010-05-27 14:50 . 2010-05-27 14:50 -------- d-----w- c:\documents and settings\Sally\Application Data\VirtualStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-22 19:07 . 2008-08-14 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-22 16:56 . 2008-04-08 23:38 -------- d-----w- c:\program files\Common Files\Java
2010-06-22 14:44 . 2004-08-04 03:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-06-19 14:53 . 2009-04-06 15:36 2829 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-06-18 12:20 . 2008-04-27 14:08 -------- d-----w- c:\documents and settings\Sally\Application Data\U3
2010-06-18 09:53 . 2008-04-20 19:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-17 14:33 . 2008-04-08 23:47 -------- d-----w- c:\program files\Google
2010-06-15 20:32 . 2008-04-08 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-14 12:38 . 2008-04-08 23:38 -------- d-----w- c:\program files\Java
2010-06-12 12:52 . 2008-04-10 21:31 73600 ----a-w- c:\documents and settings\Sally\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-11 00:23 . 2010-04-29 23:56 -------- d-----w- c:\program files\NCH Software
2010-06-11 00:21 . 2010-04-29 23:56 -------- d-----w- c:\documents and settings\Sally\Application Data\NCH Software
2010-05-30 15:15 . 2008-05-24 02:02 -------- d-----w- c:\program files\Coupons
2010-05-26 22:33 . 2008-04-08 23:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-26 22:33 . 2009-04-09 12:34 -------- d-----w- c:\documents and settings\Sally\Application Data\Cogniview
2010-05-26 22:33 . 2009-04-09 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Cogniview
2010-05-26 22:32 . 2008-04-08 23:47 -------- d-----w- c:\program files\Dell
2010-05-26 22:30 . 2010-04-29 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-05-23 07:33 . 2010-05-23 07:33 61440 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63693c37-n\decora-sse.dll
2010-05-23 07:33 . 2010-05-23 07:33 503808 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32bde041-n\msvcp71.dll
2010-05-23 07:33 . 2010-05-23 07:33 499712 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32bde041-n\jmc.dll
2010-05-23 07:33 . 2010-05-23 07:33 348160 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32bde041-n\msvcr71.dll
2010-05-23 07:33 . 2010-05-23 07:33 12800 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63693c37-n\decora-d3d.dll
2010-05-09 16:55 . 2010-05-09 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies
2010-04-06 11:16 . 2009-04-12 18:46 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-04-06 11:16 . 2009-04-12 18:46 1352968 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-08 68856]
"Upromise Update"="c:\program files\Upromise\dca-ua.exe" [2009-07-01 81920]
"Upromise Tray"="c:\program files\Upromise\UpromiseTray.exe" [2009-07-01 167936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-17 2046816]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"BellSouthReportingAgent"="c:\program files\Common Files\Motive\McciBootStrapper.exe" [2004-06-25 204800]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-8 24576]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-2-2 984352]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-30 13:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/19/2009 8:11 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2009 8:11 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2009 8:11 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/24/2009 8:53 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2009 8:11 PM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/24/2009 8:53 AM 1370488]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/19/2009 8:10 PM 29208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/20/2009 7:55 PM 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/19/2009 8:10 PM 29208]
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2008-07-13 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8207863851.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 04:52]

2010-06-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-08 11:46]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 23:54]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 23:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wsbtv.com/index.html
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_AE31856476A4FE41.dll/cmsidewiki.html
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Sally\Application Data\Mozilla\Firefox\Profiles\kdlp4qhg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wsbtv.com/index.html
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-wrqxhrehbmqpqx - c:\documents and settings\sally\local settings\application data\hrjvway\lfjhcwu.exe
HKLM-Run-wrqxhrehbmqpqx - c:\documents and settings\sally\local settings\application data\hrjvway\lfjhcwu.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 17:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3308)
c:\windows\system32\WININET.dll
c:\program files\Google\Google Desktop Search\GoogleDesktopCommon.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-06-22 17:07:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-22 21:07

Pre-Run: 466,297,982,976 bytes free
Post-Run: 466,799,267,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DFE20729B6819DC6981B66FF16E48078
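The lines a defender actually reads in this log are the Run-key values, the orphaned Run entries (the hrjvway\lfjhcwu.exe launcher) and the firewall policy value. As an added example, not part of the thread or of ComboFix, this script parses those line formats and flags entries that launch from a user profile data folder or carry random-looking names, plus a disabled firewall profile; the sample lines are constructed to mirror the log above.

```python
"""Triage autorun entries in a ComboFix-style log (added example, not ComboFix's
or the forum's own code). Parses the "Reg Loading Points" and "ORPHANS REMOVED"
line formats; the sample at the bottom is constructed to mirror the posted log."""
import re

# "Name"="c:\path\file.exe" [2009-05-21 206064]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# HKCU-Run-Name - c:\path\file.exe   (entries ComboFix listed as orphans)
ORPHAN_RE = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$')
# "EnableFirewall"= 0 (0x0)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')

# Per-user, user-writable folders; legitimate Run entries rarely launch from here.
USER_DATA_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)


def looks_random(token: str) -> bool:
    """Crude check for generated names such as hrjvway or wrqxhrehbmqpqx:
    all lowercase letters, six or more of them, fewer than one vowel per five."""
    if len(token) < 6 or not token.isalpha() or not token.islower():
        return False
    return sum(ch in "aeiou" for ch in token) * 5 < len(token)


def in_user_data_dir(path: str) -> bool:
    """True when the image path sits inside a per-user data folder."""
    p = path.lower().replace("/", "\\")
    return any(d in p for d in USER_DATA_DIRS)


def analyze(lines):
    """Walk the log once, tracking the current registry key.
    Returns a list of (key, value_name, path, reasons) tuples."""
    findings, current_key = [], ""
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        fw = FIREWALL_RE.match(line)
        if fw:
            if fw.group("val") == "0":
                findings.append((current_key, "EnableFirewall", "0",
                                 ["Windows Firewall is disabled for this profile"]))
            continue
        m = RUN_VALUE_RE.match(line) or ORPHAN_RE.match(line)
        if not m:
            continue
        name, path = m.group("name"), m.group("path").strip()
        key = f"{m.group('hive')}-Run (orphan)" if m.re is ORPHAN_RE else current_key
        reasons = []
        if in_user_data_dir(path):
            reasons.append("launches from a user profile data folder")
        # Judge the last folder and the file stem, e.g. hrjvway\lfjhcwu.exe
        tail = [part.rsplit(".", 1)[0] for part in path.lower().split("\\")[-2:]]
        random_tail = [t for t in tail if looks_random(t)]
        if looks_random(name) and random_tail:
            reasons.append("random-looking name and path: " + ", ".join([name] + random_tail))
        if reasons:
            findings.append((key, name, path, reasons))
    return findings


# Constructed sample mirroring the posted log. The wrqxhrehbmqpqx Run value and
# its size field are made up to show what the entry looked like before removal.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-17 2046816]
"wrqxhrehbmqpqx"="c:\documents and settings\sally\local settings\application data\hrjvway\lfjhcwu.exe" [2010-06-09 0]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
- - - - ORPHANS REMOVED - - - -
HKCU-Run-wrqxhrehbmqpqx - c:\documents and settings\sally\local settings\application data\hrjvway\lfjhcwu.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
""".strip().splitlines()


if __name__ == "__main__":
    for key, name, path, reasons in analyze(SAMPLE_LOG):
        print(f"[{key}] {name} -> {path}\n    " + "; ".join(reasons))
```

The benign sprtcmd.exe entry is not reported even though its file stem is vowel-poor, because the name test only counts when the value name and the path both look generated and the binary does not sit in a profile folder.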


#12 Farbar

Posted 22 June 2010 - 04:19 PM

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


CODE
@ECHO OFF
REM rd /s /q removes the malware folder and everything in it (rm is not a Windows command)
rd /s/q "c:\documents and settings\Sally\Local Settings\Application Data\hrjvway" >nul
REM list whatever is left, capturing errors as well, then show the result
dir /a/b "c:\documents and settings\Sally\Local Settings\Application Data\hrjvway" >log.txt 2>&1
START log.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A notepad opens, copy and paste the content (log.txt) to your reply.


#13 uga_dawgs24

Posted 22 June 2010 - 04:25 PM

When the log popped up there was nothing in it. It says log but the notepad itself is completely blank.

#14 Farbar

Posted 22 June 2010 - 04:47 PM

It looks good.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. You may delete any tool or log we used from your computer.

Happy Surfing uga_dawgs24.

#15 uga_dawgs24

Posted 22 June 2010 - 06:50 PM

Thanks.

When I tried to uninstall ComboFix I got a lot of little popups saying it couldn't do something; I forgot what they said. It seems to be gone now.

There seems to be a new problem though. My sound is not working now. I just noticed this happening after I removed ComboFix and some of the other stuff. Sound is turned on, it just isn't working.

Here is another dds log if it might help.
