redirect issues


This topic is locked
2 replies to this topic

#1 jamesgroff

Posted 20 June 2010 - 10:07 AM

Okay, so I've been having some issues with my computer. First off, I keep getting redirected to other websites and tabs open themselves, and after this started happening I started to get blue screens. I've been trying various ways to stop the problem myself, but I've had no luck.

I would appreciate any help you can throw at me. Thanks in advance.

ComboFix 10-06-10.06 - hp 06/20/2010 10:33:46.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.810 [GMT -4:00]
Running from: c:\users\hp\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%
c:\windows\system32\%appdata%\Microsoft\Windows\IETldCache\index.dat . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-20 14:36 . 2010-06-20 14:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-20 14:36 . 2010-06-20 14:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-20 14:36 . 2010-06-20 14:39 -------- d-----w- c:\users\hp\AppData\Local\temp
2010-06-20 14:36 . 2010-06-20 14:36 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-06-17 20:25 . 2010-06-17 20:28 -------- d-----w- c:\users\hp\AppData\Roaming\DivX
2010-06-17 20:21 . 2010-06-17 20:25 -------- d-----w- c:\program files\DivX
2010-06-17 20:21 . 2010-06-17 20:25 -------- d-----w- c:\programdata\DivX
2010-06-13 14:37 . 2010-06-13 14:37 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-06-12 16:17 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-12 02:41 . 2010-06-12 02:41 -------- d-----w- c:\program files\CCleaner
2010-06-12 02:10 . 2010-06-12 02:10 -------- d-----w- c:\programdata\FrontLine Registry Cleaner
2010-06-12 01:33 . 2010-06-12 02:10 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-06-12 01:26 . 2010-06-12 01:26 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-12 01:08 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-12 01:08 . 2010-06-12 01:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-12 01:08 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-11 19:32 . 2010-06-12 00:24 -------- d-----w- c:\users\hp\Tracing
2010-06-11 19:30 . 2010-06-11 19:30 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-11 19:29 . 2010-06-11 19:32 -------- d-----w- c:\program files\Microsoft
2010-06-11 19:29 . 2010-06-11 19:31 -------- d-----w- c:\program files\Windows Live
2010-06-11 19:22 . 2010-06-11 19:22 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-10 20:33 . 2010-06-10 21:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-10 20:33 . 2010-06-10 20:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-31 01:32 . 2010-05-31 01:32 -------- d-----w- c:\program files\Conduit
2010-05-29 19:32 . 2010-05-31 00:36 -------- d-----w- c:\users\hp\AppData\Local\xbywcucob
2010-05-26 10:08 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-21 21:46 . 2010-05-21 21:48 -------- d-----w- c:\users\hp\AppData\Roaming\Audio Recorder Titanium
2010-05-21 21:44 . 2009-01-13 10:06 -------- d-----r- c:\users\Public\Audio Recorder Titanium 6.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-20 14:39 . 2010-01-02 01:21 -------- d-----w- c:\users\hp\AppData\Roaming\WTablet
2010-06-20 14:13 . 2009-12-25 17:02 -------- d-----w- c:\program files\Blender Foundation
2010-06-20 02:42 . 2010-05-10 20:18 -------- d-----w- c:\users\hp\AppData\Roaming\Auslogics
2010-06-20 02:42 . 2010-05-10 20:12 -------- d-----w- c:\program files\Auslogics
2010-06-20 00:39 . 2009-12-01 00:47 1356 ----a-w- c:\users\hp\AppData\Local\d3d9caps.dat
2010-06-14 00:08 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-10 02:09 . 2009-12-02 22:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-10 02:08 . 2009-12-02 22:30 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-04 18:47 . 2009-12-25 17:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 10:03 . 2010-01-29 01:26 -------- d-----w- c:\programdata\NOS
2010-05-31 15:00 . 2010-03-21 22:05 -------- d-----w- c:\program files\VDownloader
2010-05-31 01:32 . 2009-12-03 01:48 -------- d-----w- c:\program files\DVDVideoSoft
2010-05-31 01:32 . 2010-05-31 01:32 101376 ----a-w- c:\users\hp\AppData\Roaming\Mozilla\Firefox\Profiles\5lt7ajrl.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\components\RadioWMPCore.dll
2010-05-31 01:32 . 2010-05-31 01:32 52224 ----a-w- c:\users\hp\AppData\Roaming\Mozilla\Firefox\Profiles\5lt7ajrl.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\components\FFExternalAlert.dll
2010-05-30 14:29 . 2010-03-08 22:48 -------- d-----w- c:\program files\Safari
2010-05-26 17:06 . 2010-06-12 16:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-12 16:18 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-06 14:36 . 2009-12-01 18:41 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59 . 2010-06-12 16:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-12 16:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-12 16:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-12 16:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-04-05 17:01 . 2010-06-12 16:18 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-03-30 22:15 . 2010-03-30 22:15 50354 ----a-w- c:\users\hp\AppData\Roaming\Facebook\uninstall.exe
2007-09-13 00:50 . 2007-09-13 00:04 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2010-03-09 2355224]

[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]
2010-03-09 15:06 2355224 ----a-w- c:\program files\DVDVideoSoft\tbDVDV.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2010-03-09 2355224]

[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2010-03-09 2355224]

[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-23 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-23 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-23 154136]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-09 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\users\hp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-2 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-2 113664]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-12-2 884838]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):35,77,f3,e4,2d,72,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2049247289-2342886433-196952500-1000]
"EnableNotificationsRef"=dword:00000001

R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
R3 DNINDIS4;DNINDIS4 NDIS Protocol Driver;c:\windows\system32\DNINDIS4.SYS [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-07-15 4408616]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-07-15 112936]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2009-01-30 15656]
S3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\DRIVERS\WacomVTHid.sys [2009-05-20 13224]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys [2005-09-26 362944]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\FrontLine Registry Cleaner Scheduled Scan - hp.job
- c:\program files\Frontline Registry Cleaner\REGCLEANER.exe [2010-05-08 20:06]

2010-06-20 c:\windows\Tasks\User_Feed_Synchronization-{09DEE350-5C92-410D-A38B-3BCF57CDFA85}.job
- c:\windows\system32\msfeedssync.exe [2010-06-12 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?FORM=Z9FD1
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
FF - ProfilePath - c:\users\hp\AppData\Roaming\Mozilla\Firefox\Profiles\5lt7ajrl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.thedailybeast.com/
FF - plugin: c:\users\hp\AppData\Local\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\users\hp\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-20 10:39
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84E60EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x883a1d24
\Driver\ACPI -> acpi.sys @ 0x82891d68
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\WTouch\WTouchUser.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-06-20 10:49:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-20 14:49
ComboFix2.txt 2010-06-20 13:44
ComboFix3.txt 2010-06-12 02:05
ComboFix4.txt 2009-07-15 07:46
ComboFix5.txt 2010-06-20 14:32

Pre-Run: 122,504,753,152 bytes free
Post-Run: 122,394,148,864 bytes free

- - End Of File - - DD8A2D2E614AA957C900F5B5E4635FF7
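
Added triage example (not part of the original post, and not ComboFix's own code): a small Python screen that reads ComboFix-style log lines and flags the entries a responder would want to check first in a log like the one above. The embedded sample input is copied verbatim from that log (only the lines the checks look at). The checks and their thresholds are assumptions, not rules: a per-user (ComboFix's leading "u") ProxyServer pointing at 127.0.0.1 routes all Internet Explorer traffic through a local listener, which is one common way browser redirects are implemented but is also used by legitimate local filtering software; "EnableLUA"= 0 means UAC is switched off; "[x]" is ComboFix's marker for a service or driver whose image file is missing; the random-name test is a crude consonant-run heuristic that flags c:\users\hp\AppData\Local\xbywcucob and skips \temp. Every hit is something to confirm on the machine (for the proxy, which process is listening on port 5555), not a verdict.

```python
"""Triage helper for a ComboFix-style log: flag entries worth a closer look.

Added example for this thread; not part of ComboFix or the original post.
It is a heuristic screen, not a verdict: confirm every hit on the machine.
"""
from __future__ import annotations

import re

# Lines copied from the ComboFix log posted above (only the ones the checks
# below look at); nothing here is fabricated.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
2010-05-29 19:32 . 2010-05-31 00:36 -------- d-----w- c:\users\hp\AppData\Local\xbywcucob
2010-06-20 14:36 . 2010-06-20 14:39 -------- d-----w- c:\users\hp\AppData\Local\temp
R3 DNINDIS4;DNINDIS4 NDIS Protocol Driver;c:\windows\system32\DNINDIS4.SYS [x]
uStart Page = hxxp://www.bing.com/?FORM=Z9FD1
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
c:\windows\system32\%appdata%
"""

# Loopback proxy such as "http=127.0.0.1:5555" or "localhost:8080".
PROXY_RE = re.compile(
    r"Internet Settings,ProxyServer\s*=\s*(?:\w+=)?(127\.\d+\.\d+\.\d+|localhost):(\d+)",
    re.IGNORECASE,
)
# UAC policy as ComboFix dumps it:  "EnableLUA"= 0 (0x0)
LUA_RE = re.compile(r'"EnableLUA"\s*=\s*0\b')
# Directory entries carry an 8-char attribute field ("d-----w-") before the path.
DIR_RE = re.compile(r"\bd[-a-z]{7}\s+(?P<path>[a-z]:\\.+)$", re.IGNORECASE)
# ComboFix appends "[x]" to a service/driver whose image file is missing.
ORPHAN_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);.*\[x\]\s*$")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not a rule): all-lowercase alphabetic names of
    8+ characters containing a run of four or more consonants, e.g. 'xbywcucob'."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    run = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        if run >= 4:
            return True
    return False


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (category, evidence) pairs for lines that merit a manual check."""
    findings: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:  # all browser traffic goes through a local listener: find the process
            findings.append(("loopback-proxy", f"{m.group(1)}:{m.group(2)}"))
            continue
        if LUA_RE.search(line):  # UAC disabled: silent elevation for anything that runs
            findings.append(("uac-disabled", line))
            continue
        m = ORPHAN_RE.match(line)
        if m:  # registered service/driver whose file is gone: leftover or removed malware
            findings.append(("orphaned-service", m.group("svc")))
            continue
        if "\\%appdata%" in line.lower():  # literal unexpanded variable used as a path
            findings.append(("literal-env-var-path", line))
            continue
        m = DIR_RE.search(line)
        if m:
            path = m.group("path")
            leaf = path.rsplit("\\", 1)[-1]
            if "\\appdata\\local\\" in path.lower() and looks_random(leaf):
                findings.append(("random-appdata-dir", path))
    return findings


if __name__ == "__main__":
    for category, evidence in triage(SAMPLE_LOG):
        print(f"{category:22} {evidence}")
```

Run it as-is to print the findings for the embedded excerpt, or feed a saved ComboFix.txt through triage(open(path).read()). On the excerpt it reports the loopback proxy on port 5555, UAC off, the DNINDIS4 entry with a missing driver file, the literal %appdata% directory under system32, and the xbywcucob folder; the temp folder and the Bing start page are not flagged.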



#2 jamesgroff (Topic Starter)

Posted 21 June 2010 - 10:33 AM

You can close this topic. I'm currently being helped at another forum.

#3 Budapest (Moderator)

Posted 21 June 2010 - 04:41 PM

Topic closed at member request.