post combofix search engine hijack


  • This topic is locked
13 replies to this topic

#1 jazzmoe

jazzmoe

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:24 AM

Posted 19 July 2010 - 04:35 PM

I have used rkill, Malwarebytes, SuperAntiSpyware, Hijack This, Trojan Remover and AVG. After all this failed I used Defogger, turned off AVG and used Combofix. My browser search is still hijacked. Someone please help! Here is my Combofix log...

ComboFix 10-07-19.01 - Joe 07/19/2010 16:14:18.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1020 [GMT -5:00]
Running from: c:\documents and settings\Joe\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-19 04:50 . 2010-03-17 16:35 309248 ----a-w- c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\7mxnvpfg.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
2010-07-19 04:44 . 2010-07-19 04:44 -------- d-----w- c:\program files\Common Files\Java
2010-07-19 04:44 . 2010-07-19 04:44 503808 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-14c3f1e6-n\msvcp71.dll
2010-07-19 04:44 . 2010-07-19 04:44 499712 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-14c3f1e6-n\jmc.dll
2010-07-19 04:44 . 2010-07-19 04:44 348160 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-14c3f1e6-n\msvcr71.dll
2010-07-19 04:44 . 2010-07-19 04:44 61440 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7e7c1451-n\decora-sse.dll
2010-07-19 04:44 . 2010-07-19 04:44 12800 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7e7c1451-n\decora-d3d.dll
2010-07-19 04:43 . 2010-06-22 09:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-19 04:38 . 2010-07-19 04:38 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-19 04:38 . 2010-07-19 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-19 02:03 . 2010-07-19 02:03 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\HandBrake
2010-07-19 02:03 . 2010-07-19 02:03 -------- d-----w- c:\documents and settings\Joe\Application Data\HandBrake
2010-07-19 02:03 . 2010-07-19 02:45 -------- d-----w- c:\program files\Handbrake
2010-07-18 20:42 . 2010-07-18 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\xml_param
2010-07-18 18:33 . 2010-07-19 20:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-18 18:19 . 2010-07-05 19:30 3687344 ----a-w- c:\documents and settings\Joe\Application Data\Simply Super Software\Trojan Remover\bwk1.exe
2010-07-18 18:11 . 2010-07-18 18:11 715152 ----a-w- c:\documents and settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\trunins.exe
2010-07-18 17:37 . 2010-07-18 18:04 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\fgbptojfy
2010-07-16 03:31 . 2010-07-16 03:31 -------- d-----w- c:\windows\Cache
2010-07-16 03:31 . 2010-07-16 03:31 -------- d-----w- c:\program files\Coupons
2010-07-15 14:06 . 2010-07-15 14:06 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 01:08 . 2010-07-15 01:08 -------- d-----w- c:\program files\iPod
2010-07-15 01:03 . 2010-07-15 01:03 -------- d-----w- c:\program files\Bonjour
2010-07-15 00:58 . 2010-07-15 00:58 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-15 00:39 . 2010-07-15 00:39 -------- d-----w- c:\documents and settings\Joe\.shsh
2010-07-14 20:30 . 2010-04-14 23:12 892928 ----a-w- c:\windows\system32\iconv.dll
2010-07-14 20:30 . 2010-07-19 04:54 -------- d-----w- c:\program files\iSkysoft
2010-07-01 19:06 . 2010-07-19 20:34 -------- d-----w- c:\program files\Steam
2010-06-28 20:58 . 2010-06-28 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-06-28 20:58 . 2010-06-28 20:58 -------- d-----w- c:\documents and settings\Joe\Application Data\Office Genuine Advantage
2010-06-22 04:58 . 2010-06-22 04:59 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-06-22 04:58 . 2010-06-22 04:59 -------- d-----w- c:\program files\DAEMON Tools Lite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 20:54 . 2009-12-03 07:58 0 ----a-w- c:\documents and settings\Joe\Local Settings\Application Data\prvlcl.dat
2010-07-19 04:43 . 2009-10-21 17:24 -------- d-----w- c:\program files\Java
2010-07-19 04:42 . 2009-09-14 22:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-19 04:39 . 2009-11-19 20:53 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-18 20:27 . 2009-09-14 03:31 -------- d-----w- c:\documents and settings\Joe\Application Data\uTorrent
2010-07-18 19:43 . 2009-11-09 00:59 120 ----a-w- c:\windows\Pwupah.dat
2010-07-18 18:26 . 2009-10-30 21:24 117760 ----a-w- c:\documents and settings\Joe\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-18 18:20 . 2009-12-14 21:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-18 18:13 . 2010-05-21 00:59 -------- d-----w- c:\program files\Trojan Remover1
2010-07-18 18:09 . 2010-05-21 00:47 -------- d-----w- c:\program files\CCleaner
2010-07-18 17:40 . 2009-11-09 00:59 0 ----a-w- c:\windows\Lkeyod.bin
2010-07-16 18:38 . 2009-11-09 01:07 -------- d-----w- c:\documents and settings\Joe\Application Data\AdobeUM
2010-07-15 14:06 . 2009-09-18 05:40 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 14:05 . 2009-09-18 05:40 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-15 01:08 . 2010-05-05 20:14 -------- d-----w- c:\program files\iTunes
2010-07-15 01:08 . 2009-10-02 06:02 -------- d-----w- c:\program files\Common Files\Apple
2010-07-14 08:01 . 2009-09-14 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-13 22:51 . 2010-02-19 19:34 -------- d-----w- c:\documents and settings\Joe\Application Data\vlc
2010-06-29 06:44 . 2009-11-11 15:52 -------- d-----w- c:\documents and settings\Joe\Application Data\dvdcss
2010-06-22 04:58 . 2010-05-18 15:19 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-14 14:31 . 2009-09-13 20:31 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 08:27 . 2009-09-14 03:31 -------- d-----w- c:\program files\uTorrent
2010-06-08 08:22 . 2009-10-20 15:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 14:14 . 2009-09-18 05:40 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-25 21:38 . 2009-09-13 21:14 85560 ----a-w- c:\documents and settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-25 21:26 . 2010-05-25 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Cached Installations
2010-05-25 21:26 . 2009-09-14 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ACI
2010-05-25 21:22 . 2009-09-14 02:04 -------- d-----w- c:\program files\ACI32
2010-05-25 21:21 . 2009-09-14 02:05 -------- d-----w- c:\program files\Common Files\ACI
2010-05-25 05:13 . 2009-10-30 21:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-21 00:59 . 2010-05-21 00:59 -------- d-----w- c:\documents and settings\Joe\Application Data\Simply Super Software
2010-05-21 00:59 . 2010-05-21 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-05-21 00:47 . 2010-05-21 00:47 -------- d-----w- c:\documents and settings\Joe\Application Data\Yahoo!
2010-05-21 00:47 . 2010-05-21 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-05-21 00:47 . 2009-09-13 21:24 -------- d-----w- c:\program files\Yahoo!
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2008-04-14 11:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 07:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-30 21:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-30 21:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-07-19_02.34.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-19 21:11 . 2010-07-19 21:11 16384 c:\windows\Temp\Perflib_Perfdata_560.dat
+ 2010-07-19 04:39 . 2010-07-19 04:39 28160 c:\windows\Installer\33556e.msi
+ 2009-12-22 01:09 . 2009-12-22 01:09 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-22 06:57 . 2009-12-22 06:57 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-22 01:02 . 2009-12-22 01:02 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-22 04:21 . 2009-12-22 04:21 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-11 20:57 . 2009-12-11 20:57 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobeextractfiles.dll
+ 2009-12-22 04:37 . 2009-12-22 04:37 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-21 23:39 . 2009-12-21 23:39 15288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-21 23:27 . 2009-12-21 23:27 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-21 23:27 . 2009-12-21 23:27 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
+ 2010-07-19 04:44 . 2010-07-19 04:44 231888 c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe
+ 2010-07-19 04:43 . 2010-06-22 09:36 153376 c:\windows\system32\javaws.exe
+ 2010-07-19 04:43 . 2010-06-22 09:36 145184 c:\windows\system32\javaw.exe
- 2009-10-21 17:24 . 2009-10-21 17:24 145184 c:\windows\system32\javaw.exe
+ 2010-07-19 04:43 . 2010-06-22 09:36 145184 c:\windows\system32\java.exe
- 2009-10-21 17:24 . 2009-10-21 17:24 145184 c:\windows\system32\java.exe
+ 2010-07-19 04:44 . 2010-07-19 04:44 180224 c:\windows\Installer\33566b.msi
+ 2009-12-11 20:57 . 2009-12-11 20:57 326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\readerupdater.exe
+ 2009-12-21 23:35 . 2009-12-21 23:35 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-22 01:05 . 2009-12-22 01:05 116168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe
+ 2009-12-21 23:34 . 2009-12-21 23:34 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-10 00:18 . 2009-11-10 00:18 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-22 01:02 . 2009-12-22 01:02 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-11 20:57 . 2009-12-11 20:57 948672 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobearm.exe
+ 2009-12-21 23:43 . 2009-12-21 23:43 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-22 06:57 . 2009-12-22 06:57 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-21 23:15 . 2009-12-21 23:15 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-22 00:32 . 2009-12-22 00:32 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-11 20:57 . 2009-12-11 20:57 326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobatupdater.exe
+ 2009-12-22 00:15 . 2009-12-22 00:15 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2009-07-18 03:21 . 2010-07-19 04:44 5612496 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2010-06-20 08:01 . 2010-06-20 08:01 8040960 c:\windows\Installer\33565c.msp
+ 2010-07-19 04:42 . 2010-07-19 04:42 3940352 c:\windows\Installer\33565b.msi
+ 2009-12-21 23:29 . 2009-12-21 23:29 2409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-22 00:00 . 2009-12-22 00:00 1298996 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JSByteCodeWin.bin
+ 2009-12-22 04:31 . 2009-12-22 04:31 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 c:\windows\Installer\33565d.msp
+ 2009-12-22 04:21 . 2009-12-22 04:21 20436408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\bc40ce9c-e019-4c91-a60a-90e92a8d239a.exe" [2009-10-13 2000112]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"Steam"="c:\program files\Steam\Steam.exe" [2010-07-01 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"C-Media Mixer"="Mixer.exe" [2003-04-06 1818624]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-14 98304]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-08-27 398672]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-06-11 3618104]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"TrojanScanner"="c:\program files\Trojan Remover1\Trjscan.exe" [2010-07-18 1167296]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 14:06 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Trojan Remover1\\Rmvtrjan.exe"=
"c:\\Program Files\\Trojan Remover1\\trupd.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\moon base alpha\\Binaries\\Win32\\MoonBaseAlphaGame.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Joe\\My Documents\\umbrella-4.00.80.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/18/2009 12:40 AM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/18/2009 12:40 AM 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/12/2009 9:24 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 61440]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:06 AM 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 9:27 AM 136176]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 12872]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/18/2010 10:19 AM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 14:27]

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 14:27]

2010-07-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\7mxnvpfg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\7mxnvpfg.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {9F763DBE-F00C-49CA-888F-866AEC8A5FE7} - c:\documents and settings\Joe\Local Settings\Application Data\{9F763DBE-F00C-49CA-888F-866AEC8A5FE7}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 16:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8996DEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: NVIDIA nForce 10/100/1000 Mbps Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xb9e1dbb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e2aa21
SendHandler -> NDIS.sys @ 0xb9e0887b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-19 16:24:45
ComboFix-quarantined-files.txt 2010-07-19 21:24
ComboFix2.txt 2010-07-19 06:01
ComboFix3.txt 2010-07-19 05:18
ComboFix4.txt 2010-07-19 03:57
ComboFix5.txt 2010-07-19 21:05

Pre-Run: 853,742,866,432 bytes free
Post-Run: 853,749,248,000 bytes free

- - End Of File - - 2AFFBB68B7D6C53D6224C8E5003AD869

Edited by jazzmoe, 19 July 2010 - 04:53 PM.
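The security-relevant detail in the log above sits in the Supplementary Scan section: Internet Explorer's WinINet proxy is set to `http=127.0.0.1:5555` and the Firefox profile carries matching `network.proxy.http` / `network.proxy.http_port` prefs. A proxy that points back at the local machine means some process on the host is sitting between the browser and the network, which is how a "search hijack" survives reinstalling toolbars and clearing the home page. The following Python checker is an added example, not part of the post and not code from ComboFix or BleepingComputer: it parses those ComboFix lines (the sample input is copied from the log above) and flags any proxy setting that resolves to loopback. The Firefox part also reports `network.proxy.type`, because a manual proxy is only honoured when that value is 1 (5 means "use the system proxy", i.e. the IE setting, and 0 means no proxy). In this thread the redirects stopped only after TDSSKiller ran, so treat the proxy value as an indicator to confirm and clear, not as the root cause by itself.

```python
"""Flag loopback browser-proxy settings in a ComboFix 'Supplementary Scan' section.

Added example; not ComboFix's own code and not from the forum post. It parses
the 'uInternet Settings,ProxyServer' line ComboFix writes for Internet Explorer
and the 'FF - prefs.js: network.proxy.*' lines it writes for Firefox.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied verbatim from the ComboFix log posted above.
SAMPLE_LOG = """\
uStart Page = hxxp://www.my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 0
"""

# Meaning of Firefox's network.proxy.type values (Mozilla's documented encoding).
FF_PROXY_TYPE = {0: "no proxy", 1: "manual proxy", 2: "PAC script",
                 4: "auto-detect", 5: "system (IE/WinINet) proxy"}


@dataclass
class Finding:
    browser: str
    host: str
    port: Optional[int]
    note: str


def is_local_proxy(host: str) -> bool:
    """True when the proxy host is 'localhost' or a loopback IPv4/IPv6 address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name: not loopback as far as we can tell offline
        return False


def parse_ie_proxy(value: str) -> List[Tuple[str, str, Optional[int]]]:
    """Parse a WinINet ProxyServer string into (scheme, host, port) tuples.

    WinINet accepts either 'host:port' (applies to every protocol, reported
    here as scheme '*') or a ';'-separated list of 'scheme=host:port' entries
    such as the 'http=127.0.0.1:5555' seen in the log.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is '' if absent
        host, _, port = hostport.rpartition(":")
        if not host:                                 # no ':' -> no port given
            host, port = hostport, ""
        entries.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return entries


def scan_combofix(text: str) -> List[Finding]:
    """Return one Finding per browser whose proxy points at the local machine."""
    findings: List[Finding] = []
    ff_host: Optional[str] = None
    ff_port: Optional[int] = None
    ff_type: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"uInternet Settings,ProxyServer\s*=\s*(.+)", line)
        if m:
            for scheme, host, port in parse_ie_proxy(m.group(1)):
                if is_local_proxy(host):
                    findings.append(Finding(
                        "Internet Explorer", host, port,
                        f"WinINet proxy for '{scheme}' is the local machine: "
                        "a local process is intercepting browser traffic"))
            continue
        m = re.match(r"FF - prefs\.js: network\.proxy\.(\w+)\s*-\s*(.+)", line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "http":
                ff_host = val
            elif key == "http_port" and val.isdigit():
                ff_port = int(val)
            elif key == "type" and val.isdigit():
                ff_type = int(val)
    if ff_host and is_local_proxy(ff_host):
        mode = FF_PROXY_TYPE.get(ff_type, "unknown") if ff_type is not None else "unset"
        findings.append(Finding(
            "Firefox", ff_host, ff_port,
            f"network.proxy.http is loopback; network.proxy.type={ff_type} ({mode}); "
            "the manual proxy is only active when type is 1"))
    return findings


if __name__ == "__main__":
    for f in scan_combofix(SAMPLE_LOG):
        print(f"[{f.browser}] proxy {f.host}:{f.port} -> {f.note}")
```

Run against the log above it reports both browsers at `127.0.0.1:5555`. Clearing the IE value (Internet Options > Connections > LAN settings) and resetting the Firefox prefs removes the symptom, but if the listener on port 5555 is installed by a rootkit the setting comes back, which is why the helper in this thread moved to a rootkit scanner rather than editing the proxy by hand.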


#2 jazzmoe

jazzmoe
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:24 AM

Posted 23 July 2010 - 10:48 AM

I really need someone to help me. I posted this 4 days ago and now my computer is starting to freeze up on me.

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:03:24 PM

Posted 25 July 2010 - 01:52 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#4 jazzmoe

jazzmoe
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:24 AM

Posted 26 July 2010 - 11:18 AM

Thank you!!!!!! here are the files...

Attached Files



#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:03:24 PM

Posted 26 July 2010 - 01:18 PM

Hi,

please run a scan with TDSSKiller next:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

regards myrti


 



#6 jazzmoe

jazzmoe
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:24 AM

Posted 26 July 2010 - 01:24 PM

Do you want me to reboot my computer as asked to by TDSSKiller?


#7 myrti (Malware Study Hall Admin)

Posted 26 July 2010 - 04:33 PM

Hi,

yes please reboot. Then let me know if the redirects stop.

regards myrti



#8 jazzmoe (Topic Starter)

Posted 26 July 2010 - 04:56 PM

Whooohooo!!!! All fixed, thank you! I will be donating $5.00 for your time. Thank you very much!

#9 myrti (Malware Study Hall Admin)

Posted 26 July 2010 - 05:17 PM

Hi,

Thanks! And I'm very happy to hear that! smile.gif

Please don't leave just yet, I would like to make sure that nothing is still lurking on the PC, so as to prevent it from being reinfected.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti



#10 jazzmoe (Topic Starter)

Posted 26 July 2010 - 09:03 PM

Done. I did not delete quarantined files or uninstall. I just clicked Finish, I hope that was ok. Here is the log file...

Attached File: eset.txt (1008 bytes)


#11 myrti (Malware Study Hall Admin)

Posted 27 July 2010 - 01:47 AM

Hi,

the files Eset found were previously quarantined by other tools and not part of the infection.

Is everything else running fine?

regards myrti



#12 jazzmoe (Topic Starter)

Posted 27 July 2010 - 09:22 AM

Everything is running smoothly now. Thank you very much!

#13 myrti (Malware Study Hall Admin)

Posted 27 July 2010 - 12:20 PM

Hi,

great, all that is left to do is to remove the programs we used:

Please do the following to clean up your PC:
  1. Delete the tools used during the disinfection:
  2. Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTC from the following mirror and save it to your desktop:
    • Double click on
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  3. If OTC failed to remove all programs from your Desktop, please delete the rest manually.
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.
Some more links you might find of interest:

Have a nice day
myrti



#14 myrti (Malware Study Hall Admin)

Posted 06 August 2010 - 04:35 AM

Since the issue seems resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
