Google redirect again


This topic is locked
7 replies to this topic

#1 Blinje

  • Members
  • 4 posts

Posted 12 September 2010 - 09:46 AM

Hi there, first-time poster here. I won't pretend to know anything whatsoever about computers, bleeping or otherwise, but I've been through the preparation guide for this board so hopefully won't infuriate any of the experts!

I've also looked at similar posts about this same phenomenon: Google search results redirecting to other search engines and sites (one of which was a blatant phishing site). The reason I've made my own post is because I'm pretty much terrified of following the steps for someone else's computer in case I break my own.

While following the instructions, I've also encountered a problem with Gmer. After following the instructions carefully I tried scanning for rootkits with it twice. Both attempts led to a flash of blue-screen and the system restarting.
I'd greatly appreciate someone guiding me through this =].

DDS (Ver_10-03-17.01) - NTFSx86
Run by Any Authorised User at 12:33:19.48 on 12/09/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.67 [GMT 1:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\system32\PMSveH.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\PMHandler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Any Authorised User\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.lenovo.com/us/en/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.lenovo.com/us/en/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [Frontier]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Bdowaderirifej] rundll32.exe "c:\windows\msnadg.dll",Startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [oponolsys] rundll32.exe "cbbaya.dll",s
mRun: [Rdacamaz] rundll32.exe "c:\windows\eyoxusumocare.dll",Startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [opqrpqsys] rundll32.exe "cbbaya.dll",s
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/portsmouth/support/plugins/ebraryRdr.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183818025343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F11BFF96-CC7A-4482-819B-91EAE4C454EF} - hxxp://www.inquiero.com/inquiero/mod/setup/ntractivex116_14.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: c:\documents and settings\any authorised user\local settings\application data\desktop cleanup wizard\dskclnwiz.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 cbbaya.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-22 64288]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-2-17 33792]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355928]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-09-12 11:31:05 0 ----a-w- c:\documents and settings\any authorised user\defogger_reenable
2010-09-08 13:47:54 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-08 13:27:55 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-07 14:29:06 0 d-----w- c:\docume~1\anyaut~1\applic~1\VBA-M
2010-09-07 14:25:59 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2010-09-07 14:24:49 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-09-07 14:19:26 0 d-----w- c:\windows\Logs
2010-09-05 12:55:45 2843 ----a-w- c:\windows\iculaxayotik.dll
2010-09-05 11:36:48 2843 ----a-w- c:\windows\oqamejab.dll
2010-09-05 09:24:58 178176 ----a-w- c:\windows\Ehozoa.exe
2010-09-05 09:24:35 75776 --sha-r- c:\windows\system32\msvcrt40R.dll
2010-09-05 09:24:17 0 d-sh--w- c:\documents and settings\any authorised user\.COMMgr
2010-09-05 09:24:02 83968 ---ha-w- c:\windows\system32\ddayax.dll
2010-09-05 09:24:00 83968 ---ha-w- c:\windows\system32\cbbaya.dll
2010-09-05 09:23:55 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-09-05 09:23:48 0 d-----w- c:\docume~1\anyaut~1\applic~1\7CB61F39C3537C2AEF863E42D95FB119
2010-08-27 12:40:08 0 d-----w- c:\program files\Sony
2010-08-27 12:29:55 0 d-----w- c:\windows\system32\XPSViewer
2010-08-27 12:28:21 14048 ------w- c:\windows\system32\spmsg2.dll
2010-08-27 12:12:24 0 d-----w- c:\program files\Sony Setup
2010-08-27 12:05:03 0 d-----w- c:\program files\MagicISO
2010-08-27 09:44:51 0 d-----w- c:\program files\Sony Vegas 8 Pro + Crack
2010-08-19 19:03:55 0 d-----w- c:\windows\system32\Adobe

==================== Find3M ====================

2010-09-12 11:33:31 585472 ----a-w- c:\windows\system32\drivers\anapd.sys
2010-09-12 11:33:29 765440 ----a-w- c:\windows\system32\drivers\glkrqx.sys
2010-08-29 20:13:30 56708 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-12 12:15:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-12 12:15:20 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-09 22:02:15 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2010-08-09 21:34:41 3038 ----a-w- C:\fix_svchost.bat
2010-08-09 21:32:12 6216032 ----a-w- C:\windowsupdateagent30-x86.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2007-03-09 08:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll

============= FINISH: 12:34:53.42 ===============


Again - no GMER as system crashes/resets instantly

Thank you!



#2 JSntgRvr (Master Surgeon General)


  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 September 2010 - 10:28 AM

Hi, Blinje

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • Save it on the desktop
    QUOTE
    http://www.bleepingcomputer.com/forums/ind...22&t=346804

    Suspect::
    c:\windows\iculaxayotik.dll
    c:\windows\oqamejab.dll
    c:\windows\Ehozoa.exe
    c:\windows\system32\msvcrt40R.dll
    c:\documents and settings\any authorised user\.COMMgr
    c:\windows\system32\ddayax.dll
    c:\windows\system32\cbbaya.dll
    c:\windows\system32\pcre3.dll
    c:\windows\msnadg.dll
    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.
  4. Install the Recovery Console if prompted.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

In the event the upload fails, Combofix created a zipped file in the C:\Qoobox\Quarantine folder labeled in the form of [4]-Submit_Date_Time.zip. Please have this file uploaded to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!
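The DDS log in the first post and the suspect list in this reply both come down to a handful of triage checks on the autostart and file-creation sections. The script below is an added example, not part of the thread or of DDS or ComboFix; it runs those checks over lines copied from the DDS log above: a proxy pointed at loopback, extra LSA authentication packages, rundll32 Run entries loading a bare-named DLL or one dropped straight into the Windows directory, a non-empty AppInit_DLLs value, and a burst of files created within a couple of minutes. The rule names and the burst thresholds (120-second window, at least 4 files) are assumptions made here.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the DDS log posted earlier in this thread.
DDS_SAMPLE = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Bdowaderirifej] rundll32.exe "c:\windows\msnadg.dll",Startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [oponolsys] rundll32.exe "cbbaya.dll",s
mRun: [Rdacamaz] rundll32.exe "c:\windows\eyoxusumocare.dll",Startup
dRun: [opqrpqsys] rundll32.exe "cbbaya.dll",s
AppInit_DLLs: c:\documents and settings\any authorised user\local settings\application data\desktop cleanup wizard\dskclnwiz.dll
LSA: Authentication Packages = msv1_0 cbbaya.dll
2010-09-05 12:55:45 2843 ----a-w- c:\windows\iculaxayotik.dll
2010-09-05 09:24:58 178176 ----a-w- c:\windows\Ehozoa.exe
2010-09-05 09:24:35 75776 --sha-r- c:\windows\system32\msvcrt40R.dll
2010-09-05 09:24:17 0 d-sh--w- c:\documents and settings\any authorised user\.COMMgr
2010-09-05 09:24:02 83968 ---ha-w- c:\windows\system32\ddayax.dll
2010-09-05 09:24:00 83968 ---ha-w- c:\windows\system32\cbbaya.dll
2010-09-05 09:23:55 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-08-27 12:29:55 0 d-----w- c:\windows\system32\XPSViewer
"""

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<val>.+)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.+)$")
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S{8})\s+(?P<path>.+)$"
)


def rundll32_risk(dll: str):
    """Why a rundll32 autostart deserves a look, or None if it does not.

    A bare name is resolved through the loader search path; a DLL placed
    directly in the Windows directory (not system32) is rarely a vendor install.
    """
    low = dll.lower()
    if "\\" not in low:
        return "bare DLL name resolved via the search path"
    if low.startswith("c:\\windows\\") and low.count("\\") == 2:
        return "DLL placed directly in the Windows directory"
    return None


def creation_bursts(entries, window=timedelta(seconds=120), min_count=4):
    """Group (timestamp, attrs, path) entries whose creation times fall within `window`."""
    entries = sorted(entries)
    bursts, i = [], 0
    while i < len(entries):
        j = i
        while j + 1 < len(entries) and entries[j + 1][0] - entries[i][0] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append(entries[i:j + 1])
            i = j + 1
        else:
            i += 1
    return bursts


def triage_dds(text: str):
    """Return (rule, detail) findings for one DDS log."""
    findings, created = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := PROXY_RE.match(line):
            # A proxy on the loopback interface means something local sits in the path.
            if re.search(r"127\.0\.0\.1|localhost", m["val"], re.IGNORECASE):
                findings.append(("proxy_localhost", m["val"]))
        elif m := LSA_RE.match(line):
            # A default XP install lists only msv1_0; anything else is loaded into lsass.
            for pkg in m["pkgs"].split():
                if pkg.lower() != "msv1_0":
                    findings.append(("lsa_extra_package", pkg))
        elif m := RUN_RE.match(line):
            d = RUNDLL_RE.match(m["cmd"])
            if d and (why := rundll32_risk(d["dll"])):
                findings.append(("rundll32_run", f"{m['name']}: {d['dll']} ({why})"))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every process that links user32.
            findings.append(("appinit_dlls", line.split(":", 1)[1].strip()))
        elif m := CREATED_RE.match(line):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            created.append((ts, m["attrs"], m["path"]))
    for burst in creation_bursts(created):
        hidden = sum(1 for _, attrs, _ in burst if "h" in attrs or "s" in attrs)
        findings.append(("creation_burst",
                         f"{len(burst)} files within 120s from {burst[0][0]}, "
                         f"{hidden} hidden/system"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage_dds(DDS_SAMPLE):
        print(f"{rule:18} {detail}")
```

Run as-is it flags exactly the entries the CFScript above targets, plus the loopback proxy that explains the search redirects.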


#3 Blinje (Topic Starter)

  • Members
  • 4 posts

Posted 13 September 2010 - 04:49 AM

Thank you for getting back to me so quickly!
I wasn't sure whether it uploaded the quarantine file or not; there didn't seem to be a message and my wireless connection hiccuped at that point, so I've sent it in anyway.

Everything seems a lot better now, anything else I need to do?

Here's the log:


ComboFix 10-09-12.02 - Any Authorised User 13/09/2010 9:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.293 [GMT 1:00]
Running from: c:\documents and settings\Any Authorised User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Any Authorised User\Desktop\CFScript.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

file zipped: c:\documents and settings\Any Authorised User\.COMMgr
file zipped: c:\windows\Ehozoa.exe
file zipped: c:\windows\iculaxayotik.dll
file zipped: c:\windows\msnadg.dll
file zipped: c:\windows\oqamejab.dll
file zipped: c:\windows\system32\cbbaya.dll
file zipped: c:\windows\system32\ddayax.dll
file zipped: c:\windows\system32\msvcrt40R.dll
file zipped: c:\windows\system32\pcre3.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Any Authorised User\.COMMgr
c:\documents and settings\Any Authorised User\Application Data\7CB61F39C3537C2AEF863E42D95FB119
c:\documents and settings\Any Authorised User\Application Data\7CB61F39C3537C2AEF863E42D95FB119\enemies-names.txt
c:\documents and settings\Any Authorised User\Application Data\7CB61F39C3537C2AEF863E42D95FB119\local.ini
c:\documents and settings\Any Authorised User\Local Settings\Application Data\{95AEA6D4-1DA1-4F89-A35E-567364BE2108}
c:\documents and settings\Any Authorised User\Local Settings\Application Data\{95AEA6D4-1DA1-4F89-A35E-567364BE2108}\chrome.manifest
c:\documents and settings\Any Authorised User\Local Settings\Application Data\{95AEA6D4-1DA1-4F89-A35E-567364BE2108}\chrome\content\_cfg.js
c:\documents and settings\Any Authorised User\Local Settings\Application Data\{95AEA6D4-1DA1-4F89-A35E-567364BE2108}\chrome\content\overlay.xul
c:\documents and settings\Any Authorised User\Local Settings\Application Data\{95AEA6D4-1DA1-4F89-A35E-567364BE2108}\install.rdf
c:\documents and settings\Any Authorised User\Local Settings\Application Data\Desktop Cleanup Wizard
c:\documents and settings\Any Authorised User\Local Settings\Application Data\Windows Server
c:\documents and settings\Any Authorised User\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Any Authorised User\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Any Authorised User\Local Settings\Application Data\Windows Server\uses32.dat
c:\windows\Ehozoa.exe
c:\windows\eyoxusumocare.dll
c:\windows\iculaxayotik.dll
c:\windows\msnadg.dll
c:\windows\oqamejab.dll
c:\windows\system32\cbbaya.dll
c:\windows\system32\driVERs\anapd.sys
c:\windows\system32\drivers\glkrqx.sys
c:\windows\system32\STEC3.sys

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_STEC3
-------\Service_STEC3
-------\Legacy_anapd
-------\Legacy_glkrqx
-------\Service_anapd
-------\Service_glkrqx


((((((((((((((((((((((((( Files Created from 2010-08-13 to 2010-09-13 )))))))))))))))))))))))))))))))
.

2010-09-12 10:58 . 2010-09-12 10:58 388096 ----a-r- c:\documents and settings\Any Authorised User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-08 13:47 . 2010-09-08 13:47 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-08 13:27 . 2010-09-08 13:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-08 13:27 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-09-07 14:29 . 2010-09-07 14:29 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\VBA-M
2010-09-07 14:25 . 2008-10-27 09:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2010-09-07 14:24 . 2005-05-26 14:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-09-07 14:19 . 2010-09-07 14:19 -------- d-----w- c:\windows\Logs
2010-09-06 17:58 . 2010-09-06 17:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-09-06 17:20 . 2010-09-06 17:20 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-09-05 09:24 . 2010-09-05 09:24 75776 --sha-r- c:\windows\system32\msvcrt40R.dll
2010-09-05 09:24 . 2010-09-05 14:51 -------- d-----w- c:\documents and settings\Any Authorised User\Local Settings\Application Data\cpktuagem
2010-09-05 09:24 . 2010-09-05 09:24 83968 ---ha-w- c:\windows\system32\ddayax.dll
2010-09-05 09:23 . 2010-09-05 09:24 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-08-27 14:24 . 2010-08-27 14:25 -------- d-----w- c:\program files\QuickTime
2010-08-27 14:24 . 2010-08-27 14:24 -------- d-----w- c:\program files\Common Files\Apple
2010-08-27 14:23 . 2010-08-27 14:23 -------- d-----w- c:\documents and settings\Any Authorised User\Local Settings\Application Data\Apple
2010-08-27 14:23 . 2010-08-27 14:23 -------- d-----w- c:\program files\Apple Software Update
2010-08-27 14:23 . 2010-08-27 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-08-27 13:21 . 2010-08-27 13:21 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Publish Providers
2010-08-27 13:20 . 2010-08-29 18:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-27 13:20 . 2010-08-27 13:20 -------- d-----w- c:\documents and settings\Any Authorised User\Local Settings\Application Data\Sony
2010-08-27 13:20 . 2010-08-27 13:20 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Sony
2010-08-27 12:40 . 2010-08-29 20:47 -------- d-----w- c:\program files\Sony
2010-08-27 12:34 . 2010-08-27 12:34 159640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-27 12:29 . 2010-08-27 12:29 -------- d-----w- c:\windows\system32\XPSViewer
2010-08-27 12:29 . 2010-08-27 12:29 -------- d-----w- c:\program files\Reference Assemblies
2010-08-27 12:28 . 2006-10-14 15:43 27648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-08-27 12:28 . 2006-06-29 12:07 14048 ------w- c:\windows\system32\spmsg2.dll
2010-08-27 12:12 . 2010-08-27 12:13 52770576 ----a-w- c:\documents and settings\Any Authorised User\Application Data\Sony Setup\64993CD0-67D1-4244-A2BC-FD73F4DA5B62\dotnetfx3.exe
2010-08-27 12:12 . 2010-08-27 12:12 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Sony Setup
2010-08-27 12:12 . 2010-08-27 12:12 -------- d-----w- c:\program files\Sony Setup
2010-08-27 12:05 . 2010-09-12 11:30 -------- d-----w- c:\program files\MagicISO
2010-08-27 09:44 . 2010-08-27 12:11 -------- d-----w- c:\program files\Sony Vegas 8 Pro + Crack
2010-08-19 19:03 . 2010-08-19 19:14 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-13 08:06 . 2010-08-09 09:38 120 ----a-w- c:\windows\Ifaguyiw.dat
2010-09-13 08:06 . 2010-08-09 09:38 0 ----a-w- c:\windows\Mxuhuvil.bin
2010-09-12 23:01 . 2010-06-15 14:00 -------- d-----w- c:\program files\Steam
2010-09-09 08:31 . 2009-03-01 17:32 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Azureus
2010-09-07 11:07 . 2009-02-03 00:24 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\vlc
2010-09-05 22:52 . 2010-04-04 17:51 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Namuuw
2010-09-05 18:42 . 2006-09-16 20:50 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Wihido
2010-09-05 12:28 . 2008-09-02 13:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-03 18:31 . 2010-04-09 08:57 -------- d-----w- c:\program files\Digsby
2010-08-29 20:13 . 2010-04-09 15:05 56708 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-28 13:23 . 2006-06-29 05:31 69616 ----a-w- c:\documents and settings\Any Authorised User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-28 11:46 . 2006-06-04 07:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-27 14:24 . 2006-10-31 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-08-27 13:43 . 2008-01-09 17:10 -------- d-----w- c:\program files\Replay Converter
2010-08-27 12:34 . 2007-11-21 21:15 -------- d-----w- c:\program files\MSBuild
2010-08-12 12:15 . 2009-03-22 13:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-12 12:15 . 2009-03-22 12:01 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-09 22:02 . 2010-08-09 22:02 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2010-08-09 21:34 . 2010-08-09 21:34 3038 ----a-w- C:\fix_svchost.bat
2010-08-09 21:32 . 2010-08-09 21:32 6216032 ----a-w- C:\windowsupdateagent30-x86.exe
2010-08-09 15:43 . 2010-08-09 15:43 -------- d-----w- c:\program files\Defraggler
2010-08-09 11:25 . 2009-06-10 05:58 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Siexic
2010-08-09 09:36 . 2010-08-09 09:36 24 ----a-w- c:\documents and settings\LocalService\Application Data\bawuho.dat
2010-08-09 09:29 . 2008-09-15 13:28 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Media Player Classic
2010-08-09 09:28 . 2009-08-14 10:27 -------- d-----w- c:\program files\CCleaner
2010-08-08 22:58 . 2008-01-20 16:39 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Cyezdi
2010-08-07 14:49 . 2010-08-07 14:49 24 ----a-w- c:\documents and settings\NetworkService\Application Data\bawuho.dat
2007-08-09 13:08 . 2007-10-11 16:49 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 13:10 . 2007-10-11 16:49 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2007-03-09 08:12 . 2007-03-09 08:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-09-06 17:56 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-09-08 13:47 864624 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 01:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-15 06:10 1236992 ------w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2005-11-29 17:55 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-04-26 16:29 133104 ----atw- c:\documents and settings\Any Authorised User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-23 00:00 385024 ----a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMHandler]
2005-12-20 00:45 20480 ------w- c:\windows\system32\PMHandler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 04:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-11-11 21:07 90112 ------w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 04:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-07-20 22:05 729177 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2005-12-09 07:37 94208 ------w- c:\program files\Lenovo\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPWAUDAP]
2005-12-10 15:29 24064 ------w- c:\program files\Lenovo\HOTKEY\TpWAudAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"npggsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/03/2009 13:01 64288]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [17/02/2009 20:00 33792]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 13:15 1355928]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/08/2010 13:15 15008]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4190814071-1498419441-3328042551-1005Core.job
- c:\documents and settings\Any Authorised User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-26 16:29]

2010-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4190814071-1498419441-3328042551-1005UA.job
- c:\documents and settings\Any Authorised User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-26 16:29]

2010-09-13 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lenovo.com/us/en/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Frontier - (no file)
HKCU-Run-Bdowaderirifej - c:\windows\msnadg.dll
HKLM-Run-oponolsys - cbbaya.dll
HKLM-Run-Rdacamaz - c:\windows\eyoxusumocare.dll
HKU-Default-Run-opqrpqsys - cbbaya.dll
MSConfigStartUp-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-13 10:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\tphklock.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1820)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\PMSveH.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-13 10:09:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-13 09:09

Pre-Run: 37,374,746,624 bytes free
Post-Run: 37,346,287,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 4321E2CD9386C81F464DA9A4A7851EA1


Thanks again


#4 Blinje (Topic Starter, Members, 4 posts)

Posted 13 September 2010 - 05:19 AM

Oh Hell. I just realised I left windows firewall active while combofix was doing its thing... should I do it again?

#5 JSntgRvr (Master Surgeon General, Malware Response Team, 11,761 posts, Puerto Rico)

Posted 13 September 2010 - 11:48 AM

The file was not uploaded. Please try again.

Go to Start -> Run, type CMD and click OK

At the prompt type the following and press Enter:

SC Delete npggsvc
Exit

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 21.
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 Blinje (Topic Starter, Members, 4 posts)

Posted 13 September 2010 - 03:12 PM

Heya.
I've followed your instructions to the letter, updated Java as well - Kaspersky is currently scanning the machine in question, but it's taking ages! It has taken half an hour to complete 5% of the scan and the information appears to have frozen in the window. I'm not sure it's still running - should I leave it as is?

#7 JSntgRvr (Master Surgeon General, Malware Response Team, 11,761 posts, Puerto Rico)

Posted 13 September 2010 - 04:40 PM

Kaspersky online scanner will take some time, perhaps hours. Be patient.



#8 JSntgRvr (Master Surgeon General, Malware Response Team, 11,761 posts, Puerto Rico)

Posted 02 October 2010 - 12:54 AM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
