
Google/webhp redirection


This topic is locked
2 replies to this topic

#1 Athias

  • Members
  • 1 posts

Posted 01 October 2010 - 05:18 PM

Recently my computer got hit with a pretty bad virus, and while I think I was able to clear most of it out, a few bugs remain on my computer. Namely, Google search is messed up now: when I click a link from Google, it redirects me to random spam sites a good third of the time. Also, occasionally an entirely new Google tab will open up on my computer. After exhausting most other options, I used ComboFix; here's my log:

ComboFix 10-10-01.01 - Bob 10/01/2010 18:02:44.1.4 - x86 NETWORK
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3327.2372 [GMT -4:00]
Running from: c:\users\Bob\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Bob\AppData\Local\{C8305957-133A-45F6-B840-57B474A7029C}
c:\users\Bob\AppData\Local\{C8305957-133A-45F6-B840-57B474A7029C}\chrome.manifest
c:\users\Bob\AppData\Local\{C8305957-133A-45F6-B840-57B474A7029C}\chrome\content\_cfg.js
c:\users\Bob\AppData\Local\{C8305957-133A-45F6-B840-57B474A7029C}\chrome\content\overlay.xul
c:\users\Bob\AppData\Local\{C8305957-133A-45F6-B840-57B474A7029C}\install.rdf
c:\users\Bob\AppData\Local\{FE05D2B5-5536-43A4-9E3E-CAF56338B2B8}
c:\users\Bob\AppData\Local\{FE05D2B5-5536-43A4-9E3E-CAF56338B2B8}\chrome\content\overlay.xul
c:\users\Bob\AppData\Local\{FE05D2B5-5536-43A4-9E3E-CAF56338B2B8}\install.rdf
c:\windows\system32\DROPPEDFILEOK1.tmp

.
((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))
.

2010-10-01 22:06 . 2010-10-01 22:06 -------- d-----w- c:\users\Bob\AppData\Local\temp
2010-10-01 22:06 . 2010-10-01 22:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-01 22:00 . 2010-10-01 22:00 -------- d-----w- C:\32788R22FWJFW
2010-10-01 21:23 . 2009-07-15 06:54 485920 ----a-w- c:\windows\system32\nvuninst.exe
2010-10-01 21:19 . 2010-09-24 20:43 618128 ----a-w- c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\a3mf1dls.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-10-01 21:19 . 2010-09-24 20:42 644384 ----a-w- c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\a3mf1dls.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-09-28 20:40 . 2010-09-28 20:40 -------- d-----w- c:\users\Bob\AppData\Roaming\Malwarebytes
2010-09-28 20:40 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-28 20:40 . 2010-09-28 20:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-28 20:40 . 2010-09-28 20:40 -------- d-----w- c:\programdata\Malwarebytes
2010-09-28 20:40 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-22 00:44 . 2010-09-22 00:54 -------- d-----w- c:\users\Bob\AppData\Local\Microsoft Games
2010-09-15 01:46 . 2010-09-15 01:46 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-09-14 23:56 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-14 23:54 . 2010-09-14 23:54 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-09-14 23:54 . 2010-09-14 23:54 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-09-14 23:54 . 2010-09-14 23:53 185640 ----a-w- c:\programdata\DivX\Setup\finishPlugin.dll
2010-09-14 23:54 . 2010-09-14 23:54 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-09-14 23:54 . 2010-09-14 23:54 57691 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-09-14 23:54 . 2010-09-14 23:54 84063 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-09-14 23:54 . 2010-09-14 23:54 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-09-14 20:52 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-07 18:51 . 2010-08-30 18:34 1496064 ----a-w- c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\a3mf1dls.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-07 18:51 . 2010-08-30 18:33 43008 ----a-w- c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\a3mf1dls.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-09-07 18:51 . 2010-08-30 18:33 338944 ----a-w- c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\a3mf1dls.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-09-07 18:51 . 2010-08-30 18:33 346112 ----a-w- c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\a3mf1dls.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-09-06 16:55 . 2010-09-06 16:55 -------- d-----w- c:\program files\iPod
2010-09-06 16:55 . 2010-09-06 16:55 -------- d-----w- c:\program files\iTunes
2010-09-06 16:54 . 2010-09-06 16:54 -------- d-----w- c:\program files\QuickTime
2010-09-06 16:51 . 2010-09-06 16:51 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 21:57 . 2010-07-24 15:45 -------- d-----w- c:\users\Bob\AppData\Roaming\Skype
2010-10-01 21:57 . 2010-01-29 20:13 -------- d-----w- c:\users\Bob\AppData\Roaming\uTorrent
2010-10-01 21:32 . 2010-08-29 01:50 -------- d-----w- c:\program files\Steam
2010-10-01 21:20 . 2010-07-11 02:04 -------- d-----w- c:\users\Bob\AppData\Roaming\QuickScan
2010-09-30 21:52 . 2010-01-29 19:34 -------- d-----w- c:\programdata\NVIDIA
2010-09-29 01:11 . 2010-05-02 21:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-28 22:40 . 2010-08-01 01:43 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-09-28 20:02 . 2010-07-24 15:46 -------- d-----w- c:\users\Bob\AppData\Roaming\skypePM
2010-09-27 23:14 . 2010-02-20 13:23 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-27 23:14 . 2010-01-29 20:14 -------- d-----w- c:\program files\uTorrent
2010-09-15 19:21 . 2010-07-19 15:47 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-14 23:56 . 2010-03-06 01:12 -------- d-----w- c:\program files\Java
2010-09-14 23:54 . 2010-04-30 20:22 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-09-14 23:54 . 2010-04-30 20:13 -------- d-----w- c:\program files\DivX
2010-09-14 23:54 . 2010-04-30 20:13 -------- d-----w- c:\programdata\DivX
2010-09-14 23:53 . 2010-08-20 19:25 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-09-14 23:53 . 2010-08-20 19:24 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-09-14 23:53 . 2010-04-30 20:20 850200 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-09-06 17:17 . 2010-08-01 01:43 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-06 16:55 . 2010-01-29 20:32 -------- d-----w- c:\program files\Common Files\Apple
2010-08-29 01:50 . 2010-08-29 01:50 -------- d-----w- c:\program files\Common Files\Steam
2010-08-20 22:24 . 2010-08-20 22:24 -------- d-----w- c:\program files\Norton Security Scan
2010-08-20 22:24 . 2010-04-30 23:14 -------- d-----w- c:\programdata\Norton
2010-08-20 22:24 . 2010-08-20 22:24 -------- d-----w- c:\program files\NortonInstaller
2010-08-20 12:26 . 2010-08-20 12:26 0 ----a-w- c:\windows\nsreg.dat
2010-08-14 14:39 . 2010-08-14 14:39 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-08-11 00:36 . 2010-07-22 01:51 -------- d-----w- c:\users\Bob\AppData\Roaming\A0F1B481D24340E1FB400FF4E07E8483
2010-08-11 00:32 . 2010-07-31 12:34 0 ----a-w- c:\users\Bob\AppData\Local\Oralukelikufev.bin
2010-08-07 04:18 . 2010-08-07 04:15 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2010-08-07 04:18 . 2010-08-07 04:15 401408 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2010-08-07 04:15 . 2010-08-07 04:15 90112 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2010-08-07 04:15 . 2010-08-07 04:15 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2010-08-07 04:15 . 2010-08-07 04:15 167936 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2010-08-07 04:15 . 2010-08-07 04:15 118784 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2010-08-07 04:15 . 2010-08-07 04:15 -------- d-----w- c:\programdata\NexonUS
2010-08-06 23:39 . 2010-02-04 21:28 87400 ----a-w- c:\users\Bob\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-06 23:36 . 2010-07-27 18:06 -------- d-----w- c:\program files\ooVoo
2010-08-04 12:19 . 2010-08-04 12:19 134464 ----a-w- c:\windows\system32\LnkProtect.dll
2010-07-31 12:34 . 2010-07-31 12:34 120 ----a-w- c:\users\Bob\AppData\Local\Dpalequwam.dat
2010-07-29 06:30 . 2010-08-13 00:15 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-13 00:15 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-28 03:00 . 2010-07-28 03:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-07 328568]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2010-07-11 18707640]
"Steam"="c:\program files\steam\steam.exe" [2010-08-29 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-25 202256]
"openvpn-gui"="c:\program files\UltraVPN\bin\openvpn-gui.exe" [2009-05-26 413635]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\Bob\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"vrpfjnxa"=c:\users\Bob\AppData\Local\jmdckxfak\ktrakksshdw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-02-06 727720]
R2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-02-06 38240]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-12-17 1044808]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-07-13 1394688]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-09-28 16968]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2010-05-20 30576]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-07-13 545792]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-30 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1919156618-3699952227-470474661-1000Core.job
- c:\users\Bob\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-07 13:02]

2010-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1919156618-3699952227-470474661-1000UA.job
- c:\users\Bob\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-07 13:02]

2010-09-28 c:\windows\Tasks\Hitman Pro 3.5 Boot Task.job
- c:\program files\Hitman Pro 3.5\HitmanPro35.exe [2010-08-01 20:30]

2010-09-20 c:\windows\Tasks\Norton Security Scan for Bob.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-08-20 14:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mystart.com?pr=oovoo2_2
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\a3mf1dls.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\a3mf1dls.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\a3mf1dls.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\users\Bob\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Bob\AppData\Roaming\Move Networks\plugins\npqmp071502000008.dll
FF - plugin: c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\a3mf1dls.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
HKCU-Run-prbwnfvb - c:\users\Bob\AppData\Local\vnyqbkgmk\hgwrqjutssd.exe
HKLM-RunOnce-<NO NAME> - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-10-01 18:07:41
ComboFix-quarantined-files.txt 2010-10-01 22:07

Pre-Run: 409,602,555,904 bytes free
Post-Run: 409,215,438,848 bytes free

- - End Of File - - 9F8F4E751D4523E85A6B2754BC692BC6



#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 06 October 2010 - 05:18 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 10 October 2010 - 07:58 PM

This topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.