Browser redirect, Windows XP


This topic is locked. 2 replies to this topic.

#1 Computer Chip

  • Members
  • 3 posts

Posted 09 October 2010 - 04:44 PM

OK... I will admit that I used ComboFix without anyone telling me to. I have used it in the past and never had a problem.

ComboFix got rid of the rogue AV, but it still seems infected, as the browser redirects from search engine links.

Here are my logs:

DDS (Ver_10-10-10.02) - NTFSx86
Run by Debbie at 16:14:35.90 on Sat 10/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.593 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Debbie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/download/tgctlcm.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154707060698
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-3-17 220128]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-3-17 15328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2010-10-9 27192]

=============== Created Last 30 ================

2010-10-09 19:58:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Macrium
2010-10-09 19:57:28 -------- d-----w- c:\program files\Macrium
2010-10-09 19:47:44 -------- d-----w- c:\docume~1\debbie\locals~1\applic~1\Help
2010-10-09 12:53:10 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{9773438c-a9e9-447f-bed0-9ab5235dbe6e}\mpengine.dll
2010-10-09 12:51:05 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-10-09 12:51:02 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-10-09 12:51:00 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-10-09 12:50:57 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-10-09 12:50:53 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-10-09 12:50:40 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-10-09 12:50:36 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-10-09 12:50:35 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-10-09 12:50:32 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-10-09 12:50:31 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-10-09 12:50:30 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-10-09 12:48:57 16925 ----a-w- c:\windows\system32\dllcache\w940nd.sys
2010-10-09 12:47:58 794654 ----a-w- c:\windows\system32\dllcache\usr1801.sys
2010-10-09 12:46:57 440576 ----a-w- c:\windows\system32\dllcache\tridkb.dll
2010-10-09 12:45:59 7040 ----a-w- c:\windows\system32\dllcache\tandqic.sys
2010-10-09 12:44:57 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
2010-10-09 12:43:57 28160 ----a-w- c:\windows\system32\dllcache\sm91w.dll
2010-10-09 12:42:59 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2010-10-09 12:41:59 182272 ----a-w- c:\windows\system32\dllcache\s3mt3d.dll
2010-10-09 12:40:59 6016 ----a-w- c:\windows\system32\dllcache\qic157.sys
2010-10-09 12:39:59 86016 ----a-w- c:\windows\system32\dllcache\pctspk.exe
2010-10-09 12:38:59 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2010-10-09 12:38:56 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-10-09 12:38:53 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-10-09 12:38:51 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-10-09 12:38:47 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2010-10-09 12:38:44 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2010-10-09 12:38:39 51552 ----a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-10-09 12:38:39 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-10-09 12:38:36 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2010-10-09 12:38:33 7552 ----a-w- c:\windows\system32\dllcache\nsmmc.sys
2010-10-09 12:38:32 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2010-10-09 12:36:59 52255 ----a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-10-09 12:35:56 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-10-09 12:34:58 20573 ----a-w- c:\windows\system32\dllcache\lne100.sys
2010-10-09 12:33:57 8704 ----a-w- c:\windows\system32\dllcache\infoctrs.dll
2010-10-09 12:32:58 50751 ----a-w- c:\windows\system32\dllcache\hsf_tone.sys
2010-10-09 12:31:58 83968 ----a-w- c:\windows\system32\dllcache\hpgt21.dll
2010-10-09 12:30:59 11850 ----a-w- c:\windows\system32\dllcache\f3ab18xj.sys
2010-10-09 12:29:58 634134 ----a-w- c:\windows\system32\dllcache\el656ct5.sys
2010-10-09 12:28:59 86016 ----a-w- c:\windows\system32\dllcache\dc240usd.dll
2010-10-09 12:27:49 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-10-09 12:03:09 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2010-10-09 12:03:02 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-10-09 12:02:56 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-10-09 12:02:56 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-10-09 12:02:55 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2010-10-09 12:02:54 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-10-09 12:02:54 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-10-09 12:02:54 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2010-10-09 11:39:29 389120 ----a-w- c:\windows\system32\CF27981.exe
2010-10-09 10:52:41 -------- d-----w- c:\program files\Trend Micro
2010-10-09 10:48:53 -------- d-sh--w- c:\documents and settings\debbie\IECompatCache
2010-10-09 10:48:22 -------- d-sh--w- c:\documents and settings\debbie\PrivacIE
2010-10-09 10:47:35 -------- d-sh--w- c:\documents and settings\debbie\IETldCache
2010-10-09 10:42:03 -------- dc-h--w- c:\windows\ie8
2010-10-09 10:16:09 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2010-10-08 22:09:27 -------- d-----w- c:\program files\SpywareBlaster
2010-10-08 21:20:04 -------- d-----w- c:\docume~1\debbie\applic~1\SUPERAntiSpyware.com
2010-10-08 20:56:08 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-08 19:16:47 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-10-08 19:10:21 -------- d-sha-r- C:\cmdcons
2010-10-08 19:07:13 98816 ----a-w- c:\windows\sed.exe
2010-10-08 19:07:13 77312 ----a-w- c:\windows\MBR.exe
2010-10-08 19:07:13 256512 ----a-w- c:\windows\PEV.exe
2010-10-08 19:07:13 161792 ----a-w- c:\windows\SWREG.exe
2010-10-08 19:06:57 -------- d-----w- C:\123456294481
2010-10-08 19:05:05 -------- d-----w- C:\123456
2010-10-08 19:05:04 389120 ----a-w- c:\windows\system32\CF29751.exe
2010-10-08 14:07:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-08 13:47:51 -------- d-----w- c:\docume~1\debbie\applic~1\Malwarebytes
2010-10-08 13:47:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-08 13:47:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 13:47:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-08 13:47:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-08 13:24:46 48 ----a-w- c:\windows\system32\_1PUTILS.dat
2010-10-08 13:23:59 -------- d-----w- c:\program files\Perfect Utilities
2010-10-08 13:10:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-08 13:10:42 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-07 01:24:29 112 ----a-w- c:\docume~1\alluse~1\applic~1\xGiGG0O.dat
2010-10-06 17:35:19 -------- d-----w- c:\docume~1\debbie\applic~1\CallingID
2010-10-06 17:34:22 -------- d-----w- c:\windows\rnapxs

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 16:16:28.98 ===============
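The DDS log above is the kind of report helpers in these threads read by eye. As an added example (not part of this thread and not the DDS tool's own code), here is a small Python triage helper that parses the `=== Section ===` headers, the `SERVICES / DRIVERS` lines and the `Created Last 30` lines, then applies three review heuristics of my own: a file created directly in a Windows system directory or the all-users application-data root, a name that looks machine-generated, and a kernel driver whose file is itself among the recently created entries. The sample input is an excerpt taken from the log posted above; the `WATCH_DIRS` list and the `looks_random` rule are assumptions, and a flag means "look at this", not a verdict.

```python
"""Triage helper for DDS scan logs (added example; not the DDS tool's code).

Parses the section headers, the SERVICES / DRIVERS lines and the
"Created Last 30" lines, and attaches review flags to each created entry.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in DDS format; the lines are taken from the log above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2010-10-9 27192]

=============== Created Last 30 ================

2010-10-09 11:39:29 389120 ----a-w- c:\windows\system32\CF27981.exe
2010-10-09 10:16:09 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2010-10-08 19:07:13 77312 ----a-w- c:\windows\MBR.exe
2010-10-07 01:24:29 112 ----a-w- c:\docume~1\alluse~1\applic~1\xGiGG0O.dat
2010-10-06 17:34:22 -------- d-----w- c:\windows\rnapxs
2010-10-09 19:57:28 -------- d-----w- c:\program files\Macrium

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S{8})\s+(.+)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]+)\]$")

# Assumed watch list: directories where a brand-new file deserves a second look
# (lower-case, no trailing backslash, compared against the entry's parent).
WATCH_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\windows\system32\drivers",
    r"c:\docume~1\alluse~1\applic~1",
}


@dataclass
class Entry:
    created: str
    size: str    # "--------" for directories
    attrs: str   # e.g. "d-----w-" or "----a-w-"
    path: str
    flags: list


def split_sections(text):
    """Map each '=== Header ===' section name to its non-empty body lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def looks_random(stem):
    """Assumed heuristic: no vowels, digit-heavy, or jumbled letter case."""
    letters = [c for c in stem if c.isalpha()]
    digits = [c for c in stem if c.isdigit()]
    if len(stem) < 5 or not letters:
        return False
    if not any(c in "aeiouAEIOU" for c in letters):
        return True
    if digits and len(digits) / len(stem) >= 0.4:
        return True
    case_changes = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return case_changes >= 3


def parse_services(lines):
    """Return {file path (lower-case): service name} for every R*/S* line."""
    out = {}
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            out[m.group(4).lower()] = m.group(2)
    return out


def triage(text):
    """Parse the log and return one Entry per 'Created Last 30' line, with flags."""
    sections = split_sections(text)
    drivers = parse_services(sections.get("SERVICES / DRIVERS", []))
    entries = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        created, size, attrs, path = m.groups()
        lower = path.lower()
        parent = lower.rpartition("\\")[0]
        name = path.rpartition("\\")[2]          # keep original case for the name test
        flags = []
        if parent in WATCH_DIRS:
            flags.append("new-in-system-dir")
        if looks_random(name.rsplit(".", 1)[0]):
            flags.append("random-looking-name")
        if lower in drivers:                      # a driver registered as a service, created this month
            flags.append(f"new-driver:{drivers[lower]}")
        entries.append(Entry(created, size, attrs, path, flags))
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e.flags:
            print(e.created, e.path, ", ".join(e.flags))
```

Run stand-alone it prints only the flagged entries; the cross-reference between the driver list and the created list is the part worth keeping, since a freshly dropped kernel driver is exactly what an MBR/rootkit cleanup thread turns on, and a flagged driver should be checked against its publisher signature before anything is removed.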


#2 Computer Chip

  • Topic Starter
  • Members
  • 3 posts

Posted 10 October 2010 - 05:00 AM

Solved: Ran TDSSKiller from Run with -l. Found MBR infection and cured. Problem gone.

I was able to find a nearly identical scenario and followed the steps. Thank you.

I would LOVE to sign up for training ASAP.

#3 Budapest

  • Bleepin' Cynic
  • Moderator
  • 23,579 posts

Posted 10 October 2010 - 03:53 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw