Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HiJacked


  • This topic is locked This topic is locked
2 replies to this topic

#1 pomchi

pomchi

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 05 January 2011 - 03:24 PM

hi.

i need some help.

I'm running windows xp. browser page is constantly redirected.

i ran malwarebytes; cleaned up some infected files, but still have problem. log will appear below.

also ran hijackthis. log will appear below.

can't run tdskiller, no matter what name i change file to.


hijackthis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:20:49 AM, on 1/5/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TSSchBkpService.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Virtual Account Numbers Helper - {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files\Virtual Account Numbers\CitiVANHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Virtual Account Numbers - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files\Virtual Account Numbers\CitiVANToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.humana-medicare.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1282257022093
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Amazon Download Agent (amazon download agent) - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Samsung UPD Service - Samsung Electronics CO., LTD. - C:\WINDOWS\system32\SUPDSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TimeslipsBackup (TSScheduleBackup) - Unknown owner - C:\WINDOWS\system32\TSSchBkpService.exe

--
End of file - 9504 bytes



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5464

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/5/2011 11:05:10 AM
mbam-log-2011-01-05 (11-05-10).txt

Scan type: Full scan (C:\|)
Objects scanned: 222788
Time elapsed: 29 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edit: Moved topic from Am I infected? What do I do? to the more appropriate forum, due to the presence of a HijackThis log. ~ Animal

here is combofix log.

thanks in advance for any help you can give me.

ComboFix 11-01-04.06 - Steve Sokol 01/05/2011 7:43.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.943 [GMT -8:00]
Running from: c:\documents and settings\Steve Sokol\Desktop\Steve.exe
.

((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2011-01-05 07:18 . 2011-01-05 07:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-05 07:03 . 2011-01-05 07:18 -------- d-----w- C:\32788R22FWJFW(2)
2011-01-05 06:48 . 2011-01-05 06:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-01-05 06:46 . 2011-01-05 06:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-12-26 07:22 . 2010-12-26 07:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\IsolatedStorage
2010-12-15 15:18 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 15:17 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2007-07-02 22:21 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2004-08-04 10:00 78336 ------w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2004-08-04 10:00 389120 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 10:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 10:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot_2011-01-05_09.11.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-05 09:31 . 2011-01-05 09:31 16384 c:\windows\temp\Perflib_Perfdata_560.dat
+ 2011-01-05 09:31 . 2011-01-05 09:31 16384 c:\windows\temp\Perflib_Perfdata_528.dat
+ 2007-07-02 22:27 . 2011-01-05 09:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-02 22:27 . 2011-01-05 08:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-07-02 22:27 . 2011-01-05 09:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-07-02 22:27 . 2011-01-05 08:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-08-19 21:43 . 2011-01-05 09:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-08-19 21:43 . 2011-01-05 08:29 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Norton Ghost 12.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-11-13 2037096]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-12 44544]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-23 21:36 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 18:09 63712 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 15:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amazongsdownloadertray]
2009-05-20 21:17 223744 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2003-06-11 18:54 4608 -c--a-w- c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Citi Virtual Account Numbers]
2009-07-10 23:53 372736 ----a-w- c:\progra~1\VIRTUA~1\CitiVAN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 12.0]
2008-11-13 00:01 2037096 ----a-w- c:\program files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OP14 Reminder]
2003-07-07 17:29 729088 -c--a-r- c:\program files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpScheduler]
2004-03-08 20:33 114688 -c--a-w- c:\program files\ScanSoft\OmniPagePro14.0\OpScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
2004-03-08 20:30 57344 -c--a-w- c:\program files\ScanSoft\OmniPagePro14.0\opware14.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2007-06-18 23:10 271360 -c--a-w- c:\program files\Nokia PC Suite\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Converter Registry Controller]
2003-09-30 17:55 102400 -c--a-w- c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pxdotnetloader]
2009-03-25 09:26 42336 ----a-w- c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
2003-07-18 17:58 28672 -c--a-w- c:\program files\Sharp\Sharpdesk\SharpTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 17:22 155648 -c--a-r- c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSPrnAgent]
2003-10-29 10:07 20480 -c--a-w- c:\program files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-04 03:52 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-07-04 03:11 185896 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
2004-03-08 20:31 155747 -c--a-w- c:\program files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 amazon download agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [9/30/2009 7:44 PM 297472]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [7/9/2010 11:40 AM 65856]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [12/20/2007 1:03 AM 23200]
S1 b3f546b2;b3f546b2;c:\windows\system32\drivers\b3f546b2.sys [6/5/2009 5:55 AM 0]
S2 ssport;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S2 TSScheduleBackup;TimeslipsBackup;c:\windows\system32\TSSchBkpService.exe [7/7/2007 4:12 PM 705024]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [9/3/2009 4:21 PM 127656]
S3 SecBulk;SECBULK.sys, SEC SOC USBD Driver;c:\windows\system32\drivers\secbulk.sys [8/18/2007 4:49 PM 10430]
S3 USBVSP;USBVSP;c:\windows\system32\drivers\usbvsp.sys [11/22/2007 12:29 AM 89728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = about:blank
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open PDF in Word - c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
Trusted Zone: aol.com\free
Trusted Zone: humana-medicare.com
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Steve Sokol\Application Data\Mozilla\Firefox\Profiles\5z4v44e5.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Virtual Account Numbers: citius@orbiscom - c:\program files\Virtual Account Numbers
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-05 08:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F928A42E-A485-A8B7-A8CC-6E7802559D58}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ianhlbjfebnofkegph"=hex:6a,61,6a,6b,6e,65,6c,6e,6d,66,64,66,66,69,62,70,63,6e,
69,6f,00,d0
"hahffkgkenhelpng"=hex:6a,61,6a,6b,63,66,6d,6d,6d,6c,63,65,67,6e,69,66,70,6f,
66,6d,00,22
"iajelklmbnpiaghgac"=hex:63,61,6d,6b,6d,67,00,7c

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-01-05 08:22:28
ComboFix-quarantined-files.txt 2011-01-05 16:22
ComboFix2.txt 2011-01-05 09:25
ComboFix3.txt 2010-08-19 16:45
ComboFix4.txt 2010-06-26 10:17
ComboFix5.txt 2011-01-05 15:36

Pre-Run: 7,269,961,728 bytes free
Post-Run: 7,289,683,968 bytes free

- - End Of File - - A3DB2C35A26463D6969CE0CAB72FE04D

still haven't heard from anyone yet, but here's an update (which hopefully will save us some time):

Redirect is from google search in IE and Firefox. Also get computer error messages generated by malware/virus.

I cannot run tdss killer, even in safe mode and even after renaming it. Also i cannot use control/alt/delete to shut down individual programs or even to see what is running.

Malwarebytes, combofix, super antispyware, norman tdss cleaner, eolmarktdl4 cleaner, mcafee stinger, f-secure blacklight and a few other programs don't detect that there's a problem.

Dr. Web identified a backdoor tdss 565 and eradicates it, but then it reappears.

computer is running windows xp sp3; pentium 4 dell.

Thanks in advance.

oh and eset found nothing either.

Merged 4 posts. ~ OB

Edited by Orange Blossom, 08 January 2011 - 11:41 PM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:34 PM

Posted 10 January 2011 - 07:18 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:34 PM

Posted 16 January 2011 - 09:26 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users