
Google Redirect - Nothing found


  • This topic is locked
4 replies to this topic

#1 DaBigKahuna

Posted 26 May 2011 - 12:14 AM

Hi,

I posted in the Am I infected? What do I do? forum and was told to post logs here since nothing was showing up on any scans or logs. Topic referenced is here: http://www.bleepingcomputer.com/forums/topic399518.html/ ~ OB

I have a Windows XP Pro SP3 system with a google redirect happening. I'm not seeing anything specific causing the problem. It's usually a redirect to an ad or similar.

Here's what I've tried so far:

  • Checked IE internet settings to make sure there is no proxy setup
  • Checked hosts file and DNS
  • Ran Symantec Corp AV
  • Ran Malwarebytes
  • Ran SuperAntiMalware
  • Ran ESET web scan
  • Ran TDSSkiller
  • Ran rkill
  • Updated all programs before running them.

Everything comes up clean. No signs of anything. It doesn't appear to be happening in safe mode.

Kind of at a loss as nothing seems to even see that there is a problem.

Thanks for any help or advice you can offer.


DDS log below.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by at 21:03:04 on 2011-05-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.2759 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\DOCUME~1\llahaye\LOCALS~1\Temp\LMIR0002.tmp\unattended_srv.exe
C:\WINDOWS\TEMP\LMIR0001.tmp\LMI_Rescue_srv.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\TEMP\LMIR0001.tmp\LMI_Rescue_srv.exe
C:\WINDOWS\TEMP\LMIR0001.tmp\LMI_Rescue.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\llahaye\LOCALS~1\Temp\LMIR0002.tmp\unattended.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\llahaye\Desktop\AV\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx
mSearchAssistant = hxxp://www.bing.com/sphome.aspx
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Pesquisa 1.4 Toolbar: {2b1ed805-4587-44ca-9ad5-ec821a21906d} - c:\program files\translatorbar_3\prxtbTra0.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Pesquisa 1.4 Toolbar: {2b1ed805-4587-44ca-9ad5-ec821a21906d} - c:\program files\translatorbar_3\prxtbTra0.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Pesquisa 1.4 Toolbar: {2b1ed805-4587-44ca-9ad5-ec821a21906d} - c:\program files\translatorbar_3\prxtbTra0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [PPort9reminder] "c:\program files\scansoft\paperport\webereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\9\config\ereg.ini"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
StartupFolder: c:\docume~1\llahaye\startm~1\programs\startup\blackb~1.lnk - c:\program files\research in motion\blackberry\Redirector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: {B283EAEB-9787-4BBC-8D83-B7C69982AA59} = 192.168.1.5,4.2.2.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2010-2-27 24064]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-12 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRescue_868d819c-b017-42ec-99fd-590ec0b3a82a;LogMeIn Rescue (868d819c-b017-42ec-99fd-590ec0b3a82a);c:\windows\temp\lmir0001.tmp\LMI_Rescue_srv.exe [2011-5-25 2482552]
R2 LMIRescueUA_101115;LogMeIn Rescue (101115);c:\docume~1\llahaye\locals~1\temp\lmir0002.tmp\unattended_srv.exe -service -unattendedid 282690 --> c:\docume~1\llahaye\locals~1\temp\lmir0002.tmp\unattended_srv.exe -service -unattendedid 282690 [?]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-3-12 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-9-28 363344]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-18 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-18 399416]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-9-28 20952]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVENG.sys [2010-10-18 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVEX15.sys [2010-10-18 1371184]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-7-16 376096]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-17 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-17 135664]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-7-22 76288]
.
=============== Created Last 30 ================
.
2011-05-25 17:33:38 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-05-25 17:26:30 -------- d-----w- c:\program files\common files\xing shared
2011-05-25 17:21:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 17:19:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-25 17:15:46 -------- d-----w- c:\documents and settings\llahaye\local settings\application data\Secunia PSI
2011-05-25 17:15:40 -------- d-----w- c:\program files\Secunia
2011-05-25 00:02:06 -------- d-sha-r- C:\cmdcons
2011-05-25 00:01:10 89088 ----a-w- c:\windows\MBR.exe
2011-05-25 00:01:09 256512 ----a-w- c:\windows\PEV.exe
2011-05-25 00:01:08 98816 ----a-w- c:\windows\sed.exe
2011-05-25 00:01:08 161792 ----a-w- c:\windows\SWREG.exe
2011-05-25 00:01:01 -------- d-s---w- C:\gotcha
2011-05-24 23:33:36 -------- d-----w- c:\documents and settings\llahaye\application data\SUPERAntiSpyware.com
2011-05-24 23:33:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-24 23:22:31 -------- d-----w- c:\program files\ESET
2011-05-24 22:52:51 -------- d-----w- c:\documents and settings\llahaye\local settings\application data\LogMeIn Rescue Unattended
2011-05-24 22:42:59 -------- d-----w- c:\windows\pss
2011-05-23 00:32:59 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{136ea067-bf00-45c8-b724-cd167e4d92e9}\mpengine.dll
2011-05-20 00:35:22 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-05-18 21:44:21 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-12 21:46:00 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-12 21:45:59 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-03 15:28:50 61513480 ----a-w- C:\bmy5wj9b.exe
.
==================== Find3M ====================
.
2011-05-25 20:43:30 256 ----a-w- c:\windows\system32\pool.bin
2011-05-25 17:19:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-22 16:33:51 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-03-11 14:10:38 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:27:43 1866880 ----a-w- c:\windows\system32\win32k.sys
2010-10-25 18:27:43 6153352 ----a-w- c:\program files\mbam-setup.exe
.
============= FINISH: 21:03:44.73 ===============

GMER Log

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-25 22:12:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST325031 rev.CC45
Running: gmer.exe; Driver: C:\DOCUME~1\llahaye\LOCALS~1\Temp\fxtdrpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8A99000, 0x236DB7, 0xE8000020]
? C:\DOCUME~1\llahaye\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01A3C23C
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 01A3D349
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 01A3D187
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 01A3CDFD
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 01A3D0AC
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 01A3D262
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 01A3CFE0
.text C:\Program Files\Internet Explorer\iexplore.exe[396] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 01A3D514
.text C:\Program Files\Internet Explorer\iexplore.exe[396] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 01A3CF14
.text C:\Program Files\Internet Explorer\iexplore.exe[396] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 01A3D430
.text C:\Program Files\Internet Explorer\iexplore.exe[396] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 01A3D8D4
.text C:\Program Files\Internet Explorer\iexplore.exe[396] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 01A3D9A1
.text C:\Program Files\Internet Explorer\iexplore.exe[396] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 01A3BD87
.text C:\Program Files\Internet Explorer\iexplore.exe[396] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01A3CD56
.text C:\Program Files\Internet Explorer\iexplore.exe[396] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01A3C8CB
.text C:\Program Files\Internet Explorer\iexplore.exe[396] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01A3CAF2
.text C:\Program Files\Internet Explorer\iexplore.exe[396] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 01A3BCC6
.text C:\Program Files\Internet Explorer\iexplore.exe[396] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01A3C970
.text C:\Program Files\Internet Explorer\iexplore.exe[396] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01A3CA1E
.text C:\Program Files\Internet Explorer\iexplore.exe[396] WS2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 01A3C15D
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 00C3D349
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 00C3D187
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 00C3CDFD
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 00C3D0AC
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 00C3D262
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[528] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[528] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 00C3CFE0
.text C:\Program Files\Internet Explorer\iexplore.exe[528] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 00C3D514
.text C:\Program Files\Internet Explorer\iexplore.exe[528] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 00C3CF14
.text C:\Program Files\Internet Explorer\iexplore.exe[528] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 00C3D430
.text C:\Program Files\Internet Explorer\iexplore.exe[528] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 00C3D8D4
.text C:\Program Files\Internet Explorer\iexplore.exe[528] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 00C3D9A1
.text C:\Program Files\Internet Explorer\iexplore.exe[528] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00C3BD87
.text C:\Program Files\Internet Explorer\iexplore.exe[528] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C3CD56
.text C:\Program Files\Internet Explorer\iexplore.exe[528] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C3C8CB
.text C:\Program Files\Internet Explorer\iexplore.exe[528] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C3CAF2
.text C:\Program Files\Internet Explorer\iexplore.exe[528] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00C3BCC6
.text C:\Program Files\Internet Explorer\iexplore.exe[528] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C3C970
.text C:\Program Files\Internet Explorer\iexplore.exe[528] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C3CA1E
.text C:\Program Files\Internet Explorer\iexplore.exe[528] WS2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 00C3C15D
.text C:\WINDOWS\system32\SearchIndexer.exe[2520] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device 9D565D20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----


Edited by Orange Blossom, 27 May 2011 - 05:12 PM.
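As an added triage example (not part of the original post and not code from DDS, GMER or any tool named in this thread), the script below runs a few heuristics over lines from the logs above: executables running or registered from a Temp directory, BHO/toolbar entries whose file is missing, files created directly in the drive root, and user-mode inline hooks whose jump target GMER could not attribute to a loaded module. The sample lines are excerpted from the logs in this post, and the function names and reason strings are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Sample lines excerpted from the DDS log posted above (not the complete log).
DDS_SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\DOCUME~1\llahaye\LOCALS~1\Temp\LMIR0002.tmp\unattended_srv.exe
C:\WINDOWS\TEMP\LMIR0001.tmp\LMI_Rescue_srv.exe
C:\Program Files\Internet Explorer\iexplore.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
R2 LMIRescueUA_101115;LogMeIn Rescue (101115);c:\docume~1\llahaye\locals~1\temp\lmir0002.tmp\unattended_srv.exe -service -unattendedid 282690 --> c:\docume~1\llahaye\locals~1\temp\lmir0002.tmp\unattended_srv.exe -service -unattendedid 282690 [?]
2011-05-03 15:28:50 61513480 ----a-w- C:\bmy5wj9b.exe
2011-05-25 00:01:10 89088 ----a-w- c:\windows\MBR.exe
"""

# Sample lines excerpted from the GMER "User code sections" above (not the complete log).
GMER_SAMPLE = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[396] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[396] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 01A3BD87
.text C:\Program Files\Internet Explorer\iexplore.exe[396] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01A3C8CB
.text C:\WINDOWS\system32\SearchIndexer.exe[2520] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
"""

# Any path component named "temp" (covers \LOCALS~1\Temp\ and \WINDOWS\TEMP\).
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# Registered IE extension / startup entry whose backing file DDS could not find.
NO_FILE = re.compile(r"^(?:BHO|TB|EB|uRun|mRun|Notify|SSODL|SEH):.*- No File$")
# "Created Last 30" / "Find3M" entry for a *file* (numeric size) sitting directly in a drive root.
ROOT_FILE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+\S+\s+[A-Za-z]:\\[^\\]+$")
# GMER user-mode hook line; the trailing module attribution is optional in GMER's output.
HOOK = re.compile(
    r"^\.text (?P<proc>.+?\[\d+\]) (?P<func>\S+) (?P<addr>[0-9A-F]+) "
    r"(?P<size>\d+) Bytes (?P<kind>JMP|CALL) (?P<target>[0-9A-F]+)(?: (?P<module>.+))?$"
)

Finding = Tuple[str, str]  # (reason, offending log line)


def triage_dds(text: str) -> List[Finding]:
    """Flag DDS log lines that deserve a second look; at most one reason per line."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TEMP_DIR.search(line):
            findings.append(("executes from a Temp directory", line))
        elif NO_FILE.match(line):
            findings.append(("registered extension whose file is missing", line))
        elif ROOT_FILE.match(line):
            findings.append(("file created directly in drive root", line))
    return findings


def triage_gmer(text: str) -> List[Finding]:
    """Flag inline hooks whose JMP/CALL target GMER did not attribute to a named module."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = HOOK.match(line.strip())
        if m and m.group("module") is None:
            findings.append(("inline hook to memory not attributed to a module", line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, e.g. to see at a glance what kind of items need checking."""
    return dict(Counter(reason for reason, _ in findings))


if __name__ == "__main__":
    for reason, line in triage_dds(DDS_SAMPLE) + triage_gmer(GMER_SAMPLE):
        print(f"[{reason}] {line}")
    print(summarize(triage_dds(DDS_SAMPLE)))
```

A hit is a prompt to check the item against software known to be on the machine, not a verdict: the LogMeIn Rescue binaries in Temp belong to a remote-support tool, and security products such as the Symantec client in these logs also place hooks in processes.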




#2 CatByte

    bleepin' tiger

  • Malware Response Team

Posted 28 May 2011 - 06:52 PM

Hi

Please post the ComboFix Log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 DaBigKahuna
  • Topic Starter

Posted 31 May 2011 - 02:03 PM

ComboFix log attached. Sorry, out of town over the weekend.

Thanks very much for any help you can offer.

Attached Files



#4 CatByte

    bleepin' tiger

  • Malware Response Team

Posted 31 May 2011 - 03:34 PM

Hi,

Please do the following:

(note: Allow ComboFix to update if it requests to do so)

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
C:\bmy5wj9b.exe


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 CatByte

    bleepin' tiger

  • Malware Response Team

Posted 10 June 2011 - 01:51 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




