
Problem with Google Searches, redirected pages show up


  • This topic is locked
19 replies to this topic

#1 blangtang

blangtang

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:09 PM

Posted 10 October 2011 - 08:03 PM

Thanks for any assistance!

The 2 main issues are the redirected Google searches (have only noticed in the Firefox browser) and also an issue with Yahoo mail, where I have repeated Yahoo Messenger invites when I check my Yahoo mail. These two problems began about 10 days ago. I don't use and have never used Yahoo Messenger, so I wonder if these problems are connected.

I got a new wireless router about 2 weeks ago and didn't have these problems until I started using it; not sure if that would be related...?

Also my wallpaper on the desktop disappeared, and the pic I was using as well as some other files (like Calculator and the basic games like Solitaire) are missing or hidden. This may be due to an earlier problem I had with the Antivirus Soft malware that hijacked my system a couple of months ago. I believe I've gotten rid of this Antivirus Soft malware, but wonder if my files are gone or can be recovered.

I appreciate any help!

---------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 16:19:01 on 2011-10-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.488 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AcroWebHelper] rundll32.exe "c:\documents and settings\administrator\local settings\application data\acroglinterval\AcroWebHelper.dll",AppleMobileUI odbccfgTime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11
TCP: Interfaces\{1BFA878B-9AF7-4535-8375-AA5793435A59} : DhcpNameServer = 68.105.28.11 68.105.29.11
TCP: Interfaces\{1C4CA023-188A-42D8-B1CD-FE1E480760F0} : DhcpNameServer = 192.168.2.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\2dabhzpf.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-10-07 02:04:58 -------- d-----w- c:\program files\Overland
2011-10-07 01:23:23 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-10-07 01:23:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-05 17:56:05 -------- dc-h--w- c:\windows\ie8
2011-10-05 04:00:42 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-09-28 01:57:49 -------- d-----w- c:\documents and settings\administrator\local settings\application data\AcroGLInterval
.
==================== Find3M ====================
.
2011-10-05 16:49:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
============= FINISH: 16:19:30.35 ===============


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:09 PM

Posted 15 October 2011 - 06:44 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 blangtang

blangtang
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:09 PM

Posted 15 October 2011 - 07:30 PM

I'm here and the problem persists. Thanks for any help!

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:09 PM

Posted 15 October 2011 - 08:14 PM

Let's see if any rootkit activity is involved

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 blangtang

blangtang
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:09 PM

Posted 15 October 2011 - 08:22 PM

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-15 20:16:02
-----------------------------
20:16:02.187 OS Version: Windows 5.1.2600 Service Pack 3
20:16:02.187 Number of processors: 1 586 0x209
20:16:02.187 ComputerName: USER-C13FDF9FC8 UserName: Administrator
20:16:04.328 Initialize success
20:17:14.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:17:14.390 Disk 0 Vendor: WDC_WD800BB-53CAA0 16.06V16 Size: 76319MB BusType: 3
20:17:16.421 Disk 0 MBR read successfully
20:17:16.421 Disk 0 MBR scan
20:17:16.421 Disk 0 Windows XP default MBR code
20:17:16.421 Disk 0 scanning sectors +156296385
20:17:16.500 Disk 0 scanning C:\WINDOWS\system32\drivers
20:17:21.781 Service scanning
20:17:22.875 Modules scanning
20:17:29.109 Disk 0 trace - called modules:
20:17:29.140 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
20:17:29.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f95ab8]
20:17:29.140 3 CLASSPNP.SYS[f7617fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86fdab00]
20:17:29.156 Scan finished successfully
20:18:46.046 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\Logs\MBR.dat"
20:18:46.078 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\Logs\aswMBR.txt"

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:09 PM

Posted 15 October 2011 - 08:26 PM

That looks okay.

Please run Gooredfix next

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista/Windows 7).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


#7 blangtang

blangtang
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:09 PM

Posted 15 October 2011 - 08:53 PM

Okay, here's the newest log:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 20:48 on 15/10/2011 (Administrator)
Firefox version 7.0.1 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:00 05/10/2011]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [19:36 15/08/2009]
{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [01:23 07/10/2011]

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2dabhzpf.default\extensions\
{902D2C4A-457A-4EF9-AD43-7014562929FF} [01:20 27/03/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [13:52 13/07/2009]

-=E.O.F=-

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:09 PM

Posted 15 October 2011 - 08:56 PM

Please run Combofix next

Please download ComboFix from one of these locations. IMPORTANT: save ComboFix.exe to your Desktop, making sure you rename it comfix.exe.
  • Disable your AntiVirus and AntiSpyware applications, including firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (screenshot not reproduced here).

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 blangtang

blangtang
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:09 PM

Posted 15 October 2011 - 09:24 PM

ComboFix 11-10-15.04 - Administrator 10/15/2011 21:11:03.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.423 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Desktop\Windows XP Recovery.lnk
c:\documents and settings\Administrator\Local Settings\Application Data\AcroGLInterval\AcroWebHelper.dll
c:\documents and settings\Administrator\Start Menu\Programs\Windows XP Recovery
c:\documents and settings\Administrator\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
.
.
2011-10-07 02:04 . 2011-10-07 02:05 -------- d-----w- c:\program files\Overland
2011-10-07 01:23 . 2011-10-07 01:23 -------- d-----w- c:\program files\Common Files\Java
2011-10-07 01:23 . 2011-05-04 09:52 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-10-07 01:23 . 2011-05-04 09:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-05 17:56 . 2011-10-05 17:56 -------- dc-h--w- c:\windows\ie8
2011-10-05 04:00 . 2011-09-29 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-28 01:57 . 2011-10-16 02:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AcroGLInterval
2011-09-26 16:41 . 2011-09-26 16:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-05 16:49 . 2011-06-05 17:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41 . 2004-08-12 11:25 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-12 11:25 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2008-04-14 08:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-14 04:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2010-04-28 08:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2008-04-14 08:42 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-04-14 08:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 23:48 . 2008-04-14 08:41 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 11:56 . 2008-04-14 03:07 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2008-04-14 03:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-29 06:53 . 2011-10-05 04:00 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-03-22 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - GTNDIS5
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1177238915-1417001333-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-19 19:22]
.
2011-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1177238915-1417001333-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-19 19:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2dabhzpf.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AcroWebHelper - c:\documents and settings\Administrator\Local Settings\Application Data\AcroGLInterval\AcroWebHelper.dll
AddRemove-Move Media Player - c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-15 21:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1214440339-1177238915-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ff,fb,ec,09,40,cd,4c,46,b7,6f,94,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ff,fb,ec,09,40,cd,4c,46,b7,6f,94,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\GTGina.dll
.
Completion time: 2011-10-15 21:19:48
ComboFix-quarantined-files.txt 2011-10-16 02:19
.
Pre-Run: 68,549,394,432 bytes free
Post-Run: 68,745,633,792 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - EBA834B7263ED74B17D6B2EADCE8073C
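Two entries in the logs above are the ones a responder would pull out by hand: the uRun: [AcroWebHelper] line in the first DDS log (rundll32.exe loading a DLL from under Local Settings\Application Data with an arbitrary export name, which ComboFix later deleted and listed under "ORPHANS REMOVED"), and the mshta.exe entry in ComboFix's firewall AuthorizedApplications list. The following Python script is an added example, not part of this thread and not code from DDS or ComboFix; it scans text in those log formats and flags entries of both shapes. The sample log it runs against is a constructed excerpt in the shape of the logs above, and the user-writable path markers and script-host list are the example's own assumptions, not anything DDS or ComboFix defines.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a trimmed excerpt in the shape of the DDS "Pseudo HJT Report"
# and the ComboFix "Reg Loading Points" sections posted in this thread.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AcroWebHelper] rundll32.exe "c:\documents and settings\administrator\local settings\application data\acroglinterval\AcroWebHelper.dll",AppleMobileUI odbccfgTime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"""

# Path fragments marking locations a limited user can write to on Windows XP
# (assumption: a heuristic list, not an exhaustive one). Program Files and
# %windir% are deliberately excluded: that is where legitimate autoruns live.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\local settings\\",
    "\\application data\\",
    "\\temp\\",
)

# Script hosts and "living off the land" loaders that rarely need their own
# outbound firewall exception (assumption: curated list).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
FW_ENTRY_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')


@dataclass
class Finding:
    severity: str   # "high" or "review"
    rule: str
    line: str


def in_user_writable_dir(path: str) -> bool:
    """True if the path sits under a profile or temp directory a limited user can write to."""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def scan(log_text: str) -> List[Finding]:
    """Walk a DDS/ComboFix-style log and return suspicious autorun and firewall entries."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # REGEDIT4-style key headers tell us which registry section we are in.
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            d = RUNDLL_RE.search(cmd)
            if d and in_user_writable_dir(d.group("dll")):
                # rundll32 + a DLL under the user profile + an arbitrary export name is
                # the classic shape of a dropped component hiding behind a signed loader.
                findings.append(Finding("high", "rundll32 loads a DLL from a user-writable profile path", line))
            elif in_user_writable_dir(cmd):
                # Legitimate per-user updaters (e.g. GoogleUpdate.exe) live here too,
                # so this is only a review item, not a verdict.
                findings.append(Finding("review", "autorun target lives under the user profile", line))
            continue
        if "authorizedapplications" in section:
            f = FW_ENTRY_RE.match(line)
            if f:
                # REGEDIT4 doubles backslashes; undo that before taking the basename.
                exe = f.group("path").replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
                if exe in SCRIPT_HOSTS:
                    findings.append(Finding("high", "firewall exception granted to a script host / LOLBin", line))
    return findings


if __name__ == "__main__":
    for fnd in scan(SAMPLE_LOG):
        print(f"[{fnd.severity:6}] {fnd.rule}\n         {fnd.line}")
```

Run it against a saved DDS or ComboFix log by passing the file contents to scan(). The "review" tier exists because the same Local Settings\Application Data location that hosted AcroWebHelper.dll also hosts the legitimate GoogleUpdate.exe in this log, so location alone is not enough; the rundll32-plus-export shape and the firewall whitelisting of a script host are the stronger signals.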

#10 blangtang

blangtang
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:09 PM

Posted 15 October 2011 - 09:29 PM

Many files and folders have reappeared. Amazing!

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:09 PM

Posted 16 October 2011 - 01:28 PM

But not all of them?

Please download Unhide

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.


Now please rerun Combofix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

RegLock::
[HKEY_USERS\S-1-5-21-1214440339-1177238915-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]


Save this as CFScript.txt in the same location as Comfix.exe (called ComboFix.exe in the graphic, which is not reproduced here).

Referring to that picture, drag CFScript.txt onto ComboFix.exe.

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#12 blangtang

blangtang
  • Topic Starter

  • Members
  • 10 posts
  •  
  • Local time:03:09 PM

Posted 16 October 2011 - 06:47 PM

I can't get the link for Unhide to work; I get a 404 error. Is there another link for that program? Thanks!

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:09 PM

Posted 16 October 2011 - 06:48 PM

Sorry, try this.

#14 blangtang

blangtang
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:09 PM

Posted 16 October 2011 - 07:24 PM

ComboFix 11-10-16.02 - Administrator 10/16/2011 19:18:25.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.696 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-09-17 to 2011-10-17 )))))))))))))))))))))))))))))))
.
.
2011-10-07 02:04 . 2011-10-07 02:05 -------- d-----w- c:\program files\Overland
2011-10-07 01:23 . 2011-10-07 01:23 -------- d-----w- c:\program files\Common Files\Java
2011-10-07 01:23 . 2011-05-04 09:52 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-10-07 01:23 . 2011-05-04 09:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-05 17:56 . 2011-10-05 17:56 -------- dc----w- c:\windows\ie8
2011-10-05 04:00 . 2011-09-29 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-28 01:57 . 2011-10-16 02:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AcroGLInterval
2011-09-26 16:41 . 2011-09-26 16:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-05 16:49 . 2011-06-05 17:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41 . 2004-08-12 11:25 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-12 11:25 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2008-04-14 08:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-14 04:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2010-04-28 08:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2008-04-14 08:42 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-04-14 08:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 23:48 . 2008-04-14 08:41 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 11:56 . 2008-04-14 03:07 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2008-04-14 03:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-29 06:53 . 2011-10-05 04:00 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-16_02.16.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-16 16:30 . 2011-10-16 16:30 16384 c:\windows\Temp\Perflib_Perfdata_72c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-03-22 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1177238915-1417001333-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-19 19:22]
.
2011-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1177238915-1417001333-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-19 19:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2dabhzpf.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-16 19:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\GTGina.dll
.
- - - - - - - > 'explorer.exe'(2712)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-16 19:22:26
ComboFix-quarantined-files.txt 2011-10-17 00:22
ComboFix2.txt 2011-10-17 00:13
ComboFix3.txt 2011-10-16 02:19
.
Pre-Run: 68,873,728,000 bytes free
Post-Run: 68,860,358,656 bytes free
.
- - End Of File - - 026E41EF9F378724B15825DCBCDF3B34

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:09 PM

Posted 16 October 2011 - 07:33 PM

That's a very good log. Please scan online with ESET

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.
