
Browser Being Hijacked By My123


This topic is locked
8 replies to this topic

#1 lokzi

  • Members
  • 6 posts

Posted 13 November 2006 - 09:42 PM

hi~

my browser's homepage is being hijacked by something called my123
can anyone help me? :thumbsup:
here's my HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 12:32:00 PM, on 14/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NJStar Communicator\Njcom32.exe
C:\Program Files\NJStar Communicator\NJSIME.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\LOkz!\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: DNS Cache (NHLscA) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Volume Shadddddow Copyerq (Service332245) - Unknown owner - c:\windows\system\taskmrg.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
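A first-pass triage of the HijackThis entries above, written as an added example for this page: it is not part of the original post, and neither HijackThis nor the forum helper used it. The sample lines are copied from the posted log except the `[sys]` O4 line, which is constructed for illustration; the heuristics (unknown owner, missing file, binary in the legacy `C:\WINDOWS\system\` folder, mangled display name, purely numeric file name) are the editor's own, and a hit is a reason to look closer, not a verdict on any entry.

```python
import os
import re

# Constructed sample: the O4/O23 lines below are copied from the HijackThis log in
# the post above, except the "[sys]" O4 line, which is made up for illustration and
# does not appear in the posted log.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [sys] C:\WINDOWS\system32\4.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: DNS Cache (NHLscA) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL.EXE (file missing)
O23 - Service: Volume Shadddddow Copyerq (Service332245) - Unknown owner - c:\windows\system\taskmrg.exe (file missing)
"""

# O23: "Service: <display> (<short name>) - <owner> - <path> [(file missing)]";
# the parenthesised short name is absent for some services, so it is optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4: "HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First quoted-or-bare path ending in an executable extension inside a command line.
EXE_RE = re.compile(r'"?([^"]+?\.(?:exe|dll|scr|bat|cmd|com))"?', re.IGNORECASE)


def path_reasons(path):
    """Heuristics that apply to any launch path, from a Run key or a service."""
    low = path.lower().replace("/", "\\")
    stem = os.path.splitext(low.rsplit("\\", 1)[-1])[0]
    reasons = []
    if stem.isdigit():
        reasons.append("executable has a purely numeric file name")
    if "\\temp\\" in low:
        reasons.append("executable runs from a Temp folder")
    if "\\windows\\system\\" in low:  # legacy folder; XP services normally live in system32
        reasons.append("binary in legacy %windir%\\system rather than system32")
    return reasons


def service_reasons(m):
    reasons = path_reasons(m["path"])
    if m["owner"].lower() == "unknown owner":
        reasons.append("no vendor/owner information on the service binary")
    if m["missing"]:
        reasons.append("service points at a file that no longer exists")
    if re.search(r"(.)\1{3,}", m["display"]):
        reasons.append("display name has a repeated-letter run (looks like a mangled system name)")
    if m["name"] and re.search(r"\d{4,}", m["name"]):
        reasons.append("short name contains a long digit run")
    return reasons


def run_key_reasons(cmd):
    exe = EXE_RE.search(cmd)
    return path_reasons(exe.group(1)) if exe else ["command line has no recognisable executable"]


def triage(log_text):
    """Return one finding per suspicious O4/O23 line: id, kind, line and reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            reasons = service_reasons(m)
            if reasons:
                findings.append({"id": m["name"] or m["display"], "kind": "O23",
                                 "line": line, "reasons": reasons})
            continue
        m = O4_RE.match(line)
        if m:
            reasons = run_key_reasons(m["cmd"])
            if reasons:
                findings.append({"id": m["name"], "kind": "O4",
                                 "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} {f['id']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, the two "Unknown owner ... (file missing)" services and the constructed numeric-name Run entry are the only lines reported; the Symantec and ATI entries pass every check. A missing binary on a service entry is what the helper's later ComboFix run cleaned up by hand, which is why those two O23 lines are the ones to read first.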


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 November 2006 - 10:43 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 lokzi
  • Topic Starter

  • Members
  • 6 posts

Posted 14 November 2006 - 09:14 PM

Hi~
Thanks so much for helping.

Here's the ComboFix log ^^



ComboFix 06.11.9 - Running from: "C:\Documents and Settings\LOkz!\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-15 to 2006-11-15 ))))))))))))))))))))))))))))))))))


2006-11-02 19:23 7,552 -r------- C:\WINDOWS\system32\drivers\pnp00066.sys
2006-10-24 02:47 90,357 -ra------ C:\WINDOWS\system32\drivers\P1130Vid.sys
2006-10-24 02:47 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2006-10-24 02:47 73,728 -ra------ C:\WINDOWS\Ctdrvins.exe
2006-10-24 02:47 69,632 -ra------ C:\WINDOWS\system32\P1130Sti.dll
2006-10-24 02:47 65,536 -ra------ C:\WINDOWS\system32\CtCamMgr.dll
2006-10-24 02:47 53,248 -ra------ C:\WINDOWS\P1130Cfg.exe
2006-10-24 02:47 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-10-24 02:47 49,152 -ra------ C:\WINDOWS\system32\P1130Hwx.dll
2006-10-24 02:47 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2006-10-24 02:47 32,768 -ra------ C:\WINDOWS\system32\P1130Pin.dll
2006-10-24 02:47 122,880 -ra------ C:\WINDOWS\system32\P1130Vfw.dll
2006-10-15 01:32 367,616 --a------ C:\WINDOWS\system32\der.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-15 13:08 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-15 12:26 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-14 12:57 -------- d-------- C:\Program Files\Minilyrics
2006-11-14 00:12 -------- d-------- C:\Program Files\360safe
2006-11-13 09:07 -------- d-------- C:\Program Files\eMule
2006-11-13 01:27 -------- d-------- C:\Program Files\Common Files
2006-11-11 20:06 -------- d-------- C:\Program Files\GetRight
2006-11-10 01:31 -------- d-------- C:\Program Files\Winamp
2006-11-08 14:30 -------- d-------- C:\Program Files\MSN Messenger
2006-11-08 14:30 -------- d-------- C:\Program Files\Messenger Plus! Live
2006-11-08 01:16 -------- d-------- C:\Program Files\Common Files\Java
2006-10-31 02:38 -------- d-------- C:\Program Files\FlashGet
2006-10-27 02:31 -------- d---s---- C:\Documents and Settings\LOkz!\Application Data\Microsoft
2006-10-24 16:02 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-10-24 15:02 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Adobe
2006-10-24 14:59 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-24 02:48 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Creative
2006-10-24 02:47 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-24 02:46 -------- d-------- C:\Program Files\Creative
2006-10-24 02:45 -------- d-------- C:\Program Files\Adobe
2006-10-18 01:33 -------- d-------- C:\Program Files\Gabest
2006-10-12 18:19 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\AdobeUM
2006-10-11 17:17 367616 --a------ C:\WINDOWS\system32\4.exe
2006-10-11 17:15 143360 --a------ C:\WINDOWS\system32\3.exe
2006-10-11 17:14 463912 --a------ C:\WINDOWS\system32\1.exe
2006-10-11 17:14 20480 --a------ C:\WINDOWS\system32\2.exe
2006-10-11 17:13 228238 --a------ C:\WINDOWS\system32\0.exe
2006-10-11 04:13 -------- d-------- C:\Program Files\coolpro2
2006-10-11 04:12 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Syntrillium
2006-10-10 05:51 -------- d-------- C:\Program Files\BitTorrent
2006-10-10 05:01 -------- d-------- C:\Program Files\Power MP3 WMA Converter
2006-10-10 02:58 -------- d-------- C:\Program Files\mediaSync Manager
2006-10-10 02:34 -------- d-------- C:\Program Files\Sony Ericsson
2006-10-09 05:24 -------- d-------- C:\Program Files\WinMX
2006-10-08 18:18 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\BitTorrent
2006-10-08 01:15 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-10-08 01:15 -------- d-------- C:\Program Files\Common Files\System
2006-10-08 01:15 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-08 01:15 -------- d-------- C:\Program Files\Common Files\Designer
2006-10-08 01:13 -------- d-------- C:\Program Files\Microsoft Office
2006-10-08 01:13 -------- d-------- C:\Program Files\microsoft frontpage
2006-10-08 01:13 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Microsoft Web Folders
2006-10-06 15:31 -------- d-------- C:\Program Files\BitTorrent Advanced Accelerator
2006-10-06 15:26 -------- d-------- C:\Program Files\Lavasoft
2006-10-06 15:26 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Lavasoft
2006-10-06 01:24 -------- d--h----- C:\Program Files\WindowsUpdate
2006-10-05 23:18 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Real
2006-10-05 23:17 -------- d-------- C:\Program Files\Real
2006-10-05 23:17 -------- d-------- C:\Program Files\Common Files\xing shared
2006-10-05 23:17 -------- d-------- C:\Program Files\Common Files\Real
2006-10-05 23:13 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Media Player Classic
2006-10-05 23:04 -------- d-------- C:\Program Files\BitComet
2006-10-05 11:40 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-10-05 11:40 -------- d-------- C:\Program Files\Common Files\ODBC
2006-10-05 11:39 62 --ahs---- C:\Documents and Settings\LOkz!\Application Data\desktop.ini
2006-10-05 04:38 -------- d-------- C:\Program Files\Windows Media Player
2006-10-05 04:28 -------- d-------- C:\Program Files\NJStar Communicator
2006-10-05 04:28 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\NJStar
2006-10-05 04:12 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Ahead
2006-10-05 04:10 -------- d-------- C:\Program Files\Common Files\Ahead
2006-10-05 04:10 -------- d-------- C:\Program Files\Ahead
2006-10-05 03:48 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Mozilla
2006-10-05 03:19 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Macromedia
2006-10-05 03:17 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-05 03:09 -------- d-------- C:\Program Files\Symantec
2006-10-05 02:53 -------- d-------- C:\Program Files\SymNetDrv
2006-10-05 02:48 -------- d-------- C:\Program Files\WinRAR
2006-10-05 02:35 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Symantec
2006-10-05 02:31 -------- d-------- C:\Program Files\Gigabyte
2006-10-05 02:22 -------- d-------- C:\Program Files\Marvell
2006-10-05 02:04 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Help
2006-10-05 02:02 -------- d-------- C:\Program Files\ATI Technologies
2006-10-05 01:59 -------- d--h----- C:\Program Files\Uninstall Information
2006-10-05 01:59 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Identities
2006-10-05 01:56 0 -rahs---- C:\MSDOS.SYS
2006-10-05 01:56 0 -rahs---- C:\IO.SYS
2006-10-05 01:56 0 --a------ C:\CONFIG.SYS
2006-10-05 01:56 0 --a------ C:\AUTOEXEC.BAT
2006-10-05 01:56 -------- d-------- C:\Program Files\xerox
2006-10-05 01:55 -------- d-------- C:\Program Files\Online Services
2006-10-05 01:55 -------- d-------- C:\Program Files\Internet Explorer
2006-10-05 01:54 -------- d-------- C:\Program Files\Outlook Express
2006-10-05 01:54 -------- d-------- C:\Program Files\NetMeeting
2006-10-05 01:54 -------- d-------- C:\Program Files\Movie Maker
2006-10-05 01:54 -------- d-------- C:\Program Files\Common Files\Services
2006-10-05 01:53 -------- d-------- C:\Program Files\MSN
2006-10-05 01:53 -------- d-------- C:\Program Files\ComPlus Applications
2006-10-05 01:53 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-10-05 01:52 -------- d-------- C:\Program Files\Windows NT
2006-10-05 01:52 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-15 23:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-15 23:52 124016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-08-31 19:56 5800 --a------ C:\WINDOWS\system32\nt.sys
2006-08-25 14:47 129784 --------- C:\WINDOWS\system32\pxafs.dll
2006-08-25 14:47 115880 --------- C:\WINDOWS\system32\pxinsi64.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"CTSysVol"="C:\\Program Files\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,2c,01,00,00,00,00,00,00,d4,03,00,00,a8,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,a4,03,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,a4,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\DM_Install_Program.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - LOkz!.job

Completion time: 06-11-15 13:09:01.27
C:\ComboFix.txt ... 06-11-15 13:09
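An added example (not from the thread and not part of ComboFix) showing how to pull the file-creation entries out of a ComboFix log like the one above and surface two patterns an analyst otherwise checks by eye: several binaries dropped into `system32` within a few minutes of each other, and files with identical byte sizes under different names. The sample lines are copied from the ComboFix logs in this thread (plus two directory lines to show they are skipped); the 10-minute window and the minimum cluster size of 3 are the editor's choices, and a size match is a prompt to hash the files, not proof they are the same.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: file lines copied from the ComboFix logs in this thread. The
# "Files Created" section writes sizes with thousands separators, the "Find3M"
# section without; two directory lines are included to show that they are skipped.
SAMPLE_LOG = r"""
2006-11-15 13:08 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-12 16:19 <DIR> d-------- C:\WINDOWS\system32\wsword
2006-11-02 19:23 7,552 -r------- C:\WINDOWS\system32\drivers\pnp00066.sys
2006-10-24 02:47 90,357 -ra------ C:\WINDOWS\system32\drivers\P1130Vid.sys
2006-10-24 02:47 73,728 -ra------ C:\WINDOWS\Ctdrvins.exe
2006-10-15 01:32 367,616 --a------ C:\WINDOWS\system32\der.exe
2006-10-11 17:17 367616 --a------ C:\WINDOWS\system32\4.exe
2006-10-11 17:15 143360 --a------ C:\WINDOWS\system32\3.exe
2006-10-11 17:14 463912 --a------ C:\WINDOWS\system32\1.exe
2006-10-11 17:14 20480 --a------ C:\WINDOWS\system32\2.exe
2006-10-11 17:13 228238 --a------ C:\WINDOWS\system32\0.exe
2006-09-15 23:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-08-31 19:56 5800 --a------ C:\WINDOWS\system32\nt.sys
"""

# "<date> <time> <size or placeholder> <attribute flags> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
BINARY_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".ocx")


def parse_entries(text):
    """Return file entries as dicts with ts, size, attrs, path; directories are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        if attrs.startswith("d") or not re.fullmatch(r"[\d,]+", size):
            continue  # directory entry or a line without a byte size
        entries.append({
            "ts": datetime.strptime(stamp, "%Y-%m-%d %H:%M"),
            "size": int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return entries


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_binary(path):
    return basename(path).lower().endswith(BINARY_EXT)


def find_drop_clusters(entries, window=timedelta(minutes=10), min_count=3):
    """Chain binaries whose creation times fall within `window` of the previous one;
    return every chain of at least `min_count` files as a list of paths, oldest first."""
    binaries = sorted((e for e in entries if is_binary(e["path"])), key=lambda e: e["ts"])
    clusters, current = [], []
    for e in binaries:
        if current and e["ts"] - current[-1]["ts"] > window:
            if len(current) >= min_count:
                clusters.append([x["path"] for x in current])
            current = []
        current.append(e)
    if len(current) >= min_count:
        clusters.append([x["path"] for x in current])
    return clusters


def size_twins(entries):
    """Binaries sharing an exact byte size under different names: candidates for
    being copies of one another (hash them before concluding anything)."""
    by_size = {}
    for e in entries:
        if is_binary(e["path"]):
            by_size.setdefault(e["size"], []).append(e["path"])
    return [(size, sorted(paths)) for size, paths in sorted(by_size.items()) if len(paths) > 1]


def numeric_names(entries):
    """Binaries whose file name is nothing but digits (0.exe, 1.exe, ...)."""
    return [e["path"] for e in entries
            if is_binary(e["path"]) and basename(e["path"]).rsplit(".", 1)[0].isdigit()]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for cluster in find_drop_clusters(entries):
        print(f"{len(cluster)} binaries created within minutes of each other:")
        for p in cluster:
            print("   ", p)
    for size, paths in size_twins(entries):
        print(f"same size ({size} bytes): {', '.join(basename(p) for p in paths)}")
    print("numeric names:", ", ".join(basename(p) for p in numeric_names(entries)))
```

On the sample, the five numerically named executables written to `system32` between 17:13 and 17:17 on 2006-10-11 come out as a single cluster, and `der.exe` (created four days later) is reported as having the same size as `4.exe`. The clustering deliberately chains on the gap to the previous file rather than on a fixed bucket, so a dropper that spaces its writes a minute apart still lands in one group.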

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 November 2006 - 05:50 PM

We need a different version of Combofix. Please delete Combofix.exe that you have on your desktop currently.

Please download ComboFix and save it to your desktop.

IMPORTANT - Make sure the Combofix is saved to your desktop.

Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%userprofile%\desktop\combofix.exe" /wow

When it's done running it will produce a log for you. Please post that log in your next reply.

#5 lokzi
  • Topic Starter

  • Members
  • 6 posts

Posted 15 November 2006 - 09:07 PM

OoooO~ ok~ ^^
Here it is...


ComboFix 06.11.9W - Running from: "C:\Documents and Settings\LOkz!\desktop"
Command switches used :: /wow

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Templates\temp.exe
C:\WINDOWS\tasks\dm_install_program.job
C:\WINDOWS\system32\nt.sys
C:\WINDOWS\system32\inetsrv\SysOption.bin
C:\WINDOWS\system32\wbem\ocmor.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\WINDOWS\system32\0.exe
C:\WINDOWS\system32\1.exe
C:\WINDOWS\system32\2.exe
C:\WINDOWS\system32\3.exe
C:\WINDOWS\system32\4.exe
C:\Program Files\360safe


((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))


2006-11-12 16:19 <DIR> d-------- C:\WINDOWS\system32\wsword
2006-11-12 07:18 <DIR> d-------- C:\WINDOWS\system32\wsworld
2006-11-12 02:18 <DIR> d-------- C:\WINDOWS\system32\msworld
2006-11-12 01:18 <DIR> d-------- C:\WINDOWS\system32\mspalnt
2006-11-10 01:33 <DIR> d-------- C:\Program Files\Minilyrics
2006-11-10 01:29 <DIR> d-------- C:\Program Files\Winamp
2006-11-08 15:49 <DIR> d-------- C:\Program Files\GetRight
2006-11-08 01:16 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-06 01:59 <DIR> d-------- C:\Documents and Settings\LOkz!\ok.. im downl
2006-11-02 19:23 7,552 -r------- C:\WINDOWS\system32\drivers\pnp00066.sys
2006-10-26 13:14 <DIR> d-------- C:\Program Files\eMule
2006-10-24 15:24 <DIR> d-------- C:\My Music
2006-10-24 02:47 90,357 -ra------ C:\WINDOWS\system32\drivers\P1130Vid.sys
2006-10-24 02:47 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2006-10-24 02:47 73,728 -ra------ C:\WINDOWS\Ctdrvins.exe
2006-10-24 02:47 69,632 -ra------ C:\WINDOWS\system32\P1130Sti.dll
2006-10-24 02:47 65,536 -ra------ C:\WINDOWS\system32\CtCamMgr.dll
2006-10-24 02:47 53,248 -ra------ C:\WINDOWS\P1130Cfg.exe
2006-10-24 02:47 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-10-24 02:47 49,152 -ra------ C:\WINDOWS\system32\P1130Hwx.dll
2006-10-24 02:47 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2006-10-24 02:47 32,768 -ra------ C:\WINDOWS\system32\P1130Pin.dll
2006-10-24 02:47 122,880 -ra------ C:\WINDOWS\system32\P1130Vfw.dll
2006-10-24 02:46 <DIR> d-------- C:\Media
2006-10-18 01:33 <DIR> d-------- C:\Program Files\Gabest


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-16 13:02 -------- d-------- C:\Program Files\Common Files
2006-11-16 12:56 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-15 22:57 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-08 14:30 -------- d-------- C:\Program Files\MSN Messenger
2006-11-08 14:30 -------- d-------- C:\Program Files\Messenger Plus! Live
2006-10-31 02:38 -------- d-------- C:\Program Files\FlashGet
2006-10-27 02:31 -------- d---s---- C:\Documents and Settings\LOkz!\Application Data\Microsoft
2006-10-24 16:02 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-10-24 15:02 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Adobe
2006-10-24 14:59 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-24 02:48 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Creative
2006-10-24 02:47 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-24 02:46 -------- d-------- C:\Program Files\Creative
2006-10-24 02:45 -------- d-------- C:\Program Files\Adobe
2006-10-16 00:33 367616 --a------ C:\WINDOWS\system32\der.exe
2006-10-12 18:19 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\AdobeUM
2006-10-11 04:13 -------- d-------- C:\Program Files\coolpro2
2006-10-11 04:12 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Syntrillium
2006-10-10 05:51 -------- d-------- C:\Program Files\BitTorrent
2006-10-10 05:01 -------- d-------- C:\Program Files\Power MP3 WMA Converter
2006-10-10 02:58 -------- d-------- C:\Program Files\mediaSync Manager
2006-10-10 02:34 -------- d-------- C:\Program Files\Sony Ericsson
2006-10-09 05:24 -------- d-------- C:\Program Files\WinMX
2006-10-08 18:18 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\BitTorrent
2006-10-08 01:15 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-10-08 01:15 -------- d-------- C:\Program Files\Common Files\System
2006-10-08 01:15 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-08 01:15 -------- d-------- C:\Program Files\Common Files\Designer
2006-10-08 01:13 -------- d-------- C:\Program Files\Microsoft Office
2006-10-08 01:13 -------- d-------- C:\Program Files\microsoft frontpage
2006-10-08 01:13 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Microsoft Web Folders
2006-10-06 15:31 -------- d-------- C:\Program Files\BitTorrent Advanced Accelerator
2006-10-06 15:26 -------- d-------- C:\Program Files\Lavasoft
2006-10-06 15:26 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Lavasoft
2006-10-06 01:24 -------- d--h----- C:\Program Files\WindowsUpdate
2006-10-05 23:18 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Real
2006-10-05 23:17 -------- d-------- C:\Program Files\Real
2006-10-05 23:17 -------- d-------- C:\Program Files\Common Files\xing shared
2006-10-05 23:17 -------- d-------- C:\Program Files\Common Files\Real
2006-10-05 23:13 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Media Player Classic
2006-10-05 23:04 -------- d-------- C:\Program Files\BitComet
2006-10-05 11:40 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-10-05 11:40 -------- d-------- C:\Program Files\Common Files\ODBC
2006-10-05 11:39 62 --ahs---- C:\Documents and Settings\LOkz!\Application Data\desktop.ini
2006-10-05 04:38 -------- d-------- C:\Program Files\Windows Media Player
2006-10-05 04:28 -------- d-------- C:\Program Files\NJStar Communicator
2006-10-05 04:28 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\NJStar
2006-10-05 04:12 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Ahead
2006-10-05 04:10 -------- d-------- C:\Program Files\Common Files\Ahead
2006-10-05 04:10 -------- d-------- C:\Program Files\Ahead
2006-10-05 03:48 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Mozilla
2006-10-05 03:19 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Macromedia
2006-10-05 03:17 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-05 03:09 -------- d-------- C:\Program Files\Symantec
2006-10-05 02:53 -------- d-------- C:\Program Files\SymNetDrv
2006-10-05 02:48 -------- d-------- C:\Program Files\WinRAR
2006-10-05 02:35 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Symantec
2006-10-05 02:31 -------- d-------- C:\Program Files\Gigabyte
2006-10-05 02:22 -------- d-------- C:\Program Files\Marvell
2006-10-05 02:04 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Help
2006-10-05 02:02 -------- d-------- C:\Program Files\ATI Technologies
2006-10-05 01:59 -------- d--h----- C:\Program Files\Uninstall Information
2006-10-05 01:59 -------- d-------- C:\Documents and Settings\LOkz!\Application Data\Identities
2006-10-05 01:56 0 -rahs---- C:\MSDOS.SYS
2006-10-05 01:56 0 -rahs---- C:\IO.SYS
2006-10-05 01:56 0 --a------ C:\CONFIG.SYS
2006-10-05 01:56 0 --a------ C:\AUTOEXEC.BAT
2006-10-05 01:56 -------- d-------- C:\Program Files\xerox
2006-10-05 01:55 -------- d-------- C:\Program Files\Online Services
2006-10-05 01:55 -------- d-------- C:\Program Files\Internet Explorer
2006-10-05 01:54 -------- d-------- C:\Program Files\Outlook Express
2006-10-05 01:54 -------- d-------- C:\Program Files\NetMeeting
2006-10-05 01:54 -------- d-------- C:\Program Files\Movie Maker
2006-10-05 01:54 -------- d-------- C:\Program Files\Common Files\Services
2006-10-05 01:53 -------- d-------- C:\Program Files\MSN
2006-10-05 01:53 -------- d-------- C:\Program Files\ComPlus Applications
2006-10-05 01:53 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-10-05 01:52 -------- d-------- C:\Program Files\Windows NT
2006-10-05 01:52 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-15 23:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-08-25 14:47 129784 --------- C:\WINDOWS\system32\pxafs.dll
2006-08-25 14:47 115880 --------- C:\WINDOWS\system32\pxinsi64.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"CTSysVol"="C:\\Program Files\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,2c,01,00,00,00,00,00,00,d4,03,00,00,a8,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,a4,03,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,a4,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Framework


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - LOkz!.job

Completion time: 06-11-16 13:03:03.55
C:\ComboFix.txt ... 06-11-16 13:03
C:\ComboFix2.txt ... 06-11-15 13:09

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 November 2006 - 05:12 PM

Is your browser still being hijacked?


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy & Paste the entire report in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 lokzi

lokzi
  • Topic Starter

  • Members
  • 6 posts

Posted 17 November 2006 - 05:41 AM

lol ~ I can't run the online scanner~

Is there any way to get rid of this thing?

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 November 2006 - 09:11 AM

Is your browser still being hijacked?

Why can't you run the online scan? Do you get an error? What happens?


Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.


========================================================

#9 lokzi

lokzi
  • Topic Starter

  • Members
  • 6 posts

Posted 17 November 2006 - 10:01 PM

Nothing happened when I clicked on the button to do the online scanning...

ComboFix didn't work...........
but I got my friend to fix it ~
It's alright now~

Once again, thank you for your help!!! ^^
