browser hijack, not cleaned by MalwareBytes or Zone Alarm


Post by solr on 3rd July 2009, 3:35 pm

Running XP SP3, latest Java, Flash, all Windows Updates, IE8.
Browsing is hijacked to other sites posting ads.

Scanned with latest MalwareBytes and Zone Alarm Security Suite, fully updated.

Attached is HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:44 AM, on 7/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6044 bytes


Re: browser hijack, not cleaned by MalwareBytes or Zone Alarm

Post by Belahzur on 3rd July 2009, 3:41 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe


  • Press "Fix Checked"
  • Close HijackThis.

Next,

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: browser hijack, not cleaned by MalwareBytes or Zone Alarm

Post by solr on 3rd July 2009, 4:01 pm

Belahzur wrote:
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe


  • Press "Fix Checked"
  • Close HijackThis.

Next,

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



DDS (Ver_09-06-26.01) - NTFSx86
Run by R O Warburg at 11:57:40.85 on Fri 07/03/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3061.2502 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k drv
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
svchost
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscript.exe
C:\Documents and Settings\R O Warburg\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R?2 drv;drv;c:\windows\system32\svchost.exe -k drv [2008-4-25 14336]
R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [2009-7-1 9344]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-7-1 150544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-1 365448]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-07-03 11:00 --d----- c:\program files\Trend Micro
2009-07-02 21:30 --d----- c:\windows\pss
2009-07-02 08:26 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-02 08:26 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-01 18:20 2,541 a------- C:\rollback.ini
2009-07-01 18:04 --d----- c:\docume~1\rowarb~1\applic~1\MailFrontier
2009-07-01 18:01 31,137,824 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-01 18:01 414,836 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-01 18:00 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-07-01 18:00 72,584 a------- c:\windows\zllsputility.exe
2009-07-01 18:00 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-07-01 18:00 --d----- c:\windows\system32\ZoneLabs
2009-07-01 18:00 --d----- c:\program files\Zone Labs
2009-07-01 17:59 415,148 a------- c:\windows\system32\vsconfig.xml
2009-07-01 17:59 --d----- c:\windows\Internet Logs
2009-07-01 17:56 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-07-01 17:56 --dsh--- c:\documents and settings\r o warburg\IECompatCache
2009-07-01 17:55 --dsh--- c:\documents and settings\r o warburg\PrivacIE
2009-07-01 17:53 --dsh--- c:\documents and settings\r o warburg\IETldCache
2009-07-01 17:49 --d----- C:\8c0938a125a336e06e96d7b81c
2009-07-01 17:48 --d----- c:\windows\SxsCaPendDel
2009-07-01 17:43 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-01 17:43 --d----- c:\windows\ie8updates
2009-07-01 17:43 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-01 17:43 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-01 17:41 -cd-h--- c:\windows\ie8
2009-07-01 17:27 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-07-01 17:27 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-07-01 17:27 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-07-01 17:27 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-07-01 17:27 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-01 17:27 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-07-01 17:27 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-07-01 17:27 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-07-01 17:27 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-07-01 17:27 35,328 -c------ c:\windows\system32\dllcache\sc.exe
2009-07-01 17:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-01 17:26 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-07-01 16:51 --d----- c:\docume~1\rowarb~1\applic~1\Malwarebytes
2009-07-01 16:51 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 16:51 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-01 16:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 16:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-01 16:47 --d----- c:\windows\system32\appmgmt
2009-07-01 15:17 --d----- c:\program files\drv

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:55 78,336 -------- c:\windows\system32\ieencode.dll
2009-04-17 06:50 1,847,808 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 11:57:57.71 ===============

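The DDS report above is the log the helper later refers to as showing "the main infection". Two lines carry it: the service `drv` hosted by `svchost.exe -k drv`, a service group that a stock Windows XP install does not define, and the driver `drvdrv` loading `c:\program files\drv\drv.sys` from a directory created on 2009-07-01, the same day as the other changes in the "Created Last 30" section. The Python script below is an added example, not part of this thread or of the DDS tool: it parses DDS-style process-list and SERVICES / DRIVERS lines (the sample lines are copied from the log above) and flags exactly those two patterns. The baseline list of XP svchost groups is the author's own assumption and should be adapted to the build and third-party software being examined.

```python
"""Triage of DDS-style log lines.  Added example, not part of the thread
or of the DDS tool: it parses the process list and the SERVICES / DRIVERS
section and flags (a) a service or process hosted by svchost.exe under a
group name that a stock Windows XP install does not define, and (b) a
kernel driver (.sys) whose image lives outside the system32 directory.
The sample lines are copied from the DDS log posted above."""
import re

# svchost service groups on a stock Windows XP SP3 install.
# Assumption: this baseline is the author's, not something DDS emits;
# adapt it to the build and the third-party software being examined.
XP_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "termsvcs", "httpfilter",
}

# "R?2 drv;drv;c:\windows\system32\svchost.exe -k drv [2008-4-25 14336]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\??\d?)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
# "C:\WINDOWS\system32\svchost.exe -k drv" (process list) or a service image.
SVCHOST_RE = re.compile(r"svchost(?:\.exe)?\s+-k\s+(?P<group>\S+)", re.IGNORECASE)
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")  # trailing "[date size]" / "[?]"
SYSTEM32 = "\\windows\\system32\\"


def parse_service_line(line):
    """Return {'state','name','image'} for a DDS service/driver line, else None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return {"state": m.group("state"), "name": m.group("name"),
            "image": TRAILER_RE.sub("", m.group("image"))}


def svchost_group(text):
    """Service-group name after '-k' if text is an svchost command line."""
    m = SVCHOST_RE.search(text)
    return m.group("group").lower() if m else None


def triage_dds(lines):
    """Return a sorted list of unique (kind, value) findings for the log lines."""
    findings = set()
    for line in lines:
        svc = parse_service_line(line)
        if svc is None:
            # Not a service line; treat it as a process-list entry.
            group = svchost_group(line)
            if group and group not in XP_SVCHOST_GROUPS:
                findings.add(("unknown-svchost-group", group))
            continue
        group = svchost_group(svc["image"])
        if group and group not in XP_SVCHOST_GROUPS:
            findings.add(("unknown-svchost-group", group))
        image = svc["image"].lower()
        if image.endswith(".sys") and SYSTEM32 not in image:
            findings.add(("driver-outside-system32", image))
    return sorted(findings)


# Lines copied from the DDS log in this thread (process list + services).
SAMPLE_DDS = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k drv
C:\WINDOWS\system32\svchost.exe -k imgsvc
R?2 drv;drv;c:\windows\system32\svchost.exe -k drv [2008-4-25 14336]
R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [2009-7-1 9344]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-7-1 150544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-1 365448]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
""".strip().splitlines()

if __name__ == "__main__":
    for kind, value in triage_dds(SAMPLE_DDS):
        print(f"{kind}: {value}")
```

Run against the sample it reports only the `drv` group and the `drv.sys` image; the ZoneAlarm driver `vsdatant.sys` (under system32) and `klif.sys` (under system32\drivers) are left alone, which is the point of keying on location rather than on an unfamiliar name.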

Re: browser hijack, not cleaned by MalwareBytes or Zone Alarm

Post by Belahzur on 3rd July 2009, 4:10 pm

Hello.


  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV (ZoneAlarm).
  • Double-click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: browser hijack, not cleaned by MalwareBytes or Zone Alarm

Post by solr on 3rd July 2009, 4:24 pm

ComboFix 09-07-02.02 - R O Warburg 07/03/2009 12:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3061.2637 [GMT -4:00]
Running from: c:\documents and settings\All Users\Documents\ZoneAlarm Install\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRV
-------\Service_drv


((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 15:00 . 2009-07-03 15:00 -------- d-----w- c:\program files\Trend Micro
2009-07-03 01:33 . 2009-07-03 01:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-03 01:33 . 2009-07-03 01:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-02 12:26 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-01 22:11 . 2009-07-01 22:11 -------- d-----w- c:\documents and settings\R O Warburg\Application Data\Roxio
2009-07-01 22:04 . 2009-07-01 22:04 0 ----a-w- c:\windows\nsreg.dat
2009-07-01 22:04 . 2009-07-01 22:04 -------- d-----w- c:\documents and settings\R O Warburg\Application Data\MailFrontier
2009-07-01 22:01 . 2009-07-03 16:18 31723808 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-01 21:59 . 2009-07-03 16:01 -------- d-----w- c:\windows\Internet Logs
2009-07-01 21:56 . 2009-07-01 21:56 -------- d-sh--w- c:\documents and settings\R O Warburg\IECompatCache
2009-07-01 21:55 . 2009-07-01 21:55 -------- d-sh--w- c:\documents and settings\R O Warburg\PrivacIE
2009-07-01 21:54 . 2009-07-01 21:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-01 21:53 . 2009-07-01 21:53 -------- d-sh--w- c:\documents and settings\R O Warburg\IETldCache
2009-07-01 21:49 . 2009-07-01 21:49 -------- d-----w- C:\8c0938a125a336e06e96d7b81c
2009-07-01 21:48 . 2009-07-01 21:53 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-01 21:43 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-01 21:43 . 2009-07-01 21:43 -------- d-----w- c:\windows\ie8updates
2009-07-01 21:43 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-01 21:43 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-01 21:41 . 2009-07-01 21:42 -------- dc-h--w- c:\windows\ie8
2009-07-01 21:27 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-01 21:27 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-01 21:27 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-01 21:27 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-01 21:27 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-01 21:27 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-01 21:27 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-01 21:27 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-01 21:27 . 2009-02-06 10:39 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-07-01 21:27 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-01 21:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-01 21:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-01 21:04 . 2009-07-01 21:04 152576 ----a-w- c:\documents and settings\R O Warburg\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-01 20:51 . 2009-07-01 20:51 -------- d-----w- c:\documents and settings\R O Warburg\Application Data\Malwarebytes
2009-07-01 20:51 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 20:51 . 2009-07-01 20:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 20:51 . 2009-07-01 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-01 20:51 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 19:17 . 2009-07-01 19:17 -------- d-----w- c:\program files\drv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 16:15 . 2009-07-01 22:01 425540 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-03 01:00 . 2009-07-03 01:00 144384 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-07-02 14:32 . 2009-01-07 03:09 -------- d-----w- c:\program files\Google
2009-07-02 01:10 . 2009-07-01 22:00 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-07-02 00:05 . 2009-07-02 01:08 94208 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-07-01 22:00 . 2009-07-01 22:00 -------- d-----w- c:\program files\Zone Labs
2009-07-01 21:58 . 2009-01-07 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-01 21:53 . 2009-01-07 03:19 49384 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 21:45 . 2009-01-07 03:09 -------- d-----w- c:\program files\Microsoft Works
2009-07-01 21:24 . 2009-01-07 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-01 21:22 . 2009-01-07 03:06 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-01 21:05 . 2009-01-07 03:05 -------- d-----w- c:\program files\Java
2009-06-07 15:00 . 2009-03-02 21:32 -------- d-----w- c:\program files\RJJ
2009-05-29 00:25 . 2009-07-01 22:00 72584 ----a-w- c:\windows\zllsputility.exe
2009-05-29 00:25 . 2009-07-01 22:00 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-05-29 00:25 . 2009-07-01 22:00 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-05-29 00:25 . 2009-07-01 22:00 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-05-25 23:41 . 2009-02-15 05:19 -------- d-----w- c:\documents and settings\R O Warburg\Application Data\Move Networks
2009-05-21 15:33 . 2009-01-13 17:59 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 05:15 . 2008-04-25 16:16 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2008-04-25 16:16 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:55 . 2009-04-29 04:55 78336 ------w- c:\windows\system32\ieencode.dll
2009-04-24 16:19 . 2009-04-24 16:19 34062 ----a-w- c:\documents and settings\R O Warburg\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-24 16:19 . 2009-04-24 16:19 1047072 ----a-w- c:\documents and settings\R O Warburg\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe
2009-04-17 10:50 . 2008-04-25 16:16 1847808 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-25 16:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-17 16132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-07 03:16 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/1/2009 3:17 PM 9344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-03 12:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2696)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Dell Support Center\gs_agent\dsc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-03 12:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 16:19

Pre-Run: 309,122,940,928 bytes free
Post-Run: 309,042,757,632 bytes free

170 --- E O F --- 2009-01-13 15:38

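The ComboFix report above fills in how the `drv` service worked and what it left behind. Under Reg Loading Points the Windows Firewall standard profile is off (`"EnableFirewall"= 0`), 8085/TCP was globally opened under the label `drv`, and a `drv` group was defined under `HKLM\...\windows nt\currentversion\svchost`, which is what lets `svchost.exe -k drv` host a service of that name; ComboFix removed `Service_drv` and `Legacy_DRV`. Under Other Deletions it removed `c:\windows\system32\wbem\proquota.exe` and reports the real `c:\windows\system32\proquota.exe` missing. On XP `system32\wbem` is on the default PATH, so a file with a system binary's name placed there while the original is deleted is a search-order substitution (DDS had already shown `EnableProfileQuota = 1`, the setting under which Winlogon runs the profile-quota program), and it is why the helper asks for the XP disc. The script below is an added example, not from this thread or from ComboFix: it parses the REGEDIT4-style loading-point lines for those firewall and svchost facts, and pairs each deleted file with a same-named file reported missing from its real directory. Sample text is copied from the log above.

```python
"""Two checks over a ComboFix report.  Added example, not from the thread
or from ComboFix.  triage_loading_points() walks the REGEDIT4-style
"Reg Loading Points" text and flags a disabled Windows Firewall profile,
every globally opened port, and every svchost service group defined in the
registry.  displaced_system_binaries() reads the "Other Deletions" lines
and pairs a file ComboFix removed with a same-named file it reports missing
from its real directory, the search-order pattern shown by proquota.exe.
Sample text is copied from the ComboFix log posted above."""
import ntpath
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
MULTI_RE = re.compile(r"^(?P<name>\S+)\s+REG_MULTI_SZ\s+(?P<value>.*)$")
MISSING_RE = re.compile(r"^(?P<path>.+?)\s+\.\s\.\s\.\s+is missing!!$")
FIREWALL_PROFILES = ("firewallpolicy\\standardprofile", "firewallpolicy\\domainprofile")


def triage_loading_points(lines):
    """Return (kind, ...) findings from ComboFix 'Reg Loading Points' lines."""
    findings = []
    key = ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key").lower()  # section header such as [HKLM\...]
            continue
        vm = VALUE_RE.match(line)
        if vm and key.endswith(FIREWALL_PROFILES):
            # "EnableFirewall"= 0 (0x0) means this profile's firewall is off.
            if (vm.group("name").lower() == "enablefirewall"
                    and vm.group("value").lstrip().startswith("0")):
                findings.append(("firewall-disabled", key.rsplit("\\", 1)[-1]))
        elif vm and key.endswith("globallyopenports\\list"):
            # Every globally opened port is reported; value is "port:proto:label".
            findings.append(("global-open-port", vm.group("value").strip()))
        mm = MULTI_RE.match(line)
        if mm and key.endswith("\\svchost"):
            # A group under ...\currentversion\svchost is what makes
            # "svchost.exe -k <group>" load the services listed in it.
            findings.append(("svchost-group", mm.group("name"), mm.group("value").strip()))
    return findings


def displaced_system_binaries(deletion_lines):
    """Pair each deleted file with a same-named file reported missing elsewhere.

    Returns [(basename, path_found, path_missing)]."""
    present, missing = [], []
    for raw in deletion_lines:
        line = raw.strip().lower()
        if not line:
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group("path"))
        else:
            present.append(line)
    findings = []
    for path in present:
        directory, base = ntpath.split(path)
        for canon in missing:
            if ntpath.basename(canon) == base and ntpath.dirname(canon) != directory:
                findings.append((base, path, canon))
    return findings


# Text copied from the ComboFix log in this thread.
SAMPLE_REG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
""".splitlines()

SAMPLE_DELETIONS = r"""
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe . . . is missing!!
""".splitlines()

if __name__ == "__main__":
    for finding in triage_loading_points(SAMPLE_REG) + displaced_system_binaries(SAMPLE_DELETIONS):
        print(finding)
```

The displaced-binary check deliberately needs no table of "known system files": the evidence is the log's own pairing of a deletion with a missing-file line, which is the same reasoning the helper applies before asking for the install media to restore the original.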

Re: browser hijack, not cleaned by MalwareBytes or Zone Alarm

Post by Belahzur on 3rd July 2009, 5:18 pm

Hello.
Do you have your XP disc?

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    proquota.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Re: browser hijack, not cleaned by MalwareBytes or Zone Alarm

Post by solr on 3rd July 2009, 6:22 pm

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 14:14 on 03/07/2009 by R O Warburg (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
No files found.

-=End Of File=-


I just want to add that the prior step using ComboFix appears to have fixed the browser hijack problem. It put a number of files in quarantine and deleted some registry entries related to TCP/IP. Can you tell me where in the ComboFix.txt log I can see that?

Thanks so much!

Sol

Post by Belahzur on 3rd July 2009, 6:42 pm

Hello.
You still have the main infection I saw from the DDS log. But you also have a missing system file, so I need to know if you have your XP disc.


Post by solr on 3rd July 2009, 6:46 pm

yes I have an XP Pro SP3 CD

Post by Belahzur on 3rd July 2009, 6:48 pm

Awesome, we're going to need to use it.
Put it in the machine, open My Computer and let me know which drive letter the CD drive has.


Post by solr on 3rd July 2009, 6:53 pm

I just updated MalwareBytes, and for the first time it found 7 infections, which it removed. They were in the drv folder in Program Files and called drv.dll and drv.sys.

The CD is drive D:

Post by Belahzur on 3rd July 2009, 6:57 pm

Hello.
Yeah, I know. Like I said, the main infection is still here; we'll remove it once the needed system file is put back, though.

Go to Start > Run. In the Run box, type in cmd and hit Enter.
This opens the command prompt window. Now type in the following command exactly as shown:

expand D:\i386\proquota.ex_ c:\windows\system32\proquota.exe

There are two spaces in there, so I have pointed out below where they are.

expandSPACED:\i386\proquota.ex_SPACEc:\windows\system32\proquota.exe

If done correctly, it will say "one file(s) expanded successfully".

Let me know how it goes.


Post by solr on 3rd July 2009, 7:11 pm

Done!

Post by Belahzur on 3rd July 2009, 7:21 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB1.tmp

Folder::
c:\program files\drv

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"drv"=-

Driver::
drvdrv

Save this as CFScript.txt on your desktop.
Then drag and drop CFScript.txt onto ComboFix.exe.

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.



Post by solr on 3rd July 2009, 7:35 pm

ComboFix 09-07-02.03 - R O Warburg 07/03/2009 15:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3061.2522 [GMT -4:00]
Running from: c:\documents and settings\All Users\Documents\ZoneAlarm Install\ComboFix.exe
Command switches used :: c:\documents and settings\All Users\Documents\ZoneAlarm Install\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\Internet Logs\xDB1.tmp"
"c:\windows\Internet Logs\xDB2.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\31696.msp
c:\windows\Installer\NSR2_Patch_All.msp
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\patchw32.dll
c:\windows\pw32a.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 19:09 . 2008-04-14 09:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-03 19:09 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-03 19:03 . 2009-07-03 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-03 18:46 . 2009-07-03 18:46 -------- d-----w- c:\documents and settings\R O Warburg\Local Settings\Application Data\Symantec_Corporation
2009-07-03 18:36 . 2007-02-13 22:20 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-03 18:36 . 2007-02-13 22:20 109360 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-03 18:36 . 2007-02-13 23:06 128104 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2009-07-03 18:34 . 2009-07-03 19:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-03 18:34 . 2003-03-19 01:19 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2009-07-03 15:00 . 2009-07-03 15:00 -------- d-----w- c:\program files\Trend Micro
2009-07-03 01:33 . 2009-07-03 01:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-03 01:33 . 2009-07-03 01:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-02 12:26 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-01 22:11 . 2009-07-01 22:11 -------- d-----w- c:\documents and settings\R O Warburg\Application Data\Roxio
2009-07-01 22:04 . 2009-07-01 22:04 0 ----a-w- c:\windows\nsreg.dat
2009-07-01 22:04 . 2009-07-01 22:04 -------- d-----w- c:\documents and settings\R O Warburg\Application Data\MailFrontier
2009-07-01 22:01 . 2009-07-03 19:28 36053280 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-01 21:59 . 2009-07-03 19:28 -------- d-----w- c:\windows\Internet Logs
2009-07-01 21:56 . 2009-07-01 21:56 -------- d-sh--w- c:\documents and settings\R O Warburg\IECompatCache
2009-07-01 21:55 . 2009-07-01 21:55 -------- d-sh--w- c:\documents and settings\R O Warburg\PrivacIE
2009-07-01 21:54 . 2009-07-01 21:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-01 21:53 . 2009-07-01 21:53 -------- d-sh--w- c:\documents and settings\R O Warburg\IETldCache
2009-07-01 21:49 . 2009-07-01 21:49 -------- d-----w- C:\8c0938a125a336e06e96d7b81c
2009-07-01 21:48 . 2009-07-01 21:53 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-01 21:43 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-01 21:43 . 2009-07-01 21:43 -------- d-----w- c:\windows\ie8updates
2009-07-01 21:43 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-01 21:43 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-01 21:41 . 2009-07-01 21:42 -------- dc-h--w- c:\windows\ie8
2009-07-01 21:27 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-01 21:27 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-01 21:27 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-01 21:27 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-01 21:27 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-01 21:27 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-01 21:27 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-01 21:27 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-01 21:27 . 2009-02-06 10:39 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-07-01 21:27 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-01 21:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-01 21:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-01 21:04 . 2009-07-01 21:04 152576 ----a-w- c:\documents and settings\R O Warburg\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-01 20:51 . 2009-07-01 20:51 -------- d-----w- c:\documents and settings\R O Warburg\Application Data\Malwarebytes
2009-07-01 20:51 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 20:51 . 2009-07-01 20:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 20:51 . 2009-07-01 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-01 20:51 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 19:10 . 2009-07-01 22:01 475952 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-03 18:37 . 2009-01-07 03:19 49944 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 17:27 . 2009-07-03 18:05 172072 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-07-03 17:16 . 2009-07-03 17:18 289792 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-07-03 17:16 . 2009-07-03 17:18 2064896 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-07-03 17:15 . 2009-01-07 03:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-03 17:14 . 2009-01-07 03:15 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-02 14:32 . 2009-01-07 03:09 -------- d-----w- c:\program files\Google
2009-07-02 01:10 . 2009-07-01 22:00 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-07-01 22:00 . 2009-07-01 22:00 -------- d-----w- c:\program files\Zone Labs
2009-07-01 21:58 . 2009-01-07 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-01 21:45 . 2009-01-07 03:09 -------- d-----w- c:\program files\Microsoft Works
2009-07-01 21:24 . 2009-01-07 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-01 21:22 . 2009-01-07 03:06 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-01 21:05 . 2009-01-07 03:05 -------- d-----w- c:\program files\Java
2009-06-07 15:00 . 2009-03-02 21:32 -------- d-----w- c:\program files\RJJ
2009-05-29 00:25 . 2009-07-01 22:00 72584 ----a-w- c:\windows\zllsputility.exe
2009-05-29 00:25 . 2009-07-01 22:00 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-05-29 00:25 . 2009-07-01 22:00 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-05-29 00:25 . 2009-07-01 22:00 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-05-25 23:41 . 2009-02-15 05:19 -------- d-----w- c:\documents and settings\R O Warburg\Application Data\Move Networks
2009-05-21 15:33 . 2009-01-13 17:59 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 05:15 . 2008-04-25 16:16 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2008-04-25 16:16 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:55 . 2009-04-29 04:55 78336 ------w- c:\windows\system32\ieencode.dll
2009-04-24 16:19 . 2009-04-24 16:19 34062 ----a-w- c:\documents and settings\R O Warburg\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-24 16:19 . 2009-04-24 16:19 1047072 ----a-w- c:\documents and settings\R O Warburg\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe
2009-04-17 10:50 . 2008-04-25 16:16 1847808 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-25 16:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-03 19:11 . 2009-07-03 19:11 16384 c:\windows\Temp\Perflib_Perfdata_3f0.dat
+ 2009-07-03 18:36 . 2007-02-13 22:20 15664 c:\windows\system32\DRVSTORE\gearaspiwd_62291E06449DEB0DBD570526DBFAB451EF5C01F2\x86\GEARAspiWDM.sys
+ 2009-07-01 22:02 . 2009-07-03 19:26 360224 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-07-03 18:36 . 2007-02-13 22:33 131944 c:\windows\system32\DRVSTORE\Symsnap_EEBF84E42DE31BAE624AE041908405959C64D078\Win32\symsnap.sys
+ 2009-07-03 18:36 . 2007-02-13 22:20 109360 c:\windows\system32\DRVSTORE\gearaspiwd_62291E06449DEB0DBD570526DBFAB451EF5C01F2\x86\GEARAspi.dll
+ 2009-07-03 18:34 . 2006-10-31 14:32 466944 c:\windows\system32\capicom.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-17 16132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-07 03:16 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-03 15:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-07-03 15:29
ComboFix-quarantined-files.txt 2009-07-03 19:29
ComboFix2.txt 2009-07-03 16:19

Pre-Run: 308,813,750,272 bytes free
Post-Run: 308,850,679,808 bytes free

177 --- E O F --- 2009-01-13 15:38

Please note that the MalwareBytes log shows that it removed the above items before this run of ComboFix.

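solr asked earlier where in the ComboFix log the removals can be seen. The log above is the answer: the "Other Deletions" section lists what this run removed, "Files Created" and "Find3M Report" list recent file activity, and "Reg Loading Points" lists autostart entries. As an added example, not ComboFix's code and not part of this thread, the parser below splits a ComboFix log on its parenthesised section headers, reads those sections, and searches every section for the indicators named in this thread. The sample log is constructed from lines in this thread; its firewall and svchost lines are an assumed approximation of the real format, included so the indicator search has something to match.

```python
"""Split a ComboFix log into sections and pull out what was deleted.

Added example, not ComboFix's code. Section headers are a title wrapped
in runs of parentheses; "Files Created" lines carry two timestamps, a
size (dashes for directories), an attribute string and a path. The
sample log is constructed from the thread; the firewall and svchost
lines are approximations (assumption) added for the indicator check.
"""
import re

SAMPLE_LOG = r"""ComboFix 09-07-02.03 - R O Warburg 07/03/2009 15:27.2 - NTFSx86
Command switches used :: c:\documents and settings\All Users\Documents\ZoneAlarm Install\CFScript.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\31696.msp
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\patchw32.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 19:09 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-01 20:51 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 20:51 . 2009-07-01 20:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:*:Enabled:drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
"""

HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+)$"
)
# Strings taken from what the thread identified as the infection.
INDICATORS = [r"\program files\drv", "drv.dll", "drv.sys", "8085:TCP", "drvdrv"]


def split_sections(log_text):
    """Map each section title to its non-empty lines; "." separator lines are dropped."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def created_files(section_lines):
    """Parse "Files Created" entries into dicts; size is None for directories."""
    entries = []
    for line in section_lines:
        m = CREATED_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append({
                "created": created, "modified": modified,
                "size": None if size.startswith("-") else int(size),
                "attrs": attrs, "path": path, "is_dir": attrs.startswith("d"),
            })
    return entries


def registry_values(section_lines):
    """Pair every value line of a REGEDIT4-style section with the [key] above it."""
    pairs, key = [], None
    for line in section_lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            pairs.append((key, line))
    return pairs


def find_indicators(sections, indicators=INDICATORS):
    """Case-insensitive substring search of every section for the indicator list."""
    hits = []
    for title, lines in sections.items():
        for line in lines:
            low = line.lower()
            hits.extend((title, ind, line) for ind in indicators if ind.lower() in low)
    return hits


if __name__ == "__main__":
    secs = split_sections(SAMPLE_LOG)
    print("Deleted by this run:", *secs["Other Deletions"], sep="\n  ")
    for title, ind, line in find_indicators(secs):
        print(f"[{title}] {ind}: {line}")
```

On the constructed sample the only indicator hit is the 8085:TCP firewall exception under "Reg Loading Points", which matches the thread: MalwareBytes had already taken the drv folder, so what the CFScript still had to clean was the registry side. The svchost group is found by key rather than by substring, since a bare "drv" would also match every legitimate driver path.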

Post by Belahzur on 3rd July 2009, 7:38 pm

Hello.
Go inside this folder:

c:\windows\Internet Logs

Delete everything inside the folder, but do not delete the folder itself.

Click Start > Run, copy/paste the following text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


Post by solr on 3rd July 2009, 8:23 pm

Some of the files in Internet Logs belong to Zone Alarm and are locked.

Machine seems to be running fine. I have been browsing around and not getting redirected.

ComboFix updated itself on the last run.

May I ask, where can I learn how to use ComboFix and the other tools?

BTW, I donated $10 to GeekPolice.

Thanks!

Post by Belahzur on 3rd July 2009, 8:40 pm

Hello.

These files, c:\windows\Internet Logs\xD***.tmp, are created by Zone Alarm.
To stop the creation of these files, do the following:

Open ZoneAlarm control.
Select Alerts and Logs on the left Pane.
Set Event Logging to Off.
Close ZoneAlarm control.

There are many online schools where they will teach you this stuff for free if you are serious about learning it. It can take a while to get your head around it if you're not at a decent stage of computing already, though.


Post by solr on 3rd July 2009, 8:51 pm

I am fairly expert in Windows and the Registry, and know how to recover the Registry from the System Restore points when System Restore doesn't work. That works on XP, but Vista does not appear to allow you to do the same thing.

So I image all my drives using Norton Save and Restore or Acronis True Image.

I used to do C++ development, but gave up on that about 8 years ago.

What are the sites where I can learn to use these malware removal tools?

Post by Belahzur on 3rd July 2009, 9:08 pm

As I said, there are many.
Two links of schools I recommend are:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


Post by solr on 3rd July 2009, 9:44 pm

Thanks,

Have a great weekend.
