Malware-Search Engine Hijacked


Malware-Search Engine Hijacked

Post by bigbadjonv on Tue Feb 23, 2010 11:05 pm

I have some type of malware. It hijacks my search engine results as well. I've run Malwarebytes normally, as well as in safe mode, and it stays in there. It hasn't revealed the name of which one it is yet. Here is my HiJackThis log. Also, when I open files, it asks me to "Choose the program you want to use to open this file." even when it's on just Internet Explorer.

Also I'm using Windows XP on a Dell Laptop Inspiron 6000.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:50 PM, on 2/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jonathan\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Jonathan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Jonathan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8826 bytes


Re: Malware-Search Engine Hijacked

Post by Dr Jay on Wed Feb 24, 2010 9:31 am

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)




Re: Malware-Search Engine Hijacked

Post by bigbadjonv on Thu Feb 25, 2010 9:13 pm

Sorry it took me so long.

ComboFix 10-02-25.02 - Jonathan 02/25/2010 19:16:30.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1575 [GMT -6:00]
Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: My Security Wall *On-access scanning enabled* (Updated) {2D48B3B0-D7DC-478D-B4A0-39CAE0940152}
FW: My Security Wall *enabled* {3FB756FB-C58A-4581-80E3-0271AADAB3E4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\srchasst\nls302en.lex
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-04-17 15:35 . 2010-04-17 15:36 -------- d-----w- c:\documents and settings\Jonathan\Application Data\HpUpdate
2010-04-17 15:35 . 2010-04-17 15:35 -------- d-----w- c:\windows\Hewlett-Packard
2010-02-23 04:48 . 2010-02-23 04:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-02-23 04:47 . 2010-02-23 04:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-23 04:35 . 2010-02-24 13:18 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-23 04:35 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-23 04:35 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-02-23 04:35 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-02-23 04:35 . 2010-02-23 04:35 -------- d-----w- c:\program files\Avira
2010-02-23 04:35 . 2010-02-23 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-13 03:48 . 2010-02-13 03:48 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSPLEIW
2010-02-13 03:48 . 2010-01-12 01:59 457688 ----a-w- c:\documents and settings\All Users\Application Data\3928403\sqlite3.dll
2010-02-13 03:48 . 2010-01-12 01:59 722392 ----a-w- c:\documents and settings\All Users\Application Data\3928403\mozcrt19.dll
2010-02-13 03:47 . 2010-02-13 03:48 -------- d-sh--w- c:\documents and settings\All Users\Application Data\3928403
2010-02-04 23:46 . 2010-02-26 02:02 792064 ----a-w- c:\windows\system32\drivers\vyszjlud.sys
2010-02-04 17:40 . 2010-02-04 17:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-04 05:43 . 2010-02-04 05:43 52224 ----a-w- c:\documents and settings\Jonathan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-04 05:41 . 2008-04-13 19:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-02-04 05:41 . 2008-04-13 19:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-02-04 05:37 . 2010-02-04 06:02 0 ----a-w- c:\windows\Lzuvewip.bin
2010-02-04 05:37 . 2010-02-04 05:37 120 ----a-w- c:\windows\Yhirehokofatahix.dat
2010-02-04 05:36 . 2010-02-04 05:37 -------- d-----w- c:\documents and settings\Jonathan\Local Settings\Application Data\{FA6635AF-DB37-4F40-A7A7-367C55DC0FA1}
2010-02-04 05:34 . 2008-04-13 19:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-02-04 05:34 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-04 05:33 . 2010-02-04 23:46 116 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2010-02-02 04:30 . 2010-02-14 23:37 -------- d-----w- c:\program files\Battle for Wesnoth 1.6.5
2010-01-31 23:55 . 2010-01-31 23:55 50354 ----a-w- c:\documents and settings\Jonathan\Application Data\Facebook\uninstall.exe
2010-01-31 23:55 . 2010-01-31 23:55 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Facebook
2010-01-27 03:21 . 2010-01-27 03:21 847040 ----a-w- c:\documents and settings\Jonathan\Application Data\Facebook\axfbootloader.dll
2010-01-27 03:20 . 2010-01-27 03:20 5578752 ----a-w- c:\documents and settings\Jonathan\Application Data\Facebook\npfbplugin_1_0_1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 15:40 . 2008-11-12 00:20 141199 ----a-w- c:\windows\hpoins14.dat
2010-02-26 00:59 . 2009-08-05 03:03 117760 ----a-w- c:\documents and settings\Jonathan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-23 18:01 . 2009-05-14 23:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 18:00 . 2009-08-04 23:07 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-23 04:47 . 2008-11-24 02:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-23 03:15 . 2008-11-05 04:34 -------- d-----w- c:\program files\DivX
2010-02-21 03:06 . 2009-08-05 03:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-17 00:33 . 2008-11-06 04:23 -------- d-----w- c:\program files\UltimateBet
2010-02-14 22:48 . 2009-07-02 23:20 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-11 13:34 . 2008-11-07 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-04 17:41 . 2009-08-16 14:54 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-04 06:04 . 2008-11-04 02:57 -------- d-----w- c:\documents and settings\Jonathan\Application Data\DNA
2010-02-04 06:02 . 2008-11-04 02:57 -------- d-----w- c:\program files\DNA
2010-02-04 05:42 . 2009-09-20 18:20 -------- d-----w- c:\program files\PokerStars
2010-02-04 05:33 . 2010-02-04 05:33 24 ----a-w- c:\documents and settings\LocalService\Application Data\anvkgp.dat
2010-01-23 02:15 . 2009-12-30 00:03 -------- d-----w- c:\program files\TableNinjaFT
2010-01-19 16:16 . 2009-07-30 16:59 69232 ----a-w- c:\documents and settings\April\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 02:04 . 2009-11-02 04:44 144160 ----a-w- c:\documents and settings\Jonathan\Application Data\Move Networks\uninstall.exe
2010-01-12 02:04 . 2008-11-06 15:11 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Move Networks
2010-01-12 02:04 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Jonathan\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-01-12 02:04 . 2010-01-12 02:02 1436320 ----a-w- c:\documents and settings\Jonathan\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2010-01-07 22:07 . 2009-05-14 23:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-05-14 23:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 17:30 . 2008-11-14 02:36 -------- d-----w- c:\program files\Cake Poker
2010-01-02 01:24 . 2010-01-02 01:24 13094 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{5E5364A0-646F-4F63-ABFD-F752C8A61507}\_F2EA64330B7DD641F4B54A.exe
2010-01-02 01:24 . 2010-01-02 01:24 13094 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{5E5364A0-646F-4F63-ABFD-F752C8A61507}\_4EB00CB163E57CFF5E56F5.exe
2009-12-31 16:50 . 2009-08-04 23:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 02:29 . 2009-12-30 02:29 -------- d-----w- c:\program files\PostgreSQL
2009-12-30 02:06 . 2009-12-30 02:06 -------- d-----w- c:\program files\PokerTracker 3
2009-12-30 00:01 . 2008-11-04 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-12-28 01:25 . 2009-07-06 03:07 8192 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe
2009-12-21 19:14 . 2009-08-04 23:01 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-08-04 23:02 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-08-04 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\Jonathan\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-08 19:27 . 2009-08-04 23:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2009-08-04 23:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2009-08-04 23:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-21 2012912]
"Google Update"="c:\documents and settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-18 135664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\April\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-01 01:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonathan^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Jonathan\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonathan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jonathan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonathan^Start Menu^Programs^Startup^wwwpos32.exe]
path=c:\documents and settings\Jonathan\Start Menu\Programs\Startup\wwwpos32.exe
backup=c:\windows\pss\wwwpos32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 03:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 01:48 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-06-29 18:13 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-18 23:45 135664 ----atw- c:\documents and settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-02-21 17:17 970752 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-02-21 17:19 819200 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 21:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 08:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 02:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-07-16 18:20 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 10:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-12-09 10:12 234856 ----a-w- c:\program files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/16/2009 6:48 PM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 3:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/22/2010 10:35 PM 108289]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [4/16/2009 7:25 PM 54752]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 3:03 AM 65536]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 12872]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]

--- Other Services/Drivers In Memory ---

*Deregistered* - vyszjlud

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-436374069-725345543-1004Core.job
- c:\documents and settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-18 23:45]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-436374069-725345543-1004UA.job
- c:\documents and settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-18 23:45]

2010-02-23 c:\windows\Tasks\Install_NSS.job
- c:\program files\DivX\Symantec\scstubinstaller.exe [2009-11-14 00:49]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Jonathan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
FF - ProfilePath - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\3pzdtdbe.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Jonathan\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Jonathan\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Jonathan\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {FA6635AF-DB37-4F40-A7A7-367C55DC0FA1} - c:\documents and settings\Jonathan\Local Settings\Application Data\{FA6635AF-DB37-4F40-A7A7-367C55DC0FA1}
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-smss32 - c:\windows\system32\smss32.exe
MSConfigStartUp-Vhitumuhifopawuq - c:\windows\ivosuqikuwaf.dll
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-25 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vyszjlud]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(680)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2010-02-25 20:11:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 02:11
ComboFix2.txt 2009-08-20 00:36

Pre-Run: 27,303,018,496 bytes free
Post-Run: 27,630,284,800 bytes free

Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 09016D73E70BDC946998B204825EBECF


Re: Malware-Search Engine Hijacked

Post by Dr Jay on Fri Feb 26, 2010 12:07 am

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Dr. Jay (DJ)



Re: Malware-Search Engine Hijacked

Post by bigbadjonv on Fri Feb 26, 2010 7:17 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=97b8a7b7259a9d4990f2e4f6e589f2d3
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-26 08:13:32
# local_time=2010-02-26 02:13:32 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 94 0 38922551 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=87129
# found=3
# cleaned=3
# scan_time=3978
C:\Documents and Settings\Jonathan\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HoldemManager.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.UI trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\fjhdyfhsn.bat BAT/Agent.NFC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Re: Malware-Search Engine Hijacked

Post by Dr Jay on Sat Feb 27, 2010 10:20 am

Please open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.


Dr. Jay (DJ)



Re: Malware-Search Engine Hijacked

Post by bigbadjonv on Sat Feb 27, 2010 8:53 pm

Malwarebytes' Anti-Malware 1.44
Database version: 3805
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/27/2010 7:53:36 PM
mbam-log-2010-02-27 (19-53-36).txt

Scan type: Quick Scan
Objects scanned: 154104
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\vyszjlud.sys (HackTool.Agent) -> Delete on reboot.


Re: Malware-Search Engine Hijacked

Post by Dr Jay on Sat Feb 27, 2010 11:27 pm

Please download RootRepeal.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe.
  • Click Settings > Options. Drag the slider to High Level. Then, click the Red X.
  • Go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).


Dr. Jay (DJ)



Re: Malware-Search Engine Hijacked

Post by bigbadjonv on Sun Feb 28, 2010 6:37 pm

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/28 17:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0493000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE24000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xACEDC000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\vyszjlud.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "" at address 0xbafe44be

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0xbafe44b4

#: 063 Function Name: NtDeleteKey
Status: Hooked by "" at address 0xbafe44c3

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "" at address 0xbafe44cd

#: 098 Function Name: NtLoadKey
Status: Hooked by "" at address 0xbafe44d2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "" at address 0xbafe44a0

#: 128 Function Name: NtOpenThread
Status: Hooked by "" at address 0xbafe44a5

#: 193 Function Name: NtReplaceKey
Status: Hooked by "" at address 0xbafe44dc

#: 204 Function Name: NtRestoreKey
Status: Hooked by "" at address 0xbafe44d7

#: 247 Function Name: NtSetValueKey
Status: Hooked by "" at address 0xbafe44c8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb065a320

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a70f150 Size: 493

Hidden Services
-------------------
Service Name: vyszjlud
Image Path: C:\WINDOWS\system32\drivers\vyszjlud.sys

==EOF==


Re: Malware-Search Engine Hijacked

Post by Dr Jay on Sun Feb 28, 2010 11:15 pm

Double-click on RootRepeal.exe and click the Hidden Services tab.

Click Scan and allow it to scan. Then look for the entry that contains this string: C:\WINDOWS\system32\drivers\vyszjlud.sys or vyszjlud

Right-click the result, then click Force Delete.

Then, click the Files tab.

Click Scan and allow it to scan. Then look for the entry that contains this string: C:\WINDOWS\system32\drivers\vyszjlud.sys

Right-click the result, then click Force Delete.

====

Then, following the instructions above, please post a new RootRepeal log.


Dr. Jay (DJ)



Re: Malware-Search Engine Hijacked

Post by bigbadjonv on Mon Mar 01, 2010 2:11 pm

It says "Could not force-delete file! Error code 0xc0000001" when trying to do a force delete.


Re: Malware-Search Engine Hijacked

Post by Dr Jay on Mon Mar 01, 2010 11:47 pm

Which one...Services or Files?


Dr. Jay (DJ)



Re: Malware-Search Engine Hijacked

Post by bigbadjonv on Tue Mar 02, 2010 9:00 am

Both


Re: Malware-Search Engine Hijacked

Post by Dr Jay on Tue Mar 02, 2010 4:09 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\WINDOWS\system32\drivers\vyszjlud.sys

    NetSvc::
    vyszjlud

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vyszjlud]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)



Re: Malware-Search Engine Hijacked

Post by bigbadjonv on Tue Mar 02, 2010 7:40 pm

ComboFix 10-03-02.02 - Jonathan 03/02/2010 18:18:20.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1546 [GMT -6:00]
Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jonathan\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\drivers\vyszjlud.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\vyszjlud.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_vyszjlud
-------\Service_vyszjlud


((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-04-17 15:35 . 2010-04-17 15:36 -------- d-----w- c:\documents and settings\Jonathan\Application Data\HpUpdate
2010-04-17 15:35 . 2010-04-17 15:35 -------- d-----w- c:\windows\Hewlett-Packard
2010-02-28 23:10 . 2010-02-28 23:10 -------- d-----w- c:\program files\ImageShack Uploader
2010-02-26 18:52 . 2010-02-26 18:52 -------- d-----w- c:\program files\ESET
2010-02-23 04:48 . 2010-02-23 04:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-02-23 04:47 . 2010-02-23 04:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-23 04:35 . 2010-02-24 13:18 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-23 04:35 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-23 04:35 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-02-23 04:35 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-02-23 04:35 . 2010-02-23 04:35 -------- d-----w- c:\program files\Avira
2010-02-23 04:35 . 2010-02-23 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-13 03:48 . 2010-02-13 03:48 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSPLEIW
2010-02-13 03:48 . 2010-01-12 01:59 457688 ----a-w- c:\documents and settings\All Users\Application Data\3928403\sqlite3.dll
2010-02-13 03:48 . 2010-01-12 01:59 722392 ----a-w- c:\documents and settings\All Users\Application Data\3928403\mozcrt19.dll
2010-02-13 03:47 . 2010-02-13 03:48 -------- d-sh--w- c:\documents and settings\All Users\Application Data\3928403
2010-02-04 17:40 . 2010-02-04 17:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-04 05:43 . 2010-02-04 05:43 52224 ----a-w- c:\documents and settings\Jonathan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-04 05:41 . 2008-04-13 19:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-02-04 05:41 . 2008-04-13 19:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-02-04 05:37 . 2010-02-04 06:02 0 ----a-w- c:\windows\Lzuvewip.bin
2010-02-04 05:37 . 2010-02-04 05:37 120 ----a-w- c:\windows\Yhirehokofatahix.dat
2010-02-04 05:36 . 2010-02-04 05:37 -------- d-----w- c:\documents and settings\Jonathan\Local Settings\Application Data\{FA6635AF-DB37-4F40-A7A7-367C55DC0FA1}
2010-02-04 05:34 . 2008-04-13 19:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-02-04 05:34 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-02 04:30 . 2010-02-14 23:37 -------- d-----w- c:\program files\Battle for Wesnoth 1.6.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 15:40 . 2008-11-12 00:20 141199 ----a-w- c:\windows\hpoins14.dat
2010-03-02 23:23 . 2009-08-05 03:03 117760 ----a-w- c:\documents and settings\Jonathan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-02 15:52 . 2009-07-06 03:07 8192 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe
2010-02-28 23:26 . 2008-11-04 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-02-23 18:01 . 2009-05-14 23:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 18:00 . 2009-08-04 23:07 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-23 04:47 . 2008-11-24 02:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-23 03:15 . 2008-11-05 04:34 -------- d-----w- c:\program files\DivX
2010-02-21 03:06 . 2009-08-05 03:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-17 00:33 . 2008-11-06 04:23 -------- d-----w- c:\program files\UltimateBet
2010-02-14 22:48 . 2009-07-02 23:20 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-11 13:34 . 2008-11-07 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-04 17:41 . 2009-08-16 14:54 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-04 06:04 . 2008-11-04 02:57 -------- d-----w- c:\documents and settings\Jonathan\Application Data\DNA
2010-02-04 06:02 . 2008-11-04 02:57 -------- d-----w- c:\program files\DNA
2010-02-04 05:42 . 2009-09-20 18:20 -------- d-----w- c:\program files\PokerStars
2010-02-04 05:33 . 2010-02-04 05:33 24 ----a-w- c:\documents and settings\LocalService\Application Data\anvkgp.dat
2010-01-31 23:55 . 2010-01-31 23:55 50354 ----a-w- c:\documents and settings\Jonathan\Application Data\Facebook\uninstall.exe
2010-01-31 23:55 . 2010-01-31 23:55 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Facebook
2010-01-27 03:21 . 2010-01-27 03:21 847040 ----a-w- c:\documents and settings\Jonathan\Application Data\Facebook\axfbootloader.dll
2010-01-27 03:20 . 2010-01-27 03:20 5578752 ----a-w- c:\documents and settings\Jonathan\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-23 02:15 . 2009-12-30 00:03 -------- d-----w- c:\program files\TableNinjaFT
2010-01-19 16:16 . 2009-07-30 16:59 69232 ----a-w- c:\documents and settings\April\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 02:04 . 2009-11-02 04:44 144160 ----a-w- c:\documents and settings\Jonathan\Application Data\Move Networks\uninstall.exe
2010-01-12 02:04 . 2008-11-06 15:11 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Move Networks
2010-01-12 02:04 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Jonathan\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-01-12 02:04 . 2010-01-12 02:02 1436320 ----a-w- c:\documents and settings\Jonathan\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2010-01-07 22:07 . 2009-05-14 23:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-05-14 23:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 17:30 . 2008-11-14 02:36 -------- d-----w- c:\program files\Cake Poker
2010-01-02 01:24 . 2010-01-02 01:24 13094 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{5E5364A0-646F-4F63-ABFD-F752C8A61507}\_F2EA64330B7DD641F4B54A.exe
2010-01-02 01:24 . 2010-01-02 01:24 13094 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{5E5364A0-646F-4F63-ABFD-F752C8A61507}\_4EB00CB163E57CFF5E56F5.exe
2009-12-31 16:50 . 2009-08-04 23:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2009-08-04 23:01 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-08-04 23:02 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-08-04 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\Jonathan\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-08 19:27 . 2009-08-04 23:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2009-08-04 23:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2009-08-04 23:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-21 2012912]
"Google Update"="c:\documents and settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-18 135664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\April\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Jonathan\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-4 495432]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-01 01:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonathan^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Jonathan\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonathan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jonathan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonathan^Start Menu^Programs^Startup^wwwpos32.exe]
path=c:\documents and settings\Jonathan\Start Menu\Programs\Startup\wwwpos32.exe
backup=c:\windows\pss\wwwpos32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 03:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 01:48 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-06-29 18:13 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-18 23:45 135664 ----atw- c:\documents and settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-02-21 17:17 970752 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-02-21 17:19 819200 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 21:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 08:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 02:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-07-16 18:20 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 10:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-12-09 10:12 234856 ----a-w- c:\program files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
ati2nwxp REG_SZ c:\windows\system32\napstupn.dll
2446smgr REG_SZ c:\windows\system32\memeset.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/16/2009 6:48 PM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 3:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/22/2010 10:35 PM 108289]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [4/16/2009 7:25 PM 54752]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 3:03 AM 65536]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 12872]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-436374069-725345543-1004Core.job
- c:\documents and settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-18 23:45]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-436374069-725345543-1004UA.job
- c:\documents and settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-18 23:45]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Jonathan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
FF - ProfilePath - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\3pzdtdbe.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Jonathan\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Jonathan\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Jonathan\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Jonathan\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {FA6635AF-DB37-4F40-A7A7-367C55DC0FA1} - c:\documents and settings\Jonathan\Local Settings\Application Data\{FA6635AF-DB37-4F40-A7A7-367C55DC0FA1}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-02 18:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1808)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2010-03-02 18:39:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-03 00:39
ComboFix2.txt 2010-02-26 02:11
ComboFix3.txt 2009-08-20 00:36

Pre-Run: 27,051,675,648 bytes free
Post-Run: 27,174,031,360 bytes free

Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - E5281DAAC921F564BF79AF40FC2B2DE6


Re: Malware-Search Engine Hijacked

Post by Dr Jay on Wed Mar 03, 2010 12:17 am


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


  Dr. Jay (DJ)



    Re: Malware-Search Engine Hijacked

    Post by bigbadjonv on Wed Mar 03, 2010 8:34 pm

    Running from: C:\Documents and Settings\Jonathan\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\Jonathan\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...





    Finished!




    --------------------------------------------------
    (From me: That's really all it says in the logfile)


    Re: Malware-Search Engine Hijacked

    Post by Dr Jay on Wed Mar 03, 2010 9:43 pm

    Please post a new HijackThis log.


    Dr. Jay (DJ)



    Re: Malware-Search Engine Hijacked

    Post by bigbadjonv on Thu Mar 04, 2010 1:27 pm

    This may be pertinent, and I forgot to tell you earlier, but one time when I was doing one of the steps you said to do, a message came up saying that a virus blocker "My Security Wall" could make the scan not work properly.

    Here's the new HiJack This Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:25:58 PM, on 3/4/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Southwest Airlines\Ding\Ding.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Jonathan\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
    O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
    O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Jonathan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
    O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Jonathan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - [You must be registered and logged in to see this link.]
    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - [You must be registered and logged in to see this link.]
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9018 bytes
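The HijackThis log above is what a search-hijack review starts from: the R0/R1 lines hold the Internet Explorer start and search pages, R3 the URLSearchHook, O2/O3 the BHOs and toolbars that load inside the browser, O4 the autoruns and O20 the Winlogon Notify DLLs. As an added example, not part of this thread and not HijackThis's own code, here is a small Python triage helper that parses lines in that format, groups the hijack-relevant sections and attaches review hints. The sample log is constructed after the format shown above (the URLs are placeholders because the forum redacted them, and the "(no name)" BHO in a Temp folder is invented to exercise the hints); `parse_hjt`, `review_hints` and `triage` are the example's own names.

```python
"""
Triage helper for HijackThis 2.0.x log lines.

Added example; it is not part of the thread and not HijackThis code. It pulls
out the entry types a search-hijack review reads first (R0/R1 start and search
pages, R3 URLSearchHook, O2 BHOs, O3 toolbars, O4 autoruns, O20 Winlogon
Notify) and attaches review hints. SAMPLE_LOG is constructed after the log
format in the thread; URLs are placeholders and the "(no name)" BHO line is
invented to exercise the hints.
"""
import re

# Every HijackThis entry starts with a section code: "R0 - ...", "O23 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sections that decide where the browser goes and what runs inside it.
HIJACK_CODES = {"R0", "R1", "R3", "O2", "O3", "O4", "O20"}

# Constructed sample in the thread's log format (not a real machine's log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://example.invalid/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\Documents and Settings\Jonathan\Local Settings\Temp\abc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def parse_hjt(text):
    """Return one dict per HijackThis entry; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes" list, blank line
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "body": body, "key": None, "value": None,
                 "clsid": None, "path": None}
        if code in ("R0", "R1"):
            # Registry setting: "<hive\key>,<value name> = <data>"
            key, _, value = body.partition(" = ")
            entry["key"], entry["value"] = key.strip(), value.strip()
        else:
            cm = CLSID_RE.search(body)
            entry["clsid"] = cm.group(0) if cm else None
            if code == "O4" and "] " in body:
                # Run-key entry: "<hive>\..\Run: [<name>] <command line>"
                entry["path"] = body.split("] ", 1)[1].strip()
            else:
                # Other O-sections end with " - <module path>"
                entry["path"] = body.rsplit(" - ", 1)[-1].strip()
        entries.append(entry)
    return entries


def review_hints(entry):
    """Heuristic hints for a reviewer; a hint is a reason to look, not a verdict."""
    hints = []
    path = (entry["path"] or "").lower()
    if entry["code"] in ("O2", "O3") and "(no name)" in entry["body"]:
        hints.append("BHO/toolbar registered without a display name")
    if "\\temp\\" in path:
        hints.append("module loads from a Temp directory")
    if entry["code"] in ("R0", "R1") and entry["key"] and "Search" in entry["key"]:
        hints.append("search URL setting; confirm it matches the expected provider")
    return hints


def triage(text):
    """Group hijack-relevant entries by section and list those with hints."""
    entries = parse_hjt(text)
    by_code, flagged = {}, []
    for e in entries:
        if e["code"] not in HIJACK_CODES:
            continue
        by_code.setdefault(e["code"], []).append(e)
        hints = review_hints(e)
        if hints:
            flagged.append({"entry": e, "hints": hints})
    return {"entries": entries, "by_code": by_code, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, items in sorted(result["by_code"].items()):
        print(f"{code}: {len(items)} entries")
    for f in result["flagged"]:
        print(f"[{f['entry']['code']}] {f['entry']['body']}")
        for h in f["hints"]:
            print("   ->", h)
```

The hints are reasons to look, not verdicts: a "(no name)" entry also appears on legitimate items (the xpnetdiag O9 button in the log above), and the start and search URLs only mean something once compared with what the user expects them to be.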


    Re: Malware-Search Engine Hijacked

    Post by Dr Jay on Thu Mar 04, 2010 3:30 pm

    Please go to [You must be registered and logged in to see this link.], agree to the Terms, and download Threat Expert Memory Scanner.
    • Install the program.
    • Then, run the program. Click the Start button on the main screen.
    • It will search for threats, and finish in 5-10 minutes.
    • When done, press the View Report button.
    • It will launch a web page with results. Please copy those results, and paste it in to your next reply.


    Dr. Jay (DJ)



    Re: Malware-Search Engine Hijacked

    Post by bigbadjonv on Thu Mar 04, 2010 7:27 pm

    Scan details:
    Scan started: Thursday, March 04, 2010 18:18:26
    Scan time: 02 minutes, 31 seconds
    Number of memory objects scanned: 5403
    processes: 45
    modules: 1936
    heap pages: 3422
    Number of suspicious memory objects detected: 0
    Number of malicious memory objects detected: 0
    Overall Risk Level: Safe
    Summary of the detected threat characteristics:
    No suspicious characteristics detected.
    Summary of the detected memory objects:
    No suspicious memory objects detected.


    Re: Malware-Search Engine Hijacked

    Post by Dr Jay on Fri Mar 05, 2010 10:13 am

    Lol...that scan was not supposed to be clean. But it was. I think we got TDSS on our hands here.

    Download this [You must be registered and logged in to see this link.] & extract TDSSKiller.exe onto your Desktop

    Then create this batch file to be placed next to TDSSKiller

    =====

    Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
    Code:
    @ECHO OFF
    REM Run TDSSKiller from the same folder and wait for it to finish;
    REM -l writes the log to Logit.txt and -v gives verbose output
    START /WAIT TDSSKILLER.exe -l Logit.txt -v
    REM Open the log in the default text viewer, then delete this batch file
    START Logit.txt
    del %0
    Save this as fix.bat. Choose "Save type as - All Files".
    It should look like this:
    Double click on fix.bat & allow it to run

    Post back to tell me what it says


    Dr. Jay (DJ)



    Re: Malware-Search Engine Hijacked

    Post by bigbadjonv on Fri Mar 05, 2010 1:47 pm

    12:46:39:281 2216 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
    12:46:39:281 2216 ================================================================================
    12:46:39:281 2216 SystemInfo:

    12:46:39:281 2216 OS Version: 5.1.2600 ServicePack: 3.0
    12:46:39:281 2216 Product type: Workstation
    12:46:39:281 2216 ComputerName: VANHORN-D2264E6
    12:46:39:281 2216 UserName: Jonathan
    12:46:39:281 2216 Windows directory: C:\WINDOWS
    12:46:39:281 2216 Processor architecture: Intel x86
    12:46:39:281 2216 Number of processors: 1
    12:46:39:281 2216 Page size: 0x1000
    12:46:39:281 2216 Boot type: Normal boot
    12:46:39:281 2216 ================================================================================
    12:46:39:281 2216 UnloadDriverW: NtUnloadDriver error 2
    12:46:39:281 2216 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    12:46:39:343 2216 Initialize success
    12:46:39:343 2216
    12:46:39:343 2216 Scanning Services ...
    12:46:39:343 2216 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    12:46:39:343 2216 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    12:46:39:343 2216 wfopen_ex: Trying to KLMD file open
    12:46:39:343 2216 wfopen_ex: File opened ok (Flags 2)
    12:46:39:343 2216 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    12:46:39:343 2216 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    12:46:39:343 2216 wfopen_ex: Trying to KLMD file open
    12:46:39:343 2216 wfopen_ex: File opened ok (Flags 2)
    12:46:39:875 2216 GetAdvancedServicesInfo: Raw services enum returned 353 services
    12:46:39:875 2216 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    12:46:39:875 2216 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    12:46:39:875 2216
    12:46:39:875 2216 Scanning Kernel memory ...
    12:46:39:875 2216 Devices to scan: 2
    12:46:39:875 2216
    12:46:39:875 2216 Driver Name: Disk
    12:46:39:875 2216 IRP_MJ_CREATE : BA90EBB0
    12:46:39:875 2216 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    12:46:39:875 2216 IRP_MJ_CLOSE : BA90EBB0
    12:46:39:875 2216 IRP_MJ_READ : BA908D1F
    12:46:39:875 2216 IRP_MJ_WRITE : BA908D1F
    12:46:39:875 2216 IRP_MJ_QUERY_INFORMATION : 804F355A
    12:46:39:875 2216 IRP_MJ_SET_INFORMATION : 804F355A
    12:46:39:875 2216 IRP_MJ_QUERY_EA : 804F355A
    12:46:39:875 2216 IRP_MJ_SET_EA : 804F355A
    12:46:39:875 2216 IRP_MJ_FLUSH_BUFFERS : BA9092E2
    12:46:39:875 2216 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    12:46:39:875 2216 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    12:46:39:875 2216 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    12:46:39:875 2216 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    12:46:39:875 2216 IRP_MJ_DEVICE_CONTROL : BA9093BB
    12:46:39:875 2216 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
    12:46:39:875 2216 IRP_MJ_SHUTDOWN : BA9092E2
    12:46:39:875 2216 IRP_MJ_LOCK_CONTROL : 804F355A
    12:46:39:875 2216 IRP_MJ_CLEANUP : 804F355A
    12:46:39:875 2216 IRP_MJ_CREATE_MAILSLOT : 804F355A
    12:46:39:875 2216 IRP_MJ_QUERY_SECURITY : 804F355A
    12:46:39:875 2216 IRP_MJ_SET_SECURITY : 804F355A
    12:46:39:875 2216 IRP_MJ_POWER : BA90AC82
    12:46:39:875 2216 IRP_MJ_SYSTEM_CONTROL : BA90F99E
    12:46:39:875 2216 IRP_MJ_DEVICE_CHANGE : 804F355A
    12:46:39:875 2216 IRP_MJ_QUERY_QUOTA : 804F355A
    12:46:39:875 2216 IRP_MJ_SET_QUOTA : 804F355A
    12:46:39:890 2216 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
    12:46:39:890 2216 sion
    12:46:39:890 2216 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    12:46:39:890 2216
    12:46:39:890 2216 Driver Name: atapi
    12:46:39:890 2216 IRP_MJ_CREATE : BA71D6F2
    12:46:39:890 2216 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    12:46:39:890 2216 IRP_MJ_CLOSE : BA71D6F2
    12:46:39:890 2216 IRP_MJ_READ : 804F355A
    12:46:39:890 2216 IRP_MJ_WRITE : 804F355A
    12:46:39:890 2216 IRP_MJ_QUERY_INFORMATION : 804F355A
    12:46:39:890 2216 IRP_MJ_SET_INFORMATION : 804F355A
    12:46:39:890 2216 IRP_MJ_QUERY_EA : 804F355A
    12:46:39:890 2216 IRP_MJ_SET_EA : 804F355A
    12:46:39:890 2216 IRP_MJ_FLUSH_BUFFERS : 804F355A
    12:46:39:890 2216 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    12:46:39:890 2216 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    12:46:39:890 2216 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    12:46:39:890 2216 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    12:46:39:890 2216 IRP_MJ_DEVICE_CONTROL : BA71D712
    12:46:39:906 2216 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA719852
    12:46:39:906 2216 IRP_MJ_SHUTDOWN : 804F355A
    12:46:39:906 2216 IRP_MJ_LOCK_CONTROL : 804F355A
    12:46:39:906 2216 IRP_MJ_CLEANUP : 804F355A
    12:46:39:906 2216 IRP_MJ_CREATE_MAILSLOT : 804F355A
    12:46:39:906 2216 IRP_MJ_QUERY_SECURITY : 804F355A
    12:46:39:906 2216 IRP_MJ_SET_SECURITY : 804F355A
    12:46:39:906 2216 IRP_MJ_POWER : BA71D73C
    12:46:39:906 2216 IRP_MJ_SYSTEM_CONTROL : BA724336
    12:46:39:906 2216 IRP_MJ_DEVICE_CHANGE : 804F355A
    12:46:39:906 2216 IRP_MJ_QUERY_QUOTA : 804F355A
    12:46:39:906 2216 IRP_MJ_SET_QUOTA : 804F355A
    12:46:39:906 2216 siohd: 0
    12:46:39:906 2216 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
    12:46:39:906 2216
    12:46:39:906 2216 Completed
    12:46:39:906 2216
    12:46:39:906 2216 Results:
    12:46:39:906 2216 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    12:46:39:906 2216 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    12:46:39:906 2216 File objects infected / cured / cured on reboot: 0 / 0 / 0
    12:46:39:906 2216
    12:46:39:906 2216 KLMD(ARK) unloaded successfully


    Re: Malware-Search Engine Hijacked

    Post by Dr Jay on Fri Mar 05, 2010 10:27 pm

    Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.
    • Double-click mbr.exe to start the program.
    • When done scanning, it will save a log on the Desktop called mbr.log.
    • Please post the contents of that log in your next reply.


    Dr. Jay (DJ)



    Re: Malware-Search Engine Hijacked

    Post by bigbadjonv on Sat Mar 06, 2010 9:55 pm

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK


    Re: Malware-Search Engine Hijacked

    Post by Dr Jay on Sat Mar 06, 2010 9:58 pm

    Now, how is your computer running? Still search engine hijacks?


    Dr. Jay (DJ)



    Re: Malware-Search Engine Hijacked

    Post by bigbadjonv on Sun Mar 07, 2010 8:16 pm

    Doesn't seem to be, but I'm not sure what fixed it.


    Re: Malware-Search Engine Hijacked

    Post by Dr Jay on Sun Mar 07, 2010 11:33 pm

    Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
    • Select Start > All Programs > Accessories > System tools > System Restore.
    • On the dialogue box that appears select Create a Restore Point
    • Click NEXT
    • Enter a name e.g. Clean
    • Click CREATE

    You now have a clean restore point, to get rid of the bad ones:
    • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
    • In the Drop down box that appears select your main drive e.g. C
    • Click OK
    • The System will do some calculation and then display a dialogue box with TABS
    • Select the More Options Tab.
    • At the bottom will be a system restore box with a CLEANUP button click this
    • Accept the Warning and select OK again, the program will close and you are done


    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download [You must be registered and logged in to see this link.] by OldTimer:

    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    ==

    Please download [You must be registered and logged in to see this link.] to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


    ==

    Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    Dr. Jay (DJ)

