Redirecting web pages

View previous topic View next topic Go down

Redirecting web pages

Post by Ctiizzlll on Tue 27 Jul 2010, 1:24 pm

Greetings all,

I have some malaware and I am sure some other stuff. I have followed directions for downloading and running Commy.exe and the log is below. Please let me know what else to do if anything.
Thanks

ComboFix 10-07-24.06 - Admin 07/26/2010 20:59:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.416 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\Commy.exe.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\inst.exe
c:\documents and settings\Admin\Local Settings\Application Data\{9B601FED-2673-407A-8444-1DFD03A5F6D6}
c:\documents and settings\Admin\Local Settings\Application Data\{9B601FED-2673-407A-8444-1DFD03A5F6D6}\chrome.manifest
c:\documents and settings\Admin\Local Settings\Application Data\{9B601FED-2673-407A-8444-1DFD03A5F6D6}\chrome\content\_cfg.js
c:\documents and settings\Admin\Local Settings\Application Data\{9B601FED-2673-407A-8444-1DFD03A5F6D6}\chrome\content\overlay.xul
c:\documents and settings\Admin\Local Settings\Application Data\{9B601FED-2673-407A-8444-1DFD03A5F6D6}\install.rdf
c:\windows\jestertb.dll
c:\windows\system32\systeminfo3.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-26 18:55 . 2010-07-26 18:55 -------- d-----w- c:\documents and settings\Admin\Application Data\ElevatedDiagnostics
2010-07-25 14:54 . 2010-07-25 14:54 -------- d-----w- c:\program files\Windows Defender
2010-07-25 04:19 . 2010-07-25 04:23 -------- d-----w- c:\documents and settings\Admin\Application Data\Media Player Classic
2010-07-25 04:18 . 2010-07-25 04:18 -------- d-----w- c:\program files\MPC HomeCinema
2010-07-25 03:05 . 2010-07-25 03:16 47360 ----a-w- c:\documents and settings\Admin\Application Data\pcouffin.sys
2010-07-25 03:05 . 2010-07-25 03:05 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-07-25 03:05 . 2010-07-25 03:16 -------- d-----w- c:\documents and settings\Admin\Application Data\Vso
2010-07-14 22:29 . 2010-07-14 22:29 -------- d-----w- c:\program files\Common Files\HP
2010-07-14 22:29 . 2010-07-14 22:29 -------- d-----w- c:\program files\Hewlett-Packard
2010-07-14 22:27 . 2007-01-17 08:37 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-07-14 22:27 . 2007-01-17 08:37 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-07-14 22:27 . 2007-11-06 18:10 271704 ----a-w- c:\windows\system32\hpzids01.dll
2010-07-14 22:27 . 2007-10-31 04:19 729088 ----a-w- c:\windows\system32\hpwwiax3.dll
2010-07-14 22:27 . 2007-10-31 04:19 970752 ----a-w- c:\windows\system32\hpwtiop3.dll
2010-07-14 22:27 . 2007-01-17 08:37 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2010-07-14 22:27 . 2007-01-17 08:37 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-07-14 22:27 . 2007-01-17 08:31 294912 ----a-w- c:\windows\system32\hpovst11.dll
2010-07-14 22:25 . 2010-07-14 22:32 179412 ----a-w- c:\windows\hpwins14.dat
2010-07-14 22:25 . 2008-06-09 11:02 1108 ----a-w- c:\windows\hpwmdl14.dat
2010-07-11 06:17 . 2010-07-11 06:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\WMTools Downloaded Files
2010-07-09 02:29 . 2010-07-09 02:29 -------- d-----w- C:\_OTL
2010-07-09 00:19 . 2010-07-09 00:19 -------- d-----w- c:\program files\Trend Micro
2010-07-08 17:12 . 2010-07-08 17:12 -------- d-----w- c:\windows\system32\Registry Patrol
2010-07-08 17:11 . 2010-07-08 17:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-07-08 16:21 . 2010-07-21 17:30 -------- d-----w- c:\program files\Registry Patrol
2010-07-06 00:33 . 2010-07-06 00:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-04 17:38 . 2010-07-08 17:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 03:42 . 2009-08-20 01:07 -------- d-----w- c:\program files\VideoLAN
2010-07-23 15:58 . 2009-10-26 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-23 08:12 . 2009-11-14 23:43 -------- d-----w- c:\program files\PokerStars
2010-07-14 20:25 . 2009-10-16 17:20 -------- d-----w- c:\documents and settings\Admin\Application Data\HpUpdate
2010-07-14 18:31 . 2009-08-19 02:49 69624 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-14 18:02 . 2009-09-09 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-07-10 02:57 . 2010-03-23 17:42 -------- d-----w- c:\program files\Lx_cats
2010-06-06 00:06 . 2009-12-31 21:07 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 13:48 . 2010-06-04 20:12 -------- d-----w- c:\documents and settings\Admin\Application Data\U3
2010-05-29 16:35 . 2010-05-29 16:35 -------- d-----w- c:\program files\Clearwire
2010-05-29 16:35 . 2010-05-29 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Clearwire
2010-05-29 16:30 . 2010-05-29 16:30 -------- d-----w- c:\documents and settings\Admin\Application Data\Clearwire
2010-05-28 19:21 . 2010-05-28 19:21 -------- d-----w- c:\program files\Skyhook Wireless
2010-05-04 17:20 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 04:15 . 2010-03-29 04:58 23110 ----a-w- c:\windows\hpqins15.dat
2010-04-28 04:09 . 2010-03-29 04:48 77349 ----a-w- c:\windows\hpqins05.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-11-21 106496]
"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe" [2007-05-08 205744]
"Clearwire Connection Manager"="c:\program files\Clearwire\Connection Manager\ClearwireCM.exe" [2009-12-01 54608]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-01 13:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-05-08 21:13 103344 ----a-w- c:\program files\Lexmark 8300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-06-06 21:06 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-06-06 21:10 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-06-06 21:09 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 22:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2010-04-01 03:34 243000 ----a-w- c:\program files\Yahoo!\Search Protection\YspService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"lxcj_device"=2 (0x2)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\lxcjcoms.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/19/2009 7:54 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/19/2009 7:54 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/19/2009 7:54 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/19/2009 7:54 PM 297752]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\Clearwire\Connection Manager\DeviceLaunchSvc.exe [11/9/2009 12:00 PM 107856]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [11/3/2009 7:28 PM 282112]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [11/3/2009 8:55 PM 51712]
S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\Clearwire\Connection Manager\RcAppSvc.exe [11/9/2009 12:02 PM 120144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\agohxd47.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Gxeteguw - c:\windows\ohepitucigenog.dll
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-26 21:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\TEMP\TMP0000004919AE306D3CB0EBA6 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-07-26 21:16:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-27 02:16

Pre-Run: 20,369,666,048 bytes free
Post-Run: 21,178,970,112 bytes free

- - End Of File - - 8E49B0C927954C7D7BA08592C89140FE

Ctiizzlll

Newbie Surfer
Newbie Surfer

Posts : 10
Joined : 2010-07-09
Operating System : XP svpk3

View user profile

Back to top Go down

Re: Redirecting web pages

Post by Sneakyone on Tue 27 Jul 2010, 2:19 pm

Hi.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=127.0.0.1:5577

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Redirecting web pages

Post by Ctiizzlll on Wed 28 Jul 2010, 7:39 am

Thanks, here is the latest log:

ComboFix 10-07-26.04 - Admin 07/27/2010 15:26:52.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.523 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\Commy.exe.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-27 08:13 . 2010-07-27 08:13 -------- d-----w- c:\windows\LastGood
2010-07-27 08:07 . 2010-07-27 08:07 -------- d-----w- c:\program files\MSXML 4.0
2010-07-27 06:39 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-27 05:58 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-27 01:58 . 2010-07-27 02:16 -------- d-----w- C:\Commy.exe
2010-07-26 18:55 . 2010-07-26 18:55 -------- d-----w- c:\documents and settings\Admin\Application Data\ElevatedDiagnostics
2010-07-25 14:54 . 2010-07-25 14:54 -------- d-----w- c:\program files\Windows Defender
2010-07-25 04:19 . 2010-07-25 04:23 -------- d-----w- c:\documents and settings\Admin\Application Data\Media Player Classic
2010-07-25 04:18 . 2010-07-25 04:18 -------- d-----w- c:\program files\MPC HomeCinema
2010-07-25 03:05 . 2010-07-25 03:16 47360 ----a-w- c:\documents and settings\Admin\Application Data\pcouffin.sys
2010-07-25 03:05 . 2010-07-25 03:05 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-07-25 03:05 . 2010-07-25 03:16 -------- d-----w- c:\documents and settings\Admin\Application Data\Vso
2010-07-14 22:29 . 2010-07-14 22:29 -------- d-----w- c:\program files\Common Files\HP
2010-07-14 22:29 . 2010-07-14 22:29 -------- d-----w- c:\program files\Hewlett-Packard
2010-07-14 22:27 . 2007-01-17 08:37 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-07-14 22:27 . 2007-01-17 08:37 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-07-14 22:27 . 2007-11-06 18:10 271704 ----a-w- c:\windows\system32\hpzids01.dll
2010-07-14 22:27 . 2007-10-31 04:19 729088 ----a-w- c:\windows\system32\hpwwiax3.dll
2010-07-14 22:27 . 2007-10-31 04:19 970752 ----a-w- c:\windows\system32\hpwtiop3.dll
2010-07-14 22:27 . 2007-01-17 08:37 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2010-07-14 22:27 . 2007-01-17 08:37 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-07-14 22:27 . 2007-01-17 08:31 294912 ----a-w- c:\windows\system32\hpovst11.dll
2010-07-14 22:25 . 2010-07-14 22:32 179412 ----a-w- c:\windows\hpwins14.dat
2010-07-14 22:25 . 2008-06-09 11:02 1108 ----a-w- c:\windows\hpwmdl14.dat
2010-07-11 06:17 . 2010-07-11 06:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\WMTools Downloaded Files
2010-07-09 02:29 . 2010-07-09 02:29 -------- d-----w- C:\_OTL
2010-07-09 00:19 . 2010-07-09 00:19 -------- d-----w- c:\program files\Trend Micro
2010-07-08 17:12 . 2010-07-08 17:12 -------- d-----w- c:\windows\system32\Registry Patrol
2010-07-08 17:11 . 2010-07-08 17:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-07-08 16:21 . 2010-07-21 17:30 -------- d-----w- c:\program files\Registry Patrol
2010-07-06 00:33 . 2010-07-06 00:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2010-07-04 17:38 . 2010-07-08 17:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 08:09 . 2009-10-26 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-25 03:42 . 2009-08-20 01:07 -------- d-----w- c:\program files\VideoLAN
2010-07-23 08:12 . 2009-11-14 23:43 -------- d-----w- c:\program files\PokerStars
2010-07-14 20:25 . 2009-10-16 17:20 -------- d-----w- c:\documents and settings\Admin\Application Data\HpUpdate
2010-07-14 18:31 . 2009-08-19 02:49 69624 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-14 18:02 . 2009-09-09 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-07-10 02:57 . 2010-03-23 17:42 -------- d-----w- c:\program files\Lx_cats
2010-06-14 14:31 . 2009-08-19 02:37 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-06 00:06 . 2009-12-31 21:07 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 13:48 . 2010-06-04 20:12 -------- d-----w- c:\documents and settings\Admin\Application Data\U3
2010-05-29 16:35 . 2010-05-29 16:35 -------- d-----w- c:\program files\Clearwire
2010-05-29 16:35 . 2010-05-29 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Clearwire
2010-05-29 16:30 . 2010-05-29 16:30 -------- d-----w- c:\documents and settings\Admin\Application Data\Clearwire
2010-05-04 17:20 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-11-21 106496]
"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe" [2007-05-08 205744]
"Clearwire Connection Manager"="c:\program files\Clearwire\Connection Manager\ClearwireCM.exe" [2009-12-01 54608]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-01 13:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-05-08 21:13 103344 ----a-w- c:\program files\Lexmark 8300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-06-06 21:06 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-06-06 21:10 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-06-06 21:09 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 22:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2010-04-01 03:34 243000 ----a-w- c:\program files\Yahoo!\Search Protection\YspService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"lxcj_device"=2 (0x2)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\lxcjcoms.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/19/2009 7:54 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/19/2009 7:54 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/19/2009 7:54 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/19/2009 7:54 PM 297752]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\Clearwire\Connection Manager\DeviceLaunchSvc.exe [11/9/2009 12:00 PM 107856]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [11/3/2009 7:28 PM 282112]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [11/3/2009 8:55 PM 51712]
S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\Clearwire\Connection Manager\RcAppSvc.exe [11/9/2009 12:02 PM 120144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\agohxd47.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-27 15:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(1876)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-27 15:33:57
ComboFix-quarantined-files.txt 2010-07-27 20:33
ComboFix2.txt 2010-07-27 02:16

Pre-Run: 20,755,353,600 bytes free
Post-Run: 20,921,438,208 bytes free

- - End Of File - - 0A985F72E5D62353B689EBFD22E51D88

Ctiizzlll

Newbie Surfer
Newbie Surfer

Posts : 10
Joined : 2010-07-09
Operating System : XP svpk3

View user profile

Back to top Go down

Re: Redirecting web pages

Post by Sneakyone on Wed 28 Jul 2010, 2:52 pm

Hi.

Please download Malwarebytes Anti-Malware from Here.


Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Redirecting web pages

Post by Ctiizzlll on Wed 28 Jul 2010, 4:01 pm

This is the malaware log:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4361

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/27/2010 11:56:46 PM
mbam-log-2010-07-27 (23-56-46).txt

Scan type: Quick scan
Objects scanned: 145365
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Ctiizzlll

Newbie Surfer
Newbie Surfer

Posts : 10
Joined : 2010-07-09
Operating System : XP svpk3

View user profile

Back to top Go down

Re: Redirecting web pages

Post by Sneakyone on Thu 29 Jul 2010, 5:15 am

Hi.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Redirecting web pages

Post by Ctiizzlll on Thu 29 Jul 2010, 7:32 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0e14294b4cd40644bcb4b82562889107
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-29 08:10:54
# local_time=2010-07-29 03:10:54 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 831193 831193 0 0
# compatibility_mode=1024 16777191 100 0 28736325 28736325 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=49277
# found=1
# cleaned=1
# scan_time=3474
C:\Qoobox\Quarantine\C\Documents and Settings\Admin\Local Settings\Application Data\{9B601FED-2673-407A-8444-1DFD03A5F6D6}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Ctiizzlll

Newbie Surfer
Newbie Surfer

Posts : 10
Joined : 2010-07-09
Operating System : XP svpk3

View user profile

Back to top Go down

Re: Redirecting web pages

Post by Sneakyone on Fri 30 Jul 2010, 2:21 am

Hi.

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done.


========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade
Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: [You must be registered and logged in to see this link.]

=====

Update Programs
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

========

Here are some prevention tips I have provided:

1. Don't download files from untrusted websites or websites that seem suspious.

2. Don't use torrents they are a good way to get lots of malware.

3. Don't download and use cracks/warez/keygens they are illegal and are another good way to contract malware.

4. Disable autorun XP or Vista/7

5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

6. Don't ever click on the links inside of a popup.

7. Make sure you know what you install you can make sure it is not know for being a virus by just simply searching about it on google.

8. Use a Site Advisor so you don't go to sites that will infect you. Mcafee Siteadvisor

9. Also there are many holes and flaws in Internet Explorer I recommend using Firefox 3 to keep you more safe.

10. Always keep your Java and Adobe updated.

11. Don't fall for the Scareware. What is Scareware? it is a website made to download a rogue Antivirus on your system that will scare you into buying their fake software due to false detections.

12. Always have a Firewall and a Antivirus.

Thanks for choosing GeekPolice, see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information please visit [You must be registered and logged in to see this link.]


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Redirecting web pages

Post by Sponsored content Today at 7:57 pm


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum