redirects


Re: redirects

Post by andrewvanderhevel on Sat Apr 11, 2009 4:24 pm

Hello, sorry for posting in an old thread of mine, but I couldn't find the button to start a new topic for some reason. Recently my gf downloaded a codec or something to watch a movie and ever since, half the sites I try to go to redirect me to other sites and some programs don't work. Here is the log. Thanks a lot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:55 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\ili\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - [You must be registered and logged in to see this link.]
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} (MysteryPI Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{D213A8E5-E4E7-45DE-8FC8-D722759BB6DE}: NameServer = 85.255.112.146,85.255.112.76
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.146,85.255.112.76
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.146,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.146,85.255.112.76
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)

--
End of file - 13377 bytes


Re: redirects

Post by Belahzur on Sat Apr 11, 2009 4:40 pm

Hello.
Split this post off into a new topic.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D213A8E5-E4E7-45DE-8FC8-D722759BB6DE}: NameServer = 85.255.112.146,85.255.112.76
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.146,85.255.112.76
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.146,85.255.112.76
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.146,85.255.112.76


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


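A defender-side check for the O17 entries called out in the fix list above, added here as an example and not part of HijackThis or the helper's procedure. It parses O17 lines from a constructed sample (the four O17 lines from this thread plus one benign entry made up for contrast), flags every NameServer that is not in an assumed allow-list of expected resolvers, and reports which control sets carry them, since a fix applied to CurrentControlSet alone can be undone by a boot from a backup control set:

```python
"""Flag DNS-hijack indicators in HijackThis O17 (NameServer) lines.

Added example for this thread, not part of HijackThis or the helper's
procedure. EXPECTED_RESOLVERS is an assumption: fill it with the resolvers
the machine is supposed to use (usually the LAN router or the ISP's servers).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# An O17 line looks like:
#   O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 1.2.3.4,5.6.7.8
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>[\d.,\s]+)$"
)

# Assumed allow-list (hypothetical LAN router address).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Constructed sample: the four O17 lines from this thread, one benign O17 line
# made up for contrast, and one unrelated line that the parser must ignore.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{D213A8E5-E4E7-45DE-8FC8-D722759BB6DE}: NameServer = 85.255.112.146,85.255.112.76
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.146,85.255.112.76
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.146,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.146,85.255.112.76
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
"""


def parse_o17(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (registry key, [nameserver strings]) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append((m.group("key"), servers))
    return entries


def control_set(key: str) -> str:
    """'HKLM\\System\\CS2\\Services\\...' -> 'CS2' (CCS = CurrentControlSet)."""
    return key.split("\\")[2]


def find_hijacked(log_text: str, expected=EXPECTED_RESOLVERS) -> Dict[str, List[str]]:
    """Map each O17 registry key to the resolver IPs that are not expected.

    Values that do not parse as IP addresses are skipped rather than flagged,
    so a typo in the log cannot masquerade as a finding.
    """
    findings: Dict[str, List[str]] = {}
    for key, servers in parse_o17(log_text):
        unexpected = []
        for s in servers:
            try:
                ip = str(ipaddress.ip_address(s))
            except ValueError:
                continue
            if ip not in expected:
                unexpected.append(ip)
        if unexpected:
            findings[key] = unexpected
    return findings


def affected_control_sets(log_text: str, expected=EXPECTED_RESOLVERS) -> List[str]:
    """Sorted list of control sets that carry unexpected resolvers.

    Windows keeps backup control sets (CS1, CS2, ...) that a Last Known Good
    boot can fall back to, so a cleanup that touches only CCS can leave the
    setting ready to return. Every set listed here needs the same fix.
    """
    return sorted({control_set(k) for k in find_hijacked(log_text, expected)})


def report(log_text: str, expected=EXPECTED_RESOLVERS) -> List[str]:
    """One human-readable finding per flagged registry key."""
    lines = []
    for key, ips in find_hijacked(log_text, expected).items():
        lines.append(f"{control_set(key)}: unexpected NameServer {', '.join(ips)} at {key}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print("control sets to fix:", ", ".join(affected_control_sets(SAMPLE_LOG)))
```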

Re: redirects

Post by andrewvanderhevel on Sat Apr 11, 2009 4:52 pm

I already have Anti-Malware installed, but when I click it to open it, nothing happens. So I tried to reinstall it with your link, but it won't give me the option to save it. Awesome AV btw. Jericho's better but still.


Re: redirects

Post by Belahzur on Sat Apr 11, 2009 4:57 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Re: redirects

Post by andrewvanderhevel on Sat Apr 11, 2009 5:35 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACqjxaavst.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.


Re: redirects

Post by Belahzur on Sat Apr 11, 2009 5:42 pm

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACqjxaavst.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



Re: redirects

Post by andrewvanderhevel on Sat Apr 11, 2009 7:08 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACqjxaavst.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: redirects

Post by Belahzur on Sat Apr 11, 2009 7:13 pm

Hello.
Try MBAM now, it will run fine.

Update it and then run the scan.
Copy and paste the log back here.



Re: redirects

Post by andrewvanderhevel on Mon May 25, 2009 8:18 pm

Hello, I figured I would use an old topic rather than start a new one. My computer is redirecting me. Here is the HijackThis log. Thanks a lot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:07 PM, on 5/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Screenshot Utility.lnk = C:\Program Files\Screenshot Utility\ScreenshotUtility.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\ili\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - [You must be registered and logged in to see this link.]
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} (Monopoly Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} (MysteryPI Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{D213A8E5-E4E7-45DE-8FC8-D722759BB6DE}: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)

--
End of file - 13004 bytes


Re: redirects

Post by Origin on Mon May 25, 2009 8:29 pm

Your DNS is hijacked, let's fix it:


I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.




  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O17 - HKLM\System\CCS\Services\Tcpip\..\{D213A8E5-E4E7-45DE-8FC8-D722759BB6DE}: NameServer = 85.255.112.21,85.255.112.89
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89


  • Press "Fix Checked"
  • Close HijackThis.




Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

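As an added example (not code from this thread, from HijackThis or from the helper), a small Python triage script that pulls the O17 NameServer entries out of a HijackThis log, flags resolvers outside an allow list, and reports which control sets (CCS, CS2, CS4) carry the bad value. The sample log lines and the allow list are constructed for the example.

```python
import ipaddress
import re
from typing import Any, Dict, List

# Constructed sample, modelled on the HijackThis log format shown in this thread:
# the four O17 lines the helper asked to fix, one unrelated O23 line, and one
# benign per-adapter entry (a LAN router as DNS server) to show the check is selective.
SAMPLE_LOG = r"""
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D213A8E5-E4E7-45DE-8FC8-D722759BB6DE}: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
""".strip("\n")

# Constructed allow list: resolvers this machine is expected to use. In practice this
# would be the LAN router, the ISP's resolvers, or a public resolver the owner chose.
TRUSTED_RESOLVERS = ["192.168.0.0/16", "10.0.0.0/8", "8.8.8.8", "8.8.4.4"]

# O17 lines name a control set (CCS = CurrentControlSet; CS2/CS4 are the numbered copies
# behind "Last Known Good") and either the global Tcpip\Parameters key or a per-adapter
# key, which HijackThis shows as "..\{GUID}".
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<sub>[^:]+)): "
    r"NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text: str) -> List[Dict[str, Any]]:
    """Extract every O17 NameServer entry from a HijackThis log."""
    entries: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append({
            "key": m.group("key"),
            "controlset": m.group("cs"),
            "scope": "interface" if m.group("sub").startswith("..") else "global",
            "servers": servers,
        })
    return entries


def untrusted_servers(servers: List[str], trusted: List[str]) -> List[str]:
    """Return the servers outside the allow list; a malformed value is flagged as well."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    flagged: List[str] = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)
            continue
        if not any(addr in n for n in nets):
            flagged.append(s)
    return flagged


def audit_dns(log_text: str, trusted: List[str]) -> List[Dict[str, Any]]:
    """One finding per O17 entry that points at a resolver outside the allow list."""
    findings: List[Dict[str, Any]] = []
    for e in parse_o17(log_text):
        bad = untrusted_servers(e["servers"], trusted)
        if bad:
            findings.append({"key": e["key"], "controlset": e["controlset"],
                             "scope": e["scope"], "untrusted": bad})
    return findings


def affected_controlsets(findings: List[Dict[str, Any]]) -> List[str]:
    """Control sets carrying a bad resolver. When the backup sets (CS2, CS4) are hit
    too, booting with 'Last Known Good Configuration' would not undo the hijack,
    which is why every O17 line has to be fixed, not just the CCS one."""
    return sorted({f["controlset"] for f in findings})


if __name__ == "__main__":
    results = audit_dns(SAMPLE_LOG, TRUSTED_RESOLVERS)
    for f in results:
        print(f"{f['controlset']:<4} {f['scope']:<9} {', '.join(f['untrusted'])}  <- {f['key']}")
    print("control sets affected:", affected_controlsets(results))
```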

Re: redirects

Post by andrewvanderhevel on Tue May 26, 2009 6:47 pm

Thanks for the help.
I did what you said with HijackThis, but the computer won't let me open MBAM or other antivirus software. I click it and nothing happens.


Re: redirects

Post by Origin on Wed May 27, 2009 1:22 am

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
See [You must be registered and logged in to see this link.] for how to disable your AV.

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.




Re: redirects

Post by andrewvanderhevel on Tue Jun 02, 2009 2:54 am

ComboFix 09-05-31.06 - ili 06/01/2009 22:34:20.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.661 [GMT -4:00]
Running from: C:\Documents and Settings\ili\Desktop\ComboFix.exe
FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\ili\Application Data\.#
C:\Documents and Settings\ili\Application Data\pcdefender.exe
C:\Documents and Settings\ili\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\Documents and Settings\ili\My Documents\ECURIT~1
C:\Documents and Settings\ili\My Documents\ECURIT~1\Thumbs.db
C:\WINDOWS\ieocx.dll
C:\WINDOWS\system32\0121mixed.bin
C:\WINDOWS\system32\drivers\gxvxctakdvpwxstotdygaybarsmdoujyoynkc.sys
C:\WINDOWS\system32\gxvxccounter
C:\WINDOWS\system32\gxvxcjaoyrdqcmoptxelphcxeyordxlatackt.dll
C:\WINDOWS\system32\kdfinj.dll
C:\WINDOWS\system32\UACaompxivb.dat
C:\WINDOWS\system32\UACgvdjyicy.log
C:\WINDOWS\system32\UAChemqrwqp.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACpoboiqew.dll
C:\WINDOWS\system32\UACqesbpbne.dll
C:\WINDOWS\system32\UACswesifmp.dll
C:\WINDOWS\system32\UACucgflylp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-05-29 22:07:02 . 2009-05-29 22:07:02 220926964 ----a-w- C:\Documents and Settings\ili\Application Data\ijjigame\U_GUNZ_setup.exe
2009-05-29 21:54:17 . 2009-05-27 21:46:44 779720 ----a-w- C:\Documents and Settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-29 21:52:57 . 2009-05-26 21:31:26 58800 ----a-w- C:\WINDOWS\system32\ijjiProcessRestarter.exe
2009-05-26 00:16:09 . 2009-05-26 00:18:08 0 d-----w- C:\Documents and Settings\ili\Application Data\Sonic
2009-05-26 00:12:22 . 2009-05-26 00:12:22 0 d-----w- C:\Program Files\Common Files\Sonic
2009-05-26 00:10:55 . 2009-05-26 00:11:27 0 d-----w- C:\Program Files\Common Files\SureThing Shared
2009-05-26 00:10:03 . 2009-05-26 00:14:24 0 d-----w- C:\WINDOWS\system32\dla
2009-05-26 00:10:03 . 2004-03-25 05:04:00 98358 ----a-w- C:\WINDOWS\dla.exe
2009-05-26 00:10:03 . 2004-03-25 05:04:00 61498 ----a-w- C:\WINDOWS\system32\tfswapi.dll
2009-05-26 00:10:03 . 2004-02-27 06:56:00 40480 ----a-w- C:\WINDOWS\system32\drivers\drvnddm.sys
2009-05-26 00:10:03 . 2004-02-13 07:21:00 86160 ----a-w- C:\WINDOWS\system32\drivers\drvmcdb.sys
2009-05-26 00:10:03 . 2004-01-14 23:18:16 5621 ----a-w- C:\WINDOWS\system32\drivers\sscdbhk5.sys
2009-05-26 00:10:03 . 2004-01-14 23:18:04 23219 ----a-w- C:\WINDOWS\system32\drivers\ssrtln.sys
2009-05-26 00:09:30 . 2009-05-26 00:10:15 0 d-----w- C:\Program Files\Sonic
2009-05-26 00:09:03 . 2009-05-26 00:11:14 0 d-----w- C:\Program Files\Common Files\Sonic Shared
2009-05-21 22:51:48 . 2009-05-21 22:51:48 41808 ----a-w- C:\WINDOWS\system32\xfcodec.dll
2009-05-19 01:19:29 . 2009-05-19 01:19:29 0 d-----w- C:\VundoFix Backups
2009-05-17 23:08:51 . 2009-05-17 23:08:51 0 d-----w- C:\Program Files\Disney
2009-05-16 20:53:35 . 2009-05-16 20:54:03 0 d-----w- C:\Program Files\Paint.NET
2009-05-16 20:53:25 . 2009-05-31 11:08:16 0 d-----w- C:\Documents and Settings\ili\Local Settings\Application Data\Paint.NET
2009-05-16 16:44:26 . 2009-05-16 16:44:26 0 d-----w- C:\Program Files\iPod
2009-05-16 16:44:20 . 2009-05-16 16:44:53 0 d-----w- C:\Program Files\iTunes
2009-05-16 16:44:20 . 2009-05-16 16:44:53 0 d-----w- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-16 16:42:57 . 2009-05-16 16:42:57 0 d-----w- C:\Program Files\Bonjour
2009-05-16 16:41:27 . 2009-05-16 16:42:19 0 d-----w- C:\Program Files\QuickTime
2009-05-16 16:33:21 . 2009-05-16 16:33:21 75048 ----a-w- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-14 04:40:56 . 2009-05-14 04:40:56 0 d-----w- C:\Program Files\Brainhouse Labs
2009-05-14 04:39:10 . 2009-05-14 04:39:10 0 d-----w- C:\Program Files\Communities.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 01:55:06 . 2006-12-10 19:04:32 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-06-02 01:51:51 . 2003-03-11 06:57:38 0 d-----w- C:\Documents and Settings\ili\Application Data\Xfire
2009-06-01 22:35:57 . 2003-03-11 06:57:35 0 d-s---w- C:\Program Files\Xfire
2009-05-31 15:35:11 . 2006-08-26 21:55:05 0 d-----w- C:\Documents and Settings\ili\Application Data\BitTorrent
2009-05-29 22:09:46 . 2008-09-19 16:39:48 0 d--h--w- C:\Documents and Settings\ili\Application Data\ijjigame
2009-05-29 21:54:17 . 2008-10-30 03:36:10 0 d-----w- C:\Documents and Settings\All Users\Application Data\IJJIGame
2009-05-29 08:10:32 . 2007-07-11 06:34:35 0 d-----w- C:\Program Files\Combined Community Codec Pack
2009-05-29 08:01:57 . 2006-06-20 23:16:30 0 d-----w- C:\Program Files\AIM
2009-05-26 00:19:09 . 2006-05-15 01:01:07 113688 ----a-w- C:\Documents and Settings\ili\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 16:40:47 . 2008-10-07 20:53:16 0 d-----w- C:\Program Files\Common Files\Apple
2009-05-13 17:29:18 . 2009-02-22 01:21:13 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-05-13 00:48:28 . 2008-10-31 04:32:45 710064 ----a-w- C:\WINDOWS\system32\ijjiSetup.exe
2009-05-05 20:32:04 . 2009-04-10 03:06:28 0 d-----w- C:\Documents and Settings\ili\Application Data\Move Networks
2009-04-26 15:48:25 . 2009-01-20 19:49:12 0 d-----w- C:\Program Files\Common Files\Blizzard Entertainment
2009-04-26 10:12:45 . 2009-04-26 10:12:45 0 d-----w- C:\Program Files\AhnLab
2009-04-26 09:24:41 . 2006-05-21 22:02:13 0 d--h--w- C:\Program Files\InstallShield Installation Information
2009-04-26 09:22:29 . 2009-04-26 09:22:29 0 d-----w- C:\Program Files\Xero Games
2009-04-26 07:17:31 . 2006-12-10 23:42:26 0 d-----w- C:\Program Files\Common Files\Real
2009-04-26 07:15:44 . 2006-05-13 14:58:52 0 d-----w- C:\Program Files\Yahoo! Games
2009-04-26 07:15:35 . 2009-03-17 05:44:30 0 d-----w- C:\Program Files\Nanny Mania
2009-04-24 09:41:22 . 2009-04-24 09:41:21 0 d-----w- C:\Program Files\Screenshot Utility
2009-04-24 09:36:12 . 2009-04-24 09:36:12 0 d-----w- C:\Documents and Settings\ili\Application Data\YAFSScreen
2009-04-17 09:29:20 . 2009-04-17 09:29:20 0 d-----w- C:\Program Files\AuditionSEA
2009-04-17 03:46:23 . 2009-02-28 09:13:09 0 d-----w- C:\Program Files\GameHouse Games Collection
2009-04-17 03:40:53 . 2009-04-14 21:56:44 0 d-----w- C:\Program Files\Ballistik
2009-04-17 03:36:18 . 2006-11-25 21:39:51 0 d-----w- C:\Program Files\MSN Games
2009-04-17 03:30:54 . 2008-12-19 02:20:41 0 d-----w- C:\Program Files\First Class Flurry
2009-04-17 03:27:40 . 2009-04-15 02:26:35 0 d-----w- C:\Program Files\Big City Adventure San Francisco
2009-04-17 03:27:26 . 2009-04-15 05:33:40 0 d-----w- C:\Program Files\Breaking News
2009-04-17 03:15:42 . 2009-03-24 05:19:43 0 d-----w- C:\Program Files\Gamenext
2009-04-16 10:30:30 . 2009-04-16 10:30:30 0 d-----w- C:\Program Files\Redbana
2009-04-15 05:34:17 . 2009-04-15 05:34:17 0 d-----w- C:\Documents and Settings\ili\Application Data\MysteryStudio
2009-04-15 02:27:36 . 2009-04-15 02:27:36 0 d-----w- C:\Documents and Settings\All Users\Application Data\JollyBear
2009-04-14 10:29:02 . 2009-04-14 10:28:38 0 d-----w- C:\Program Files\WildTangent
2009-04-11 16:40:52 . 2008-10-18 04:04:37 0 d-----w- C:\Documents and Settings\ili\Application Data\DNA
2009-04-10 21:48:55 . 2008-10-18 04:04:37 0 d-----w- C:\Program Files\DNA
2009-04-10 06:44:10 . 2009-03-24 01:25:29 0 d-----w- C:\Program Files\Oberon Media
2009-04-10 06:43:01 . 2006-12-10 22:41:58 0 d-----w- C:\Program Files\Windows Media Connect 2
2009-04-10 02:46:22 . 2009-04-10 02:45:50 0 ----a-w- C:\Documents and Settings\ili\Application Data\~eu37.tmp
2009-04-08 06:45:00 . 2009-04-08 06:44:10 0 d-----w- C:\Documents and Settings\All Users\Application Data\PMB Files
2009-04-08 06:43:42 . 2009-04-08 06:43:42 0 d-----w- C:\Program Files\Pando Networks
2009-04-06 12:48:43 . 2008-11-06 04:07:44 0 d-----w- C:\Program Files\Common Files\Adobe
2009-04-04 01:39:51 . 2009-04-04 01:33:39 0 d-----w- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2009-04-04 01:29:54 . 2009-04-04 01:29:52 0 d-----w- C:\Program Files\Messenger Plus! Live
2009-04-04 01:29:53 . 2009-04-04 01:29:53 0 d-----w- C:\Program Files\Windows Live
2009-04-04 01:29:53 . 2003-03-12 03:16:49 0 d-----w- C:\Program Files\MSN Messenger
2009-03-19 20:32:48 . 2009-03-19 20:32:48 23400 ----a-w- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32:48 . 2008-10-07 21:28:10 23400 ----a-w- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2009-03-15 00:12:56 . 2009-01-15 07:16:45 73840 ----a-w- C:\WINDOWS\system32\drivers\PCTAppEvent.sys
2009-03-15 00:12:56 . 2009-01-15 07:16:45 130424 ----a-w- C:\WINDOWS\system32\drivers\PCTCore.sys
2009-03-15 00:12:43 . 2009-01-15 07:15:00 95640 ----a-w- C:\WINDOWS\system32\drivers\pctplfw.sys
2009-03-09 15:34:00 . 2009-04-10 03:05:52 971776 ----a-w- C:\Documents and Settings\ili\Application Data\Mozilla\Firefox\Profiles\63q60lpc.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-03-06 14:22:18 . 2003-03-31 12:00:00 284160 ----a-w- C:\WINDOWS\system32\pdh.dll
2008-10-23 03:38:28 . 2008-10-23 03:37:50 89811 ----a-w- C:\Program Files\Uninstal.exe
2006-12-10 23:42:27 . 2008-01-27 19:15:15 774144 ----a-w- C:\Program Files\RngInterstitial.dll
2008-12-20 11:04:27 . 2006-12-18 19:44:01 67688 ----a-w- C:\Program Files\mozilla firefox\components\jar50.dll
2008-12-20 11:04:27 . 2006-12-18 19:44:01 54368 ----a-w- C:\Program Files\mozilla firefox\components\jsd3250.dll
2008-12-20 11:04:27 . 2006-12-18 19:44:01 34944 ----a-w- C:\Program Files\mozilla firefox\components\myspell.dll
2008-12-20 11:04:29 . 2006-12-18 19:44:01 46712 ----a-w- C:\Program Files\mozilla firefox\components\spellchk.dll
2008-12-20 11:04:29 . 2006-12-18 19:44:01 172136 ----a-w- C:\Program Files\mozilla firefox\components\xpinstal.dll
2008-11-20 08:36:40 . 2008-11-20 08:36:39 56 --sh--r- C:\WINDOWS\system32\17A98B4007.sys
2009-02-01 18:05:54 . 2008-11-20 08:36:38 1682 --sha-w- C:\WINDOWS\system32\KGyGaAvL.sys
.


Re: redirects

Post by andrewvanderhevel on Tue Jun 02, 2009 2:54 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 14:38:34 78008]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-03-15 00:12:42 2652056]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 12:00:48 33648]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 04:15:46 15872]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 06:38:00 34672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-01-05 20:18:48 413696]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-25 05:04:00 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 05:01:00 110592]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 00:12:27 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [2006-10-22 06:22:18 163576]

C:\Documents and Settings\ili\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Winter Fun Wallpaper Changer.lnk
backup=C:\WINDOWS\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ili^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\ili\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ili^Start Menu^Programs^Startup^Screenshot Utility.lnk]
path=C:\Documents and Settings\ili\Start Menu\Programs\Startup\Screenshot Utility.lnk
backup=C:\WINDOWS\pss\Screenshot Utility.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ili^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\ili\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\ijji\\ENGLISH\\Gunz\\BAReport.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\BYOND\\bin\\byond.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\ijji\\ENGLISH\\u_gunz.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57484:TCP"= 57484:TCP:Pando Media Booster
"57484:UDP"= 57484:UDP:Pando Media Booster

R1 pctgntdi;pctgntdi;C:\WINDOWS\system32\drivers\pctgntdi.sys [1/15/2009 3:16:36 AM 159600]
R2 PCTAppEvent;PCTAppEvent Driver;C:\WINDOWS\system32\drivers\PCTAppEvent.sys [1/15/2009 3:16:45 AM 73840]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\drivers\lne100v5.sys [5/12/2006 10:49:30 PM 36224]
R3 pctplfw;pctplfw;C:\WINDOWS\system32\drivers\pctplfw.sys [1/15/2009 3:15:00 AM 95640]
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys --> C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [?]
S2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys --> C:\WINDOWS\system32\DRIVERS\PavProc.sys [?]
S3 cpuz131;cpuz131;\??\C:\DOCUME~1\ili\LOCALS~1\Temp\cpuz131\cpuz_x32.sys --> C:\DOCUME~1\ili\LOCALS~1\Temp\cpuz131\cpuz_x32.sys [?]
S3 Mkd2kfNt;Mkd2kfNt;C:\WINDOWS\system32\drivers\Mkd2kfNT.sys [4/26/2009 6:14:10 AM 131072]
S3 Mkd2Nadr;Mkd2Nadr;C:\WINDOWS\system32\drivers\Mkd2Nadr.sys [4/26/2009 6:14:10 AM 79104]
S3 npggsvc;nProtect GameGuard Service;C:\WINDOWS\system32\GameMon.des -service --> C:\WINDOWS\system32\GameMon.des -service [?]
S3 XDva202;XDva202;\??\C:\WINDOWS\system32\XDva202.sys --> C:\WINDOWS\system32\XDva202.sys [?]
S3 XDva262;XDva262;\??\C:\WINDOWS\system32\XDva262.sys --> C:\WINDOWS\system32\XDva262.sys [?]
S3 XDva269;XDva269;\??\C:\WINDOWS\system32\XDva269.sys --> C:\WINDOWS\system32\XDva269.sys [?]
S3 XDva275;XDva275;\??\C:\WINDOWS\system32\XDva275.sys --> C:\WINDOWS\system32\XDva275.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34:12 . 2008-07-30 16:34:12]

2009-06-02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20:38 . 2007-10-19 16:20:38]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost;*.local
IE: &AIM Search
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\ili\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - C:\Documents and Settings\ili\Application Data\Mozilla\Firefox\Profiles\63q60lpc.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: C:\Documents and Settings\ili\Application Data\Mozilla\Firefox\Profiles\63q60lpc.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - component: C:\Program Files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: C:\Program Files\Mozilla Firefox\components\xpinstal.dll
.


Re: redirects

Post by Origin on Tue Jun 02, 2009 3:20 am

Now open a new notepad file.
Input this into the notepad file:

File::
C:\WINDOWS\system32\dla
C:\WINDOWS\dla.exe
C:\Documents and Settings\ili\Application Data\BitTorrent
C:\Program Files\WildTangent
C:\Program Files\DNA
C:\Documents and Settings\ili\Application Data\DNA
C:\Documents and Settings\ili\Application Data\~eu37.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=-
"C:\\Program Files\\DNA\\btdna.exe"=-

Driver::
cpuz131
Mkd2kfNt
Mkd2Nadr
XDva202
XDva262
XDva269
XDva275




Save this as CFScript.txt, and save it to your desktop as well.
Then drag and drop CFScript.txt onto ComboFix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.



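As an added example (not the helper's code or ComboFix's), a Python script that reads the REGEDIT4-style "Reg Loading Points" section of a ComboFix log, flags the Security Center notification and firewall values the malware weakened, and emits the Registry:: part of a CFScript in the form used above, where `"Name"=-` deletes a value. The sample dump is constructed from values in the log earlier in this thread; only the Security Center notify values are scripted, as in the helper's script, while a disabled firewall is reported for manual attention.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the REGEDIT4-style layout ComboFix uses for its
# "Reg Loading Points" section, built from values visible in the log above.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
""".strip("\n")

# Key -> value name -> the setting that means "protection weakened". Security Center
# *DisableNotify values of 1 silence the AV / update warnings; EnableFirewall 0 turns
# the XP firewall off. Keys and names are compared case-insensitively.
WEAK_SETTINGS: Dict[str, Dict[str, int]] = {
    r"hkey_local_machine\software\microsoft\security center": {
        "antivirusdisablenotify": 1,
        "firewalldisablenotify": 1,
        "updatesdisablenotify": 1,
    },
    r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile": {
        "enablefirewall": 0,
    },
}
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# Requires something after '='; the firewall allow-list lines ('"...exe"=') are skipped.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>\S.*)$')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Key -> {value name: raw text after '='}. Lines with no data are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            sections.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            sections[current][vm.group("name")] = vm.group("raw")
    return sections


def to_int(raw: str) -> Optional[int]:
    """'dword:00000001' -> 1; ComboFix's ' 0 (0x0)' display -> 0; anything else -> None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group(0)) if m else None


def find_weak_settings(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """(key, value name, value) for every value set to its weakened state."""
    findings: List[Tuple[str, str, int]] = []
    for key, values in sections.items():
        expected = WEAK_SETTINGS.get(key.lower())
        if not expected:
            continue
        for name, raw in values.items():
            weak = expected.get(name.lower())
            if weak is not None and to_int(raw) == weak:
                findings.append((key, name, weak))
    return findings


def cfscript_registry_section(findings: List[Tuple[str, str, int]]) -> str:
    """Registry:: block in CFScript form; '"Name"=-' deletes the value. Only the
    Security Center notify values are scripted here, as in the helper's script."""
    lines = ["Registry::"]
    current_key: Optional[str] = None
    for key, name, _ in findings:
        if key.lower() != SECURITY_CENTER_KEY:
            continue  # firewall state is reported, not scripted
        if key != current_key:
            lines.append(f"[{key}]")
            current_key = key
        lines.append(f'"{name}"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_weak_settings(parse_reg_dump(SAMPLE_REG))
    for key, name, value in found:
        print(f"weakened: [{key}] {name} = {value}")
    print(cfscript_registry_section(found))
```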
