mninja

google search links direct me to random sites

9 posts in this topic

Hello!

 

I have been facing this problem for the past couple of days. Whenever I click on search links provided by Google, it takes me to random sites. It doesn't happen all the time though. I have Windows XP Professional Edition with the latest Service Pack. Automatic Update is ON. I am using AVG Free Edition along with Malwarebytes, and yesterday I also installed Spybot Search & Destroy.

None of these antivirus and antispyware tools detect anything. I don't know what I can do to get rid of this problem. I am using two browsers, namely IE7 and Google Chrome.

 

Experts, please help.

 

Thanks!

 

P.S. I tried to run the antivirus, Malwarebytes and Spybot in Safe Mode, but with all of them I got the Visual Studio Just-In-Time Debugger, which ended everything abruptly.

Edited by mninja


Hello mninja

 

It may take some time and a couple of attempts to provide you with the right help. Many of today's infections are advanced and install other infections on the computer.

It's almost impossible to remove the entire infection and to check for leftovers in one go. Please be patient. :)

 

Please download ATF Cleaner. Save it to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

 

 

Download the HostsXpert 4.2 - Hosts File Manager.

  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

 

 

 

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

 

 

Update Malwarebytes' Anti-Malware to the newest version and perform the complete scan.

Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK for either of the prompts and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.

 

 

 

Please download GooredFix from one of the locations below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

 

 

 

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

 

Please include the C:\ComboFix.txt, MBAM log, GooredFix.txt and the contents of checkup.txt in your next reply for further review.

 

 

Best regards

 

e-tech

Edited by e-tech

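The HostsXpert step above restores the stock Microsoft HOSTS file and marks it read-only, because a rewritten HOSTS file is one of the ways a redirect infection steers search-engine and AV-vendor names. The script below is an added example, not code from this thread or from HostsXpert: it parses HOSTS-file text and reports any entry for a watched domain, distinguishing a "redirect" (name sent to a foreign address, the symptom in this thread) from a "blackhole" (name pinned to loopback, which silently breaks AV and Windows updates). The watch-list and the sample file are constructed for the example; 203.0.113.10 is an RFC 5737 documentation address.

```python
"""Audit Windows HOSTS-file text for redirect-style tampering.

Added example for this thread; not part of HostsXpert or any other tool.
A stock XP HOSTS file maps only "localhost", so any entry for a search
engine, AV vendor or update server is a finding worth reviewing.
"""
import ipaddress

# Assumption: a short illustrative watch-list, not an authoritative one.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "malwarebytes.org", "avg.com", "symantec.com",
    "windowsupdate.com", "microsoft.com",
)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-file text.

    Comments (#...) and blank lines are skipped; a line whose first field is
    not an IP address is ignored rather than treated as an error.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True when hostname is a watched domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return (hostname, address, kind) for every watched name in the file.

    kind is "redirect" for a non-loopback target and "blackhole" for a
    loopback target; both are abnormal for a stock HOSTS file.
    """
    findings = []
    for _line_no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        kind = "blackhole" if ip.is_loopback else "redirect"
        findings.append((name, str(ip), kind))
    return findings


# Constructed sample: a stock-style header plus four planted entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.10    www.google.com
203.0.113.10    google.com   # planted redirect
127.0.0.1       www.malwarebytes.org
127.0.0.1       liveupdate.symantec.com
"""

if __name__ == "__main__":
    for name, addr, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:9} {name:28} -> {addr}")
```

After the restore, the file should contain only the localhost line. The read-only attribute HostsXpert sets stops casual rewrites by user-mode programs but is no obstacle to a kernel-mode rootkit, which is why the later ComboFix step still matters.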

I do not know whether it is fixed now or not, but for two days running now I haven't seen any Google redirect issue.

I installed Norton AV and ran it in Safe Mode. I also installed a new copy of Malwarebytes. Both scans caught a few trojans.

Now it's running fine so far.


Hello mninja

 

When replying to your topic, please use the Reply button.

I do not need to see my previous post. :)

 

 

To provide you with the best possible help I need you to follow my instructions. Please run the tools and post the logs.

At this stage of the cleaning process I can't guarantee that your computer is clean.

 

You've probably removed the symptoms, but the infection most likely has not been removed.

 

If you don't proceed with the cleaning process, then I strongly recommend that you format and reinstall your Windows.

When Should I Format, How Should I Reinstall

 

Should you have any questions, please feel free to ask.

 

Please let me know what your decision is.

 

 

Best regards

 

e-tech


Sorry for the delay.

Please find logs you asked for.

Thanks!

 

ATF ran perfectly. HostsXpert did not. I am getting the following error:

Error cannot Create file C:\Windows\System32\Drivers\Etc\Hosts??

 

Security Check Log:

 

Results of screen317's Security Check version 0.98.4

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

``````````````````````````````

Windows Firewall Enabled!

WindowsLiveOneCaresafetyscanner

SymantecAntiVirus

Antivirus up to date! (On Access scanning disabled!)

``````````````````````````````

Anti-malware/Other Utilities Check:

``````````````````````````````

Malwarebytes' Anti-Malware

CCleaner (remove only)

Java 6 Update 14

Java SE Runtime Environment 6

Java 6 Update 2

Java 6 Update 3

Java 6 Update 4

Java 6 Update 5

Java 6 Update 7

Java SE Development Kit 6 Update 3

Java 2 SDK, SE v1.4.2_13

Out of date Java installed!

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

Symantec AntiVirus DefWatch.exe

Symantec AntiVirus Rtvscan.exe

``````````````````````````````

DNS Vulnerability Check:

``````````````````````````````

GREAT! (Very random)

 

Scan took 13 seconds.

`````````End of Log```````````

 

GooredFix Log:

GooredFix by jpshortstuff (03.07.09)

Log created at 01:35 on 11/07/2009 (Mudit)

Firefox version [unable to determine]

 

========== GooredScan ==========

 

C:\Program Files\Mozilla Firefox\extensions\

(none)

 

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:34 29/01/2009]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:12 11/03/2009]

 

-=E.O.F=-

 

MalwareBytes Log:

Malwarebytes' Anti-Malware 1.38

Database version: 2405

Windows 5.1.2600 Service Pack 3

 

7/11/2009 9:04:29 AM

mbam-log-2009-07-11 (09-04-29).txt

 

Scan type: Full Scan (C:\|E:\|F:\|G:\|)

Objects scanned: 215602

Time elapsed: 1 hour(s), 4 minute(s), 40 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

ComboFix Log:

ComboFix 09-07-09.08 - Mudit 07/11/2009 9:28.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.298 [GMT -4:00]

Running from: c:\documents and settings\Mudit\My Documents\Downloads\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}

c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}\chrome.manifest

c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}\chrome\content\_cfg.js

c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}\chrome\content\c.js

c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}\chrome\content\overlay.xul

c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}\install.rdf

c:\windows\system32\Cache

c:\windows\system32\mkghj.dll

c:\windows\system32\rtc.dat

 

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_IPRIP

-------\Legacy_NPF

-------\Legacy_TDSSSERV

-------\Service_Iprip

 

 

((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))

.

 

2009-07-11 05:17 . 2008-07-27 16:11 -------- d-----w- C:\HostsXpert

2009-07-10 21:20 . 2009-07-10 21:20 -------- d-----w- c:\windows\McAfee.com

2009-07-10 01:20 . 2009-07-10 01:20 152576 ----a-w- c:\documents and settings\Mudit\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-07-10 00:11 . 2009-07-10 00:11 -------- d-----w- c:\program files\CCleaner

2009-07-08 22:21 . 2009-07-08 22:22 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-08 22:21 . 2009-07-08 22:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-08 12:09 . 2009-07-08 12:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2009-07-08 11:07 . 2009-07-08 11:07 -------- d-----w- c:\documents and settings\Mudit\Local Settings\Application Data\Symantec

2009-07-08 11:06 . 2006-01-31 17:29 87808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-07-08 11:06 . 2006-01-31 17:29 107696 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-07-08 11:03 . 2009-07-08 11:12 -------- d-----w- c:\program files\Symantec

2009-07-08 11:03 . 2009-07-11 13:40 -------- d-----w- c:\program files\Symantec AntiVirus

2009-07-08 11:03 . 2009-07-08 11:07 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-07-08 11:03 . 2009-07-08 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-07-08 11:03 . 2009-07-08 11:03 -------- d-----w- c:\temp\SAV

2009-07-08 00:46 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-08 00:46 . 2009-07-08 00:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-08 00:46 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-07 22:49 . 2009-07-07 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-07-07 22:48 . 2009-07-08 23:39 -------- d-----w- c:\documents and settings\Mudit\Application Data\SUPERAntiSpyware.com

2009-07-02 11:13 . 2009-07-02 11:13 -------- d-----w- c:\documents and settings\Mudit\Local Settings\Application Data\Temp

2009-07-01 22:58 . 2009-07-09 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\CA

2009-07-01 21:37 . 2009-07-01 22:48 -------- d-----w- c:\windows\rnapxs

2009-07-01 17:01 . 2009-07-01 17:01 38312 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-01 01:03 . 2009-07-01 22:30 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-07-01 01:03 . 2009-07-01 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-30 22:08 . 2009-07-01 01:08 -------- d-----w- c:\program files\Lavasoft

2009-06-22 19:23 . 2009-06-22 19:23 239088 ----a-w- c:\documents and settings\Mudit\Application Data\Mozilla\plugins\npgoogletalk.dll

2009-06-12 22:47 . 2009-06-12 22:47 -------- d-----w- c:\program files\iPod

2009-06-12 22:47 . 2009-06-12 22:48 -------- d-----w- c:\program files\iTunes

2009-06-12 22:43 . 2009-06-12 22:44 -------- d-----w- c:\program files\QuickTime

2009-06-12 22:36 . 2009-06-12 22:36 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-10 01:21 . 2007-08-17 05:16 -------- d-----w- c:\program files\Java

2009-07-10 00:38 . 2008-05-07 01:25 -------- d-----w- c:\program files\Windows Live Safety Center

2009-07-09 00:09 . 2008-05-21 21:42 -------- d-----w- c:\program files\CA

2009-07-08 03:07 . 2008-08-23 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-07-08 02:29 . 2007-08-17 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-07-01 22:18 . 2008-12-08 22:59 -------- d-----w- c:\program files\Canon

2009-07-01 21:37 . 2007-08-17 03:16 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-01 01:08 . 2008-12-22 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-06-28 13:57 . 2009-01-01 20:26 1 ----a-w- c:\documents and settings\Mudit\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2009-06-12 22:47 . 2008-08-08 22:33 -------- d-----w- c:\program files\Common Files\Apple

2009-06-05 15:42 . 2009-03-14 14:30 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-06-05 15:42 . 2008-08-08 22:34 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-04 21:31 . 2009-06-04 21:31 -------- d-----w- c:\program files\SportStreamZ Watcher

2009-05-21 15:33 . 2009-01-05 23:09 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr

2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2009-01-01 20:05 . 2009-01-01 19:39 149286272 ------w- c:\program files\OOo_3.0.0_Win32Intel_install_wJRE_en-US.exe

.

 

------- Sigcheck -------

 

[7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll

[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll

[-] 2008-09-14 19:29 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2006-10-03 81920]

"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]

path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk

backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]

path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk

backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]

path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk

backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^RocketDock.lnk]

path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\RocketDock.lnk

backup=c:\windows\pss\RocketDock.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^TransBar.lnk]

path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\TransBar.lnk

backup=c:\windows\pss\TransBar.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^UberIcon.lnk]

path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\UberIcon.lnk

backup=c:\windows\pss\UberIcon.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^Y'z Shadow.lnk]

path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\Y'z Shadow.lnk

backup=c:\windows\pss\Y'z Shadow.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"AIMPro"="c:\program files\AIM\AIM Pro\aimpro.exe"

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\Mudit\\Application Data\\SopCast\\adv\\SopAdver.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"e:\\Program Files\\SopCast\\SopCast.exe"=

"e:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"e:\\Program Files\\Veoh networks\\Veoh\\VeohClient.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Documents and Settings\\Mudit\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Mudit\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Documents and Settings\\Mudit\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping

"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

 

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]

R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [12/15/2007 6:52 PM 75016]

R2 MsDtsServer;SQL Server Integration Services;e:\90\DTS\Binn\MsDtsSrvr.exe [10/14/2005 5:45 AM 199384]

R2 MSOLAP$TRAINING2;SQL Server Analysis Services (TRAINING2);c:\program files\Microsoft SQL Server\MSSQL.5\OLAP\bin\msmdsrv.exe [10/14/2005 4:46 AM 14557912]

R2 MSSQL$TRAINING2;SQL Server (TRAINING2);c:\program files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe [10/14/2005 4:51 AM 28768528]

R2 ReportServer$TRAINING2;SQL Server Reporting Services (TRAINING2);c:\program files\Microsoft SQL Server\MSSQL.6\Reporting Services\ReportServer\bin\ReportingServicesService.exe [10/14/2005 4:44 AM 14552]

R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [10/14/2005 5:44 AM 14552]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/8/2009 7:11 AM 101936]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 msftesql$TRAINING2;SQL Server FullText Search (TRAINING2);c:\program files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\msftesql.exe [8/26/2005 5:00 PM 92880]

S2 OracleServiceMUDIT;OracleServiceMUDIT;g:\oracle\ora92\bin\ORACLE.EXE MUDIT --> g:\oracle\ora92\bin\ORACLE.EXE MUDIT [?]

S2 SQLAgent$TRAINING2;SQL Server Agent (TRAINING2);c:\program files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\SQLAGENT90.EXE [10/14/2005 4:51 AM 318680]

S2 vracvkrfd;Monitor Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]

S2 zevfzpmc;System Time;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]

S2 zuzrlikg;Driver Support;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [11/25/2007 11:36 AM 16512]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [5/26/2006 9:01 PM 115952]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

vvdsvc REG_MULTI_SZ vvdsvc

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

zevfzpmc

zuzrlikg

vracvkrfd

.

Contents of the 'Scheduled Tasks' folder

 

2009-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

 

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1390067357-725345543-1003Core.job

- c:\documents and settings\Mudit\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 23:42]

 

2009-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1390067357-725345543-1003UA.job

- c:\documents and settings\Mudit\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 23:42]

 

2009-07-11 c:\windows\Tasks\User_Feed_Synchronization-{777AB2BD-E517-47EA-AAB5-25A4FF7D6574}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{957137B2-A166-45B1-A511-FBBA7C7AE991} - (no file)

BHO-{B3FE8F4C-6506-4F78-A8D9-4CB832E0C7E0} - (no file)

Notify-avgrsstarter - avgrsstx.dll

 

 

.

------- Supplementary Scan -------

.

DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-11 09:46

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$TRAINING2]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\msftesql.exe\" -s:MSSQL.4 -f:TRAINING2"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener]

"ImagePath"="g:\oracle\ora92\BIN\TNSLSNR "

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(5432)

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\netprovcredman.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\CA\SharedComponents\CA_LIC\lic98Service.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\tcpsvcs.exe

c:\windows\system32\snmp.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\rundll32.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-07-11 9:54 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-11 13:54

 

Pre-Run: 24,742,723,584 bytes free

Post-Run: 24,638,140,416 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

297 --- E O F --- 2009-06-26 22:18


Hello mninja

 

One or more of the identified infections is a rootkit. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

 

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

 

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Further, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

 

"When should I re-format? How should I reinstall?"

 

However, if you do not have the resources to reinstall your computer we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

 

Best regards

 

e-tech

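The log above lists three service names (zevfzpmc, zuzrlikg, vracvkrfd) under the svchost NetSvcs group that have no recognisable meaning, which is the kind of indicator e-tech's reply is reacting to: ComboFix prints NetSvcs members it does not recognise, and randomly generated names there are a common footprint of rootkit-installed services. The following script is an added example, not part of this thread or of ComboFix. It parses that section out of a ComboFix-style log, drops names found in a partial allowlist of stock Windows XP netsvcs entries (constructed for the example and not exhaustive), and flags the rest with a simple vowel-ratio heuristic for random-looking names. The sample log excerpt is constructed from the entries on this page plus one stock entry and one made-up non-random name.

```python
import re

# Partial allowlist of service names that legitimately belong to the XP
# netsvcs group. Constructed for this example from stock XP installs; it is
# an assumption, not an authoritative list, so extend it for your own fleet.
KNOWN_NETSVCS = {
    "6to4", "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver",
    "ersvc", "eventsystem", "helpsvc", "hkmsvc", "hidserv", "ias", "iprip",
    "irmon", "lanmanserver", "lanmanworkstation", "messenger", "netman",
    "nla", "ntmssvc", "nwcworkstation", "nwsapagent", "rasauto", "rasman",
    "remoteaccess", "schedule", "seclogon", "sens", "sharedaccess",
    "shellhwdetection", "srservice", "tapisrv", "themes", "trkwks",
    "uploadmgr", "w32time", "winmgmt", "wmdmpmsn", "wmi", "wscsvc",
    "wuauserv", "wzcsvc", "xmlprov",
}

# ComboFix prints the group as a registry path ending in "Svchost - NetSvcs"
# and terminates the section with a line containing a single dot.
SECTION_HEADER = re.compile(r"svchost - netsvcs\s*$", re.IGNORECASE)
VOWELS = set("aeiou")


def parse_netsvcs(log_text):
    """Return the service names listed under the 'Svchost - NetSvcs' header."""
    names = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if not in_section:
            in_section = bool(SECTION_HEADER.search(stripped))
            continue
        if stripped == ".":          # ComboFix section terminator
            break
        if stripped:                 # skip the blank spacer lines
            names.append(stripped)
    return names


def looks_random(name):
    """Heuristic: an all-lowercase letter blob of 6-12 chars with under 30%
    vowels. Noisy on its own (some legitimate names such as 'hkmsvc' would
    trip it), which is why it is only applied after the allowlist check."""
    if not re.fullmatch(r"[a-z]{6,12}", name):
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return vowel_ratio < 0.3


def triage(log_text):
    """Map each NetSvcs entry not on the allowlist to a verdict string."""
    verdicts = {}
    for name in parse_netsvcs(log_text):
        if name.lower() in KNOWN_NETSVCS:
            continue
        verdicts[name] = "random-looking" if looks_random(name) else "unknown"
    return verdicts


# Constructed excerpt: the three names from the log on this page, one stock
# entry (wuauserv) and one made-up, readable-but-unknown name (contosoagent).
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wuauserv

zevfzpmc

zuzrlikg

vracvkrfd

contosoagent

.

Contents of the 'Scheduled Tasks' folder
"""

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG).items():
        print(f"{name:16s} {verdict}")
```

A hit from this script is a triage cue, not a verdict: confirm it against the service's ImagePath and the file on disk, and treat any random-named service that points at a hidden or recently created binary as the "rootkit" case the reply above describes, which means credentials entered on that machine are considered exposed.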

Based upon posted logs, what do you suggest to do?

1) Reformat C drive only & /or All drives.

2) Reinstall OS?


To be 100% sure, I recommend that you re-format everything on your computer and re-install a fresh OS.

 

You don't have to re-format other drives if you are 100% sure and know that you've never moved files from the C to them. Infection is only seen on your C drive.

Edited by e-tech


Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
