google search links direct me to random sites


8 replies to this topic

#1 mninja

  • Full Member
  • 6 posts

Posted 01 July 2009 - 10:37 AM

Hello!

I have been facing this problem for the past couple of days. Whenever I click on search links provided by Google, it takes me to random sites. It doesn't happen all the time though. I have Windows XP Professional Edition with the latest Service Pack. Automatic Update is ON. I am using AVG Free Edition along with Malwarebytes, and yesterday I also installed Spybot Search & Destroy.
None of these antivirus and antispyware tools detect anything. I don't know what I can do to get rid of this problem. I am using two browsers, namely IE7 and Google Chrome.

Experts, please help.

Thanks!

P.S. I tried to run the antivirus, Malwarebytes and Spybot in Safe Mode, but with all of them I got the Visual Studio Just-In-Time Debugger, which ended them all abruptly.

Edited by mninja, 01 July 2009 - 12:23 PM.


#2 e-tech

  • The Decontaminator
  • Trusted Advisor*
  • 1,891 posts

Posted 03 July 2009 - 09:54 AM

Hello mninja

It may take some time and a couple of attempts to provide you with the right help. Many of today's infections are advanced and install other infections on the computer.
It's almost impossible to remove the entire infection and to check for leftovers in one go. Please be patient.
:)

Please download ATF Cleaner. Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.



Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Update Malwarebytes' Anti-Malware to the newest version and perform the complete scan.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK for either of the prompts and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.




Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt, MBAM log, GooredFix.txt and the contents of checkup.txt in your next reply for further review.


Best regards

e-tech

Edited by e-tech, 04 July 2009 - 05:25 PM.

My fight is dedicated to the children with autism - please support and help these kids.

Our greatest glory is not in never falling but in rising every time we fall.
- Confucius


#3 mninja

  • Full Member
  • 6 posts

Posted 10 July 2009 - 07:46 AM

I do not know whether it is fixed now or not, but for two days running now I haven't seen any Google redirect issue.
I installed Norton AV and ran it in Safe Mode. I also installed a new copy of Malwarebytes. Both scans caught a few trojans.
Now it's running fine so far.


#4 e-tech

  • The Decontaminator
  • Trusted Advisor*
  • 1,891 posts

Posted 10 July 2009 - 09:34 AM

Hello mninja

When replying to your topic, please use the Posted Image button.
I do not need to see my previous post. :)


To provide you with the best possible help I need you to follow my instructions. Please run the tools and post the logs.
At this stage of cleaning process I can't guarantee that your computer is clean.

You've probably removed the symptoms, but the infection is most likely not removed.

If you don't proceed with the cleaning process, then I strongly recommend that you format and reinstall your Windows.
When Should I Format, How Should I Reinstall

Should you have any questions, please feel free to ask.

Please let me know what your decision is.


Best regards

e-tech



#5 mninja

  • Full Member
  • 6 posts

Posted 11 July 2009 - 09:02 AM

Sorry for the delay.
Please find the logs you asked for.
Thanks!

ATF ran perfectly. HostsXpert did not; I am getting the following error:
Error cannot Create file C:\Windows\System32\Drivers\Etc\Hosts??

Security Check Log:

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
WindowsLiveOneCaresafetyscanner
SymantecAntiVirus
Antivirus up to date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Malwarebytes' Anti-Malware
CCleaner (remove only)
Java™ 6 Update 14
Java™ SE Runtime Environment 6
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 4
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 3
Java 2 SDK, SE v1.4.2_13
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 13 seconds.
`````````End of Log```````````

GooredFix Log:
GooredFix by jpshortstuff (03.07.09)
Log created at 01:35 on 11/07/2009 (Mudit)
Firefox version [Unable to determine]

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:34 29/01/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:12 11/03/2009]

-=E.O.F=-

MalwareBytes Log:
Malwarebytes' Anti-Malware 1.38
Database version: 2405
Windows 5.1.2600 Service Pack 3

7/11/2009 9:04:29 AM
mbam-log-2009-07-11 (09-04-29).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|)
Objects scanned: 215602
Time elapsed: 1 hour(s), 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix Log:
ComboFix 09-07-09.08 - Mudit 07/11/2009 9:28.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.298 [GMT -4:00]
Running from: c:\documents and settings\Mudit\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}
c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}\chrome.manifest
c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}\chrome\content\_cfg.js
c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}\chrome\content\c.js
c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}\chrome\content\overlay.xul
c:\documents and settings\Mudit\Local Settings\Application Data\{86B9F5F8-5048-4281-BE65-A296244801DC}\install.rdf
c:\windows\system32\Cache
c:\windows\system32\mkghj.dll
c:\windows\system32\rtc.dat

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_NPF
-------\Legacy_TDSSSERV
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.

2009-07-11 05:17 . 2008-07-27 16:11 -------- d-----w- C:\HostsXpert
2009-07-10 21:20 . 2009-07-10 21:20 -------- d-----w- c:\windows\McAfee.com
2009-07-10 01:20 . 2009-07-10 01:20 152576 ----a-w- c:\documents and settings\Mudit\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-10 00:11 . 2009-07-10 00:11 -------- d-----w- c:\program files\CCleaner
2009-07-08 22:21 . 2009-07-08 22:22 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-08 22:21 . 2009-07-08 22:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-08 12:09 . 2009-07-08 12:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-07-08 11:07 . 2009-07-08 11:07 -------- d-----w- c:\documents and settings\Mudit\Local Settings\Application Data\Symantec
2009-07-08 11:06 . 2006-01-31 17:29 87808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-08 11:06 . 2006-01-31 17:29 107696 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-08 11:03 . 2009-07-08 11:12 -------- d-----w- c:\program files\Symantec
2009-07-08 11:03 . 2009-07-11 13:40 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-08 11:03 . 2009-07-08 11:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-08 11:03 . 2009-07-08 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-08 11:03 . 2009-07-08 11:03 -------- d-----w- c:\temp\SAV
2009-07-08 00:46 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 00:46 . 2009-07-08 00:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 00:46 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 22:49 . 2009-07-07 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-07 22:48 . 2009-07-08 23:39 -------- d-----w- c:\documents and settings\Mudit\Application Data\SUPERAntiSpyware.com
2009-07-02 11:13 . 2009-07-02 11:13 -------- d-----w- c:\documents and settings\Mudit\Local Settings\Application Data\Temp
2009-07-01 22:58 . 2009-07-09 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-07-01 21:37 . 2009-07-01 22:48 -------- d-----w- c:\windows\rnapxs
2009-07-01 17:01 . 2009-07-01 17:01 38312 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 01:03 . 2009-07-01 22:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-01 01:03 . 2009-07-01 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-30 22:08 . 2009-07-01 01:08 -------- d-----w- c:\program files\Lavasoft
2009-06-22 19:23 . 2009-06-22 19:23 239088 ----a-w- c:\documents and settings\Mudit\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-06-12 22:47 . 2009-06-12 22:47 -------- d-----w- c:\program files\iPod
2009-06-12 22:47 . 2009-06-12 22:48 -------- d-----w- c:\program files\iTunes
2009-06-12 22:43 . 2009-06-12 22:44 -------- d-----w- c:\program files\QuickTime
2009-06-12 22:36 . 2009-06-12 22:36 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 01:21 . 2007-08-17 05:16 -------- d-----w- c:\program files\Java
2009-07-10 00:38 . 2008-05-07 01:25 -------- d-----w- c:\program files\Windows Live Safety Center
2009-07-09 00:09 . 2008-05-21 21:42 -------- d-----w- c:\program files\CA
2009-07-08 03:07 . 2008-08-23 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-08 02:29 . 2007-08-17 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-01 22:18 . 2008-12-08 22:59 -------- d-----w- c:\program files\Canon
2009-07-01 21:37 . 2007-08-17 03:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-01 01:08 . 2008-12-22 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-28 13:57 . 2009-01-01 20:26 1 ----a-w- c:\documents and settings\Mudit\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-12 22:47 . 2008-08-08 22:33 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 15:42 . 2009-03-14 14:30 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2008-08-08 22:34 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-04 21:31 . 2009-06-04 21:31 -------- d-----w- c:\program files\SportStreamZ Watcher
2009-05-21 15:33 . 2009-01-05 23:09 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-01-01 20:05 . 2009-01-01 19:39 149286272 ------w- c:\program files\OOo_3.0.0_Win32Intel_install_wJRE_en-US.exe
.

------- Sigcheck -------

[7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-09-14 19:29 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2006-10-03 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^RocketDock.lnk]
path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\RocketDock.lnk
backup=c:\windows\pss\RocketDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^TransBar.lnk]
path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\TransBar.lnk
backup=c:\windows\pss\TransBar.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^UberIcon.lnk]
path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\UberIcon.lnk
backup=c:\windows\pss\UberIcon.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mudit^Start Menu^Programs^Startup^Y'z Shadow.lnk]
path=c:\documents and settings\Mudit\Start Menu\Programs\Startup\Y'z Shadow.lnk
backup=c:\windows\pss\Y'z Shadow.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AIMPro"="c:\program files\AIM\AIM Pro\aimpro.exe"
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Mudit\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"e:\\Program Files\\SopCast\\SopCast.exe"=
"e:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\Veoh networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Documents and Settings\\Mudit\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Mudit\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\Mudit\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [12/15/2007 6:52 PM 75016]
R2 MsDtsServer;SQL Server Integration Services;e:\90\DTS\Binn\MsDtsSrvr.exe [10/14/2005 5:45 AM 199384]
R2 MSOLAP$TRAINING2;SQL Server Analysis Services (TRAINING2);c:\program files\Microsoft SQL Server\MSSQL.5\OLAP\bin\msmdsrv.exe [10/14/2005 4:46 AM 14557912]
R2 MSSQL$TRAINING2;SQL Server (TRAINING2);c:\program files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe [10/14/2005 4:51 AM 28768528]
R2 ReportServer$TRAINING2;SQL Server Reporting Services (TRAINING2);c:\program files\Microsoft SQL Server\MSSQL.6\Reporting Services\ReportServer\bin\ReportingServicesService.exe [10/14/2005 4:44 AM 14552]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [10/14/2005 5:44 AM 14552]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/8/2009 7:11 AM 101936]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 msftesql$TRAINING2;SQL Server FullText Search (TRAINING2);c:\program files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\msftesql.exe [8/26/2005 5:00 PM 92880]
S2 OracleServiceMUDIT;OracleServiceMUDIT;g:\oracle\ora92\bin\ORACLE.EXE MUDIT --> g:\oracle\ora92\bin\ORACLE.EXE MUDIT [?]
S2 SQLAgent$TRAINING2;SQL Server Agent (TRAINING2);c:\program files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\SQLAGENT90.EXE [10/14/2005 4:51 AM 318680]
S2 vracvkrfd;Monitor Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]
S2 zevfzpmc;System Time;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]
S2 zuzrlikg;Driver Support;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [11/25/2007 11:36 AM 16512]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [5/26/2006 9:01 PM 115952]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
vvdsvc REG_MULTI_SZ vvdsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zevfzpmc
zuzrlikg
vracvkrfd
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1390067357-725345543-1003Core.job
- c:\documents and settings\Mudit\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 23:42]

2009-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1390067357-725345543-1003UA.job
- c:\documents and settings\Mudit\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 23:42]

2009-07-11 c:\windows\Tasks\User_Feed_Synchronization-{777AB2BD-E517-47EA-AAB5-25A4FF7D6574}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{957137B2-A166-45B1-A511-FBBA7C7AE991} - (no file)
BHO-{B3FE8F4C-6506-4F78-A8D9-4CB832E0C7E0} - (no file)
Notify-avgrsstarter - avgrsstx.dll


.
------- Supplementary Scan -------
.
DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-11 09:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$TRAINING2]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\msftesql.exe\" -s:MSSQL.4 -f:TRAINING2"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="g:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5432)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CA\SharedComponents\CA_LIC\lic98Service.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-11 9:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-11 13:54

Pre-Run: 24,742,723,584 bytes free
Post-Run: 24,638,140,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

297 --- E O F --- 2009-06-26 22:18
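The ComboFix excerpt above contains three pieces a responder reads first: the service ImagePath values, the DLLs loaded into explorer.exe, and the list of other running processes. The following is an added example, not part of this thread and not a ComboFix feature: a small Python triage parser that pulls every executable path out of those sections and flags the two things worth checking by hand, code running from outside the usual program directories, and a core Windows binary name (svchost.exe and friends) running from somewhere other than c:\windows. The sample log is constructed: the first lines are copied from the posted log, and the final svchost.exe process line is invented purely to show what a hit looks like.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the log posted in this thread, plus one
# invented process line (the temp-directory svchost.exe) to exercise the checks.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="g:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5432)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\msdtc.exe
c:\docume~1\user\locals~1\temp\svchost.exe
.
"""

# Directories from which legitimately installed code normally runs on XP.
# Anything else is not automatically malicious (the Oracle listener on g:\ is
# a real product here) but it is where a responder looks first.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Core Windows binary names; a copy of one of these running outside
# c:\windows is a classic sign of malware masquerading as a system process.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}

IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.*)"$')
PATH_RE = re.compile(r'^[a-z]:\\.*\.(?:exe|dll|sys)$', re.IGNORECASE)


def extract_paths(log: str) -> List[str]:
    """Return every executable path in the excerpt: service ImagePath values
    (registry escaping and command-line arguments stripped) plus each bare
    path line in the DLL and process sections."""
    paths: List[str] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = IMAGEPATH_RE.match(line)
        if m:
            value = m.group(1).replace('\\"', '"')   # undo .reg-style escaping
            if value.startswith('"'):               # quoted path, args follow
                value = value[1:].split('"', 1)[0]
            else:                                   # unquoted: first token
                value = value.split(" ", 1)[0]
            paths.append(value.strip())
        elif PATH_RE.match(line):
            paths.append(line)
    return paths


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Group the extracted paths into the findings a responder checks first."""
    findings: Dict[str, List[str]] = {
        "outside_trusted_roots": [],
        "system_name_wrong_dir": [],
    }
    for p in paths:
        low = p.lower()
        name = low.rsplit("\\", 1)[-1]
        if not low.startswith(TRUSTED_ROOTS):
            findings["outside_trusted_roots"].append(p)
        if name in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
            findings["system_name_wrong_dir"].append(p)
    return findings


if __name__ == "__main__":
    report = triage(extract_paths(SAMPLE_LOG))
    for category, hits in report.items():
        print(f"{category}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On the constructed sample this reports two paths outside the trusted roots (the Oracle listener on g:\, which the thread's log shows is a legitimate install, and the invented temp-directory svchost.exe) and one system-name hit (the same svchost.exe). The point of the second check is that a name alone proves nothing; where the file runs from is what separates the real service host in c:\windows\system32 from a copy dropped into a user-writable directory. Note also that ComboFix's own "hidden files: 0" line comes from a separate cross-view check, which this parser does not replicate; it only helps read the visible listing.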

#6 e-tech

e-tech

    The Decontaminator

  • Trusted Advisor*
  • 1,891 posts

Posted 11 July 2009 - 10:42 AM

Hello mninja

One or more of the identified infections is a rootkit. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steals sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a different computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Further, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"

However, if you do not have the resources to reinstall your computer we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Best regards

e-tech

My fight is dedicated to the children with autism - please support and help these kids.

Our greatest glory is not in never falling but in rising every time we fall.
- Confucius


#7 mninja

mninja

    Member

  • Full Member
  • 6 posts

Posted 11 July 2009 - 10:56 AM

Based upon the posted logs, what do you suggest I do?
1) Reformat the C drive only, and/or all drives?
2) Reinstall the OS?

#8 e-tech

e-tech

    The Decontaminator

  • Trusted Advisor*
  • 1,891 posts

Posted 11 July 2009 - 11:15 AM

To be 100% sure, I recommend that you re-format everything on your computer and re-install a fresh OS.

You don't have to re-format the other drives if you are 100% sure that you've never moved files from C to them. The infection is only seen on your C drive.

Edited by e-tech, 11 July 2009 - 11:18 AM.



#9 e-tech

e-tech

    The Decontaminator

  • Trusted Advisor*
  • 1,891 posts

Posted 13 July 2009 - 01:30 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
