pls help. browsers close, redirect urls etc

Post by drjn » March 27th, 2009, 1:37 pm

Hi,

Hope someone out there is able to help me. I've been trying to get my comp to function as usual, but no "luck".

I get redirected to other places while clicking links, my browser shuts down (both Firefox and Explorer), regedit only comes up for approx. 5 sec, then shuts down. My AVG anti-virus won't connect to the update server, and the icon doesn't show as usual. I've run an updated (via USB memory) AVG check and an updated Malwarebytes' Anti-Malware, but the problems are still here, even though I think they've gotten fewer.

Ok. Enough rambling from my part. Below is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:19, on 2009-03-27
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Analog Devices\Core\smax4pnp.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\explorer.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\AVG\AVG8\avgwdsvc.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program\AVG\AVG8\avgrsx.exe
C:\Program\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\route.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [SN02IPRW] C:\WINDOWS\system32\SN02SELC.EXE -w
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\Program\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program\Delade filer\Autodesk Shared\acstart17.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Kensington Si670m Bluetooth Mouse.lnk = C:\Program\Kensington Si670m Bluetooth Mouse\MulMouse.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {AD1350A0-17F5-4714-A57B-B65F9EABF5D1} (AbolishLoader Control) - https://webaccess.wmdata.com/wa/AbolishLoader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
O23 - Service: OKI OPHC DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

--
End of file - 7417 bytes

Hope someone can find the fishiness and help me out. Very thankful for any help.

Cheers.
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm

Re: pls help. browsers close, redirect urls etc

Post by John B. » April 7th, 2009, 1:43 pm

Hi, and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me how long it will take so the topic will not be closed.

These rules are to make my voluntary work more comfortable:
  • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • Please reply to this thread. Do not start a new topic.
  • Also, don't post logs as attachments. Other helpers like to view the logs as well, and opening a lot of attachments is irritating. They can also contain malware.

Finally, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Open The Misc Tool Section button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic.

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: pls help. browsers close, redirect urls etc

Post by drjn » April 8th, 2009, 3:26 am

Hi John,

Really appreciate your efforts! :)
Here is the uninstall list.

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9 - Svenska
Agere Systems HDA Modem
Apple Mobile Device Support
Apple Software Update
Application Installer 4.00.B5
AutoCAD Architecture 2010
AutoCAD Architecture 2010
AutoCAD LT 2007 - English
AVG 8.5
Bonjour
coverXP (remove only)
dBpoweramp Music Converter
D-Link Media Server 1.10
DWG TrueView 2008
ffdshow [rev 2099] [2008-09-03]
FreeDVD Codec Installer Version 1.0
FreeDVD Codec Installer Version 1.0 (C:\Program\CodecInstaller\)
Google SketchUp 6
Google SketchUp 6
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
HP Designjet T1100 Printer Series
HP Help and Support
HP ICC Profiles
HP Integrated Module with Bluetooth wireless technology
HP Quick Launch Buttons 6.00 D2
HP User Guides 0029
HP Web Registration
HP Wireless Assistant 2.00 E1
Intel(R) Graphics Media Accelerator Driver
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Kensington Si670m Bluetooth Mouse 1.00.01 (Build 1000)
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Swedish Language Pack
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MIKSOFT Mobile Media Converter
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Nero 8
neroxml
Net iD 4.8
Netscape Navigator (9.0.0.6)
OpenOffice.org Installer 1.0
Pdf995
QuickTime
RealPlayer
Registry Clean Expert
Remote Control USB Driver
SHARP MFP TWAIN K-scannerdrivrutin
SHARP MX Series PCL/PS Printer Driver
Snabbkorrigering för Windows Media Player 11 (KB939683)
Snabbkorrigering för Windows XP (KB942288-v3)
Snabbkorrigering för Windows XP (KB952287)
SoundMAX
Synaptics Pointing Device Driver
Säkerhetsuppdatering för Windows Media Player (KB952069)
Säkerhetsuppdatering för Windows Media Player 10 (KB917734)
Säkerhetsuppdatering för Windows Media Player 11 (KB936782)
Säkerhetsuppdatering för Windows Media Player 11 (KB954154)
Säkerhetsuppdatering för Windows Media Player 9 (KB911565)
Säkerhetsuppdatering för Windows XP (KB923789)
Säkerhetsuppdatering för Windows XP (KB938464)
Säkerhetsuppdatering för Windows XP (KB938464-v2)
Säkerhetsuppdatering för Windows XP (KB946648)
Säkerhetsuppdatering för Windows XP (KB950759)
Säkerhetsuppdatering för Windows XP (KB950760)
Säkerhetsuppdatering för Windows XP (KB950762)
Säkerhetsuppdatering för Windows XP (KB950974)
Säkerhetsuppdatering för Windows XP (KB951066)
Säkerhetsuppdatering för Windows XP (KB951376)
Säkerhetsuppdatering för Windows XP (KB951376-v2)
Säkerhetsuppdatering för Windows XP (KB951698)
Säkerhetsuppdatering för Windows XP (KB951748)
Säkerhetsuppdatering för Windows XP (KB952954)
Säkerhetsuppdatering för Windows XP (KB953838)
Säkerhetsuppdatering för Windows XP (KB953839)
Säkerhetsuppdatering för Windows XP (KB954211)
Säkerhetsuppdatering för Windows XP (KB954459)
Säkerhetsuppdatering för Windows XP (KB954600)
Säkerhetsuppdatering för Windows XP (KB955069)
Säkerhetsuppdatering för Windows XP (KB956390)
Säkerhetsuppdatering för Windows XP (KB956391)
Säkerhetsuppdatering för Windows XP (KB956802)
Säkerhetsuppdatering för Windows XP (KB956803)
Säkerhetsuppdatering för Windows XP (KB956841)
Säkerhetsuppdatering för Windows XP (KB957095)
Säkerhetsuppdatering för Windows XP (KB957097)
Säkerhetsuppdatering för Windows XP (KB958215)
Säkerhetsuppdatering för Windows XP (KB958644)
Säkerhetsuppdatering för Windows XP (KB958687)
Säkerhetsuppdatering för Windows XP (KB958690)
Säkerhetsuppdatering för Windows XP (KB960225)
Säkerhetsuppdatering för Windows XP (KB960714)
Säkerhetsuppdatering för Windows XP (KB960715)
TBS WMP Plug-in
Uppdatering för Windows XP (KB951072-v2)
Uppdatering för Windows XP (KB951978)
Uppdatering för Windows XP (KB955839)
Uppdatering för Windows XP (KB967715)
VCRedistSetup
Viktig uppdatering för Windows Media Player 11 (KB959772)
Winamp (remove only)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
VLC media player 0.9.8a
Xvid 1.1.2 final uninstall
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm

Re: pls help. browsers close, redirect urls etc

Post by John B. » April 8th, 2009, 9:06 am

Hi,

There are two files that I would like to know more about, so let's start with that.
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\SN02SELC.EXE

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programs.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Repeat for all files on the list.

Post the results in a reply to this topic. Also let me know if you have AVG Free Edition or a paid version.

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: pls help. browsers close, redirect urls etc

Post by drjn » April 8th, 2009, 11:22 am

File Scheduler.exe received on 04.08.2009 16:16:38 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.08 -
AhnLab-V3 5.0.0.2 2009.04.08 -
AntiVir 7.9.0.138 2009.04.08 -
Antiy-AVL 2.0.3.1 2009.04.08 -
Authentium 5.1.2.4 2009.04.08 -
Avast 4.8.1335.0 2009.04.08 -
AVG 8.5.0.285 2009.04.08 -
BitDefender 7.2 2009.04.08 -
CAT-QuickHeal 10.00 2009.04.08 -
ClamAV 0.94.1 2009.04.08 -
Comodo 1105 2009.04.08 -
DrWeb 4.44.0.09170 2009.04.08 -
eSafe 7.0.17.0 2009.04.07 -
eTrust-Vet 31.6.6444 2009.04.08 -
F-Prot 4.4.4.56 2009.04.08 -
F-Secure 8.0.14470.0 2009.04.08 -
Fortinet 3.117.0.0 2009.04.08 -
GData 19 2009.04.08 -
Ikarus T3.1.1.49.0 2009.04.08 -
K7AntiVirus 7.10.695 2009.04.07 -
Kaspersky 7.0.0.125 2009.04.08 -
McAfee 5577 2009.04.07 -
McAfee+Artemis 5577 2009.04.07 -
McAfee-GW-Edition 6.7.6 2009.04.08 -
Microsoft 1.4502 2009.04.08 -
NOD32 3994 2009.04.07 -
Norman 6.00.06 2009.04.08 -
nProtect 2009.1.8.0 2009.04.08 -
Panda 10.0.0.14 2009.04.08 -
PCTools 4.4.2.0 2009.04.08 -
Prevx1 V2 2009.04.08 -
Rising 21.24.22.00 2009.04.08 -
Sophos 4.40.0 2009.04.08 -
Sunbelt 3.2.1858.2 2009.04.08 -
Symantec 1.4.4.12 2009.04.08 -
TheHacker 6.3.4.0.303 2009.04.08 -
TrendMicro 8.700.0.1004 2009.04.08 -
VBA32 3.12.10.2 2009.04.08 -
ViRobot 2009.4.7.1684 2009.04.08 -
VirusBuster 4.6.5.0 2009.04.08 -
Additional information
File size: 892928 bytes
MD5...: 8c453d114162391ee5e6c132a499c647
SHA1..: a5198c9a769050b73ee9bade89541f277521cf16
SHA256: 33b5e5808f3faccf46b69dee759bf081b83835fb7d4933d0fd342a7441ba2a7b
SHA512: b625c1a2cc588e2551cc0905bc196164244ae00e9e33f443d6bd2a6a07fea1fd800fc59cd3217c6d4836c950a33989ce938141c0d303cca7f3a8ab1fb8986dc1
ssdeep: 12288:iDm2cqjtBnlQdVgFzA/mMprR/NSSkxMniZQFzmRrHe2cQ1uWax41uWaxzP:iDmvkA/mMFRhuQFzicb
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6e842
timedatestamp.....: 0x43f33e02 (Wed Feb 15 14:43:14 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x93bf6 0x94000 6.54 a8b63ff7e0b77aa58cbfce81bd8f102a
.rdata 0x95000 0x13340 0x14000 4.62 33ba5341fa7719c09253ae98b3266131
.data 0xa9000 0x1f1e8 0x9000 3.56 218a6dc385afafcf4c161a7ab62acf2c
.rsrc 0xc9000 0x27978 0x28000 7.41 1d7d34293aaddf245545fc6aa2fb91e9


( 0 exports )
RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=8c453d114162391ee5e6c132a499c647
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm

Re: pls help. browsers close, redirect urls etc

Post by drjn » April 8th, 2009, 11:23 am

File SN02SELC.EXE received on 04.08.2009 16:20:54 (CET)
Current status: finished
Result: 0/40 (0.00%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.08 -
AhnLab-V3 5.0.0.2 2009.04.08 -
AntiVir 7.9.0.138 2009.04.08 -
Antiy-AVL 2.0.3.1 2009.04.08 -
Authentium 5.1.2.4 2009.04.08 -
Avast 4.8.1335.0 2009.04.08 -
AVG 8.5.0.285 2009.04.08 -
BitDefender 7.2 2009.04.08 -
CAT-QuickHeal 10.00 2009.04.08 -
ClamAV 0.94.1 2009.04.08 -
Comodo 1105 2009.04.08 -
DrWeb 4.44.0.09170 2009.04.08 -
eSafe 7.0.17.0 2009.04.07 -
eTrust-Vet 31.6.6444 2009.04.08 -
F-Prot 4.4.4.56 2009.04.08 -
F-Secure 8.0.14470.0 2009.04.08 -
Fortinet 3.117.0.0 2009.04.08 -
GData 19 2009.04.08 -
Ikarus T3.1.1.49.0 2009.04.08 -
K7AntiVirus 7.10.695 2009.04.07 -
Kaspersky 7.0.0.125 2009.04.08 -
McAfee 5577 2009.04.07 -
McAfee+Artemis 5577 2009.04.07 -
McAfee-GW-Edition 6.7.6 2009.04.08 -
Microsoft 1.4502 2009.04.08 -
NOD32 3994 2009.04.07 -
Norman 6.00.06 2009.04.08 -
nProtect 2009.1.8.0 2009.04.08 -
Panda 10.0.0.14 2009.04.08 -
PCTools 4.4.2.0 2009.04.08 -
Prevx1 V2 2009.04.08 -
Rising 21.24.22.00 2009.04.08 -
Sophos 4.40.0 2009.04.08 -
Sunbelt 3.2.1858.2 2009.04.08 -
Symantec 1.4.4.12 2009.04.08 -
TheHacker 6.3.4.0.303 2009.04.08 -
TrendMicro 8.700.0.1004 2009.04.08 -
VBA32 3.12.10.2 2009.04.08 -
ViRobot 2009.4.7.1684 2009.04.08 -
VirusBuster 4.6.5.0 2009.04.08 -
Additional information
File size: 135168 bytes
MD5...: 8fffefc6d188d8d9ba87bd86629ca491
SHA1..: 0b1ad11cd76057ff1c9f4c3c6eb4404eec62b14d
SHA256: 76521167df67570228d863722fe822d782361c757c61fc8ad493518a8b827cf6
SHA512: b0608926cd208bd6dd2c55bc7be606fa784e46f60de3a5b7947d3fa63e8b37ef5339aaa35dde408c7d02603f9a8c1ccf5b304fdd67a2c4ddc31d9db18fa1cdeb
ssdeep: 3072:uBwu2h44IveAh96EA+KV9cqKXWgPfc/oxckV+jQXatsyIgmjbSt/W+lUIIGS:gwuuIGc6rqqKH8/oxckV+jQXatsyIgmh
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2834
timedatestamp.....: 0x42114a06 (Tue Feb 15 01:01:58 2005)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1532a 0x16000 6.49 5a7eab87b829440ce618275d68452e14
.rdata 0x17000 0x48dc 0x5000 4.56 8c40e5a0fff1cc1a6388905913bf6bbe
.data 0x1c000 0x5828 0x2000 2.80 d67dca4af20ce6d948a38e7b1220908b
.rsrc 0x22000 0x2648 0x3000 4.13 23ce615db3bafdcaff2a9ecdd052c5c2


( 0 exports )
RDS...: NSRL Reference Data Set
-
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm

Re: pls help. browsers close, redirect urls etc

Post by drjn » April 8th, 2009, 11:24 am

...and I have AVG free.
thnx
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm

Re: pls help. browsers close, redirect urls etc

Post by John B. » April 8th, 2009, 12:04 pm

Hi,

Both files look good. Let's run a scanner.

You aren't running firewall software. Please download and install one of the firewalls below first!

Use a Firewall - Using a firewall on your computer can be very important. Without a firewall your computer is susceptible to being hacked and taken over. There are some different situations you can be in where a third-party firewall may or may not be a good addition to your system:
  • If you are not using Windows XP or Vista but an older version, I recommend that you use a firewall.
  • If you are using Windows XP or Vista but are on dial-up, I recommend that you use a firewall.
  • If you are using Windows XP or Vista and are on broadband, but are not experienced in using firewalls and in making the choice to allow or disallow things, I recommend that you use Windows Firewall.
  • If you are using Windows XP or Vista, are on broadband and are experienced, I recommend that you disable Windows Firewall (as it is not perfect) and get a third-party firewall.

Here are some firewalls which are free for personal use and most used:
Kerio Personal Firewall (Free version after 30 days)
Online Armor Free

Or you could buy their paid version online or in a shop nearby:
Kerio Personal Firewall (Continue paid version after 30 days)
Online Armor or Online Armor AV+ with Anti-Virus included

Once you have done this, we can begin with the fix.

Step 1: Download and Run ComboFix
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti virus program please see this:
http://www.bleepingcomputer.com/forums/topic114351.html

If you have Avast as anti virus an additional thing has to be changed to make ComboFix work properly:
[screenshot]

Go on with the ComboFix guide; when it opens its log, please close it.

Remember that the ComboFix log is saved here: C:\ComboFix.txt

Step 2: Post logs
Please post the following logs in a reply to this topic (use multiple posts if needed):
  • New HijackThis log
  • ComboFix log

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: pls help. browsers close, redirect urls etc

Post by drjn » April 8th, 2009, 2:46 pm

ComboFix 09-04-04.01 - Administratör 2009-04-08 20:31:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.1015.555 [GMT 2:00]
Körs från: c:\documents and settings\Administratör\Skrivbord\combofix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\g32.txt
c:\windows\IE4 Error Log.txt
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR


(((((((((((((((((((((((( Filer Skapade från 2009-03-08 till 2009-04-08 ))))))))))))))))))))))))))))))
.

2009-04-08 20:21 . 2009-04-08 20:21 3,067,803 --a------ C:\combofix.exe
2009-03-27 16:56 . 2009-03-26 17:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 16:27 . 2009-03-27 16:27 <KAT> d-------- c:\program\Trend Micro
2009-03-27 15:36 . 2009-03-27 15:36 <KAT> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-27 14:00 . 2009-03-27 14:00 <KAT> d-------- c:\program\Delade filer\Macrovision Shared
2009-03-27 13:57 . 2009-03-27 13:57 <KAT> d-------- C:\ProgramData
2009-03-27 13:57 . 2009-03-27 15:36 <KAT> d-------- c:\program\AutoCAD Architecture 2010
2009-03-27 13:56 . 2009-03-27 13:56 <KAT> d-------- c:\windows\Logs
2009-03-27 13:56 . 2008-03-05 16:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2009-03-27 13:56 . 2008-03-05 16:56 1,420,824 --a------ c:\windows\system32\D3DCompiler_37.dll
2009-03-27 13:56 . 2008-02-06 00:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
2009-03-27 13:52 . 2009-03-27 14:22 <KAT> d-------- c:\windows\SxsCaPendDel
2009-03-27 13:52 . 2009-03-27 13:52 <KAT> d-------- C:\9dea1a5b7fec128066a56162b4c1
2009-03-27 11:41 . 2009-03-27 17:21 <KAT> d--h----- C:\$AVG8.VAULT$
2009-03-27 11:07 . 2009-03-27 11:11 <KAT> d-------- c:\program\Registry Clean Expert
2009-03-27 10:59 . 2009-04-08 20:26 <KAT> d-------- c:\windows\system32\drivers\Avg
2009-03-27 10:59 . 2009-03-27 10:59 <KAT> d-------- c:\program\AVG
2009-03-27 10:59 . 2009-03-27 10:59 <KAT> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-27 10:59 . 2009-03-27 10:59 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-27 10:59 . 2009-04-08 20:27 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-27 10:59 . 2009-03-27 10:59 10,520 --a------ c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 20:46 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-04-03 05:06 --------- d-----w c:\program\Java
2009-03-27 14:59 --------- d-----w c:\program\Malwarebytes' Anti-Malware
2009-03-27 14:02 --------- d-----w c:\program\AutoCAD Architecture 2009
2009-03-27 14:01 --------- d-----w c:\program\Delade filer\Autodesk Shared
2009-03-27 11:57 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2009-03-27 11:57 --------- d-----w c:\documents and settings\Administratör\Application Data\Autodesk
2009-03-27 10:16 --------- d-----w c:\documents and settings\Administratör\Application Data\uTorrent
2009-03-26 15:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-21 17:24 --------- d-----w c:\documents and settings\Administratör\Application Data\U3
2009-02-27 09:19 --------- d--h--w c:\program\InstallShield Installation Information
2009-02-27 08:58 --------- d-----w c:\program\Epoq Design
2008-02-17 17:15 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RegClean Expert Scheduler"="c:\program\Registry Clean Expert\RCHelper.exe" [2009-03-27 601848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SynTPEnh"="c:\program\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"hpWirelessAssistant"="c:\program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"Cpqset"="c:\program\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-23 802816]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"SN02IPRW"="c:\windows\system32\SN02SELC.EXE" [2005-02-15 135168]
"Net iD"="c:\windows\system32\iid.exe" [2008-02-22 74992]
"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\program\AVG\AVG8\avgtray.exe" [2009-03-27 1932568]
"SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
AutoCAD LT Startup Accelerator.lnk - c:\program\Delade filer\Autodesk Shared\acstart17.exe [2006-03-05 11000]
BTTray.lnk - c:\program\WIDCOMM\Bluetooth-programvara\BTTray.exe [2006-02-15 581693]
Kensington Si670m Bluetooth Mouse.lnk - c:\program\Kensington Si670m Bluetooth Mouse\MulMouse.exe [2007-04-23 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-27 10:59 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^DVD Check.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 12:48 157592 c:\program\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-02-28 09:59 570664 c:\program\Delade filer\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-03-02 15:39 131072 c:\program\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 c:\program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program\\Mozilla Firefox\\firefox.exe"=
"c:\\Program\\Google\\Google SketchUp 6\\SketchUp.exe"=
"c:\\Program\\D-Link Media Server\\MediaServer.exe"=
"c:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"c:\\Program\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program\\MSN Messenger\\livecall.exe"=
"c:\\Program\\Bonjour\\mDNSResponder.exe"=
"c:\\Program\\iTunes\\iTunes.exe"=
"c:\\Program\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-27 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-27 108552]
R1 Si670m;WayTechSi670mFilterDriver;c:\windows\system32\drivers\Si670m.sys [2007-04-23 13312]
R2 avg8wd;AVG Free8 WatchDog;c:\program\AVG\AVG8\avgwdsvc.exe [2009-03-27 298264]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-27 38496]
S3 OKI OPHC DCS Loader;OKI OPHC DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHCLDCS.EXE [2006-06-22 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30dc222a-1638-11de-bb83-0018de8cf91d}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41739e70-102a-11dd-b9d1-0018de8cf91d}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67161bf6-c104-11db-b686-0018de8cf91d}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67161bf7-c104-11db-b686-0018de8cf91d}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b14f206-cb43-11db-b6a3-0018de8cf91d}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b14f207-cb43-11db-b6a3-0018de8cf91d}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5ea7970-c0c7-11db-b684-0018de8cf91d}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5ea7972-c0c7-11db-b684-0018de8cf91d}]
\Shell\AutoRun\command - G:\AutoRun.exe
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

MSConfigStartUp-WatchDog - c:\program\InterVideo\DVD Check\DVDCheck.exe


.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Skicka till &Bluetooth - c:\program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
DPF: {AD1350A0-17F5-4714-A57B-B65F9EABF5D1} - hxxps://webaccess.wmdata.com/wa/AbolishLoader.cab
FF - ProfilePath - c:\documents and settings\Administratör\Application Data\Mozilla\Firefox\Profiles\qkm7tmv7.default\
FF - component: c:\documents and settings\Administratör\Application Data\Mozilla\Firefox\Profiles\qkm7tmv7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\program\Mozilla Firefox\plugins\npiidplg.dll
FF - plugin: c:\program\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 20:37:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program\HPQ\Default Settings\cpqset.exe???????????? ???@????????? ?????@?????hZ??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Andra processer som körs ------------------------
.
c:\windows\system32\msdtc.exe
c:\windows\system32\igfxsrvc.exe
c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program\Bonjour\mDNSResponder.exe
c:\program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
c:\windows\system32\Crypserv.exe
c:\program\Java\jre6\bin\jqs.exe
c:\program\AVG\AVG8\avgrsx.exe
c:\program\AVG\AVG8\avgnsx.exe
c:\program\Delade filer\LightScribe\LSSrvc.exe
c:\program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\mqsvc.exe
c:\program\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\windows\system32\scardsvr.exe
c:\program\iPod\bin\iPodService.exe
c:\program\HPQ\Shared\HPQTOA~1.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Sluttid: 2009-04-08 20:40:03 - datorn startades om. [Administratör]
ComboFix-quarantined-files.txt 2009-04-08 18:40:00

Före genomsökningen: 71,999,954,944 byte ledigt
Efter genomsökningen: 76,575,539,200 byte ledigt

216 --- E O F --- 2009-03-15 06:37:19
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm

Re: pls help. browsers close, redirect urls etc

Post by drjn » April 8th, 2009, 2:47 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:42:40, on 2009-04-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Analog Devices\Core\smax4pnp.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\AVG\AVG8\avgwdsvc.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\AVG\AVG8\avgrsx.exe
C:\Program\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\iid.exe
C:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\AVG\AVG8\avgtray.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program\Registry Clean Expert\RCHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [SN02IPRW] C:\WINDOWS\system32\SN02SELC.EXE -w
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\Program\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program\Delade filer\Autodesk Shared\acstart17.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Kensington Si670m Bluetooth Mouse.lnk = C:\Program\Kensington Si670m Bluetooth Mouse\MulMouse.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {AD1350A0-17F5-4714-A57B-B65F9EABF5D1} (AbolishLoader Control) - https://webaccess.wmdata.com/wa/AbolishLoader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
O23 - Service: OKI OPHC DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

--
End of file - 7864 bytes
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm

Re: pls help. browsers close, redirect urls etc

Post by drjn » April 8th, 2009, 2:51 pm

I was(?) and am using Windows' own firewall. If you would rather see me use one of the others, I will.

After much trouble downloading ComboFix I got the logs at last (downloaded ComboFix from another computer). Already I think things are better. My AVG updated, and I can see the tray icon (don't know if it's thanks to ComboFix, or just coincidence).
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm

Re: pls help. browsers close, redirect urls etc

Post by John B. » April 9th, 2009, 11:07 am

Hi,

I was(?) and am using Windows' own firewall. If you would rather see me use one of the others, I will.

Alright, the Windows firewall is safe enough. I can certainly recommend using a third-party firewall, but I understand that some people like to use the standard Windows firewall.

After much trouble downloading ComboFix I got the logs at last (downloaded ComboFix from another computer). Already I think things are better. My AVG updated, and I can see the tray icon (don't know if it's thanks to ComboFix, or just coincidence).

It is probably not a coincidence, because ComboFix removed some malware.

Let's check one folder, remove one leftover in your HJT log and run MBAM.

Step 1: Remove HijackThis entry
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside the item listed below (if present):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Step 2: Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\9dea1a5b7fec128066a56162b4c1 /s
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please close the log for now. The log can also be found on your desktop, entitled SystemLook.txt.

Step 3: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 4: Run Malwarebytes' Anti-Malware
  • Start MalwareBytes' Anti-Malware
  • Check if there are any updates available!
  • After updating, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Close the Notepad file.
  • The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 5: Post logs
Please post the following logs in a reply to this topic (use multiple posts if needed):
  • Let me know how your computer is running and if you still have problems
  • New HijackThis log
  • SystemLook log
  • MBAM log

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
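
The triage John B. does by eye across his two posts above (spotting "EnableFirewall"= 0 in the ComboFix registry dump, the leftover O2 BHO that points at "(no file)", the MountPoints2 AutoRun commands, and the hex-named folder he asks SystemLook to list) can be scripted so that the same checks run over any pasted log. The Python below is an added example, not a MalwareRemoval.com tool and not code from any post in this thread; the sample log fragments are constructed from lines quoted earlier in the thread, and the `<KAT>`/`<DIR>` directory marker handling, the function names and the 24-hex-character folder-name threshold are the example's own assumptions.

```python
import re

# Constructed sample input: HijackThis lines of the kind posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program\AVG\AVG8\avgwdsvc.exe
"""

# Constructed sample input: fragments in ComboFix's file-listing and registry-dump format.
SAMPLE_COMBOFIX = r"""
2009-03-27 13:52 . 2009-03-27 13:52 <KAT> d-------- C:\9dea1a5b7fec128066a56162b4c1
2009-03-27 10:59 . 2009-03-27 10:59 <KAT> d-------- c:\program\AVG
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67161bf6-c104-11db-b686-0018de8cf91d}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30dc222a-1638-11de-bb83-0018de8cf91d}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Split a HijackThis log into (kind, body) pairs; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def orphan_bhos(entries):
    """O2 entries whose DLL is gone: the CLSID is still registered but resolves to '(no file)'.
    Harmless by itself, but it is the kind of leftover that gets fixed with HijackThis."""
    found = []
    for kind, body in entries:
        if kind == "O2" and body.endswith("(no file)"):
            m = CLSID.search(body)
            found.append(m.group(0) if m else body)
    return found


def firewall_disabled(combofix_text):
    """ComboFix dumps the SharedAccess standard profile; EnableFirewall = 0 means Windows Firewall is off."""
    m = re.search(r'"EnableFirewall"=\s*(\d+)', combofix_text)
    return bool(m) and int(m.group(1)) == 0


def autorun_commands(combofix_text):
    """MountPoints2 AutoRun commands: the file Explorer would launch when that removable drive is opened."""
    return re.findall(r"\\Shell\\AutoRun\\command - (\S+)", combofix_text)


def random_hex_dirs(combofix_text, min_len=24):
    """Directories whose name is a long hex string (ComboFix prints <DIR>, or <KAT> in a Swedish log).
    Windows hotfix extraction creates such folders too, so this is a lead to inspect, not a verdict."""
    pat = re.compile(r"<(?:DIR|KAT)>\s+d\S*\s+(\S+\\[0-9a-fA-F]{%d,})\s*$" % min_len, re.MULTILINE)
    return pat.findall(combofix_text)


def triage(hjt_text, combofix_text):
    """Run every check and return one dict a helper could read at a glance."""
    return {
        "orphan_bhos": orphan_bhos(parse_hjt(hjt_text)),
        "firewall_disabled": firewall_disabled(combofix_text),
        "autorun_commands": autorun_commands(combofix_text),
        "random_hex_dirs": random_hex_dirs(combofix_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT, SAMPLE_COMBOFIX).items():
        print(f"{key}: {value}")
```

The checks are deliberately conservative: an orphan BHO or a hex-named folder is reported as something to look at, and the firewall state is read straight from the registry dump rather than inferred from the process list, since a firewall service can be present but switched off.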

Re: pls help. browsers close, redirect urls etc

Post by drjn » April 10th, 2009, 4:40 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:46, on 2009-04-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Analog Devices\Core\smax4pnp.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\iid.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\AVG\AVG8\avgtray.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Registry Clean Expert\RCHelper.exe
C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe
C:\Program\Kensington Si670m Bluetooth Mouse\MulMouse.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\AVG\AVG8\avgwdsvc.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program\AVG\AVG8\avgrsx.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\Program\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [SN02IPRW] C:\WINDOWS\system32\SN02SELC.EXE -w
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\Program\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program\Delade filer\Autodesk Shared\acstart17.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Kensington Si670m Bluetooth Mouse.lnk = C:\Program\Kensington Si670m Bluetooth Mouse\MulMouse.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {AD1350A0-17F5-4714-A57B-B65F9EABF5D1} (AbolishLoader Control) - https://webaccess.wmdata.com/wa/AbolishLoader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
O23 - Service: OKI OPHC DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

--
End of file - 7968 bytes
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm

Re: pls help. browsers close, redirect urls etc

Unread postby drjn » April 10th, 2009, 4:41 am

SystemLook v1.0 by jpshortstuff (02.03.09)
Log created at 09:02 on 10/04/2009 by Administratör (Administrator - Elevation successful)

========== dir ==========

C:\9dea1a5b7fec128066a56162b4c1 - Parameters: "/s"

---Files---
None found.

C:\9dea1a5b7fec128066a56162b4c1\amd64 d----- [11:52 27/03/2009]
filterpipelineprintproc.dll ------ 147456 bytes [11:52 27/03/2009] [12:06 06/07/2008]
msxpsdrv.cat ------ 10929 bytes [11:52 27/03/2009] [12:06 06/07/2008]
msxpsdrv.inf ------ 2204 bytes [11:52 27/03/2009] [05:33 19/06/2008]
msxpsinc.gpd ------ 73 bytes [10:03 19/06/2008] [10:03 19/06/2008]
msxpsinc.ppd ------ 72 bytes [11:52 27/03/2009] [05:33 19/06/2008]
mxdwdrv.dll ------ 748032 bytes [11:52 27/03/2009] [12:06 06/07/2008]
xpssvcs.dll ------ 2936832 bytes [16:36 06/07/2008] [16:36 06/07/2008]

C:\9dea1a5b7fec128066a56162b4c1\i386 d----- [11:52 27/03/2009]
filterpipelineprintproc.dll ------ 89088 bytes [11:52 27/03/2009] [12:06 06/07/2008]
msxpsdrv.cat ------ 10929 bytes [11:52 27/03/2009] [12:06 06/07/2008]
msxpsdrv.inf ------ 2204 bytes [11:52 27/03/2009] [05:33 19/06/2008]
msxpsinc.gpd ------ 73 bytes [11:52 27/03/2009] [10:03 19/06/2008]
msxpsinc.ppd ------ 72 bytes [11:52 27/03/2009] [05:33 19/06/2008]
mxdwdrv.dll ------ 765440 bytes [11:52 27/03/2009] [12:06 06/07/2008]
xpssvcs.dll ------ 1676288 bytes [11:52 27/03/2009] [12:06 06/07/2008]

-=End Of File=-
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm

Re: pls help. browsers close, redirect urls etc

Unread postby drjn » April 10th, 2009, 4:42 am

Malwarebytes' Anti-Malware 1.36
Databasversion: 1961
Windows 5.1.2600 Service Pack 3

2009-04-10 10:20:09
mbam-log-2009-04-10 (10-20-09).txt

Skanningstyp: Fullständig skanning (C:\|E:\|)
Antal skannade objekt: 159382
Förfluten tid: 1 hour(s), 0 minute(s), 31 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)
drjn
Regular Member
 
Posts: 17
Joined: March 27th, 2009, 1:29 pm