Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HJT log, browser search redirector

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HJT log, browser search redirector

Unread postby cturtle » June 29th, 2009, 2:27 pm

My PC is suffering from one of those search-redirect conditions, taking my Google searches to obscure search engine pages, or even completely irrelevant sites. (Clicking on a link to DiabeticDirect.com took me to realtor.com.)

Here's my HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:35 PM, on 6/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=4070802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=4070802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'Default user')
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\cturtle\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/T23L/ ... eatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://site03.remoteoffice.citigroup.c ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 7277 bytes
cturtle
Active Member
 
Posts: 10
Joined: June 29th, 2009, 2:20 pm
Location: NJ
Advertisement
Register to Remove

Re: HJT log, browser search redirector

Unread postby Axephilic » June 30th, 2009, 3:12 pm

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  1. If at any point you don't understand something, please let me know and I will be glad to explain or go more into depth for you. :)
  2. Please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  3. Please keep all of your replies in this topic/thread and do not make a new topic/thread, thanks!
  4. Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  5. If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.
  6. Please do not run other tools to remove the malware unless I ask you to until I give you the all clean. They will just mess up my fixes and make things more complicated, not fix the problem.

Download and Run ComboFix
Please visit this page to download and run Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Save it to your desktop.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    Image

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply. Please also post a new HJT log.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HJT log, browser search redirector

Unread postby cturtle » June 30th, 2009, 6:45 pm

Thank you, Adam.

After a few hours yesterday, I wasn't confident I'd find help on this forum (I had not heard of it previously), and had proceeded to research it on my own. A few hours after my original post, I learned about the tool Malwarebytes' Anti-Malware and ran it, cleaning 4 infections that AVG never detected. That did not resolved my search problem, however, so I want to make you aware that I took this action in case it complicates your efforts to help me. I'll stick to your instructions from here on.

I ran the ComboFix. It warned me that I needed to disable AVG, and I found some components I could not terminate even in the task manager and Process Explorer. Uninstalling AVG also failed. I ultimately renamed the AVG directory and rebooted just so could run ComboFix, and it "blue screened" and I had to run combofix from Safe Mode. It found four rootkit files (log below) and then rebooted into normal mode successfully to continue running. I clicked yes to download and install the recovery console, but it never confirmed that it did so.

Here is the combofix log. I'll another HJT log in a new post.

ComboFix 09-06-29.07 - cturtle 06/30/2009 18:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2198 [GMT -4:00]
Running from: c:\documents and settings\cturtle\Desktop\hijacktheis\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hjgruiuwniybww.sys
c:\windows\system32\hjgruiardprktk.dat
c:\windows\system32\hjgruibwqpllky.dll
c:\windows\system32\hjgruiglvfkypr.dll
c:\windows\system32\hjgruiruuvtppb.dat
c:\windows\system32\mlfcache.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruimtnvvror


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-29 18:46 . 2009-06-29 18:46 -------- d-----w- c:\documents and settings\cturtle\Application Data\Malwarebytes
2009-06-29 18:46 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 18:46 . 2009-06-29 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 18:46 . 2009-06-29 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-29 18:46 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 17:51 . 2009-06-29 17:51 -------- d-----w- c:\program files\CCleaner
2009-06-29 17:46 . 2009-06-29 17:46 -------- d-----w- c:\program files\Trend Micro
2009-06-29 17:32 . 2009-06-14 20:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-29 13:24 . 2009-06-29 13:24 -------- d-----w- c:\documents and settings\cturtle\Local Settings\Application Data\AVG Security Toolbar
2009-06-29 12:12 . 2009-06-29 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-29 12:12 . 2009-06-29 12:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR
2009-06-29 06:02 . 2009-06-29 06:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-29 05:58 . 2009-06-29 05:58 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-28 22:19 . 2009-06-28 22:20 -------- d-----w- c:\program files\TES_Map
2009-06-28 20:37 . 2009-06-28 20:37 -------- d-----w- c:\program files\Lame for Audacity
2009-06-28 20:36 . 2009-06-28 20:36 -------- d-----w- c:\program files\Audacity
2009-06-27 22:20 . 2009-06-27 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-06-27 22:20 . 2009-06-27 22:20 -------- d-----w- c:\documents and settings\cturtle\Application Data\NCH Software
2009-06-27 22:19 . 2009-06-27 22:20 -------- d-----w- c:\program files\NCH Software
2009-06-26 05:08 . 2009-06-26 05:08 -------- d--h--r- c:\documents and settings\cturtle\Application Data\SecuROM
2009-06-14 00:30 . 2009-06-14 00:30 -------- d-----w- c:\documents and settings\cturtle\Local Settings\Application Data\NWN2 Toolset
2009-06-12 16:37 . 2009-03-27 05:16 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2009-06-12 16:37 . 2009-06-12 16:37 -------- d-----w- c:\program files\CPUID
2009-06-12 04:11 . 2009-06-12 04:11 -------- d-----w- c:\program files\Atari
2009-06-11 21:13 . 2009-06-11 21:13 -------- d-----w- c:\program files\AGEIA Technologies
2009-06-11 21:13 . 2009-06-11 21:13 -------- d-----w- c:\windows\system32\AGEIA
2009-06-11 21:13 . 2009-06-11 21:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-10 06:23 . 2009-06-10 06:23 -------- d-----w- C:\NeverwinterNights
2009-06-09 19:18 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 19:18 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-08 16:34 . 2009-06-08 16:34 -------- d-----w- c:\program files\CDV Software Entertainment USA
2009-06-06 23:51 . 2009-06-06 23:51 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-06 23:51 . 2009-06-06 23:51 290816 ----a-w- c:\documents and settings\cturtle\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-06-06 23:51 . 2009-06-06 23:51 290816 ----a-w- c:\documents and settings\cturtle\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-06-06 23:51 . 2009-06-06 23:51 290816 ----a-w- c:\documents and settings\cturtle\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-06-06 23:51 . 2009-06-06 23:51 290816 ----a-w- c:\documents and settings\cturtle\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-06-06 23:51 . 2009-06-06 23:51 -------- d-----w- c:\documents and settings\cturtle\Application Data\SystemRequirementsLab
2009-06-06 23:43 . 2009-06-07 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-06-06 23:35 . 2009-06-06 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-06-06 22:19 . 2009-06-06 22:19 -------- d-sh--w- c:\documents and settings\cturtle\PrivacIE
2009-06-05 00:35 . 2009-06-05 00:35 -------- d-sh--w- c:\documents and settings\cturtle\IETldCache
2009-06-05 00:33 . 2009-06-05 00:33 -------- d-----w- c:\windows\ie8updates
2009-06-05 00:33 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-05 00:32 . 2009-06-05 00:33 -------- dc-h--w- c:\windows\ie8
2009-06-03 00:19 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-03 00:19 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-06-02 05:50 . 2009-06-02 05:50 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-01 16:38 . 2009-03-16 16:16 198504 ----a-w- c:\documents and settings\cturtle\Application Data\Microsoft\Internet Explorer\Quick Launch\Tcpview.exe
2009-06-01 16:22 . 2009-03-16 16:16 2902376 ----a-w- c:\documents and settings\cturtle\Application Data\Microsoft\Internet Explorer\Quick Launch\Procmon.exe
2009-06-01 15:54 . 2009-02-03 14:32 3550592 ----a-w- c:\documents and settings\cturtle\Application Data\Microsoft\Internet Explorer\Quick Launch\procexp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 22:03 . 2008-05-12 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-29 12:12 . 2008-05-12 02:21 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 12:12 . 2008-05-12 02:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-29 12:12 . 2007-08-07 23:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 04:41 . 2008-05-12 02:21 -------- d-----w- c:\documents and settings\cturtle\Application Data\AVGTOOLBAR
2009-06-23 07:30 . 2007-09-26 12:55 -------- d-----w- c:\program files\NCSoft
2009-06-23 07:30 . 2007-08-02 09:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-23 07:29 . 2007-09-26 12:54 -------- d-----w- c:\documents and settings\cturtle\Application Data\InstallShield
2009-06-23 06:17 . 2008-02-29 04:15 -------- d-----w- c:\documents and settings\cturtle\Application Data\OpenOffice.org2
2009-06-23 06:16 . 2008-02-29 04:15 1 ----a-w- c:\documents and settings\cturtle\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-06-15 11:15 . 2007-10-09 04:04 -------- d-----w- c:\documents and settings\cturtle\Application Data\.purple
2009-06-11 21:13 . 2008-11-15 18:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-10 01:33 . 2007-08-02 09:16 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 04:17 . 2008-03-10 06:37 -------- d-----w- c:\program files\Bethesda Softworks
2009-06-01 21:25 . 2007-08-10 03:09 -------- d-----w- c:\program files\SecondLife
2009-05-25 11:36 . 2009-05-25 11:36 81 ----a-w- C:\CTX.DAT
2009-05-25 11:31 . 2008-02-29 03:07 -------- d-----w- c:\documents and settings\cturtle\Application Data\Juniper Networks
2009-05-25 11:31 . 2008-02-29 03:07 33220 ----a-w- c:\documents and settings\cturtle\Application Data\Juniper Networks\setup\uninstall.exe
2009-05-25 11:31 . 2009-05-25 11:31 122152 ------w- c:\documents and settings\cturtle\Application Data\JuniperSetup.exe
2009-05-25 11:31 . 2009-05-25 11:31 122152 ------w- c:\documents and settings\cturtle\Application Data\JuniperSetup.exe
2009-05-15 21:03 . 2007-08-02 09:15 -------- d-----w- c:\program files\Google
2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 01:46 . 2009-05-11 01:46 -------- d-----w- c:\program files\NVIDIA Corporation
2009-05-11 01:45 . 2009-05-11 01:45 -------- d-----w- c:\program files\NVIDIA nTune Performance Application
2009-05-10 22:37 . 2009-05-10 22:37 -------- d-----w- c:\program files\7-Zip
2009-05-10 22:00 . 2009-05-10 22:00 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-10 21:54 . 2008-05-12 02:21 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 04:31 . 2009-05-01 04:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-05-01 04:31 . 2009-05-01 04:31 449056 ----a-w- c:\windows\system32\nvappbar.exe
2009-05-01 04:31 . 2009-05-01 04:31 436768 ----a-w- c:\windows\system32\keystone.exe
2009-05-01 04:31 . 2009-05-01 04:31 466944 ----a-w- c:\windows\system32\nvshell.dll
2009-05-01 04:31 . 2009-05-01 04:31 1724416 ----a-w- c:\windows\system32\nvwdmcpl.dll
2009-05-01 04:31 . 2009-05-01 04:31 1507328 ----a-w- c:\windows\system32\nview.dll
2009-05-01 04:31 . 2009-05-01 04:31 1101824 ----a-w- c:\windows\system32\nvwimg.dll
2009-05-01 02:02 . 2009-05-01 02:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-05-01 02:02 . 2009-05-01 02:02 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-05-01 02:02 . 2009-05-01 02:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-05-01 02:02 . 2009-05-01 02:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-05-01 02:02 . 2007-08-02 08:57 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-05-01 02:02 . 2007-08-02 08:53 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-05-01 02:02 . 2007-08-02 08:53 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-05-01 02:02 . 2007-08-02 08:53 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-05-01 02:02 . 2007-08-02 08:53 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-05-01 02:02 . 2004-08-10 17:59 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-05-01 02:02 . 2004-08-10 17:59 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-27 04:42 . 2007-08-08 00:08 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-03 16:39 . 2009-04-03 16:39 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 12:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SecondLifeWindLight\\SLVoice.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\SecondLifeReleaseCandidate\\SLVoice.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/11/2008 10:21 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/11/2008 10:21 PM 108552]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [6/12/2009 12:37 PM 12672]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\cturtle\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\cturtle\Application Data\Mozilla\Firefox\Profiles\igfo9r99.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.altavista.com/
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 18:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{107E6D21-54ED-32EA-89EBEFDD29F12B2C}\{B975045C-7EA8-ADE1-408732B9E3F99960}\{A296A331-83C2-2419-70104A7C6B45B24D}*]
"2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93,
38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7FA7DB51-4296-4DCE-E915E900AF1A706F}\{6ECD6E35-CD02-B6E7-116E97829ECA1B77}\{2BCFFA55-7302-F76B-60625DCE35F7A6E2}*]
"DIUMUTVOZPCSSGX5CJY2KLBAVE1"=hex:01,00,01,00,00,00,00,00,64,6d,b1,e3,87,75,1d,
e5,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,01,20,51,
35,db,44,42,8b,7a,02,e2,d3,14,3c,f8,3b,21,39,38,fc,5f,97,62,ae,54,19,ed,96,\
.
Completion time: 2009-06-30 18:33
ComboFix-quarantined-files.txt 2009-06-30 22:31

Pre-Run: 12,123,344,896 bytes free
Post-Run: 12,262,256,640 bytes free

213 --- E O F --- 2009-06-10 01:33
cturtle
Active Member
 
Posts: 10
Joined: June 29th, 2009, 2:20 pm
Location: NJ

Re: HJT log, browser search redirector

Unread postby cturtle » June 30th, 2009, 6:46 pm

Here is a new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:01 PM, on 6/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=4070802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'Default user')
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\cturtle\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/T23L/ ... eatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://site03.remoteoffice.citigroup.c ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5932 bytes
cturtle
Active Member
 
Posts: 10
Joined: June 29th, 2009, 2:20 pm
Location: NJ

Re: HJT log, browser search redirector

Unread postby Axephilic » June 30th, 2009, 10:20 pm

Hi there,

Please post me the MBAM log.

The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll (file missing)
Close all open windows and click on Fix checked and when you get a popup window click on Yes.

Run ComboFix
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Image


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'No' to not run the full ComboFix scan.

    Image

Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=-
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
RegNULL::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{107E6D21-54ED-32EA-89EBEFDD29F12B2C}\{B975045C-7EA8-ADE1-408732B9E3F99960}\{A296A331-83C2-2419-70104A7C6B45B24D}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7FA7DB51-4296-4DCE-E915E900AF1A706F}\{6ECD6E35-CD02-B6E7-116E97829ECA1B77}\{2BCFFA55-7302-F76B-60625DCE35F7A6E2}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include:
  1. ComboFix log
  2. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HJT log, browser search redirector

Unread postby cturtle » June 30th, 2009, 11:57 pm

Thanks, Adam,

Below are the three logs you requested.

1. The original mbam log generated before you began to help me.
2. The combofix log generated by "dragging" the CFScript.txt onto the Combofix executable.
3. A new HJT log

MBAM log:

Malwarebytes' Anti-Malware 1.38
Database version: 2352
Windows 5.1.2600 Service Pack 3

6/29/2009 3:51:26 PM
mbam-log-2009-06-29 (15-51-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 271073
Time elapsed: 1 hour(s), 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\windows\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.





Combofix log:

ComboFix 09-06-29.07 - cturtle 06/30/2009 23:46.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2103 [GMT -4:00]
Running from: c:\documents and settings\cturtle\Desktop\hijacktheis\ComboFix.exe
Command switches used :: c:\documents and settings\cturtle\Desktop\hijacktheis\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-29 18:46 . 2009-06-29 18:46 -------- d-----w- c:\documents and settings\cturtle\Application Data\Malwarebytes
2009-06-29 18:46 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 18:46 . 2009-06-29 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 18:46 . 2009-06-29 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-29 18:46 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 17:51 . 2009-06-29 17:51 -------- d-----w- c:\program files\CCleaner
2009-06-29 17:46 . 2009-06-29 17:46 -------- d-----w- c:\program files\Trend Micro
2009-06-29 17:32 . 2009-06-14 20:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-29 13:24 . 2009-06-29 13:24 -------- d-----w- c:\documents and settings\cturtle\Local Settings\Application Data\AVG Security Toolbar
2009-06-29 12:12 . 2009-06-29 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-29 12:12 . 2009-06-29 12:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR
2009-06-29 06:02 . 2009-06-29 06:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-29 05:58 . 2009-06-29 05:58 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-28 22:19 . 2009-06-28 22:20 -------- d-----w- c:\program files\TES_Map
2009-06-28 20:37 . 2009-06-28 20:37 -------- d-----w- c:\program files\Lame for Audacity
2009-06-28 20:36 . 2009-06-28 20:36 -------- d-----w- c:\program files\Audacity
2009-06-27 22:20 . 2009-06-27 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-06-27 22:20 . 2009-06-27 22:20 -------- d-----w- c:\documents and settings\cturtle\Application Data\NCH Software
2009-06-27 22:19 . 2009-06-27 22:20 -------- d-----w- c:\program files\NCH Software
2009-06-26 05:08 . 2009-06-26 05:08 -------- d--h--r- c:\documents and settings\cturtle\Application Data\SecuROM
2009-06-14 00:30 . 2009-06-14 00:30 -------- d-----w- c:\documents and settings\cturtle\Local Settings\Application Data\NWN2 Toolset
2009-06-12 16:37 . 2009-03-27 05:16 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2009-06-12 16:37 . 2009-06-12 16:37 -------- d-----w- c:\program files\CPUID
2009-06-12 04:11 . 2009-06-12 04:11 -------- d-----w- c:\program files\Atari
2009-06-11 21:13 . 2009-06-11 21:13 -------- d-----w- c:\program files\AGEIA Technologies
2009-06-11 21:13 . 2009-06-11 21:13 -------- d-----w- c:\windows\system32\AGEIA
2009-06-11 21:13 . 2009-06-11 21:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-10 06:23 . 2009-06-10 06:23 -------- d-----w- C:\NeverwinterNights
2009-06-09 19:18 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 19:18 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-08 16:34 . 2009-06-08 16:34 -------- d-----w- c:\program files\CDV Software Entertainment USA
2009-06-06 23:51 . 2009-06-06 23:51 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-06 23:51 . 2009-06-06 23:51 290816 ----a-w- c:\documents and settings\cturtle\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-06-06 23:51 . 2009-06-06 23:51 290816 ----a-w- c:\documents and settings\cturtle\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-06-06 23:51 . 2009-06-06 23:51 290816 ----a-w- c:\documents and settings\cturtle\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-06-06 23:51 . 2009-06-06 23:51 290816 ----a-w- c:\documents and settings\cturtle\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-06-06 23:51 . 2009-06-06 23:51 -------- d-----w- c:\documents and settings\cturtle\Application Data\SystemRequirementsLab
2009-06-06 23:43 . 2009-06-07 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-06-06 23:35 . 2009-06-06 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-06-06 22:19 . 2009-06-06 22:19 -------- d-sh--w- c:\documents and settings\cturtle\PrivacIE
2009-06-05 00:35 . 2009-06-05 00:35 -------- d-sh--w- c:\documents and settings\cturtle\IETldCache
2009-06-05 00:33 . 2009-06-05 00:33 -------- d-----w- c:\windows\ie8updates
2009-06-05 00:33 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-05 00:32 . 2009-06-05 00:33 -------- dc-h--w- c:\windows\ie8
2009-06-03 00:19 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-03 00:19 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-06-02 05:50 . 2009-06-02 05:50 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-01 16:38 . 2009-03-16 16:16 198504 ----a-w- c:\documents and settings\cturtle\Application Data\Microsoft\Internet Explorer\Quick Launch\Tcpview.exe
2009-06-01 16:22 . 2009-03-16 16:16 2902376 ----a-w- c:\documents and settings\cturtle\Application Data\Microsoft\Internet Explorer\Quick Launch\Procmon.exe
2009-06-01 15:54 . 2009-02-03 14:32 3550592 ----a-w- c:\documents and settings\cturtle\Application Data\Microsoft\Internet Explorer\Quick Launch\procexp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 03:28 . 2007-08-02 09:15 -------- d-----w- c:\program files\BAE
2009-06-30 22:03 . 2008-05-12 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-29 12:12 . 2008-05-12 02:21 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 12:12 . 2008-05-12 02:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-29 12:12 . 2007-08-07 23:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 04:41 . 2008-05-12 02:21 -------- d-----w- c:\documents and settings\cturtle\Application Data\AVGTOOLBAR
2009-06-23 07:30 . 2007-09-26 12:55 -------- d-----w- c:\program files\NCSoft
2009-06-23 07:30 . 2007-08-02 09:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-23 07:29 . 2007-09-26 12:54 -------- d-----w- c:\documents and settings\cturtle\Application Data\InstallShield
2009-06-23 06:17 . 2008-02-29 04:15 -------- d-----w- c:\documents and settings\cturtle\Application Data\OpenOffice.org2
2009-06-23 06:16 . 2008-02-29 04:15 1 ----a-w- c:\documents and settings\cturtle\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-06-15 11:15 . 2007-10-09 04:04 -------- d-----w- c:\documents and settings\cturtle\Application Data\.purple
2009-06-11 21:13 . 2008-11-15 18:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-10 01:33 . 2007-08-02 09:16 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 04:17 . 2008-03-10 06:37 -------- d-----w- c:\program files\Bethesda Softworks
2009-06-01 21:25 . 2007-08-10 03:09 -------- d-----w- c:\program files\SecondLife
2009-05-25 11:36 . 2009-05-25 11:36 81 ----a-w- C:\CTX.DAT
2009-05-25 11:31 . 2008-02-29 03:07 -------- d-----w- c:\documents and settings\cturtle\Application Data\Juniper Networks
2009-05-25 11:31 . 2008-02-29 03:07 33220 ----a-w- c:\documents and settings\cturtle\Application Data\Juniper Networks\setup\uninstall.exe
2009-05-25 11:31 . 2009-05-25 11:31 122152 ------w- c:\documents and settings\cturtle\Application Data\JuniperSetup.exe
2009-05-25 11:31 . 2009-05-25 11:31 122152 ------w- c:\documents and settings\cturtle\Application Data\JuniperSetup.exe
2009-05-15 21:03 . 2007-08-02 09:15 -------- d-----w- c:\program files\Google
2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 01:46 . 2009-05-11 01:46 -------- d-----w- c:\program files\NVIDIA Corporation
2009-05-11 01:45 . 2009-05-11 01:45 -------- d-----w- c:\program files\NVIDIA nTune Performance Application
2009-05-10 22:37 . 2009-05-10 22:37 -------- d-----w- c:\program files\7-Zip
2009-05-10 22:00 . 2009-05-10 22:00 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-10 21:54 . 2008-05-12 02:21 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 04:31 . 2009-05-01 04:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-05-01 04:31 . 2009-05-01 04:31 449056 ----a-w- c:\windows\system32\nvappbar.exe
2009-05-01 04:31 . 2009-05-01 04:31 436768 ----a-w- c:\windows\system32\keystone.exe
2009-05-01 04:31 . 2009-05-01 04:31 466944 ----a-w- c:\windows\system32\nvshell.dll
2009-05-01 04:31 . 2009-05-01 04:31 1724416 ----a-w- c:\windows\system32\nvwdmcpl.dll
2009-05-01 04:31 . 2009-05-01 04:31 1507328 ----a-w- c:\windows\system32\nview.dll
2009-05-01 04:31 . 2009-05-01 04:31 1101824 ----a-w- c:\windows\system32\nvwimg.dll
2009-05-01 02:02 . 2009-05-01 02:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-05-01 02:02 . 2009-05-01 02:02 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-05-01 02:02 . 2009-05-01 02:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-05-01 02:02 . 2009-05-01 02:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-05-01 02:02 . 2007-08-02 08:57 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-05-01 02:02 . 2007-08-02 08:53 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-05-01 02:02 . 2007-08-02 08:53 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-05-01 02:02 . 2007-08-02 08:53 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-05-01 02:02 . 2007-08-02 08:53 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-05-01 02:02 . 2004-08-10 17:59 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-05-01 02:02 . 2004-08-10 17:59 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-27 04:42 . 2007-08-08 00:08 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-03 16:39 . 2009-04-03 16:39 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 12:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SecondLifeWindLight\\SLVoice.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\SecondLifeReleaseCandidate\\SLVoice.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/11/2008 10:21 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/11/2008 10:21 PM 108552]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [6/12/2009 12:37 PM 12672]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\cturtle\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\cturtle\Application Data\Mozilla\Firefox\Profiles\igfo9r99.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.altavista.com/
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 23:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\CLBCATQ.DLL

- - - - - - - > 'explorer.exe'(1916)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-07-01 23:49
ComboFix-quarantined-files.txt 2009-07-01 03:47
ComboFix2.txt 2009-07-01 03:41
ComboFix3.txt 2009-06-30 23:34
ComboFix4.txt 2009-06-30 22:33

Pre-Run: 12,223,926,272 bytes free
Post-Run: 12,208,201,728 bytes free

200 --- E O F --- 2009-06-10 01:33





HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:00 PM, on 6/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=4070802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'Default user')
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\cturtle\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/T23L/ ... eatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://site03.remoteoffice.citigroup.c ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5358 bytes
cturtle
Active Member
 
Posts: 10
Joined: June 29th, 2009, 2:20 pm
Location: NJ

Re: HJT log, browser search redirector

Unread postby Axephilic » July 1st, 2009, 1:30 am

Hello,

Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please include:
  1. Kaspersky log
  2. How is it running now?
  3. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HJT log, browser search redirector

Unread postby cturtle » July 1st, 2009, 9:35 am

The Kapersky scan didn't find anything, and the log came up empty. So far, my Google searches have all behaved properly.

Here's a new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:40 AM, on 7/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=4070802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'Default user')
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\cturtle\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/T23L/ ... eatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://site03.remoteoffice.citigroup.c ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5435 bytes
cturtle
Active Member
 
Posts: 10
Joined: June 29th, 2009, 2:20 pm
Location: NJ

Re: HJT log, browser search redirector

Unread postby cturtle » July 1st, 2009, 9:36 am

The Kapersky scan didn't find anything, and the log came up empty. So far, my Google searches have all behaved properly.

Here's a new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:40 AM, on 7/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=4070802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'Default user')
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\cturtle\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/T23L/ ... eatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://site03.remoteoffice.citigroup.c ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5435 bytes
cturtle
Active Member
 
Posts: 10
Joined: June 29th, 2009, 2:20 pm
Location: NJ

Re: HJT log, browser search redirector

Unread postby cturtle » July 1st, 2009, 9:37 am

The Kapersky scan didn't find anything, and the log came up empty. So far, my Google searches have all behaved properly.

Here's a new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:40 AM, on 7/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=4070802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'Default user')
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\cturtle\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/T23L/ ... eatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://site03.remoteoffice.citigroup.c ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5435 bytes
cturtle
Active Member
 
Posts: 10
Joined: June 29th, 2009, 2:20 pm
Location: NJ

Re: HJT log, browser search redirector

Unread postby Axephilic » July 1st, 2009, 1:01 pm

Congratulations, you are now all clean! To help to prevent from becoming reinfected, please follow the instructions below in order. If you have any questions, please feel free to ask them. If after 48 hours you have not responded to this, then I will assume you have no questions and have the topic closed.

First, lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click Apply.
  5. Uncheck (untick) Turn off system restore on all drives box.
  6. Click OK.
  7. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. Adobe Reader 9. Please uninstall all old versions of Adobe Reader and then you can download the newest version from http://www.adobe.com/products/acrobat/readstep2.html If you already have Adobe Photoshop Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop Album Starter Edition.

Make sure you turn on AVG 8 again.

No Firewall
I don't see a firewall program present on your system! You should pick ONE of the following and install it.

Note: Never install more than 1 anti-virus or firewall.


Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows and office

Go to Start > All Programs > Microsoft Update


Alternatively, you can visit the link below to update Windows and Office products.

Microsoft Update

I also recommend, if it's not already on, to enable Automatic updates. It will notify you whenever there are new updates available. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  3. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning spywares and adwares. Not only so, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  4. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Happy surfing and stay clean!

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HJT log, browser search redirector

Unread postby cturtle » July 1st, 2009, 11:10 pm

Thanks, Adam,

I activated AVG8.5 again, and I installed the ZoneAlarm firewall, Spybot, Sitehound, and the MVPS host file. I'll look into WinPatrol next.


Thanks for all the help.
cturtle
Active Member
 
Posts: 10
Joined: June 29th, 2009, 2:20 pm
Location: NJ

Re: HJT log, browser search redirector

Unread postby Axephilic » July 2nd, 2009, 2:44 am

You are most welcome. :)
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: HJT log, browser search redirector

Unread postby NonSuch » July 2nd, 2009, 2:59 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 25 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware