Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware and browser redirection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Malware and browser redirection

Unread postby Fable » May 21st, 2010, 4:39 pm

Hey Cypher,

Here are the logs:

SystemLook.txt log

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:53 on 21/05/2010 by Sagar (Administrator - Elevation successful)

========== filefind ==========

Searching for "tyyd.exe"
C:\_OTM\MovedFiles\05212010_124446\C_Documents and Settings\Sagar\Application Data\Lyazga\tyyd.exe --a--- 133124 bytes [11:17 27/09/2008] [11:17 27/09/2008] A6F09C245665DCF23E2A0535A204AE9F

-=End Of File=-


ESET log


C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\xuxuig.exe Win32/Spy.Zbot.YW trojan
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\usicip.exe Win32/Spy.Zbot.YW trojan
C:\WINDOWS\system32\userinit.exe a variant of Win32/Kryptik.EKN trojan
C:\_OTM\MovedFiles\05212010_124446\C_Documents and Settings\Sagar\Application Data\Lyazga\tyyd.exe Win32/Spy.Zbot.YW trojan


As for my computers preformance, the redirections seemed to have stopped, but the start up problem still occurs.

Thanks
Fable
Regular Member
 
Posts: 45
Joined: November 20th, 2009, 2:02 pm
Advertisement
Register to Remove

Re: Malware and browser redirection

Unread postby Cypher » May 22nd, 2010, 5:58 am

Hi Fable.
the redirections seemed to have stopped, but the start up problem still occurs.
As i stared in my first post, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection.
From you're logs there are still some thing needing dealt with but with you current problems i am reluctant to run more tools.
We can try doing a system restore to see if that resolves the problems with you're PC restarting.
This could mean restarting from scratch cleaning you're PC.
If you would like to try this go ahead and do a system to before we ran OTM, and let me know if you're PC restarts normally.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Malware and browser redirection

Unread postby Fable » May 22nd, 2010, 6:08 am

Hi cypher,

Unfortunetly i disabled my system restore a while ago so i wont be able to restore my computer to an earlier date.

I used the Erunt program u asked me to run just before i used OTM if that can be used?

Also i wanted to ask if the trojans that the Eset Scanner picked up could be the cause of my start up problem?
Fable
Regular Member
 
Posts: 45
Joined: November 20th, 2009, 2:02 pm

Re: Malware and browser redirection

Unread postby Cypher » May 22nd, 2010, 6:23 am

Hi Fable.
Unfortunetly i disabled my system restore a while ago

I wish you had informed me about this before we started this makes things more difficult, please turn System restore back on now.
I doubt that the remaining infections are the cause of you're startup problems but i could be wrong.
Before we go any further do you have the discs that came with you're PC?.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Malware and browser redirection

Unread postby Fable » May 22nd, 2010, 6:34 am

Right ive turned system restore back on

As for the discs, i have not been able to find them including the CD to reinstall the operating system. They were misplaced some time ago.
Fable
Regular Member
 
Posts: 45
Joined: November 20th, 2009, 2:02 pm

Re: Malware and browser redirection

Unread postby Cypher » May 22nd, 2010, 11:06 am

Hi Fable.
i have not been able to find them including the CD to reinstall the operating system.

That's unfortunate but before i decide on our options i would like to get a file tested.

Upload a File to Jotti

Please go to jotti.org

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\userinit.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

If you have trouble using jotti try Virustotal

Post back with the jotti or virustotal results.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Malware and browser redirection

Unread postby Fable » May 22nd, 2010, 11:31 am

Here are the results from jotti.org

[ArcaVir]
2010-05-21 Found nothing
[G DATA]
2010-05-22 Gen:Variant.Zbot.6
[Avast! antivirus]
2010-05-22 Win32:Zbot-MTI
[Ikarus]
2010-05-22 Trojan.Win32.Vaklik
[Grisoft AVG Anti-Virus]
2010-05-22 Cryptic.SQ
[Kaspersky Anti-Virus]
2010-05-22 Trojan.Win32.Vilsel.aeuz
[Avira AntiVir]
2010-05-21 TR/Vilsel.aeuz
[ESET NOD32]
2010-05-22 Win32/Kryptik.EKN
[Softwin BitDefender]
2010-05-22 Gen:Variant.Zbot.6
[Panda Antivirus]
2010-05-21 Found nothing
[ClamAV]
2010-05-22 Found nothing
[Quick Heal]
2010-05-21 Found nothing
[CPsecure]
2010-05-22 Found nothing
[Sophos]
2010-05-22 Found nothing
[Dr.Web]
2010-05-22 Found nothing
[VirusBlokAda VBA32]
2010-05-21 Trojan.Win32.Vilsel.aeuz
[Frisk F-Prot Antivirus]
2010-05-21 Found nothing
[VirusBuster]
2010-05-22 Found nothing
[F-Secure Anti-Virus]
2010-05-22 Trojan.Win32.Vilsel.aeuz
Fable
Regular Member
 
Posts: 45
Joined: November 20th, 2009, 2:02 pm

Re: Malware and browser redirection

Unread postby Cypher » May 22nd, 2010, 11:59 am

Hi Fable.
That confirms we need to run more tools.
As i see it we have two options as you have no recovery discs.
You could order the recovery discs form you're PC manufacturer then come back to finish the cleaning process later.
Or we go ahead and try cleaning you're PC, as i stated previously i have no way of knowing what effect running the tools we need to will have on you're PC, so the decision is yours.
Post back and let me know what you decide to do.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Malware and browser redirection

Unread postby Fable » May 22nd, 2010, 12:10 pm

Hi Cypher,

Id like to continue with the cleaning please

Thanks again
Fable
Regular Member
 
Posts: 45
Joined: November 20th, 2009, 2:02 pm

Re: Malware and browser redirection

Unread postby Cypher » May 22nd, 2010, 12:20 pm

Hi Fable.
Id like to continue with the cleaning please

Ok lets continue with the instructions below.



  • Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  • Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  • Now click on "OK". A registry backup has now been created.


Next.



Turn off Norton Internet Security

  • Start Norton Internet Security.
  • In the left pane, click Status & Settings.
  • Click Security.
  • Click Turn off.
  • Note: Don't forget to re-enable it after the fix.

Next.

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper




Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Please give me an update on your computers performance.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Malware and browser redirection

Unread postby Fable » May 22nd, 2010, 1:35 pm

Hey Cyher,

I conducted Combofix, but a small problem i had was that despite turning off my antivirus, combofix kept telling me that it was on but it would work anyway. Im not sure if that is an issue.

Heres the combofix log:

ComboFix 10-05-21.06 - Sagar 22/05/2010 18:03:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.556 [GMT 1:00]
Running from: c:\documents and settings\Sagar\My Documents\Downloads\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Sagar\Favorites\Download programs.url
c:\documents and settings\Sagar\Favorites\Games.url
c:\documents and settings\Sagar\Favorites\Translator.url
c:\documents and settings\Sagar\Favorites\Videos.url
c:\documents and settings\Sagar\Start Menu\Programs\Download programs.url
c:\documents and settings\Sagar\Start Menu\Programs\Games.url
c:\documents and settings\Sagar\Start Menu\Programs\Translator.url
c:\documents and settings\Sagar\Start Menu\Programs\Videos.url
c:\windows\system32\2559057699.dat
c:\windows\system32\AutoRun.inf

----- BITS: Possible infected sites -----

hxxp://goldencaravela.net
Infected copy of c:\windows\system32\DRIVERS\isapnp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-22 16:58 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-05-22 16:58 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\dllcache\isapnp.sys
2010-05-22 16:50 . 2010-05-22 16:50 -------- d-----w- c:\documents and settings\Sagar\Application Data\Tific
2010-05-22 16:50 . 2010-05-22 16:50 -------- d-----w- c:\documents and settings\Sagar\Local Settings\Application Data\Symantec
2010-05-21 16:08 . 2010-05-21 16:08 -------- d-----w- c:\program files\ESET
2010-05-21 11:44 . 2010-05-21 11:44 -------- d-----w- C:\_OTM
2010-05-21 11:40 . 2010-05-21 11:40 -------- d-----w- c:\program files\ERUNT
2010-05-21 11:20 . 2010-05-06 04:01 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-05-09 23:36 . 2010-05-09 23:36 -------- d--h--w- c:\windows\system32\WLANProfiles
2010-05-09 11:29 . 2010-05-09 11:29 -------- d-----w- c:\program files\Google
2010-05-08 18:09 . 2010-05-21 11:17 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-05-08 18:09 . 2010-05-20 16:09 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 17:18 . 2007-02-06 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-21 12:28 . 2009-11-20 17:52 -------- d-----w- c:\program files\Trend Micro
2010-05-21 11:44 . 2006-12-01 21:48 -------- d-----w- c:\program files\MSN Messenger
2010-05-20 17:57 . 2009-11-21 18:06 -------- d-----w- c:\documents and settings\Sagar\Application Data\SUPERAntiSpyware.com
2010-05-20 17:57 . 2009-11-21 18:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-20 17:55 . 2006-08-25 16:16 -------- d-----w- c:\program files\Java
2010-05-20 08:39 . 2004-08-11 16:00 22008 ----a-w- c:\windows\system32\userinit.exe
2010-05-13 10:04 . 2010-04-20 17:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 16:34 . 2009-09-05 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Tablet
2010-05-02 10:28 . 2010-04-17 12:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-29 14:39 . 2010-04-20 17:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2010-04-20 17:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 12:01 . 2010-04-17 12:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-02 10:56 . 2009-08-25 21:12 -------- d-----w- c:\program files\McAfee
2010-04-01 14:22 . 2010-04-01 14:22 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-01 14:21 . 2006-08-25 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-01 13:10 . 2006-08-25 16:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-01 12:25 . 2006-08-25 16:27 -------- d-----w- c:\program files\Symantec
2010-04-01 12:25 . 2010-04-01 12:25 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-01 12:25 . 2010-04-01 12:25 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-01 12:25 . 2010-04-01 12:25 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-01 12:25 . 2010-04-01 12:25 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-01 12:25 . 2010-04-01 12:25 -------- d-----w- c:\program files\Norton Internet Security
2010-04-01 12:25 . 2010-04-01 12:25 -------- d-----w- c:\program files\Windows Sidebar
2010-04-01 12:25 . 2010-04-01 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-01 12:24 . 2010-04-01 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-04-01 12:22 . 2010-04-01 12:22 -------- d-----w- c:\program files\NortonInstaller
2010-04-01 12:20 . 2006-08-25 16:31 -------- d-----w- c:\program files\McAfee.com
2010-03-10 06:15 . 2004-08-11 16:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-11 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-11 16:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 16:43 . 2010-02-23 16:43 1923768 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2007-06-05 16:19 . 2007-06-05 16:18 918874 ----a-w- c:\program files\TB.log
2007-09-09 02:46 . 2006-08-31 11:42 56 --sh--r- c:\windows\system32\A1CF96F6F6.sys
2007-11-04 00:23 . 2006-08-30 10:38 88 -csh--r- c:\windows\system32\F6F696CFA1.sys
2007-11-04 00:23 . 2006-08-30 10:38 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2010-05-20 08:39 . 3720136C5B742C20144FA4E945BB5C7B . 22008 . . [------] . . c:\windows\system32\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\NetWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-26 3660848]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-08-20 2000120]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL Companion.lnk - c:\program files\AOL Companion\companion.exe [2006-8-25 250992]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-8-25 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-25 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Common Files\\AOL\\1235323325\\ee\\aolsoftware.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"56407:TCP"= 56407:TCP:Pando Media Booster
"56407:UDP"= 56407:UDP:Pando Media Booster

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [21/05/2010 09:47 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [21/05/2010 09:47 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [29/04/2010 18:44 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [21/05/2010 09:47 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [21/05/2010 09:47 116784]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [01/04/2010 15:21 93320]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [21/05/2010 09:47 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/04/2010 16:45 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100513.002\IDSXpx86.sys [17/05/2010 20:13 329592]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [18/07/2009 22:52 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [18/07/2009 22:52 79104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Sagar\Application Data\Mozilla\Firefox\Profiles\dnflfdwe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Sagar\Application Data\Mozilla\Firefox\Profiles\dnflfdwe.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
HKCU-Run-{9972BAAC-8A55-7E95-38B9-639DA799D67B} - c:\documents and settings\Sagar\Application Data\Lyazga\tyyd.exe
HKLM-Run-DMXLauncher - c:\program files\Dell\Media Experience\DMXLauncher.exe
SafeBoot-klmdb.sys
AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 18:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\p*|*0 ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\à*w*0 ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ø*w*0 ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬  2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Dell Network Assistant\ezi_hnm2.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\AOL\1235323325\ee\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2010-05-22 18:27:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-22 17:27

Pre-Run: 33,510,236,160 bytes free
Post-Run: 33,514,946,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6D8A274D0BA4F97FE3FE06824639770A



Performance wise, my computer continues to have the start up problem, but the redirections have stopped.
Fable
Regular Member
 
Posts: 45
Joined: November 20th, 2009, 2:02 pm

Re: Malware and browser redirection

Unread postby Cypher » May 22nd, 2010, 2:06 pm

Hi Fable.
Lets get you clean then we can see about you're restarting problem.
Please disable you're AV again before running ComboFix.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Code: Select all
    FCopy::
    c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\system32\userinit.exe
    
    DDS:: 
    uInternet Settings,ProxyOverride = <local>
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    
    
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.


Next.

Upload a File to Jotti

Please go to jotti.org

Copy/paste this file and path into the white box at the top:
c:\windows\system32\A1CF96F6F6.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Please repeat the process for the following.
c:\windows\system32\F6F696CFA1.sys


If you have trouble using jotti try Virustotal


Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Please give me an update on your computers performance.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Malware and browser redirection

Unread postby Fable » May 22nd, 2010, 3:49 pm

Hey Cypher,

Heres the Combofix Log:

ComboFix 10-05-21.06 - Sagar 22/05/2010 20:29:00.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.409 [GMT 1:00]
Running from: c:\documents and settings\Sagar\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Sagar\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://raggaperfibra.net
.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-22 16:58 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-05-22 16:58 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\dllcache\isapnp.sys
2010-05-22 16:50 . 2010-05-22 16:50 -------- d-----w- c:\documents and settings\Sagar\Application Data\Tific
2010-05-22 16:50 . 2010-05-22 16:50 -------- d-----w- c:\documents and settings\Sagar\Local Settings\Application Data\Symantec
2010-05-21 16:08 . 2010-05-21 16:08 -------- d-----w- c:\program files\ESET
2010-05-21 11:44 . 2010-05-21 11:44 -------- d-----w- C:\_OTM
2010-05-21 11:40 . 2010-05-21 11:40 -------- d-----w- c:\program files\ERUNT
2010-05-21 11:20 . 2010-05-06 04:01 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-05-09 23:36 . 2010-05-09 23:36 -------- d--h--w- c:\windows\system32\WLANProfiles
2010-05-09 11:29 . 2010-05-09 11:29 -------- d-----w- c:\program files\Google
2010-05-08 18:09 . 2010-05-21 11:17 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-05-08 18:09 . 2010-05-20 16:09 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 17:18 . 2007-02-06 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-21 12:28 . 2009-11-20 17:52 -------- d-----w- c:\program files\Trend Micro
2010-05-21 11:44 . 2006-12-01 21:48 -------- d-----w- c:\program files\MSN Messenger
2010-05-20 17:57 . 2009-11-21 18:06 -------- d-----w- c:\documents and settings\Sagar\Application Data\SUPERAntiSpyware.com
2010-05-20 17:57 . 2009-11-21 18:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-20 17:55 . 2006-08-25 16:16 -------- d-----w- c:\program files\Java
2010-05-13 10:04 . 2010-04-20 17:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 16:34 . 2009-09-05 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Tablet
2010-05-02 10:28 . 2010-04-17 12:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-29 14:39 . 2010-04-20 17:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2010-04-20 17:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 12:01 . 2010-04-17 12:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-02 10:56 . 2009-08-25 21:12 -------- d-----w- c:\program files\McAfee
2010-04-01 14:22 . 2010-04-01 14:22 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-01 14:21 . 2006-08-25 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-01 13:10 . 2006-08-25 16:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-01 12:25 . 2006-08-25 16:27 -------- d-----w- c:\program files\Symantec
2010-04-01 12:25 . 2010-04-01 12:25 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-01 12:25 . 2010-04-01 12:25 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-01 12:25 . 2010-04-01 12:25 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-01 12:25 . 2010-04-01 12:25 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-01 12:25 . 2010-04-01 12:25 -------- d-----w- c:\program files\Norton Internet Security
2010-04-01 12:25 . 2010-04-01 12:25 -------- d-----w- c:\program files\Windows Sidebar
2010-04-01 12:25 . 2010-04-01 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-01 12:24 . 2010-04-01 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-04-01 12:22 . 2010-04-01 12:22 -------- d-----w- c:\program files\NortonInstaller
2010-04-01 12:20 . 2006-08-25 16:31 -------- d-----w- c:\program files\McAfee.com
2010-03-10 06:15 . 2004-08-11 16:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-11 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-11 16:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 16:43 . 2010-02-23 16:43 1923768 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2007-06-05 16:19 . 2007-06-05 16:18 918874 ----a-w- c:\program files\TB.log
2007-09-09 02:46 . 2006-08-31 11:42 56 --sh--r- c:\windows\system32\A1CF96F6F6.sys
2007-11-04 00:23 . 2006-08-30 10:38 88 -csh--r- c:\windows\system32\F6F696CFA1.sys
2007-11-04 00:23 . 2006-08-30 10:38 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\NetWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-26 3660848]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-08-20 2000120]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL Companion.lnk - c:\program files\AOL Companion\companion.exe [2006-8-25 250992]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-8-25 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-25 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Common Files\\AOL\\1235323325\\ee\\aolsoftware.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"56407:TCP"= 56407:TCP:Pando Media Booster
"56407:UDP"= 56407:UDP:Pando Media Booster

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [21/05/2010 09:47 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [21/05/2010 09:47 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [29/04/2010 18:44 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [21/05/2010 09:47 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [21/05/2010 09:47 116784]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [01/04/2010 15:21 93320]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [21/05/2010 09:47 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/04/2010 16:45 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100513.002\IDSXpx86.sys [17/05/2010 20:13 329592]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [18/07/2009 22:52 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [18/07/2009 22:52 79104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
FF - ProfilePath - c:\documents and settings\Sagar\Application Data\Mozilla\Firefox\Profiles\dnflfdwe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Sagar\Application Data\Mozilla\Firefox\Profiles\dnflfdwe.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 20:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\p*|*0 ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\à*w*0 ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ø*w*0 ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬  2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
Completion time: 2010-05-22 20:38:53
ComboFix-quarantined-files.txt 2010-05-22 19:38
ComboFix2.txt 2010-05-22 17:27

Pre-Run: 33,519,427,584 bytes free
Post-Run: 33,503,764,480 bytes free

- - End Of File - - 5A2E7A95B3BB65AF55B86134F1CD99FD
Fable
Regular Member
 
Posts: 45
Joined: November 20th, 2009, 2:02 pm

Re: Malware and browser redirection

Unread postby Fable » May 22nd, 2010, 3:54 pm

And the Jotti Logs:

For: A1CF96F6F6.sys

[ArcaVir]
2010-05-22 Found nothing
[G DATA]
2010-05-22 Found nothing
[Avast! antivirus]
2010-05-22 Found nothing
[Ikarus]
2010-05-22 Found nothing
[Grisoft AVG Anti-Virus]
2010-05-22 Found nothing
[Kaspersky Anti-Virus]
2010-05-22 Found nothing
[Avira AntiVir]
2010-05-21 Found nothing
[ESET NOD32]
2010-05-22 Found nothing
[Softwin BitDefender]
2010-05-22 Found nothing
[Panda Antivirus]
2010-05-21 Found nothing
[ClamAV]
2010-05-22 Found nothing
[Quick Heal]
2010-05-21 Found nothing
[CPsecure]
2010-05-22 Found nothing
[Sophos]
2010-05-22 Found nothing
[Dr.Web]
2010-05-22 Found nothing
[VirusBlokAda VBA32]
2010-05-21 Found nothing
[Frisk F-Prot Antivirus]
2010-05-21 Found nothing
[VirusBuster]
2010-05-22 Found nothing
[F-Secure Anti-Virus]
2010-05-22 Found nothing


For:F6F696CFA1.sys

[ArcaVir]
2010-05-22 Found nothing
[G DATA]
2010-05-22 Found nothing
[Avast! antivirus]
2010-05-22 Found nothing
[Ikarus]
2010-05-22 Found nothing
[Grisoft AVG Anti-Virus]
2010-05-22 Found nothing
[Kaspersky Anti-Virus]
2010-05-22 Found nothing
[Avira AntiVir]
2010-05-21 Found nothing
[ESET NOD32]
2010-05-22 Found nothing
[Softwin BitDefender]
2010-05-22 Found nothing
[Panda Antivirus]
2010-05-21 Found nothing
[ClamAV]
2010-05-22 Found nothing
[Quick Heal]
2010-05-21 Found nothing
[CPsecure]
2010-05-22 Found nothing
[Sophos]
2010-05-22 Found nothing
[Dr.Web]
2010-05-22 Found nothing
[VirusBlokAda VBA32]
2010-05-21 Found nothing
[Frisk F-Prot Antivirus]
2010-05-21 Found nothing
[VirusBuster]
2010-05-22 Found nothing
[F-Secure Anti-Virus]
2010-05-22 Found nothing



As for my computers performance, again its the same. The redirections have stopped and apart from the start up problem, there are no abnormalities.

Thanks
Fable
Regular Member
 
Posts: 45
Joined: November 20th, 2009, 2:02 pm

Re: Malware and browser redirection

Unread postby Cypher » May 23rd, 2010, 5:17 am

Hi Fable.
You're doing great so far well done.
I need you to check two more files for me, im pretty sure they are bad but just want to make sure.

Upload a File to Jotti

Please go to jotti.org

Copy/paste this file and path into the white box at the top:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\xuxuig.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

If you have trouble using jotti try Virustotal

Repeat the process for the following.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\usicip.exe


Please post back with the results.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 28 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware