Malware / Browser Hijack

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Malware / Browser Hijack

Post by EricArsenal » April 24th, 2011, 12:33 pm

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6433

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/24/2011 10:20:40 AM
mbam-log-2011-04-24 (10-20-40).txt

Scan type: Quick scan
Objects scanned: 157700
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Adware.Websearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\spsy\setup.exe (Adware.Websearch) -> Quarantined and deleted successfully.
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm
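As an added example (not part of the post above, and not Malwarebytes' own code), the parser below reads the summary counts and result sections of a Malwarebytes' Anti-Malware log in the format posted above and pulls apart the `Bad: (...) Good: (...)` pairs, so a responder can see which binary was inserted in front of each browser launch command (the StartMenuInternet hijack) and whether the pasted log is complete (entry counts versus entries actually present). The sample input is the relevant part of the log above; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the summary counts and result sections of the Malwarebytes'
# Anti-Malware log posted above (scan header omitted; the parser only needs
# the "... Infected" lines).
SAMPLE_LOG = r"""
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Adware.Websearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\spsy\setup.exe (Adware.Websearch) -> Quarantined and deleted successfully.
"""


@dataclass
class Entry:
    section: str              # e.g. "Registry Data Items Infected"
    target: str               # registry key/value path or file path
    detection: str            # e.g. "Hijack.StartMenuInternet"
    action: str               # what MBAM did with it
    bad: Optional[str] = None   # hijacked value (registry data items only)
    good: Optional[str] = None  # value MBAM restored


COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Non-greedy on the Bad value so the split lands on the first ") Good: (".
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*)\)$")
QUOTED_EXE_RE = re.compile(r'^"(?P<exe>[^"]+)"')


def parse_entry(section: str, line: str) -> Entry:
    """Parse '<target> (<detection>) -> [Bad: (..) Good: (..) ->] <action>'."""
    parts = line.split(" -> ")
    if len(parts) < 2:
        raise ValueError(f"unrecognised entry: {line!r}")
    # The target may itself contain "(default)", so split on the LAST " (".
    target, _, detection = parts[0].rpartition(" (")
    if not target:
        target, detection = parts[0], ""
    entry = Entry(section, target, detection.rstrip(")"), parts[-1])
    if len(parts) == 3:
        m = BAD_GOOD_RE.match(parts[1])
        if m:
            entry.bad, entry.good = m.group("bad"), m.group("good")
    return entry


def parse_log(text: str) -> Tuple[Dict[str, int], List[Entry]]:
    """Return (summary counts per section, parsed entries) for an MBAM log."""
    counts: Dict[str, int] = {}
    entries: List[Entry] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("section")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        entries.append(parse_entry(section, line))
    return counts, entries


def count_mismatches(counts: Dict[str, int], entries: List[Entry]) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count differs from the entries present: {section: (claimed, found)}.
    A non-empty result usually means the log was pasted incompletely."""
    seen: Dict[str, int] = {}
    for e in entries:
        seen[e.section] = seen.get(e.section, 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if seen.get(s, 0) != n}


def wrapper_binaries(entries: List[Entry]) -> List[str]:
    """Executables inserted in front of a hijacked launch command (the quoted path in each Bad value)."""
    found = set()
    for e in entries:
        if e.bad:
            m = QUOTED_EXE_RE.match(e.bad)
            if m:
                found.add(m.group("exe"))
    return sorted(found)


if __name__ == "__main__":
    counts, entries = parse_log(SAMPLE_LOG)
    print("mismatched sections:", count_mismatches(counts, entries) or "none")
    for e in entries:
        if e.bad is not None:
            print(f"{e.target}\n    was: {e.bad}\n    restored to: {e.good}")
    print("wrapper binaries:", wrapper_binaries(entries))
```

Run it against a saved `mbam-log-*.txt` by replacing `SAMPLE_LOG` with the file's contents; the `Bad:`/`Good:` pairs are only emitted for registry data items, which is why the other sections carry no `bad`/`good` fields.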

Re: Malware / Browser Hijack

Post by EricArsenal » April 24th, 2011, 12:33 pm

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF0DD000 C:\WINDOWS\System32\ati3duag.dll 2756608 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF37E000 C:\WINDOWS\System32\ativvaxx.dll 1753088 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xB914E000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1642496 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xA3D9B000 C:\WINDOWS\system32\drivers\monfilt.sys 1392640 bytes (Creative Technology Ltd., Creative WDM Audio Driver (32-bit))
0xA3F13000 C:\WINDOWS\system32\drivers\sthda.sys 1114112 bytes (SigmaTel, Inc., NDRC)
0xA40D0000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS 1036288 bytes (Conexant Systems, Inc., HSF_DP driver)
0x9C1BD000 C:\WINDOWS\System32\Drivers\dump_iastor.sys 749568 bytes
0xB9E6C000 iastor.sys 749568 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
0xA4023000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 708608 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9D80000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0x9C274000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0x9C2EF000 C:\WINDOWS\system32\DRIVERS\MRVW245.sys 462848 bytes (Marvell Semiconductor, Inc, NDIS 5.1 driver)
0xA3186000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB8FDC000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA326B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x99D46000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF52A000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF055000 C:\WINDOWS\System32\ati2cqag.dll 286720 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 274432 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF09B000 C:\WINDOWS\System32\atikvmag.dll 270336 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0x99DEE000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9101000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 233472 bytes (Intel Corporation, Intel(R) PRO/1000 Adapter NDIS 5.2 deserialized driver)
0x99FA6000 C:\WINDOWS\system32\DRIVERS\ctoss2k.sys 196608 bytes (Creative Technology Ltd., Creative OS Services Driver (WDM))
0xB903A000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9A0FC000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9D53000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9A025000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA31F6000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA41CD000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 167936 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB90B5000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA3243000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0x99FD6000 C:\WINDOWS\system32\drivers\ctusfsyn.sys 159744 bytes (Creative Technology Ltd., Creative SoundFont Synthesizer)
0xA3D74000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0x99F80000 C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys 155648 bytes (Creative Technology Ltd, SoundFont(R) Manager (WDM))
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0x9C360000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0x9A0B0000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA3EEF000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB90DD000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9092000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA3221000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E4C000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9D39000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x9A18F000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 98304 bytes (Sonic Solutions, Drive Letter Access Component)
0x99D06000 C:\WINDOWS\system32\drivers\PfModNT.sys 98304 bytes (Creative Technology Ltd., PCI/ISA Device Info. Service)
0xB9E0D000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB907B000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9A1A7000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0x9A179000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9E24000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0x9A073000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB913A000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA32C4000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9E3A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB906A000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0x9D18B000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA118000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB55BE000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB92DF000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA258000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA128000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA208000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x9D17B000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xBA228000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x9D350000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA218000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA108000 sbp2port.sys 45056 bytes (Microsoft Corporation, SBP-2 Protocol Driver)
0xB8354000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 40960 bytes (Sonic Solutions, Device Driver Manager)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB55EE000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA248000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0x9D1BB000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA238000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB537F000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x99286000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x9D360000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA390000 C:\WINDOWS\system32\DRIVERS\ELacpi.sys 32768 bytes (Intel Corporation, -)
0xB564E000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xA3A09000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0x9D213000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA380000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA440000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xB541F000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x9D203000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xB5437000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xB5427000 C:\WINDOWS\System32\Drivers\DLARTL_N.SYS 24576 bytes (Sonic Solutions, Shared Driver Component)
0xBA388000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA3B0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA378000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA3A19000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA3A11000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA328000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0x9D20B000 C:\WINDOWS\system32\DRIVERS\point32.sys 20480 bytes (Microsoft Corporation, Point32.sys)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA398000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0x9D1F3000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB65B4000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0x9D254000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB968F000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0x9D240000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4BC000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0x9D244000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0x9D406000 C:\WINDOWS\System32\Drivers\Elhid.sys 12288 bytes (Intel Corporation, -)
0x9D40A000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB57BC000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0x8A553000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x99DD6000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0x9D3FA000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9C98000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB4252000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5BE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5E0000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
0x9D066000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA5AA000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0x9F6FC000 C:\WINDOWS\System32\Drivers\Elkbd.sys 8192 bytes (Intel Corporation, -)
0x9F6FE000 C:\WINDOWS\System32\Drivers\Elmon.sys 8192 bytes (Intel Corporation, -)
0x9F700000 C:\WINDOWS\System32\Drivers\Elmou.sys 8192 bytes (Intel Corporation, -)
0xBA5BC000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5C0000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5C2000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5E2000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5E4000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5A8000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7D2000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA6EE000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xA32FD000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xA354B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2MJVPAKA\!category-float%7C!category-pop%7C!category-mob_wives%7Cpagename-series%7Ctag-adj%7Cmtype-standard%7Csz-300x250%7Ctile-2%7Cdemo-D;ord=881003447731884300[1]]
!-->[Hidden] C:\Qoobox\BackEnv\AppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cache.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cookies.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Desktop.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Favorites.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\History.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalAppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalSettings.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Music.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\NetHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Personal.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Pictures.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\PrintHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Programs.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Recent.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SendTo.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SetPath.bat
!-->[Hidden] C:\Qoobox\BackEnv\StartMenu.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\StartUp.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SysPath.dat
!-->[Hidden] C:\Qoobox\BackEnv\Templates.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\VikPev00
!-->[Hidden] C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb::$DATA
!-->[Hidden] C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log::$DATA
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
[1280]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1280]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1280]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1280]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1280]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1280]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1280]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]
[428]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[428]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[428]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[428]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[428]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[428]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[428]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[428]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[428]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[428]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[428]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Post by EricArsenal » April 24th, 2011, 12:36 pm

On a side note, thanks for your help. I know it's Easter Sunday and I appreciate it.

On another side note, I occasionally get these messages popping up, which impact my ability to save, close down, etc. They are attached.
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Post by Gary R » April 24th, 2011, 2:41 pm

Are you still being re-directed?

The pop-ups are related to svchost.exe, which launches non-Windows service applications. If one of those applications is failing, it is likely to generate this type of error; without more information it is hard to determine what's causing the problem.

The DDS log that you opened this topic with shows a lot of errors caused by your Service Control Manager, which are also likely to be related to this problem.

  • Double-click My Computer, and then right-click the hard disk that you want to check (C:\).
  • Click Properties, and then click Tools.
  • Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed:
    • Select the Automatically fix file system errors check box.
    • Select the Scan for and attempt recovery of bad sectors check box.
  • Click Start.

If one or more of the files on the hard disk are open, you will receive the following message:

The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?


Click Yes to schedule the disk check, and then restart your computer to start the disk check.

Do you still have your Windows installation disk?
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware / Browser Hijack

Post by EricArsenal » April 24th, 2011, 7:22 pm

I am still being redirected and Google Chrome still does not work.

I do not have my installation disk.

I did the fix disk you mentioned.
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Post by Gary R » April 25th, 2011, 1:37 am

Been looking over everything we've done so far to see what we might have missed, and I think I might have spotted something in one of the earlier logs.

However we've done quite a lot since then, so I need to make sure that what I've found is still present on your machine and hasn't been removed in all the subsequent work we've done.

Please can you run another scan with GMER and post me the log.

  • Disconnect from the Internet, and close all running programmes.
  • There is a small chance this programme may crash your computer, so save any work you have open.
  • Double click on the randomly named GMER file (e.g. wjkl3ecz.exe) to launch GMER.
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan, click OK.
  • If no warning:
    • Click Rootkit tab.
    • Ensure that all the boxes to the right of the program are checked except Show All.
    • Click Scan.
  • Do not use your computer while the scan is running.
  • Once the scan is finished, click Copy.
    • Click Start > Run then type Notepad.exe then click OK.
    • This will open a Notepad file.
    • Hit Ctrl+V to paste log into it.
    • Save the log to your Desktop.
  • Reconnect to internet and post the log please.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware / Browser Hijack

Post by EricArsenal » April 26th, 2011, 7:23 pm

My GMER log is not nearly as extensive as it was the last time I ran it. It is below:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-26 18:04:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST332063 rev.3.AD
Running: 6lhqjsr2.exe; Driver: C:\DOCUME~1\ERICGR~1\LOCALS~1\Temp\pxtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xA5560280]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B2000A
.text C:\WINDOWS\System32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B8000A
.text C:\WINDOWS\System32\svchost.exe[1180] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B0000C
.text C:\WINDOWS\System32\svchost.exe[1180] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FD000A
.text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0193000A
.text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0194000A
.text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0192000C

---- EOF - GMER 1.0.15 ----
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Post by Gary R » April 27th, 2011, 2:35 am

I want you to run another scan with Combofix.

DO NOT use the version you currently have on your machine (Fredfix.com).

Delete Fredfix.com ..... DO NOT delete any other files or folders related to Combofix.

Download ComboFix from one of these locations and save it to your Desktop:

Link 1
Link 2

IMPORTANT !!! ComboFix.exe must be run from your Desktop

  • Disable your AntiVirus and AntiSpyware applications, they may otherwise interfere with Combofix. There are details for disabling many programmes here.
  • Double click on ComboFix.exe and follow the prompts.

When finished, it will produce a log for you.

Please include this log in your next reply (it can also be found at C:\ComboFix.txt).

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware / Browser Hijack

Post by EricArsenal » April 27th, 2011, 7:20 pm

ComboFix 11-04-27.01 - Eric Grafnitz 04/27/2011 17:48:50.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2583 [GMT -5:00]
Running from: I:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\ERICGR~1\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\Eric Grafnitz\Local Settings\temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\NetworkService\Local Settings\Application Data\nis.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
.
.
2011-04-27 22:35 . 2011-04-27 22:35 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKsl25400abc.sys
2011-04-24 21:23 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\mpengine.dll
2011-04-22 18:56 . 2011-04-22 18:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-22 16:30 . 2011-04-22 16:30 -------- d-----w- c:\program files\ESET
2011-04-22 15:26 . 2011-04-22 15:26 -------- d-----w- C:\_OTL
2011-04-22 15:25 . 2011-04-22 15:25 -------- d-----w- c:\program files\Common Files\Java
2011-04-22 15:25 . 2011-04-22 15:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-19 22:41 . 2011-04-19 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-04-15 22:49 . 2011-04-15 22:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-14 23:40 . 2007-09-27 06:00 470912 ----a-w- c:\windows\system32\Mrvw243.sys
2011-04-14 23:40 . 2007-09-27 06:00 470912 ----a-w- c:\windows\system32\drivers\Mrvw243.sys
2011-04-14 23:40 . 2007-09-27 05:58 461952 ----a-w- c:\windows\system32\Mrvw245.sys
2011-04-14 23:40 . 2007-09-27 05:58 461952 ----a-w- c:\windows\system32\drivers\Mrvw245.sys
2011-04-14 23:40 . 2011-04-14 23:40 -------- d-----w- c:\program files\Linksys
2011-04-14 23:40 . 2011-04-14 23:40 -------- d-----w- c:\documents and settings\Eric Grafnitz\Application Data\InstallShield
2011-04-14 23:32 . 2011-04-14 23:32 -------- d-----w- C:\Linksys Driver
2011-04-14 00:49 . 2011-04-14 00:49 -------- d-----w- c:\documents and settings\Eric Grafnitz\Application Data\Malwarebytes
2011-04-14 00:49 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 00:49 . 2011-04-14 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-14 00:48 . 2011-04-14 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-14 00:48 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-13 23:26 . 2011-04-13 23:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-04-13 23:25 . 2011-04-13 23:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-04-08 01:50 . 2011-04-08 01:50 -------- d-----w- c:\program files\Safari
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-22 15:24 . 2010-09-13 19:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-15 04:05 . 2010-04-16 15:09 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2005-08-16 09:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2005-08-16 09:18 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2005-08-16 09:18 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2005-08-16 09:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2005-08-16 09:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2005-08-16 09:18 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2005-08-16 09:18 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2005-08-16 09:18 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-03-23 04:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2005-08-16 09:18 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 13:33 . 2005-08-16 09:18 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2005-08-16 09:18 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-04 23:48 . 2005-08-16 09:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 23:48 . 2005-08-16 09:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 23:11 . 2010-04-14 17:31 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2005-08-16 09:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-30 23:13 . 2011-01-30 23:13 5889712 ----a-w- c:\program files\HSS-1.57-install-anchorfree-232-expatshield.exe
2011-03-18 17:53 . 2011-04-25 01:48 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-23_21.42.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-27 22:35 . 2011-04-27 22:35 16384 c:\windows\Temp\Perflib_Perfdata_76c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-11-07 8192]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 02:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 15:20 282624 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\TunnelServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Eric Grafnitz\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
R1 MpKsl25400abc;MpKsl25400abc;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKsl25400abc.sys [4/27/2011 5:35 PM 28752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/14/2007 12:37 PM 24652]
S0 tmfag;tmfag;c:\windows\system32\drivers\hprupbe.sys --> c:\windows\system32\drivers\hprupbe.sys [?]
S1 MpKsl43daddbb;MpKsl43daddbb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys [?]
S1 MpKsled0fceeb;MpKsled0fceeb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FFE1E20-1976-47A6-B20B-7E488D3E49DE}\MpKsled0fceeb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FFE1E20-1976-47A6-B20B-7E488D3E49DE}\MpKsled0fceeb.sys [?]
S1 MpKslf96f46df;MpKslf96f46df;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKslf96f46df.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKslf96f46df.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL25400ABC
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-542624359-4108094095-3092757597-1006Core.job
- c:\documents and settings\Eric Grafnitz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-25 01:48]
.
2011-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-542624359-4108094095-3092757597-1006UA.job
- c:\documents and settings\Eric Grafnitz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-25 01:48]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://securera-pilot.edwardjones.com/ ... ,1218,2305
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - hxxps://securera-pilot.edwardjones.com/ ... ,1218,2305
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - hxxps://securera-pilot.edwardjones.com/ ... ,1218,2305
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - hxxps://securera-pilot.edwardjones.com/ ... ,1218,2305
FF - ProfilePath - c:\documents and settings\Eric Grafnitz\Application Data\Mozilla\Firefox\Profiles\tpzzymco.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/reader/view/?hl=e ... rview-page
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-27 17:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-27 17:59:10
ComboFix-quarantined-files.txt 2011-04-27 22:59
ComboFix2.txt 2011-04-23 21:47
.
Pre-Run: 290,160,599,040 bytes free
Post-Run: 290,307,006,464 bytes free
.
- - End Of File - - 96B565AD3C2AAFBD93D9EA130BD105AD
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Unread postby Gary R » April 28th, 2011, 2:10 am

Are you still being re-directed?

If you are .....

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:File
c:\WINDOWS\Downloaded Program Files\TunnelServer.exe
c:\windows\system32\drivers\hprupbe.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKsl25400abc.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FFE1E20-1976-47A6-B20B-7E488D3E49DE}\MpKsled0fceeb.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKslf96f46df.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Next

I'd like you to check the same files for Viruses.
c:\WINDOWS\Downloaded Program Files\TunnelServer.exe
c:\windows\system32\drivers\hprupbe.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKsl25400abc.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FFE1E20-1976-47A6-B20B-7E488D3E49DE}\MpKsled0fceeb.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKslf96f46df.sys

  • Copy/Paste the first filepath in the quote box above into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware / Browser Hijack

Unread postby EricArsenal » April 28th, 2011, 8:46 pm

I am not getting redirects as bad anymore. When I visit CNN, a status bar message will display with the same "Firefox prevented the page from redirecting..." as in an earlier post. If I visit ESPN or The Sun, then a new tab will open up and go to a different site.

Google Chrome still does not work. I also still get svchost.exe and generic process errors which impact the functionality of my system. The 2 websites you directed me to would not accept copy/paste. It would only allow me to browse for the files I wanted to upload.

SystemLook 04.09.10 by jpshortstuff
Log created at 19:27 on 28/04/2011 by Eric Grafnitz
Administrator - Elevation successful

========== File ==========

c:\WINDOWS\Downloaded Program Files\TunnelServer.exe - File found and opened.
MD5: 9D3B9029D5B9365D4F2432ACB72554B4
Created at 17:41 on 14/04/2010
Modified at 15:58 on 27/03/2009
Size: 440960 bytes
Attributes: --a----
FileDescription: TunnelServer
FileVersion: 6030, 2009, 0327, 1558
ProductVersion: 6030, 2009, 0327, 1558
OriginalFilename: TunnelServer.exe
InternalName: TunnelServer
ProductName: F5 Networks TunnelServer
CompanyName: F5 Networks
LegalCopyright: Copyright © 2006
Comments:

c:\windows\system32\drivers\hprupbe.sys - Unable to find/read file.

c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKsl25400abc.sys - Unable to find/read file.

c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys - Unable to find/read file.

c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FFE1E20-1976-47A6-B20B-7E488D3E49DE}\MpKsled0fceeb.sys - Unable to find/read file.

c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKslf96f46df.sys - Unable to find/read file.

-= EOF =-
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Unread postby EricArsenal » April 28th, 2011, 10:50 pm

I am definitely still getting the redirects. I had enabled a Firefox option to try to prevent that from happening, which didn't always work. When I unchecked it and tried to Google CNN, I immediately got redirected, and Microsoft Security Essentials gave me a warning about 3 seconds after the Java icon appeared on the taskbar, near the clock.
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Unread postby Gary R » April 29th, 2011, 1:53 am

If you are able to browse to the files I listed at Virus Total or Jottis, please browse to each file in turn and scan them and post me the findings please.

If you're unable to scan them let me know.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware / Browser Hijack

Unread postby EricArsenal » April 29th, 2011, 6:24 am

I was unable to scan the items when going through the pathways.
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Unread postby Gary R » April 29th, 2011, 12:25 pm

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:Files
c:\windows\system32\drivers\hprupbe.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKsl25400abc.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FFE1E20-1976-47A6-B20B-7E488D3E49DE}\MpKsled0fceeb.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKslf96f46df.sys
ipconfig /flushdns /c

:Services
MpKsl25400abc
MpKsl43daddbb
MpKsled0fceeb
MpKslf96f46df
tmfag

:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000

:Commands
[resethosts]
[emptyflash]
[emptytemp]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Next

Reset your Router to its default configuration.
  • This can be done by inserting something like an opened paper clip into a small hole labeled Reset that's usually found at the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don’t know your router's default password, you can look it up. HERE
  • You will need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to ask your Internet Service Provider (ISP) which DNS servers your network should be using.

Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This should help to stop your router from being hijacked again.

Summary of the logs I need from you in your next post:
  • OTL log
  • Let me know if you're still being re-routed.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
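As an added example that is not part of this thread or of ComboFix, OTL or SystemLook, the Python script below performs the same triage on a ComboFix excerpt that the OTL fix above is built on: it flags Security Center override and firewall-policy values that differ from what the fix writes back, service or driver entries whose image file ComboFix could not find (the `--> <path> [?]` form, as with tmfag/hprupbe.sys and the MpKsl* drivers), and Firefox prefs that silence insecure-content warnings. The sample log is constructed from lines posted earlier in the thread; the regexes and the EXPECTED table are my own assumptions about the log format.

```python
import re
from typing import Dict, List

# Values the OTL fix in the thread writes back: overrides off, firewall on,
# notifications on. (Assumption: this table is mine, not from any tool.)
EXPECTED: Dict[str, int] = {
    "AntiVirusOverride": 0,
    "FirewallOverride": 0,
    "EnableFirewall": 1,
    "DisableNotifications": 0,
}

# ComboFix prints values as  "Name"=dword:00000001  or  "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:)?(?P<val>[0-9A-Fa-f]+)')
# A service/driver whose image ComboFix could not find ends in  --> <path> [?]
MISSING_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);[^;]*;.*-->\s+(?P<path>.+?)\s+\[\?\]$')
# Firefox prefs.js/user.js prefs that silence mixed-content / insecure-submit warnings
FFPREF_RE = re.compile(r'(?P<pref>security\.warn_[\w.]+)[,\s-]+false')


def triage(log_text: str) -> List[dict]:
    """Return one finding dict per suspicious line, in log order."""
    findings: List[dict] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = VALUE_RE.match(line)
        if m and m.group("name") in EXPECTED:
            actual = int(m.group("val"), 16)  # both dword:... and "0 (0x0)" are hex
            want = EXPECTED[m.group("name")]
            if actual != want:
                findings.append({"kind": "weak_setting", "name": m.group("name"),
                                 "actual": actual, "expected": want})
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append({"kind": "missing_image", "name": m.group("svc"),
                             "start": m.group("start"), "path": m.group("path")})
            continue
        m = FFPREF_RE.search(line)
        if m:
            findings.append({"kind": "ff_warning_disabled", "name": m.group("pref")})
    return findings


# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/14/2007 12:37 PM 24652]
S0 tmfag;tmfag;c:\windows\system32\drivers\hprupbe.sys --> c:\windows\system32\drivers\hprupbe.sys [?]
S1 MpKsl43daddbb;MpKsl43daddbb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys [?]
user_pref(security.warn_viewing_mixed,false);
FF - user.js: security.warn_submit_insecure.show_once - false
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Every finding here corresponds to an entry the OTL fix in this thread reverts or deletes; a healthy log of the same sections yields an empty list.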