Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Browser tab malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Browser tab malware

Unread postby kolio » May 20th, 2011, 5:40 am

My internet browser - firefox, keeps opening random tabs to some advertising website. I have blocked the sites in the hosts file so i don't see the ads, however, i want to remove this malware. Your help would be greatly appreciated. Here is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:40:11, on 20.5.2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkCSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\system32\ASUSTPE.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: CCC.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5488428156
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkCSrv.exe

--
End of file - 4603 bytes
kolio
Active Member
 
Posts: 10
Joined: May 20th, 2011, 5:32 am
Advertisement
Register to Remove

Re: Browser tab malware

Unread postby Cypher » May 21st, 2011, 6:28 am

Hi and welcome to Malware Removal Forum.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not, solve other issues you have with your machine.
If you no longer require help i would be grateful if you would let me know.

Before we start please note the following important guidelines.
  • The instructions being given are for YOUR computer and system only!.
    Using these instructions on a different computer, can damage that computer and possibly make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread do not start another, Please continue responding until I give you the "All Clean"
    Absence of symptoms does not mean that everything is clear.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Print each set of instructions... if possible...your Internet connection will not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Backup your data - XP
Backup your data - Vista
Backup your data - windows 7


Please post an Uninstall list.

  • Open HijackThis.
  • Click on the Open the Misc Tools section button.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please post this log in your next reply.

Next.

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Next.

Run CKScanner

  • Please download CKScanner from Here
  • Important: - Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


Logs/Information to Post in your Next Reply

  • Uninstall list.
  • MGADiag log.
  • CKFiles.txt.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Browser tab malware

Unread postby kolio » May 22nd, 2011, 9:47 am

Hello Cypher,

uninstall_list

µTorrent
Adobe Flash Player 10 Plugin
ASUS Touch Pad Extra
Atheros Client Installation Program
Atheros Communications Inc.(R) L2 Fast Ethernet Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Conduit Engine
Garena 2010
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
K-Lite Codec Pack 7.1.0 (Full)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Motorola SM56 Speakerphone Modem
Mozilla Firefox 4.0.1 (x86 bg)
Power4 Gear
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Skype™ 5.3
Synaptics Pointing Device Driver
Update for Windows XP (KB2345886)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 1.3M WebCam
uTorrentBar Toolbar
WinRAR 4.00 (32-bit)

MGADiag log

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-Y37HC-GHBBX-QYDFQ
Windows Product Key Hash: 7v4JR3p9gc5a03dhYlR/04pTGqQ=
Windows Product ID: 76487-640-3037215-23609
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {FB7AE097-4BDF-400E-820C-F33EB27E0549}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.40.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{FB7AE097-4BDF-400E-820C-F33EB27E0549}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-QYDFQ</PKey><PID>76487-640-3037215-23609</PID><PIDType>1</PIDType><SID>S-1-5-21-1645522239-602162358-1177238915</SID><SYSTEM><Manufacturer>ASUSTeK Computer Inc.</Manufacturer><Model>F5RL </Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>209 </Version><SMBIOSVersion major="2" minor="4"/><Date>20080420000000.000000+000</Date></BIOS><HWID>173B34AF01842E6A</HWID><UserLCID>0402</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>FLE Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57201</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="114"/><App Id="16" Version="11" Result="114"/><App Id="18" Version="11" Result="114"/><App Id="19" Version="11" Result="114"/><App Id="1A" Version="11" Result="114"/><App Id="1B" Version="11" Result="114"/><App Id="44" Version="11" Result="114"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1E860:ASUSTeK Computer Inc|1443D:GENUINE C&C INC
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

ckfiles

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\garena\plugins\ui\avoidcrackplugin.dll
scanner sequence 3.NA.11
----- EOF -----

Thanks for the help!
kolio
Active Member
 
Posts: 10
Joined: May 20th, 2011, 5:32 am

Re: Browser tab malware

Unread postby Cypher » May 22nd, 2011, 11:21 am

Hi kolio.

Remove P2P Programs

  • I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
    µTorrent
  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.
  • While you are in Add/remove programs uninstall the following also.
Conduit Engine
uTorrentBar Toolbar


Next.

Cracked/Keygen related software detected!!!

While going through your logs I found out that you have downloaded various keygen/cracked software and that you are actively using it.
Microsoft Office Professional Edition 2003

Our forum policy Here says we will not help people who use cracked or pirated software.
You likely got infected by using cracked software or visiting crack sites.
Hence, i would like you to remove all the crack/keygen applications that are present on your system.

NOTE: If you give me advice that the software/Keygens have been removed & I find it has not (the tools we use can & will detect it) then I will have no choice but to closed this thread.

Next.

Security Check

  • Please download Security Check by screen317 from one of the links below:
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please post the contents of that document.

Next.

Please download DDS by sUBs from one of the links below, save it to your Desktop (Note: It must be in this location).
Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply


Logs/Information to Post in your Next Reply

  • checkup.txt
  • DDS.txt and Attach.txt contents.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Browser tab malware

Unread postby kolio » May 22nd, 2011, 11:48 am

Hi Cypher, I have removed all the p2p programs and the Cracked/Keygen related software.

checkup

Results of screen317's Security Check version 0.99.11
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player 10.3.181.14
Mozilla Firefox (x86 bg..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

DDS

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by nikola at 18:38:55 on 2011-05-22
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.895.192 [GMT 3:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\system32\ASUSTPE.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkCSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\DOCUME~1\nikola\LOCALS~1\Temp\ose00000.exe
C:\Documents and Settings\nikola\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Taskman=c:\documents and settings\nikola\cbzvl.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [ASUSTPE] c:\windows\system32\ASUSTPE.exe
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\nikola\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 5488428156
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: ccc-core-static - msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nikola\application data\mozilla\firefox\profiles\esckl0b3.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2011-5-15 24576]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [2011-5-15 1260672]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\safedrv.sys --> c:\program files\garena\safedrv.sys [?]
.
=============== Created Last 30 ================
.
2011-05-20 09:39:31 388096 ----a-r- c:\documents and settings\nikola\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-20 09:39:31 -------- d-----w- c:\program files\Trend Micro
2011-05-19 18:18:15 -------- d-----w- c:\documents and settings\all users\application data\Skype Extras
2011-05-19 18:17:17 -------- d-----r- c:\program files\Skype
2011-05-19 18:13:51 -------- d-----w- c:\documents and settings\nikola\application data\PriceGong
2011-05-19 17:43:47 -------- d-----w- c:\windows\system32\appmgmt
2011-05-17 21:06:10 2829 ----a-w- c:\windows\War3Unin.pif
2011-05-17 21:06:10 139264 ----a-w- c:\windows\War3Unin.exe
2011-05-17 20:53:42 -------- d-----w- c:\program files\Garena
2011-05-17 19:05:23 -------- d-----w- c:\windows\system32\XPSViewer
2011-05-17 19:04:58 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-05-17 19:04:46 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-05-17 19:04:46 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-05-17 19:04:46 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-05-17 19:04:46 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-05-17 19:04:46 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-05-17 19:04:46 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-05-17 19:04:46 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-05-17 19:04:46 117760 ------w- c:\windows\system32\prntvpt.dll
2011-05-17 19:04:46 -------- d-----w- C:\6f65aa0747f5982665a2bca5f235acce
2011-05-17 19:00:35 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-05-17 19:00:29 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-05-17 19:00:06 -------- d-----w- c:\documents and settings\nikola\application data\DAEMON Tools Lite
2011-05-17 19:00:03 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Lite
2011-05-17 10:35:27 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-17 10:35:27 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-17 10:35:26 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-05-17 10:35:26 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-05-16 08:43:58 8992 ----a-w- c:\windows\system32\KBDBPH.dLL
.
==================== Find3M ====================
.
2011-05-19 08:17:56 203776 --sh--r- c:\documents and settings\nikola\cbzvl.exe
2011-05-15 20:04:21 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-03-29 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2011-03-24 19:35:18 243200 ----a-w- c:\windows\system32\xvidvfw.dll
2011-03-24 19:28:12 631808 ----a-w- c:\windows\system32\xvidcore.dll
2011-03-19 19:00:38 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 10:43:46 175616 ----a-w- c:\windows\system32\unrar.dll
.
============= FINISH: 18:39:47.56 ===============

Attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 15.5.2011 21:34:07
System Uptime: 22.5.2011 15:45:19 (3 hours ago)
.
Motherboard: ASUSTeK Computer Inc. | | F5RL
Processor: Intel(R) Pentium(R) Dual CPU T2370 @ 1.73GHz | Socket 478 | 1729/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 78 GiB total, 69.385 GiB free.
D: is FIXED (NTFS) - 71 GiB total, 54.158 GiB free.
E: is CDROM ()
F: is Removable
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 15.5.2011 21:37:14 - System Checkpoint
RP2: 15.5.2011 21:46:12 - Installed ATI Catalyst Control Center
RP3: 15.5.2011 21:50:34 - Installed ATI Parental Control & Encoder
RP4: 15.5.2011 21:52:01 - Installed Realtek High Definition Audio Driver
RP5: 15.5.2011 21:52:51 - Installed Atheros Communications Inc.(R) L2 Fast Ethernet Driver
RP6: 15.5.2011 21:54:33 - Installed Realtek USB 2.0 Card Reader
RP7: 15.5.2011 21:55:09 - Installed Atheros Client Installation Program
RP8: 15.5.2011 21:56:12 - Installed ASUS Touch Pad Extra
RP9: 15.5.2011 21:56:24 - Installed Power4 Gear
RP10: 15.5.2011 22:05:17 - Installed Microsoft Office Professional Edition 2003
RP11: 15.5.2011 22:42:56 - Software Distribution Service 3.0
RP12: 15.5.2011 23:00:28 - Software Distribution Service 3.0
RP13: 17.5.2011 22:00:34 - SPTD setup V1.62
RP14: 17.5.2011 22:01:07 - Software Distribution Service 3.0
RP15: 17.5.2011 23:59:20 - Installed Windows XP WgaNotify.
RP16: 18.5.2011 00:39:24 - Software Distribution Service 3.0
RP17: 19.5.2011 12:54:07 - System Checkpoint
RP18: 19.5.2011 20:43:39 - Removed Skype™ 4.1
RP19: 19.5.2011 21:09:29 - Removed Skype Toolbars
RP20: 19.5.2011 21:09:40 - Removed Skype™ 4.1
RP21: 19.5.2011 21:15:42 - Removed Skype™ 3.2
RP22: 20.5.2011 12:39:30 - Installed HiJackThis
RP23: 21.5.2011 12:58:47 - System Checkpoint
RP24: 22.5.2011 18:32:21 - Removed Microsoft Office Professional Edition 2003
.
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
ASUS Touch Pad Extra
Atheros Client Installation Program
Atheros Communications Inc.(R) L2 Fast Ethernet Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Garena 2010
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
K-Lite Codec Pack 7.1.0 (Full)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Motorola SM56 Speakerphone Modem
Mozilla Firefox 4.0.1 (x86 bg)
Power4 Gear
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Skins
Skype™ 5.3
Synaptics Pointing Device Driver
Update for Windows XP (KB2345886)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 1.3M WebCam
Warcraft III: All Products
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
WinRAR 4.00 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
19.5.2011 11:18:40, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
15.5.2011 23:03:04, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
15.5.2011 21:56:30, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
.
==== End Of File ===========================

Thanks for your help and i apologise for not following thoroughly the rules.
kolio
Active Member
 
Posts: 10
Joined: May 20th, 2011, 5:32 am

Re: Browser tab malware

Unread postby Cypher » May 22nd, 2011, 12:22 pm

Hi kolio
Thanks for your help and i apologise for not following thoroughly the rules.

No problem and thank you for your cooperation.

No anti-virus

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors.


Note: You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Next.

Upload File/Files for testing

Please go to Virustotal or jotti.org

Copy/paste this file and path into the white box at the top:
c:\documents and settings\nikola\cbzvl.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address :
Image

Next.

Please download TDSSKiller.exe and save it to your Desktop.
  • Double click on TDSSKiller.exe to launch it.
  • Click on Start Scan, the scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • To find the log go to Start > Computer > C:
  • Post the contents of that log in your next reply please.
  • DO NOT TRY TO FIX ANYTHING AT THIS POINT

Logs/Information to Post in your Next Reply

  • Virustotal or jotti results
  • TDSSKiller log.
  • Please give me an update on how your computer is performing.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Browser tab malware

Unread postby kolio » May 24th, 2011, 8:22 am

Hi Cypher!

Virustotal results
http://www.virustotal.com/file-scan/rep ... 1306238151

TDSSKiller log

2011/05/24 15:16:30.0169 1880 TDSS rootkit removing tool 2.5.2.0 May 24 2011 11:01:23
2011/05/24 15:16:30.0325 1880 ================================================================================
2011/05/24 15:16:30.0325 1880 SystemInfo:
2011/05/24 15:16:30.0325 1880
2011/05/24 15:16:30.0325 1880 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/24 15:16:30.0325 1880 Product type: Workstation
2011/05/24 15:16:30.0325 1880 ComputerName: NICK
2011/05/24 15:16:30.0325 1880 UserName: nikola
2011/05/24 15:16:30.0325 1880 Windows directory: C:\WINDOWS
2011/05/24 15:16:30.0325 1880 System windows directory: C:\WINDOWS
2011/05/24 15:16:30.0325 1880 Processor architecture: Intel x86
2011/05/24 15:16:30.0325 1880 Number of processors: 2
2011/05/24 15:16:30.0325 1880 Page size: 0x1000
2011/05/24 15:16:30.0325 1880 Boot type: Normal boot
2011/05/24 15:16:30.0325 1880 ================================================================================
2011/05/24 15:16:31.0575 1880 Initialize success
2011/05/24 15:16:38.0841 3832 ================================================================================
2011/05/24 15:16:38.0841 3832 Scan started
2011/05/24 15:16:38.0841 3832 Mode: Manual;
2011/05/24 15:16:38.0841 3832 ================================================================================
2011/05/24 15:16:39.0231 3832 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/24 15:16:39.0309 3832 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/05/24 15:16:39.0403 3832 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/24 15:16:39.0481 3832 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/24 15:16:39.0809 3832 AR5211 (bd4a059b937a64f403e693dcaa26fe38) C:\WINDOWS\system32\DRIVERS\ar5211.sys
2011/05/24 15:16:40.0028 3832 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/24 15:16:40.0122 3832 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/24 15:16:40.0216 3832 AtcL002 (5dd646e4c9e447d83d7e781ef202f709) C:\WINDOWS\system32\DRIVERS\l251x86.sys
2011/05/24 15:16:40.0403 3832 ati2mtag (a1789368b4a31d2111af7aeda0c8d3fc) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/24 15:16:40.0559 3832 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/24 15:16:40.0622 3832 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/24 15:16:40.0669 3832 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/24 15:16:40.0731 3832 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/24 15:16:40.0778 3832 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/24 15:16:40.0841 3832 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/24 15:16:40.0903 3832 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/24 15:16:40.0950 3832 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/24 15:16:41.0059 3832 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/05/24 15:16:41.0137 3832 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/05/24 15:16:41.0372 3832 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/24 15:16:41.0481 3832 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/24 15:16:41.0606 3832 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/24 15:16:41.0653 3832 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/24 15:16:41.0716 3832 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/24 15:16:41.0794 3832 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/24 15:16:41.0903 3832 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/24 15:16:41.0966 3832 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/05/24 15:16:42.0012 3832 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/24 15:16:42.0059 3832 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/24 15:16:42.0153 3832 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/05/24 15:16:42.0200 3832 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/24 15:16:42.0231 3832 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/24 15:16:42.0356 3832 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/24 15:16:42.0419 3832 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/24 15:16:42.0497 3832 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/24 15:16:42.0622 3832 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/24 15:16:42.0762 3832 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/24 15:16:42.0841 3832 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/24 15:16:43.0137 3832 IntcAzAudAddService (47f27af890da3e51c633fdd510910115) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/05/24 15:16:43.0419 3832 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/24 15:16:43.0450 3832 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/05/24 15:16:43.0497 3832 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/24 15:16:43.0512 3832 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/24 15:16:43.0559 3832 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/24 15:16:43.0637 3832 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/24 15:16:43.0684 3832 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/24 15:16:43.0762 3832 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/24 15:16:43.0809 3832 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/24 15:16:43.0841 3832 kbfiltr (cc2a86d7bbf14977340dca61bbcba771) C:\WINDOWS\system32\DRIVERS\kbfiltr.sys
2011/05/24 15:16:43.0919 3832 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/24 15:16:43.0966 3832 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/24 15:16:44.0122 3832 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/24 15:16:44.0184 3832 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/24 15:16:44.0247 3832 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/05/24 15:16:44.0294 3832 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/24 15:16:44.0341 3832 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/24 15:16:44.0403 3832 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/24 15:16:44.0512 3832 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/24 15:16:44.0591 3832 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/24 15:16:44.0669 3832 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/24 15:16:44.0716 3832 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/24 15:16:44.0747 3832 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/24 15:16:44.0778 3832 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/24 15:16:44.0825 3832 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/24 15:16:44.0856 3832 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/24 15:16:44.0903 3832 MTsensor (1c0f480b7c6136ddb5fb909995af014a) C:\WINDOWS\system32\DRIVERS\ATKACPI.sys
2011/05/24 15:16:44.0950 3832 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/24 15:16:44.0997 3832 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/24 15:16:45.0044 3832 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/24 15:16:45.0091 3832 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/24 15:16:45.0137 3832 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/24 15:16:45.0184 3832 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/24 15:16:45.0200 3832 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/24 15:16:45.0278 3832 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/24 15:16:45.0309 3832 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/24 15:16:45.0356 3832 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/24 15:16:45.0466 3832 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/24 15:16:45.0528 3832 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/24 15:16:45.0637 3832 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/24 15:16:45.0684 3832 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/24 15:16:45.0700 3832 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/24 15:16:45.0762 3832 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/05/24 15:16:45.0794 3832 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/24 15:16:45.0841 3832 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/24 15:16:45.0903 3832 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/24 15:16:45.0997 3832 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/24 15:16:46.0091 3832 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/24 15:16:46.0528 3832 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/24 15:16:46.0559 3832 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/24 15:16:46.0606 3832 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/24 15:16:46.0887 3832 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/24 15:16:46.0966 3832 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/24 15:16:47.0044 3832 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/24 15:16:47.0091 3832 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/24 15:16:47.0169 3832 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/24 15:16:47.0216 3832 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/24 15:16:47.0325 3832 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/24 15:16:47.0419 3832 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/24 15:16:47.0497 3832 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/24 15:16:47.0606 3832 RTSTOR (daaf657c0b5bd0595669496857040f75) C:\WINDOWS\system32\drivers\RTSTOR.SYS
2011/05/24 15:16:47.0700 3832 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/24 15:16:47.0794 3832 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/05/24 15:16:47.0872 3832 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/24 15:16:48.0106 3832 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/24 15:16:48.0247 3832 smserial (d9bfd2298f5cf116d8eaae3b02dcee2e) C:\WINDOWS\system32\DRIVERS\smserial.sys
2011/05/24 15:16:48.0356 3832 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/24 15:16:48.0450 3832 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/05/24 15:16:48.0450 3832 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/05/24 15:16:48.0466 3832 sptd - detected LockedFile.Multi.Generic (1)
2011/05/24 15:16:48.0528 3832 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/24 15:16:48.0637 3832 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/24 15:16:48.0778 3832 StkCMini (409f7268dd0d820110adcc78a8e9ce71) C:\WINDOWS\system32\Drivers\StkCMini.sys
2011/05/24 15:16:48.0887 3832 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/05/24 15:16:48.0966 3832 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/24 15:16:49.0059 3832 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/24 15:16:49.0356 3832 SynTP (69bf2dd9b1099d1aa3e7cf14b4b842cd) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/05/24 15:16:49.0419 3832 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/24 15:16:49.0528 3832 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/24 15:16:49.0591 3832 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/24 15:16:49.0669 3832 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/24 15:16:49.0700 3832 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/24 15:16:49.0825 3832 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/24 15:16:49.0981 3832 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/24 15:16:50.0106 3832 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/24 15:16:50.0153 3832 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/24 15:16:50.0216 3832 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/05/24 15:16:50.0294 3832 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/24 15:16:50.0341 3832 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/24 15:16:50.0419 3832 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/24 15:16:50.0559 3832 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/24 15:16:50.0622 3832 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/24 15:16:50.0747 3832 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/24 15:16:50.0903 3832 WSIMD (2ea107f535b0b7bfb1d8d6bd79325dbb) C:\WINDOWS\system32\DRIVERS\wsimd.sys
2011/05/24 15:16:50.0966 3832 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/05/24 15:16:51.0044 3832 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/05/24 15:16:51.0184 3832 ================================================================================
2011/05/24 15:16:51.0184 3832 Scan finished
2011/05/24 15:16:51.0184 3832 ================================================================================
2011/05/24 15:16:51.0200 3308 Detected object count: 1
2011/05/24 15:16:51.0200 3308 Actual detected object count: 1
2011/05/24 15:17:58.0669 3308 LockedFile.Multi.Generic(sptd) - User select action: Skip



I haven't had much free time these days to sit at my computer, however, today i haven't been redirected to any sites at all.
kolio
Active Member
 
Posts: 10
Joined: May 20th, 2011, 5:32 am

Re: Browser tab malware

Unread postby Cypher » May 24th, 2011, 10:10 am

Hi kolio.
I haven't had much free time these days to sit at my computer, however, today i haven't been redirected to any sites at all.

Ok keep me updated and let me know if you suffer any more redirects.

Download OTM.exe by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Right-click then copy the following code, Do not include the word Code.
    Code: Select all
    :Files
    c:\documents and settings\nikola\cbzvl.exe
    ipconfig /flushdns /c
    
    :Commands
    [EmptyFlash]
    [emptytemp]
    [ClearAllRestorePoints]
    [start explorer]
    [Reboot]
    

    • Return to OTM, right-click then paste the code into the blank box below Image
    • Next click on the large Image button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

Java SE Runtime Environment (JRE).

Please download from HERE
  • Find Java SE Runtime Environment (JRE) 6 Update 25.
  • Click the Download JRE button to the right.
  • Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click the Continue button.
  • Click on the filename under Windows Offline Installation and save it to your desktop.
  • Close all active windows.
  • Install the program.
  • Note: remember to Uncheck Free McAfee® Security Scan Plus (optional)

Next.

ESET online scannner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scannner
  • Then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Logs/Information to Post in your Next Reply

  • OTM log.
  • ESET log.
  • Please give me an update on how your computer is performing.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Browser tab malware

Unread postby kolio » May 25th, 2011, 2:18 pm

Hi Cypher, unfortunately i have just been redirected again to another advertising website.

OTM log

All processes killed
========== FILES ==========
File move failed. c:\documents and settings\nikola\cbzvl.exe scheduled to be moved on reboot.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\nikola\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\nikola\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: nikola
->Temp folder emptied: 102298156 bytes
->Temporary Internet Files folder emptied: 20615449 bytes
->FireFox cache emptied: 161126404 bytes
->Flash cache emptied: 1741 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 511 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 273.00 mb


Restore points cleared and new OTM Restore Point set!

OTM by OldTimer - Version 3.1.18.0 log created on 05252011_204541

Files moved on Reboot...
File move failed. c:\documents and settings\nikola\cbzvl.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...

ESET log

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=a414935ed6fe624290c6ec44c9ad4a22
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-25 06:14:46
# local_time=2011-05-25 09:14:46 (+0200, FLE Daylight Time)
# country="Bulgaria"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 462133 462133 0 0
# compatibility_mode=8192 67108863 100 0 405 405 0 0
# scanned=22959
# found=1
# cleaned=0
# scan_time=782
C:\Documents and Settings\nikola\cbzvl.exe a variant of Win32/Kryptik.NYL trojan (unable to clean) 00000000000000000000000000000000 I

Thank you for the help.
kolio
Active Member
 
Posts: 10
Joined: May 20th, 2011, 5:32 am

Re: Browser tab malware

Unread postby Cypher » May 25th, 2011, 2:28 pm

Hi kolio.
Thank you for the help.

You're welcome.
Ok first please reboot your computer if you have not already done so.
Then continue with the instructions below.

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Logs/Information to Post in your Next Reply

  • ComboFix.txt.
  • Please give me an update on the redirects.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Browser tab malware

Unread postby kolio » May 26th, 2011, 7:32 am

Hi Cypher,

ComboFix log

ComboFix 11-05-25.03 - nikola 26.05.2011 14:14:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.895.616 [GMT 3:00]
Running from: c:\documents and settings\nikola\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\nikola\Application Data\PriceGong
c:\documents and settings\nikola\Application Data\PriceGong\Data\1.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\a.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\b.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\c.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\d.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\e.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\f.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\g.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\h.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\i.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\J.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\k.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\l.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\m.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\n.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\o.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\p.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\q.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\r.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\s.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\t.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\u.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\v.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\w.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\x.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\y.xml
c:\documents and settings\nikola\Application Data\PriceGong\Data\z.xml
.
.
((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
.
.
2011-05-25 17:45 . 2011-05-25 17:45 -------- d-----w- C:\_OTM
2011-05-17 19:04 . 2011-05-17 19:05 -------- d-----w- C:\6f65aa0747f5982665a2bca5f235acce
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-04 06:45 . 2008-04-14 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-14 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 16:37 . 2011-05-15 19:50 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 16269312]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ACU"="c:\program files\Atheros\ACU.exe" [2007-10-23 376921]
"ASUSTPE"="c:\windows\system32\ASUSTPE.exe" [2007-01-16 106496]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\nikola\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [17.5.2011 22:00 691696]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [15.5.2011 22:02 24576]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [15.5.2011 22:02 1260672]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\nikola\Application Data\Mozilla\Firefox\Profiles\esckl0b3.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_ActiveSetup-ccc-core-static - msiexec
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-26 14:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-26 14:19:04
ComboFix-quarantined-files.txt 2011-05-26 11:19
.
Pre-Run: 73 174 679 552 bytes free
Post-Run: 73 140 719 616 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 14FA7B74D0D959001C4337F5CD31B5EF


I have not been redirected since i ran combofix. I will let you know if the redirects continue. Just one question is it possible that combofix somehow damaged the IM program i am using, because when i attempt to execute it an error appears?
kolio
Active Member
 
Posts: 10
Joined: May 20th, 2011, 5:32 am

Re: Browser tab malware

Unread postby Cypher » May 26th, 2011, 7:56 am

Hi kolio.
I have not been redirected since i ran combofix.

Ok keep me updated and let me know if the redirects start again.
Just one question is it possible that combofix somehow damaged the IM program i am using

Can i ask which IM you are using?
Did you install an antivirus as i ask you to Here ?
It appears that there is still no Antivirus running on your syatem.

Re-run OTM
  • Double-click OTM.exe to run it.
  • Right-click then copy the following code, Do not include the word Code.
    Code: Select all
    :Reg
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    
    :Files
    c:\\Program Files\\uTorrent
    ipconfig /flushdns /c
    
    :Commands
    [EmptyFlash]
    [emptytemp]
    [start explorer]
    [Reboot]
    

    • Return to OTM, right-click then paste the code into the blank box below Image
    • Next click on the largeImage button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next.

Pleass run Security Check again and post the resulting log.

Logs/Information to Post in your Next Reply

  • OTM log.
  • Malwarebytes log.
  • checkup.txt.
  • Please give me an update on how your computer is performing.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Browser tab malware

Unread postby kolio » May 27th, 2011, 10:48 am

Hi Cypher, I have not experienced any redirects ever since i ran combofix. The IM I am using is Skype and the program crashes whenever i attempt to install it. This problem has accured since i ran combofix.

OTM log

All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.
========== FILES ==========
Folder move failed. c:\\Program Files\\uTorrent scheduled to be moved on reboot.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\nikola\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\nikola\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: nikola
->Temp folder emptied: 1140992 bytes
->Temporary Internet Files folder emptied: 264929 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 58231164 bytes
->Flash cache emptied: 844 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 57.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 05272011_173304

Files moved on Reboot...
Folder move failed. c:\\Program Files\\uTorrent scheduled to be moved on reboot.
C:\Documents and Settings\nikola\Local Settings\Temporary Internet Files\Content.IE5\Z50FVQ7D\list-item-plus[1].png moved successfully.
C:\Documents and Settings\nikola\Local Settings\Temporary Internet Files\Content.IE5\V9AXW0VR\background-banner-middle-v9[1].jpg moved successfully.
C:\Documents and Settings\nikola\Local Settings\Temporary Internet Files\Content.IE5\V9AXW0VR\background_button_green_full[1].png moved successfully.
C:\Documents and Settings\nikola\Local Settings\Temporary Internet Files\Content.IE5\HHHR2PFF\background-banner-right-v9[1].jpg moved successfully.
C:\Documents and Settings\nikola\Local Settings\Temporary Internet Files\Content.IE5\HHHR2PFF\background_banner_green_50_v9[1].jpg moved successfully.
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Malwarebytes log

Malwarebytes' Anti-Malware 1.50.1.1100
http://www.malwarebytes.org

Database version: 6693

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

27.5.2011 17:42:51
mbam-log-2011-05-27 (17-42-51).txt

Scan type: Quick scan
Objects scanned: 133120
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


checkup.txt

Results of screen317's Security Check version 0.99.11
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
avast! Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 25
Adobe Flash Player 10.3.181.14
Mozilla Firefox (x86 bg..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````

Thanks for your help.
kolio
Active Member
 
Posts: 10
Joined: May 20th, 2011, 5:32 am

Re: Browser tab malware

Unread postby Cypher » May 27th, 2011, 11:09 am

Hi kolio.
Thanks for your help.

You're most welcome.
I can't see anything in the ComboFix log that would account for Skype not working now.
Nothing related to Skype has been removed, lets come back to this problem once we are sure your computer is clean.
We need to run another scan so please do the following.


Please download ATF Cleaner to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next.

ESET online scannner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scannner
  • Then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Logs/Information to Post in your Next Reply

  • ESET log.
  • Please give me an update on how your computer is performing.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Browser tab malware

Unread postby kolio » May 27th, 2011, 2:10 pm

Hi Cypher,

ESET log

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=a414935ed6fe624290c6ec44c9ad4a22
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-27 06:07:53
# local_time=2011-05-27 09:07:53 (+0200, FLE Daylight Time)
# country="Bulgaria"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 630764 630764 0 0
# compatibility_mode=8192 67108863 100 0 281 281 0 0
# scanned=22022
# found=2
# cleaned=0
# scan_time=938
C:\System Volume Information\_restore{0F51177A-ED5D-4F0A-8A9A-C94BB5733C37}\RP26\snapshot\MFEX-1.DAT a variant of Win32/Kryptik.NYL trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\05252011_204541\c_documents and settings\nikola\cbzvl.exe a variant of Win32/Kryptik.NYL trojan (unable to clean) 00000000000000000000000000000000 I

I have not experienced any redirects.
kolio
Active Member
 
Posts: 10
Joined: May 20th, 2011, 5:32 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 29 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware