browser's been highjacked

Post by hi2mom » June 26th, 2011, 11:12 am

Hi Analyzers,
There is a browser hijacker on my Windows XP Home computer.
The symptoms are: change of browser home page, and constant redirect of the browser from clicked URLs. This is with either Firefox or IE. It is still possible to navigate by pasting a destination URL in the browser navigation field.
This started along with a slew of malware such as Fake Windows Repair and multiple trojan horses that I've picked off one by one.
Just prior to running DDS I ran Malwarebytes, Norton AV, CCleaner, and Spybot S&D. So far I have not done any manual registry changes... but I can't wait to get rid of this devil. Please tell me what to do. Many thanks.
hi2mom
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Run by Margaret at 10:25:18 on 2011-06-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2704 [GMT -4:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\DOCUME~1\Margaret\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Margaret\Application Data\U3\000018519471BDE0\LaunchPad.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell/en/si ... lient=dell
uSearch Bar = hxxp://www.google.com/hws/sb/dell/en/si ... lient=dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell/en/si ... lient=dell
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
TCP: Interfaces\{296D2D77-ADBA-4666-AB12-56E4FE4D17EF} : DhcpNameServer = 167.206.251.129 167.206.251.130
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 http://www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\margaret\application data\mozilla\firefox\profiles\k86oi7ld.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\margaret\application data\mozilla\firefox\profiles\k86oi7ld.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071304000006.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1206000.01d\SymDS.sys [2011-6-14 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1206000.01d\SymEFA.sys [2011-6-14 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\bashdefs\20110616.003\BHDrvx86.sys [2011-6-16 810616]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1206000.01d\Ironx86.sys [2011-6-14 136312]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-11-20 353680]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.6.0.29\ccSvcHst.exe [2011-6-14 130008]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-6-17 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\ipsdefs\20110624.050\IDSXpx86.sys [2011-6-24 355256]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\virusdefs\20110625.002\NAVENG.SYS [2011-6-25 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\virusdefs\20110625.002\NAVEX15.SYS [2011-6-25 1542392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-30 136176]
.
=============== Created Last 30 ================
.
2011-06-26 12:36:27 -------- d-----w- c:\windows\pss
2011-06-18 02:18:43 -------- d-----w- c:\documents and settings\margaret\application data\Tific
2011-06-18 02:18:41 -------- d-----w- c:\documents and settings\margaret\local settings\application data\Symantec
2011-06-16 13:53:01 388096 ----a-r- c:\documents and settings\margaret\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-16 13:53:01 -------- d-----w- c:\program files\Trend Micro
2011-06-16 13:48:27 1402880 ----a-w- c:\program files\HiJackThis.msi
2011-06-14 18:46:23 44024 ----a-r- c:\windows\system32\drivers\SymIM.sys
2011-06-14 18:24:38 -------- d-----w- c:\program files\NortonInstaller
2011-06-14 18:24:38 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2011-06-14 18:21:58 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-06-14 15:09:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-14 15:09:00 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-14 15:09:00 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-14 15:09:00 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-06-14 15:09:00 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-14 15:09:00 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-06-14 15:09:00 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-06-14 15:09:00 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-14 15:09:00 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-06-14 15:09:00 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-13 21:15:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-13 21:15:22 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-06-12 19:10:52 -------- d-----w- c:\documents and settings\margaret\application data\Malwarebytes
2011-06-12 19:10:41 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-12 19:10:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-12 19:10:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-12 17:00:10 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-06-04 07:07:02 -------- d--h--w- c:\documents and settings\margaret\application data\Millennia
2011-06-04 06:30:58 35328 ----a-w- c:\windows\system32\lfcal11n.dll
2011-06-04 06:30:58 27136 ----a-w- c:\windows\system32\lfimg11n.dll
2011-06-04 06:30:58 26112 ----a-w- c:\windows\system32\lfmsp11n.dll
2011-06-04 06:30:51 -------- d-----w- c:\program files\Legacy
.
==================== Find3M ====================
.
2011-06-14 18:25:27 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-06-14 18:25:27 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-03-31 03:00:09 516216 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\srtsp.sys
2011-03-31 03:00:09 50168 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\srtspx.sys
.
============= FINISH: 10:26:16.03 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/19/2008 9:56:20 PM
System Uptime: 6/26/2011 8:02:20 AM (2 hours ago)
.
Motherboard: Dell Inc. | | 0FJ030
Processor: Intel(R) Pentium(R) D CPU 3.20GHz | Microprocessor | 3192/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 229 GiB total, 133.435 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 390.443 GiB free.
G: is CDROM (CDFS)
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP779: 3/28/2011 11:18:14 PM - System Checkpoint
RP780: 3/29/2011 11:23:52 PM - System Checkpoint
RP781: 3/31/2011 12:18:14 AM - System Checkpoint
RP782: 4/1/2011 1:18:14 AM - System Checkpoint
RP783: 4/2/2011 2:18:14 AM - System Checkpoint
RP784: 4/3/2011 3:18:14 AM - System Checkpoint
RP785: 4/4/2011 4:18:14 AM - System Checkpoint
RP786: 4/5/2011 5:18:14 AM - System Checkpoint
RP787: 4/6/2011 6:18:14 AM - System Checkpoint
RP788: 4/6/2011 9:54:14 PM - Software Distribution Service 3.0
RP789: 4/7/2011 10:17:03 PM - System Checkpoint
RP790: 4/8/2011 8:37:56 AM - Removed EducateU
RP791: 4/8/2011 8:38:17 AM - Removed iSEEK AnswerWorks English Runtime
RP792: 4/9/2011 12:05:31 PM - System Checkpoint
RP793: 4/10/2011 10:45:56 AM - Installed TurboTax 2010 wrapper
RP794: 4/11/2011 11:09:55 AM - System Checkpoint
RP795: 4/12/2011 12:08:50 PM - System Checkpoint
RP796: 4/13/2011 1:08:50 PM - System Checkpoint
RP797: 4/14/2011 2:08:50 PM - System Checkpoint
RP798: 4/15/2011 2:20:01 PM - System Checkpoint
RP799: 4/17/2011 9:59:09 PM - Installed TurboTax 2010 wnyiper
RP800: 4/19/2011 9:09:05 AM - System Checkpoint
RP801: 4/20/2011 9:48:58 AM - System Checkpoint
RP802: 4/21/2011 10:48:58 AM - System Checkpoint
RP803: 4/22/2011 1:35:08 PM - System Checkpoint
RP804: 4/23/2011 1:48:58 PM - System Checkpoint
RP805: 4/24/2011 2:00:58 PM - System Checkpoint
RP806: 4/25/2011 2:48:58 PM - System Checkpoint
RP807: 4/26/2011 3:48:58 PM - System Checkpoint
RP808: 4/27/2011 4:52:45 PM - System Checkpoint
RP809: 4/28/2011 5:48:58 PM - System Checkpoint
RP810: 4/29/2011 6:25:43 PM - System Checkpoint
RP811: 4/30/2011 7:42:43 PM - System Checkpoint
RP812: 5/1/2011 8:15:51 PM - System Checkpoint
RP813: 5/2/2011 9:00:58 PM - System Checkpoint
RP814: 5/3/2011 9:15:50 PM - System Checkpoint
RP815: 5/4/2011 10:23:01 PM - System Checkpoint
RP816: 5/6/2011 12:23:04 AM - System Checkpoint
RP817: 5/7/2011 1:15:50 AM - System Checkpoint
RP818: 5/10/2011 1:45:47 AM - System Checkpoint
RP819: 5/11/2011 2:03:10 AM - System Checkpoint
RP820: 5/12/2011 3:03:10 AM - System Checkpoint
RP821: 5/13/2011 4:03:10 AM - System Checkpoint
RP822: 5/14/2011 1:49:57 PM - System Checkpoint
RP823: 5/15/2011 7:13:54 PM - System Checkpoint
RP824: 5/16/2011 7:47:32 PM - System Checkpoint
RP825: 5/17/2011 7:47:37 PM - System Checkpoint
RP826: 5/18/2011 9:31:25 PM - System Checkpoint
RP827: 5/19/2011 10:29:08 PM - System Checkpoint
RP828: 5/21/2011 12:00:43 AM - System Checkpoint
RP829: 5/22/2011 5:28:08 PM - System Checkpoint
RP830: 5/23/2011 6:11:50 PM - System Checkpoint
RP831: 5/24/2011 7:03:09 PM - System Checkpoint
RP832: 5/25/2011 7:50:33 PM - System Checkpoint
RP833: 5/27/2011 1:47:08 AM - System Checkpoint
RP834: 5/28/2011 3:36:34 AM - System Checkpoint
RP835: 5/29/2011 10:46:58 AM - System Checkpoint
RP836: 5/30/2011 4:19:58 PM - System Checkpoint
RP837: 5/31/2011 4:52:59 PM - System Checkpoint
RP838: 6/1/2011 5:57:41 PM - System Checkpoint
RP839: 6/2/2011 6:09:06 PM - System Checkpoint
RP840: 6/3/2011 6:52:57 PM - System Checkpoint
RP841: 6/4/2011 7:06:58 PM - System Checkpoint
RP842: 6/6/2011 9:17:21 AM - System Checkpoint
RP843: 6/9/2011 6:32:21 PM - System Checkpoint
RP844: 6/10/2011 6:50:35 PM - System Checkpoint
RP845: 6/11/2011 7:12:51 PM - System Checkpoint
RP846: 6/12/2011 1:28:01 PM - Restore Operation
RP847: 6/12/2011 1:30:30 PM - Restore Operation
RP848: 6/13/2011 1:31:05 PM - System Checkpoint
RP849: 6/13/2011 6:36:10 PM - Software Distribution Service 3.0
RP850: 6/14/2011 12:39:01 PM - Installed Symantec Technical Support Web Controls
RP851: 6/14/2011 3:07:13 PM - Removed Microsoft .NET Framework 1.1
RP852: 6/14/2011 3:10:55 PM - Removed TweetDeck
RP853: 6/15/2011 3:19:57 PM - System Checkpoint
RP854: 6/16/2011 9:53:00 AM - Installed HiJackThis
RP855: 6/17/2011 10:51:44 AM - System Checkpoint
RP856: 6/18/2011 11:24:53 AM - System Checkpoint
RP857: 6/20/2011 10:09:45 AM - System Checkpoint
RP858: 6/21/2011 10:40:53 AM - System Checkpoint
RP859: 6/22/2011 10:53:20 AM - System Checkpoint
RP860: 6/23/2011 11:53:20 AM - System Checkpoint
RP861: 6/24/2011 12:03:47 PM - System Checkpoint
RP862: 6/25/2011 12:53:20 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Premiere Elements 4.0
Adobe Premiere Elements 4.0 Templates
Adobe Reader 8.1.3
Amazon Kindle For PC v1.0
Andrea VoiceCenter
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Brother MFL-Pro Suite
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Creative MediaSource
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell System Restore
DellSupport
Digital Content Portal
ELIcon
Google
Google Earth Plug-in
Google SketchUp 7.1
Google Update Helper
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel Matrix Storage Manager
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 13
Legacy 7.5
Legacy Charting 7.5
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Basic Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
ML-1200 Series
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox 4.0.1 (x86 en-US)
Mozilla Thunderbird (3.1.11)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Musicmatch for Windows Media Player
Netflix Movie Viewer
NetZeroInstallers
Norton AntiVirus
NVIDIA Drivers
Octoshape add-in for Adobe Flash Player
OpenOffice.org 3.1
PaperPort Image Printer
Personal Ancestral File 5
Photo Click
PowerDVD 5.5
Qualxserve Service Agreement
QuickTime
RealPlayer Basic
ScanSoft PaperPort 11
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic Advanced Decoder
Sonic Copy Module
Sonic DLA
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Data
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Spybot - Search & Destroy
Symantec Technical Support Web Controls
System Requirements Lab
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wnyiper
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wnyiper
TurboTax 2010 wrapper
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
URL Assistant
VC 9.0 Runtime
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
ZoneAlarm
ZoneAlarm Spy Blocker
.
==== End Of File ===========================
hi2mom
Regular Member
 
Posts: 15
Joined: June 26th, 2011, 10:14 am
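The "Pseudo HJT Report" section of the DDS log above is the part a helper reads first when the complaint is a changed home page and redirected clicks. As an added example (my own code, not from the forum, the DDS tool, or either poster), the Python below parses those report lines and returns the entries a defender would want to look at: start/search pages pointing at a site the user does not expect, DNS servers that are not the ones the resolver should have handed out, toolbar CLSIDs whose DLL is gone, BHOs loading from outside the usual program directories, and hosts-file overrides. The allowed-host list, expected DNS servers, "usual location" prefixes and the assumed line formats are choices I made for the example; the sample input is an excerpt of the log lines posted above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the "Pseudo HJT Report" lines from the DDS log above.
# Assumed formats: "<key> = <value>", "BHO: <name>: {<clsid>} - <path>",
# "TB: {<clsid>} - <path|No File>", "TCP: ... DhcpNameServer = <ip> ...", "Hosts: <ip> <name>".
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell/en/si ... lient=dell
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
Hosts: 127.0.0.1 http://www.spywareinfo.com
"""

# Keys DDS uses for the IE start/search pages ("u" = user hive, "m" = machine hive).
PAGE_KEYS = {
    "uStart Page", "mStart Page", "uSearch Page", "mSearch Page",
    "uSearch Bar", "mSearch Bar", "uDefault_Page_URL", "mDefault_Page_URL",
    "mDefault_Search_URL", "uSearchAssistant", "mSearchAssistant",
}

# Directories a legitimately installed BHO normally lives under (assumption for this example).
USUAL_BHO_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class Finding:
    kind: str     # "review" = needs a human decision, "cleanup" = orphaned entry
    line: str     # the report line that triggered the finding
    reason: str


def hostname(defanged_url):
    """Return the lowercase host of a DDS-style defanged URL (hxxp://...), or '' if it is not a URL."""
    m = re.match(r"(?i)h(?:xx|tt)ps?://([^/\s:]+)", defanged_url.strip())
    return m.group(1).lower() if m else ""


def host_allowed(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(report, allowed_hosts, expected_dns):
    """Walk the Pseudo HJT Report lines and collect the entries worth a closer look."""
    findings = []
    for line in (raw.strip() for raw in report.splitlines()):
        if not line:
            continue
        if line.startswith("Hosts:"):
            # Forum software sometimes linkifies the hostname; drop a scheme it may have added.
            parts = line.split()
            if len(parts) >= 3:
                ip, name = parts[1], re.sub(r"^https?://", "", parts[2])
                findings.append(Finding("review", line,
                                        f"hosts file maps {name} to {ip}; confirm the override is intentional"))
        elif line.startswith("TCP:") and "DhcpNameServer" in line:
            servers = line.split("=", 1)[1].split()
            rogue = [s for s in servers if s not in expected_dns]
            if rogue:
                findings.append(Finding("review", line,
                                        "DNS server(s) not issued by the expected resolver: " + ", ".join(rogue)))
        elif line.startswith("TB:") and line.endswith("- No File"):
            findings.append(Finding("cleanup", line,
                                    "toolbar CLSID is registered but its DLL is gone (orphaned entry)"))
        elif line.startswith("BHO:"):
            m = re.match(r"BHO: (.+?): \{([0-9a-f-]+)\} - (.+)", line, re.I)
            if m and not m.group(3).lower().startswith(USUAL_BHO_PREFIXES):
                findings.append(Finding("review", line,
                                        f"BHO '{m.group(1)}' loads from an unusual location"))
        elif " = " in line:
            key, _, value = line.partition(" = ")
            if key in PAGE_KEYS:
                host = hostname(value)
                if host and not host_allowed(host, allowed_hosts):
                    findings.append(Finding("review", line,
                                            f"start/search page set to {host}, not a site the user expects"))
    return findings


if __name__ == "__main__":
    # Sites hi2mom's log shows as intended (yahoo, google, dell) and the ISP DNS servers it lists.
    for f in triage(SAMPLE_REPORT, ("yahoo.com", "google.com", "dell.com"),
                    ("167.206.251.129", "167.206.251.130")):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

On the excerpt above this produces two findings: the toolbar with "No File" (a stale registration to clean up) and the hosts-file override, which is reported for a human to judge rather than labelled malicious. Run against a report where the start page or DNS servers have actually been changed, the same code flags those lines for review; the allowlists are what turn a raw log dump into a short list of things to decide about.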

Re: browser's been highjacked

Post by Cypher » June 28th, 2011, 12:36 pm

Hi.
Checking your logs now be right back.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: browser's been highjacked

Post by Cypher » June 28th, 2011, 12:45 pm

Hi and welcome to Malware Removal Forum.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not solve other issues you have with your machine.
If you no longer require help, I would be grateful if you would let me know.

Before we start please note the following important guidelines.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can damage that computer and possibly make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean".
    Absence of symptoms does not mean that everything is clear.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Print each set of instructions... if possible... your Internet connection will not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.
Backup your data - XP
Backup your data - Vista
Backup your data - Windows 7

Add/Remove programs
  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl, then press Enter.
  • Press the "Remove" or "Change/Remove" button to uninstall the following:
Java 2 Runtime Environment, SE v1.4.2_03
Spybot - Search & Destroy << You can reinstall once your computer is clean

Next.

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Next.

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • * This can take a while. Please be patient *.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of this log in your next reply.
  • This log can be lengthy; you may have to post it in separate replies.
  • Note: You may get the following warning - it is ok - just ignore it:
    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"


Logs/Information to Post in your Next Reply

  • MGADiag log.
  • RKUnHooker log.
Cypher
Admin/Teacher
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: browser's been highjacked

Unread postby hi2mom » June 29th, 2011, 11:23 am

testing - my recent post didn't show up so I can see it.
hi2mom
Regular Member
 
Posts: 15
Joined: June 26th, 2011, 10:14 am

Re: browser's been highjacked

Unread postby hi2mom » June 29th, 2011, 11:28 am

this might be a duplicate.

Hi Cypher,

Thanks for your help.

I couldn't get all the logs you asked for but RKUnhook log for the C drive is pasted below.

Right now, the PC has all security programs shut down and the ethernet cable is detached. I am working from an uninfected (I hope) laptop and a trusted thumb drive.

Upon receiving your reply I put a Windows backup file of the C drive onto the F drive, which is normally attached, creating an extra 95GB of stored data on the F drive. But I did not detach the F drive since it was attached when all the trouble started. Also I removed SpyBot and Java Runtime Env SE v1.4.2_03.

First off MGADiag didn't run. There were no messages; after clicking the first continue button it showed the copy button right away as if it was done, but no file was created. At that time there was Zone Alarm and Norton AV running but later it also failed when I removed the ethernet cable and shut down everything that might restrict the program, ZoneAlarm, Norton AV.

Moving on to RKUnhook ... It didn't seem to be running until I shut down a Norton process, and then I immediately got the log for the C drive, which is pasted below. I intended to run RKUnhooker twice to get a separate log for the (F:) to make the size more manageable.

The second time I started RKUnhooker it didn't give me the option to select which drive; it proceeded to choose both drives. I left it alone with the clock showing, but in the morning found that RKUnhooker "cannot be closed because it is locked by the system".

I have a feeling this was a mistake, but I rebooted. The Report tab on RKUnhooker is blank now.

Thanks for your time and expertise.
hi2mom

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 3911680 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 77.74 )
0xB810E000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3198976 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 77.74 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA35EE000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\VirusDefs\20110628.020\NAVEX15.SYS 1536000 bytes (Symantec Corporation, AV Engine)
0xA5F80000 C:\WINDOWS\system32\drivers\sigfilt.sys 1351680 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xB7F39000 C:\WINDOWS\system32\DRIVERS\IntelC51.sys 1208320 bytes (Intel Corporation, Modem DSP Driver)
0xA5A46000 C:\WINDOWS\System32\Drivers\dump_iastor.sys 872448 bytes
0xB9E36000 iastor.sys 872448 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
0xA5B1B000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\BASHDefs\20110616.003\BHDrvx86.sys 827392 bytes (Symantec Corporation, BASH Driver)
0xB9CF2000 SYMEFA.SYS 765952 bytes
0xB7EA4000 C:\WINDOWS\system32\DRIVERS\IntelC52.sys 610304 bytes (Intel Corporation, Modem CP Driver)
0xB9C39000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA382D000 C:\WINDOWS\system32\drivers\NAV\1206000.01D\SRTSP.SYS 548864 bytes (Symantec Corporation, Symantec AutoProtect)
0xA5C61000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xA5D42000 C:\WINDOWS\System32\vsdatant.sys 438272 bytes (Check Point Software Technologies LTD, TrueVector Device Driver)
0xA5C03000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xB7DEE000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA5DD5000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\IPSDefs\20110625.050\IDSxpx86.sys 368640 bytes (Symantec Corporation, IDS Core Driver)
0xA5E7B000 C:\WINDOWS\system32\drivers\NAV\1206000.01D\SYMTDI.SYS 364544 bytes (Symantec Corporation, Network Dispatch Driver)
0xA5ED4000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA3CEB000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB9DBF000 SYMDS.SYS 356352 bytes
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA2577000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA403F000 C:\WINDOWS\system32\DRIVERS\ctoss2k.sys 196608 bytes (Creative Technology Ltd., Creative OS Services Driver (WDM))
0xB7E4C000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA3E5B000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9C0C000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA60EE000 C:\WINDOWS\system32\drivers\sthda.sys 184320 bytes (SigmaTel, Inc., DELLRC)
0xB80A7000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 176128 bytes (Intel Corporation, Intel(R) PRO/1000 Adapter NDIS 5.1 deserialized driver)
0xA1B52000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA5CD1000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB80D2000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA5DAD000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA406F000 C:\WINDOWS\system32\drivers\ctusfsyn.sys 159744 bytes (Creative Technology Ltd., Creative SoundFont Synthesizer)
0xA4019000 C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys 155648 bytes (Creative Technology Ltd, SoundFont(R) Manager (WDM))
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA5E55000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA5E2F000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 155648 bytes (Symantec Corporation, Symantec Event Library)
0xA4171000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA5CFC000 C:\WINDOWS\system32\drivers\NAV\1206000.01D\Ironx86.SYS 147456 bytes (Symantec Corporation, Iron Driver)
0xA60CA000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB8083000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB8060000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA5D20000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E16000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xA5BE5000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 122880 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xB9BDE000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA4A76000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xA4A5D000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9CC6000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB7E8D000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA4A8F000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9CDD000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xA40E4000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA35B2000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\VirusDefs\20110628.020\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xB9BF8000 srescan.sys 81920 bytes
0xB80FA000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA5F2D000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9DAD000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB7E7C000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA825B000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA148000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA108000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xA8A21000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xA92F4000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA178000 C:\WINDOWS\system32\DRIVERS\IntelC53.sys 61440 bytes (Intel Corporation, Modem AFE Driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB0A99000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xA92D4000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA118000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA188000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA82AB000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA168000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA198000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xA89A1000 C:\WINDOWS\system32\drivers\NAV\1206000.01D\SRTSPX.SYS 45056 bytes (Symantec Corporation, Symantec AutoProtect)
0xBA278000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xA9304000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB849B000 C:\WINDOWS\system32\DRIVERS\SymIM.sys 40960 bytes (Symantec Corporation, NDIS Intermediate Driver)
0xB84AB000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xA3201000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA824B000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA138000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB92F2000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA89C1000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA288000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xA8A31000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA438000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xA8838000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA390000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA428000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA440000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xA8850000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB7311000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xBA388000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA448000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA468000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA430000 C:\WINDOWS\system32\DRIVERS\mohfilt.sys 24576 bytes (Intel Corporation, Filter Driver to Support Modem-on-Hold)
0xBA470000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xA8858000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xBA420000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA8848000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA8868000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xA8840000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA458000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA460000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA450000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3A8000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA3E1F000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xAE43E000 C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys 16384 bytes (Brother Industries Ltd., Brother USB Scanner Driver)
0xAE432000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9BA9000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xBA590000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB468D000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB9B4D000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA9421000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xAE43A000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA8A8F000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xACF68000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9810000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA8A83000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5B0000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows (R) 2000 DDK provider, TR Manager)
0xA8DD8000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA66E000 C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys 8192 bytes (Gteko Ltd., Process Trigger Driver)
0xBA5D4000 C:\WINDOWS\system32\DRIVERS\dsunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
0xA8DDA000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xA8DD6000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xA8DD4000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA624000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xBA626000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xAA18A000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xA9193000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7C8000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xA8CAD000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xA8336000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xA8816000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xA8817000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
==============================================
>Stealth
==============================================
0x8A7C3A91 Unknown page with executable code, 1391 bytes
0x8A7C6860 Unknown page with executable code, 1952 bytes
0x8A7C6781 Unknown page with executable code, 2175 bytes
0x8A7C8718 Unknown page with executable code, 2280 bytes
0x8A7C85B1 Unknown page with executable code, 2639 bytes
0x8A7C2288 Unknown page with executable code, 3448 bytes
0x8A7C4191 Unknown page with executable code, 3695 bytes
0xBA0C8000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
0x8A7C6E7A Unknown thread object [ ETHREAD 0x8A72ADA8 ] TID: 160, 600 bytes
0x8A7C9008 Unknown thread object [ ETHREAD 0x8A72AB30 ] TID: 164, 600 bytes
0x8A7C8CDC Unknown page with executable code, 804 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002D548, Type: Inline - RelativeJump 0x80504548-->80504527 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D578, Type: Inline - RelativeJump 0x80504578-->8050451A [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D604, Type: Inline - RelativeJump 0x80504604-->805045E7 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D780, Type: Inline - RelativeJump 0x80504780-->805047FF [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D7B8, Type: Inline - RelativeJump 0x805047B8-->80504800 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D810, Type: Inline - PushRet 0x80504810-->DC18805C [unknown_code_page]
ntkrnlpa.exe+0x0002D874, Type: Inline - PushRet 0x80504874-->D8458089 [unknown_code_page]
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xA5F13428-->A5D81B50 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xA5F13454-->A5D81220 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xA5F13460-->A5D81410 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xA8A36B4C-->A5D81B50 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xA8A36B1C-->A5D7F780 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xA8A36B3C-->A5D81220 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xA8A36B28-->A5D81410 [vsdatant.sys]
[1128]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[1128]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->715B9E59 [aclayers.dll]
[1128]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->715BA16B [aclayers.dll]
[1128]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->715BA067 [aclayers.dll]
[1128]iexplore.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[1128]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77A81190-->715B9E59 [aclayers.dll]
[1128]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x77A811F8-->715B9F5D [aclayers.dll]
[1128]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77A811FC-->715BA16B [aclayers.dll]
[1128]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[1128]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->715B9E59 [aclayers.dll]
[1128]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->715BA16B [aclayers.dll]
[1128]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->715BA067 [aclayers.dll]
[1128]iexplore.exe-->kernel32.dll+0x00001ACF, Type: Inline - RelativeJump 0x7C801ACF-->022E03D2 [unknown_code_page]
[1128]iexplore.exe-->kernel32.dll+0x0000220E, Type: Inline - RelativeJump 0x7C80220E-->022E01B0 [unknown_code_page]
[1128]iexplore.exe-->kernel32.dll+0x00009AEC, Type: Inline - RelativeJump 0x7C809AEC-->022E031C [unknown_code_page]
[1128]iexplore.exe-->kernel32.dll+0x00012C51, Type: Inline - RelativeJump 0x7C812C51-->022E0488 [unknown_code_page]
[1128]iexplore.exe-->kernel32.dll+0x0006229F, Type: Inline - RelativeJump 0x7C86229F-->022E0266 [unknown_code_page]
[1128]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x00401030-->5CB77774 [shimeng.dll]
[1128]iexplore.exe-->kernel32.dll-->HeapCreate, Type: Inline - RelativeJump 0x7C812C56-->7C812C51 [kernel32.dll]
[1128]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401034-->715B9E59 [aclayers.dll]
[1128]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00F1000A [unknown_code_page]
[1128]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00F0000A [unknown_code_page]
[1128]iexplore.exe-->kernel32.dll-->SetProcessDEPPolicy, Type: Inline - RelativeJump 0x7C8622A4-->7C86229F [kernel32.dll]
[1128]iexplore.exe-->kernel32.dll-->VirtualAlloc, Type: Inline - RelativeJump 0x7C809AF1-->7C809AEC [kernel32.dll]
[1128]iexplore.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->7C801ACF [kernel32.dll]
[1128]iexplore.exe-->kernel32.dll-->WriteProcessMemory, Type: Inline - RelativeJump 0x7C802213-->7C80220E [kernel32.dll]
[1128]iexplore.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
[1128]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->715B9E59 [aclayers.dll]
[1128]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->715BA067 [aclayers.dll]
[1128]iexplore.exe-->ntdll.dll-->NtMapViewOfSection, Type: Inline - RelativeJump 0x7C90D51E-->022E003A [unknown_code_page]
[1128]iexplore.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->022E00F7 [unknown_code_page]
[1128]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[1128]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->715B9E59 [aclayers.dll]
[1128]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->715B9F5D [aclayers.dll]
[1128]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->715BA16B [aclayers.dll]
[1128]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->715BA067 [aclayers.dll]
[1128]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[1128]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->715B9E59 [aclayers.dll]
[1128]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->715BA16B [aclayers.dll]
[1128]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->715BA067 [aclayers.dll]
[1128]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - RelativeJump 0x771C40E2-->00EA000C [unknown_code_page]
[1128]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersW, Type: Inline - RelativeJump 0x771CEF44-->00EB000A [unknown_code_page]
[1128]iexplore.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump 0x771C2B11-->00ED000A [unknown_code_page]
[1128]iexplore.exe-->wininet.dll-->HttpOpenRequestW, Type: Inline - RelativeJump 0x771CF45A-->00EC000A [unknown_code_page]
[1128]iexplore.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump 0x771C346A-->00EF000A [unknown_code_page]
[1128]iexplore.exe-->wininet.dll-->InternetConnectW, Type: Inline - RelativeJump 0x771CEE50-->00EE000A [unknown_code_page]
[1128]iexplore.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B1248-->5CB77774 [shimeng.dll]
[1128]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x771B124C-->715B9E59 [aclayers.dll]
[1128]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x771B1214-->715B9F5D [aclayers.dll]
[1128]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x771B122C-->715BA067 [aclayers.dll]
[1128]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[1128]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->715B9E59 [aclayers.dll]
[248]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[248]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[248]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[248]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[248]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[248]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[248]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B1248-->5CB77774 [shimeng.dll]
[248]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
hi2mom
Regular Member
 
Posts: 15
Joined: June 26th, 2011, 10:14 am
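The ">Hooks" section of the RKUnhooker report above records, for every hooked function, the module the hook now jumps into. As an added example (not part of this thread, not a feature of RKUnhooker, and not the helper's own procedure), the Python below parses such hook lines and sorts them into buckets by landing module: jumps that stay inside the hooked module, hooks that resolve to a named module, and hooks that land in an anonymous "unknown_code_page". The allow-list of known hooking modules is an assumption for the example: shimeng.dll and aclayers.dll belong to the Windows application-compatibility shim engine, and vsdatant.sys is the Check Point TrueVector (ZoneAlarm) driver that appears in the report's own driver list. The sample report is a constructed excerpt of lines copied from the log above.

```python
"""Triage the '>Hooks' section of a Rootkit Unhooker (RKU) report.

Added example for this thread; it is not part of RKUnhooker and not the
helper's own procedure. It parses hook lines like the ones posted above and
groups them by the module each hook lands in, so the reader can tell hooks
that resolve to a named module apart from hooks that land in an anonymous
code page.
"""
import re

# One hook line, as RKU prints it:
#   [PID]process-->module-->Api, Type: <kind> 0xSRC-->DST [landing module]
# Kernel-mode lines carry no [PID] and may use 'module+offset' instead of
# an API name.
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>.+?), Type: (?P<kind>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<target>[^\]]+)\]$"
)

# Assumption for this example: modules that legitimately hook APIs on the
# machine in the report. shimeng.dll and aclayers.dll are the Windows
# application-compatibility shim engine; vsdatant.sys is the Check Point
# TrueVector (ZoneAlarm) driver listed in the report's own driver section.
KNOWN_HOOKERS = {"shimeng.dll", "aclayers.dll", "vsdatant.sys"}

# Constructed sample: a handful of lines copied from the report above.
SAMPLE_REPORT = """\
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002D548, Type: Inline - RelativeJump 0x80504548-->80504527 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D810, Type: Inline - PushRet 0x80504810-->DC18805C [unknown_code_page]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xA5F13454-->A5D81220 [vsdatant.sys]
[1128]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[1128]iexplore.exe-->kernel32.dll-->HeapCreate, Type: Inline - RelativeJump 0x7C812C56-->7C812C51 [kernel32.dll]
[1128]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00F1000A [unknown_code_page]
[1128]iexplore.exe-->ntdll.dll-->NtMapViewOfSection, Type: Inline - RelativeJump 0x7C90D51E-->022E003A [unknown_code_page]
[1128]iexplore.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump 0x771C2B11-->00ED000A [unknown_code_page]
[1128]iexplore.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump 0x771C346A-->00EF000A [unknown_code_page]
[248]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
"""


def _hooks_section(text):
    """Yield the raw lines between the '>Hooks' header and the next section."""
    in_hooks = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">"):
            in_hooks = line == ">Hooks"
            continue
        if in_hooks and line and not line.startswith("="):
            yield line


def parse_hooks(text):
    """Return one dict per hook line in the report's Hooks section."""
    hooks = []
    for line in _hooks_section(text):
        m = HOOK_RE.match(line)
        if not m:
            continue  # tolerate lines the pattern does not cover
        pid = int(m["pid"]) if m["pid"] else None
        parts = m["chain"].split("-->")
        # The hooked module is the element before the API name, or the
        # module part of 'module+offset' when the hook has no symbol.
        if len(parts) >= 2 and "+" not in parts[-1]:
            module = parts[-2]
        else:
            module = parts[-1].split("+", 1)[0]
        hooks.append({
            "pid": pid,
            "process": f"{parts[0]}[{pid}]" if pid is not None else "kernel",
            "module": module,
            "api": parts[-1],
            "kind": m["kind"],
            "src": int(m["src"], 16),
            "dst": int(m["dst"], 16),
            "target": m["target"],
        })
    return hooks


def classify(hook):
    """Bucket a hook by where it lands."""
    target = hook["target"].lower()
    if target == "unknown_code_page":
        return "unknown-code"      # lands in memory that belongs to no module
    if target == hook["module"].lower():
        return "self"              # short jump inside the hooked module itself
    if target in KNOWN_HOOKERS:
        return "known-module"      # hooker is on the allow-list above
    return "review"                # named module, but not one we expected


def triage(text):
    buckets = {"unknown-code": [], "review": [], "known-module": [], "self": []}
    for h in parse_hooks(text):
        buckets[classify(h)].append((h["process"], h["module"], h["api"], h["target"]))
    return buckets


def apis_into_unknown_code(text):
    """Sorted (process, api) pairs whose hook lands in an anonymous code page."""
    return sorted({(h["process"], h["api"]) for h in parse_hooks(text)
                   if classify(h) == "unknown-code"})


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(entries)}")
    for process, api in apis_into_unknown_code(SAMPLE_REPORT):
        print(f"  {process} {api} -> unknown code page")
```

Run against the full log, the "unknown-code" bucket is the part worth a helper's attention: in the report above it collects the wininet.dll request and connection APIs, LoadLibraryA/W and NtMapViewOfSection inside iexplore.exe, which lines up with the browser-redirect symptom the poster described, while the shim-engine and ZoneAlarm entries fall into "known-module" and the kernel32.dll/ntkrnlpa.exe self-jumps into "self".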

Re: browser's been highjacked

Unread postby Cypher » June 29th, 2011, 11:45 am

Hi.
See if you can run the scan below in place of MGADiag.exe.

Scan with WVCheck:

Please download WVCheck and save it to the desktop.

  • Double click on WVCheck.exe and follow the prompts.
  • The scan may take some time depending on the Hard-Drive size.
  • Please post the contents of the notepad file WVCheck_1436_dd-mm-yyyy that can be located on the desktop.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: browser's been highjacked

Unread postby hi2mom » June 29th, 2011, 12:04 pm

That worked..

Windows Validation Check
Version: 1.9.12.5
Log Created On: 1153_29-06-2011
-----------------------

Windows Information
-----------------------
Windows Version: Windows XP Service Pack 3
Windows Mode: Normal
Systemroot Path: C:\WINDOWS

WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Do not download or install updates automatically.
-----------------------
Last Success Time for Update Detection: 2010-12-19 20:46:20
Last Success Time for Update Download: 2010-12-16 06:08:11
Last Success Time for Update Installation: 2010-12-16 08:01:06


WVCheck's Registry Check Check
-----------------------
Antiwpa: Not Found
-----------------------
Chew7Hale: Not Found
-----------------------


WVCheck's File Dump
-----------------------
WVCheck found no known bad files.


WVCheck's Dir Dump
-----------------------
WVCheck found no known bad directories.


WVCheck's Missing File Check
-----------------------
WVCheck found no missing Windows files.


WVCheck's MBAM Quarantine Check
-----------------------
There were no bad files quarantined by MBAM.


WVCheck's HOSTS File Check
-----------------------
WVCheck found no bad lines in the hosts file.


WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - b26b135ff1b9f60c9388b4a7d16f600b


-------- End of File, program close at 1157_29-06-2011 --------
hi2mom
Regular Member
 
Posts: 15
Joined: June 26th, 2011, 10:14 am

Re: browser's been highjacked

Unread postby Cypher » June 29th, 2011, 12:15 pm

Hi.
Your logs indicate that there have been no Windows updates installed on your computer since the 16th of December 2010.
Is there any reason why no updates have been installed since then?
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: browser's been highjacked

Unread postby hi2mom » June 29th, 2011, 2:01 pm

Automatic update is turned off...I'm the only person here so most likely responsible. Shall I reboot in safe mode and run Windows Automatic Update?
hi2mom
Regular Member
 
Posts: 15
Joined: June 26th, 2011, 10:14 am

Re: browser's been highjacked

Unread postby Cypher » June 29th, 2011, 2:20 pm

Hi.
Automatic update is turned off...I'm the only person here so most likely responsible. Shall I reboot in safe mode and run Windows Automatic Update?

No, please do not run the Windows updates just yet. Once your computer is clean you will need to install all the missing updates; they include vital updates for your computer's security.
Do the following then give me an update on how your computer is performing.

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Logs/Information to Post in your Next Reply

  • ComboFix.txt.
  • Please give me an update on your computers performance.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: browser's been highjacked

Unread postby hi2mom » June 29th, 2011, 3:49 pm

Cypher,
So far the system looks good, ComboFix found and removed something. Yeah!
Google and Yahoo searches checked out ok on Firefox and IE - no redirection took place.
ComboFix ran without installing Recovery Console. Even though I thought I had every bit of ZoneAlarm shut down, short of removing the program, I see in the log that a ComboFix connection was blocked.
This machine was hit with lots of invasive stuff a couple of weeks ago so I am still checking it out...I also noticed in ZoneAlarm that it is still trying to connect to a bad site 167.206.251.130.53 vdns2.srv.whplny.cv.net
What should I do next?
Thank you!


hi2mom
Regular Member
 
Posts: 15
Joined: June 26th, 2011, 10:14 am

Re: browser's been highjacked

Unread postby Cypher » June 30th, 2011, 5:40 am

Hi.
I need you to post the ComboFix.txt log again, but first make sure Word Wrap is turned off in Notepad:

  • Open Notepad then on the Toolbar click Format.
  • Make sure Word Wrap is unticked then close Notepad.

Now post the ComboFix.txt log again, it can be found by going to Start > Computer > C: > ComboFix.txt.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: browser's been highjacked

Unread postby hi2mom » June 30th, 2011, 7:54 am

Sorry, this should be better ...

ComboFix 11-06-25.05 - Margaret 06/29/2011 14:47:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3133 [GMT -4:00]
Running from: c:\documents and settings\Margaret\Desktop\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Margaret\Desktop\Windows XP Restore.lnk
c:\documents and settings\Margaret\GoToAssistDownloadHelper.exe
c:\documents and settings\Margaret\Start Menu\Programs\Windows XP Restore
c:\documents and settings\Margaret\Start Menu\Programs\Windows XP Restore\Uninstall Windows XP Restore.lnk
c:\documents and settings\Margaret\Start Menu\Programs\Windows XP Restore\Windows XP Restore.lnk
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-29 )))))))))))))))))))))))))))))))
.
.
2011-06-29 01:38 . 2011-06-29 01:38 7168 ----a-w- c:\windows\system32\74E82C32.exe
2011-06-29 01:17 . 2011-06-29 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-06-28 19:48 . 2011-06-29 01:07 -------- d-----w- c:\windows\system32\NtmsData
2011-06-18 02:18 . 2011-06-18 02:18 -------- d-----w- c:\documents and settings\Margaret\Application Data\Tific
2011-06-18 02:18 . 2011-06-18 02:18 -------- d-----w- c:\documents and settings\Margaret\Local Settings\Application Data\Symantec
2011-06-16 13:53 . 2011-06-16 13:53 388096 ------r- c:\documents and settings\Margaret\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-16 13:53 . 2011-06-16 13:53 -------- d-----w- c:\program files\Trend Micro
2011-06-16 13:48 . 2011-06-16 13:44 1402880 ------w- c:\program files\HiJackThis.msi
2011-06-14 18:46 . 2011-03-31 03:04 44024 ------r- c:\windows\system32\drivers\SymIM.sys
2011-06-14 18:25 . 2011-06-14 18:25 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-06-14 18:25 . 2011-06-14 18:25 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-06-14 18:25 . 2011-06-14 18:25 -------- d-----w- c:\program files\Symantec
2011-06-14 18:25 . 2011-06-14 18:25 -------- d-----w- c:\windows\system32\drivers\NAV
2011-06-14 18:25 . 2011-06-14 18:25 -------- d-----w- c:\program files\Norton AntiVirus
2011-06-14 18:25 . 2011-06-14 18:25 -------- d-----w- c:\program files\Windows Sidebar
2011-06-14 18:24 . 2011-06-14 18:24 -------- d-----w- c:\program files\NortonInstaller
2011-06-14 18:21 . 2011-06-18 13:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-06-14 15:09 . 2011-04-14 16:26 142296 ------w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-14 15:09 . 2011-04-14 16:25 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-06-14 15:09 . 2011-04-14 16:25 781272 ------w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-14 15:09 . 2011-04-14 16:25 1874904 ------w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-14 15:09 . 2011-04-14 16:25 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-06-14 15:09 . 2011-04-14 16:25 15832 ------w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-14 15:09 . 2011-04-14 16:25 465880 ------w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-14 15:09 . 2011-04-14 16:25 89048 ------w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-14 15:09 . 2010-01-01 08:00 1974616 ------w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-06-14 15:09 . 2010-01-01 08:00 1892184 ------w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-06-13 21:15 . 2011-06-29 01:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-13 21:15 . 2011-06-29 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-06-12 19:10 . 2011-06-12 19:10 -------- d-----w- c:\documents and settings\Margaret\Application Data\Malwarebytes
2011-06-12 19:10 . 2011-05-29 13:11 39984 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-12 19:10 . 2011-06-12 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-12 19:10 . 2011-06-14 01:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-12 17:00 . 2011-06-12 17:00 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-06-04 07:07 . 2011-06-04 17:01 -------- d--h--w- c:\documents and settings\Margaret\Application Data\Millennia
2011-06-04 06:30 . 1999-11-22 17:52 26112 ------w- c:\windows\system32\lfmsp11n.dll
2011-06-04 06:30 . 1999-11-22 17:52 27136 ------w- c:\windows\system32\lfimg11n.dll
2011-06-04 06:30 . 1999-11-22 17:52 35328 ------w- c:\windows\system32\lfcal11n.dll
2011-06-04 06:30 . 2011-06-04 20:35 -------- d-----w- c:\program files\Legacy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:26 . 2011-06-14 15:09 142296 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-02-21 26112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-12 1122304]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-08-12 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-28 148888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1206000.01D\SymDS.sys [6/14/2011 2:25 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1206000.01D\SymEFA.sys [6/14/2011 2:25 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\BASHDefs\20110616.003\BHDrvx86.sys [6/16/2011 6:45 PM 810616]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1206000.01D\Ironx86.sys [6/14/2011 2:25 PM 136312]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe [6/14/2011 2:25 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/17/2011 8:02 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\IPSDefs\20110625.050\IDSXpx86.sys [6/27/2011 10:22 PM 355256]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 1:23 PM 136176]
S3 74E82C32;74E82C32;c:\windows\system32\74E82C32.exe [6/28/2011 9:38 PM 7168]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 17:23]
.
2011-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 17:23]
.
2011-06-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 167.206.251.130 167.206.251.129
FF - ProfilePath - c:\documents and settings\Margaret\Application Data\Mozilla\Firefox\Profiles\k86oi7ld.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-29 15:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
Completion time: 2011-06-29 15:07:47
ComboFix-quarantined-files.txt 2011-06-29 19:07
.
Pre-Run: 142,758,440,960 bytes free
Post-Run: 142,933,147,648 bytes free
.
- - End Of File - - 6ACBE2B5775A94C8857680A0C02F6E52
hi2mom
Regular Member
 
Posts: 15
Joined: June 26th, 2011, 10:14 am

Re: browser's been highjacked

Unread postby Cypher » June 30th, 2011, 11:12 am

Hi.
Sorry, this should be better

Don't worry no need to apologise :)
Thank you, that's easier to read. I need you to upload a file for me to get it tested.

Upload File/Files for testing

Please go to Virustotal or jotti.org

Copy/paste this file and path into the white box at the top:
c:\windows\system32\74E82C32.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address:
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
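The file Cypher singles out for a VirusTotal check is the one entry in the ComboFix log that trips several signals at once: a 7168-byte executable created the night before the scan, sitting in system32 under an opaque eight-hex-digit name, and registered as a service of the same name. The Python below, an added example that is not from the thread or from ComboFix itself, automates that triage over a constructed excerpt of the log lines posted above; the four signals, the seven-day window and the two-signal threshold are assumptions of this example, not ComboFix rules.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of the ComboFix log posted above: the 'Files Created' entries,
# the service/driver lines and the completion stamp that the triage needs.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-29 )))))))))))))))))))))))))))))))
.
2011-06-29 01:38 . 2011-06-29 01:38 7168 ----a-w- c:\windows\system32\74E82C32.exe
2011-06-16 13:53 . 2011-06-16 13:53 -------- d-----w- c:\program files\Trend Micro
2011-06-14 18:25 . 2011-06-14 18:25 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-06-12 19:10 . 2011-05-29 13:11 39984 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
.
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe [6/14/2011 2:25 PM 130008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 1:23 PM 136176]
S3 74E82C32;74E82C32;c:\windows\system32\74E82C32.exe [6/28/2011 9:38 PM 7168]
.
Completion time: 2011-06-29 15:07:47
"""

# 'Files Created' entry: created . modified size-or-dashes attribute-flags path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)
# Service/driver entry (R0..R3 running, S0..S3 stopped): name;display;image path [meta]
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+?) \[([^\]]+)\]$")
COMPLETION_RE = re.compile(r"^Completion time: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$", re.M)
# Heuristic of this example, not a ComboFix rule: a bare eight-hex-digit file name.
OPAQUE_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
SYSTEM_DIR_PREFIX = "c:\\windows\\"


def parse_created_files(log_text):
    """Return the 'Files Created' (and Find3M) entries as dicts."""
    entries = []
    for line in log_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return entries


def parse_services(log_text):
    """Map lower-cased image path -> {start, name, display} for every service line."""
    services = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, _meta = m.groups()
            services[path.lower()] = {"start": start, "name": name, "display": display}
    return services


def log_completion_time(log_text):
    m = COMPLETION_RE.search(log_text)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def triage(log_text, recent_days=7, min_reasons=2):
    """Score each created file on four independent signals and return the ones
    that trip at least min_reasons of them, strongest first."""
    end = log_completion_time(log_text)
    services = parse_services(log_text)
    findings = []
    for entry in parse_created_files(log_text):
        if entry["is_dir"]:
            continue
        path = entry["path"]
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if path.lower().startswith(SYSTEM_DIR_PREFIX):
            reasons.append("system_dir")      # dropped into a Windows system directory
        if end and end - entry["created"] <= timedelta(days=recent_days):
            reasons.append("recent")          # created shortly before the scan
        if OPAQUE_NAME_RE.match(stem):
            reasons.append("opaque_name")     # random-looking hex name
        service = services.get(path.lower())
        if service:
            reasons.append("service")         # also registered to start as a service
        if len(reasons) >= min_reasons:
            findings.append({"path": path, "size": entry["size"], "created": entry["created"],
                             "reasons": reasons, "service": service})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['path']}  {f['size']} bytes  created {f['created']:%Y-%m-%d %H:%M}")
        print("  signals:", ", ".join(f["reasons"]))
        if f["service"]:
            print(f"  service '{f['service']['name']}' start type {f['service']['start']}")
```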

Re: browser's been highjacked

Unread postby hi2mom » June 30th, 2011, 12:50 pm

hi2mom
Regular Member
 
Posts: 15
Joined: June 26th, 2011, 10:14 am