Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Web search is redirected....


Unread postby maritimer » November 24th, 2007, 3:26 pm

A thanks to all who help out here..... Having a problem as the title suggests. My web search results are being redirected to "suggestsnow" and "monstersearch", among others. My Hijack This log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:08 PM, on 24/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\JamLab\JamLabInst.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\System32\msg32.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\hello.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [xxy_Shell] C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1784500375
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... 0.0.10.cab?
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
O21 - SSODL: E404Helper - {a2a30590-dc0b-4bed-a057-3ea00eb47332} - e404d.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JamLab Installer (JamLabInstallerService) - M-Audio - C:\Program Files\M-Audio\JamLab\JamLabInst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5401 bytes
maritimer
Active Member
 
Posts: 10
Joined: November 24th, 2007, 3:14 pm

Re: Web search is redirected....

Unread postby Bob4 » November 25th, 2007, 12:07 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!

  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.



Please, if you decide to seek help at another forum, let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!



______________________________
HJT
Run HijackThis, choose Scan only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - Global Startup: Image Transfer.lnk = ?
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
O21 - SSODL: E404Helper - {a2a30590-dc0b-4bed-a057-3ea00eb47332} - e404d.dll (file missing)



_____________________________
Submit a file to Jotti
Please go here: http://virusscan.jotti.org/
At the top of the page there is a field for the file path; copy and paste these file paths, one at a time.


C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html



______________________________
1. Download ComboFix from one of these locations. (Please save it to your desktop.)
http://www.techsupportforum.com/sectool ... mboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

combofix.exe

2. Close all open windows.
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply (c:\comboFix.txt).

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.





__________________________________

Please download HostsXpert.

  1. Unzip HostsXpert.zip
  2. Open a new txt document on your desktop.
    Name it Hostfile.txt
    Leave it open.

    Next

  3. Double click on HostsXpert.exe
  4. Then click on "EDITING"
  5. Click on Copy to clipboard
  6. Click on copy host file.
  7. Close program when complete.
  8. Paste (Ctrl+V) that into the txt file you created.
  9. Post the contents of that file here for me.

_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Jotti's/VirusTotal
  • The report from Combofix
  • The hosts file
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
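The fix list above follows two patterns a helper looks for in an HJT log: autostart entries whose target no longer exists ("(no file)", "(file missing)", an unresolved "= ?"), and Run keys that launch an executable from a place no vendor installer would put it (the root of a user profile, or the bare Windows directory). The script below is an added example, not MalwareRemoval.com's or HijackThis's own code; the regexes, the location heuristics and the constructed sample lines are this example's assumptions, shaped after the log posted in this thread.

```python
"""Triage helper for HijackThis (HJT) v2 log lines.

Added example for this thread, not a HijackThis or forum tool. It flags
autostart entries that point at a missing file, and O4 Run keys whose
executable sits in an unusual location. Heuristic only, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xxy_Shell] C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - Global Startup: Image Transfer.lnk = ?
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
O21 - SSODL: E404Helper - {a2a30590-dc0b-4bed-a057-3ea00eb47332} - e404d.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Markers HJT prints when an autostart entry's target cannot be resolved.
ORPHAN_MARKERS = ("(no file)", "(file missing)", "= ?")

# First quoted string, else a drive-rooted path up to its executable extension.
_PATH_RE = re.compile(
    r'"([^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|ocx|scr|com|bat))(?=$|\s|,)', re.I)

# Heuristic (this example's assumption): legitimate software installs under
# Program Files or System32, not directly in a profile root or in C:\WINDOWS.
_ODD_LOCATIONS = (
    (re.compile(r'^[A-Za-z]:\\Documents and Settings\\[^\\]+\\[^\\]+$', re.I),
     "executable directly in a user profile root"),
    (re.compile(r'^[A-Za-z]:\\WINDOWS\\[^\\]+$', re.I),
     "executable directly in the Windows directory"),
)


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str
    line: str


def section_of(line):
    """Return the HJT section code (R0, O2, O4, ...) or None for non-entry lines."""
    m = re.match(r'^(R\d|O\d+|F\d)\s+-', line)
    return m.group(1) if m else None


def run_target(line):
    """For an O4 Run entry, return the program path it launches, if parseable."""
    m = re.match(r'^O4 - .*?: \[[^\]]*\]\s*(.*)$', line)
    if not m:
        return None
    pm = _PATH_RE.search(m.group(1))
    if not pm:
        return None
    return pm.group(1) or pm.group(2)


def triage_line(line):
    """Classify one HJT line; returns a Finding or None."""
    section = section_of(line)
    if section is None:
        return None
    if any(marker in line for marker in ORPHAN_MARKERS):
        return Finding(section, "autostart points at a missing file", line)
    if section == "O4":
        target = run_target(line)
        if target:
            for pattern, reason in _ODD_LOCATIONS:
                if pattern.match(target):
                    return Finding(section, reason, line)
    return None


def triage(log_text):
    """Run triage_line over every line of an HJT log and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw.strip())
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.reason}: {f.line}")
```

On the sample it returns six findings: the five lines the helper asked to have fixed, plus the xxy_bbvx.exe Run key he sent for scanning.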

Re: Web search is redirected....

Unread postby maritimer » November 25th, 2007, 2:58 pm

Hi Bob4,
Thank you so much for doing this!

As requested, logs as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:57 PM, on 25/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\JamLab\JamLabInst.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\System32\msg32.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\hello.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [xxy_Shell] C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1784500375
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... 0.0.10.cab?
O21 - SSODL: E404Helper - {a2a30590-dc0b-4bed-a057-3ea00eb47332} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JamLab Installer (JamLabInstallerService) - M-Audio - C:\Program Files\M-Audio\JamLab\JamLabInst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4962 bytes


VIRUS TOTAL REPLY


File has already been analysed:
MD5: 64deaf017196164de5ce201c2fc9baed
Date: 10.28.2007 03:22:56 (CET) [>28D]
Results: 29/31
Permalink: resultado.html?c6b940a25b16b79208957a0106bcfa10





ComboFix 07-11-19.3 - Mike & Sharon 2007-11-25 14:44:42.2 - NTFSx86
Running from: C:\Documents and Settings\Mike & Sharon\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\msvcrtdm.dll
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SVCHOST




((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-24 14:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 13:26 <DIR> d-------- C:\Program Files\SpywareGuard
2007-11-24 12:10 <DIR> d-------- C:\cwshred
2007-11-23 22:05 0 C:\Documents and Settings\Mike & Sharon\xxy_tempopt.bin
2007-11-23 10:25 41,472 --a------ C:\WINDOWS\SYSTEM32\e404d.dll
2007-10-29 10:17 <DIR> d-------- C:\DiskTemp
2007-10-26 10:26 <DIR> d-------- C:\Program Files\CamStudio
2007-10-26 09:52 <DIR> d-------- C:\Program Files\GeoVid
2007-10-26 09:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 18:43 0 ----a-w C:\Documents and Settings\Mike & Sharon\xxy_tempopt.bin
2007-11-23 17:00 --------- d-----w C:\Program Files\EPSON Print CD
2007-11-08 19:48 100,416 ----a-w C:\Documents and Settings\Mike & Sharon\Application Data\GDIPFONTCACHEV1.DAT
2007-10-26 15:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-22 19:51 --------- d-----w C:\Program Files\Blender Foundation
2007-10-18 17:19 --------- d-----w C:\Program Files\iZotope
2007-09-26 16:54 --------- d-----w C:\Program Files\GoldWave
2007-05-18 18:49 33,344 ----a-w C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_14.25.52.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-24 18:44:23 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2007-11-25 18:42:58 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2007-11-24 18:44:23 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2007-11-25 18:42:58 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2007-11-24 18:44:23 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2007-11-25 18:42:58 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RunDLL32.exe" [2002-08-29 07:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2002-08-29 07:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"DeltTray"="DeltTray.exe" [2002-12-06 16:19 C:\WINDOWS\SYSTEM32\delttray.exe]
"EW Message Server"="msg32.exe" [2003-02-26 19:03 C:\WINDOWS\SYSTEM32\Msg32.exe]
"nwiz"="nwiz.exe" [2003-10-06 13:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-02 11:40]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 03:00]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 20:22]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2006-02-01 09:24]
"xxy_Shell"="C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe" [2007-05-18 14:49]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mike & Sharon^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Mike & Sharon\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-02-23 14:45 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svchost"=2 (0x2)
"runbatch"=2 (0x2)
"ntsysvers"=2 (0x2)

*Newly Created Service* - FILESPY
*Newly Created Service* - NSTATION
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 14:47:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-25 14:48:50
.
--- E O F ---



HOSTS FILE

127.0.0.1 localhost
maritimer
Active Member
 
Posts: 10
Joined: November 24th, 2007, 3:14 pm

Re: Web search is redirected....

Unread postby maritimer » November 25th, 2007, 4:32 pm

I forgot to mention that when running ComboFix, the program stopped at one point and said the application failed to start and that msvcrtdm.dll was not found.
This same message appears now when trying to open a .pdf file.
maritimer
Active Member
 
Posts: 10
Joined: November 24th, 2007, 3:14 pm

Re: Web search is redirected....

Unread postby Bob4 » November 25th, 2007, 6:59 pm

OK, ComboFix got some of what I saw.

As for the errors, let's continue to remove malware, then try to fix anything it borked.

__________________________________

Your VirusTotal log looks incomplete.
Let's do it again, sending the file elsewhere to scan along with one other.


_____________________________
Submit a file to Jotti
Please go here: http://virusscan.jotti.org/
At the top of the page there is a field for the file path; copy and paste these file paths, one at a time.


C:\WINDOWS\SYSTEM32\e404d.dll


Please make sure you try this second one at both places.

C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html


______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    (Do not use the Registry function to clean anything with this program. Having anything auto-clean your registry is risky.)


AVG Anti-Spyware:
________________________________________
Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).



    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    • Open up AVG Anti-Spyware.
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
  • Make sure that Set all elements to: shows Quarantine
  • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
  • When the program has finished, it will display the message All actions have been applied.
  • Then click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Reboot in normal mode.



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Jotti's/VirusTotal
  • The report from AVG Anti-Spyware
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Web search is redirected....

Unread postby maritimer » November 25th, 2007, 9:43 pm

As per your request.

C:\WINDOWS\SYSTEM32\e404d.dll

Scan taken on 25 Nov 2007 23:35:30 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found AdWare.BHO.Ihbo
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Heuri-E
VirusBuster Found nothing
VBA32 Found nothing



C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe
Scan taken on 25 Nov 2007 23:40:10 (GMT)
A-Squared Found Trojan-PSW.Win32.Small.bs
AntiVir Found TR/PSW.Small.BS.149
ArcaVir Found Trojan.Psw.Small.Bs
Avast Found Win32:Small-FAV
AVG Antivirus Found PSW.Generic3.XJF
BitDefender Found Trojan.PWS.Small.BS
ClamAV Found PUA.Packed.UPack-2
CPsecure Found Troj.PSW.W32.Small.bs
Dr.Web Found Trojan.DownLoader.24600
F-Prot Antivirus Found W32/Agent.DIT
F-Secure Anti-Virus Found Trojan-PSW.Win32.Small.bs
Fortinet Found W32/Agent.PUD!tr
Ikarus Found Trojan-Downloader.Win32.Zlob.and
Kaspersky Anti-Virus Found Trojan-PSW.Win32.Small.bs
NOD32 Found Win32/TrojanDownloader.Small.CHK
Norman Virus Control Found W32/Suspicious_U.gen
Panda Antivirus Found Trj/Spyforms.AG
Rising Antivirus Found Trojan.PSW.Small.hl
Sophos Antivirus Found Troj/Small-EJE
VirusBuster Found Trojan.PWS.Small.UHA
VBA32 Found Trojan.Win32.TrojanDownloader.Small.CHK




File xxy_bbvx.exe received on 10.28.2007 03:22:56 (CET)
Current status: finished
Result: 29/31 (93.55%)



Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/PSW.Small.BS.149
Authentium - - W32/Agent.DIT
Avast - - Win32:Small-FAV
AVG - - PSW.Generic3.XJF
BitDefender - - Trojan.PWS.Small.BS
CAT-QuickHeal - - TrojanPSW.Small.bs
ClamAV - - PUA.Packed.UPack-2
DrWeb - - Trojan.DownLoader.24600
eSafe - - Win32.Small.bs
eTrust-Vet - - Win32/Ursnif.AQ
Ewido - - Trojan.Small.bs
FileAdvisor - - High threat detected
Fortinet - - W32/Agent.PUD!tr
F-Prot - - W32/Agent.DIT
F-Secure - - Trojan-PSW.Win32.Small.bs
Ikarus - - Trojan-Downloader.Win32.Zlob.and
Kaspersky - - Trojan-PSW.Win32.Small.bs
McAfee - - Generic PWS
Microsoft - - TrojanSpy:Win32/Ursnif
NOD32v2 - - Win32/TrojanDownloader.Small.CHK
Norman - - W32/Suspicious_U.gen
Panda - - Trj/Spyforms.AG
Prevx1 - - -
Rising - - Trojan.PSW.Small.hl
Sophos - - Troj/Small-EJE
Sunbelt - - Trojan-PSW.Win32.Small.bs
Symantec - - Downloader
TheHacker - - Trojan/PSW.Small.bs
VBA32 - - Trojan.Win32.TrojanDownloader.Small.CHK
VirusBuster - - Trojan.PWS.Small.UHA
Additional information
MD5: 64deaf017196164de5ce201c2fc9baed


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:51 PM, on 25/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\M-Audio\JamLab\JamLabInst.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\System32\msg32.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\hello.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [xxy_Shell] C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1784500375
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... 0.0.10.cab?
O21 - SSODL: E404Helper - {a2a30590-dc0b-4bed-a057-3ea00eb47332} - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JamLab Installer (JamLabInstallerService) - M-Audio - C:\Program Files\M-Audio\JamLab\JamLabInst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5345 bytes
maritimer
Active Member
 
Posts: 10
Joined: November 24th, 2007, 3:14 pm

Re: Web search is redirected....

Unread postby Bob4 » November 26th, 2007, 7:47 am

I need the AVG Anti-Spyware report please.


______________________________
HJT
Run HijackThis, choose Scan only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.


O4 - HKLM\..\Run: [xxy_Shell] C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe

O21 - SSODL: E404Helper - {a2a30590-dc0b-4bed-a057-3ea00eb47332} - (no file)



________________________________________
Open Notepad and copy/paste the text in the quote box below into it:


File::
C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe
C:\WINDOWS\SYSTEM32\e404d.dll



Save this as CFScript.txt, in the same location as ComboFix.exe.


Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will need in your next reply.

_________________________________
Please do an online scan with Kaspersky Online Scanner.
Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under "Select a target to scan" select My Computer.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.



The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.


_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from AVG Anti-Spyware
  • The report from ComboFix
  • The report from Kaspersky
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
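A small triage script for HijackThis logs like the one posted above, added here as an example; it is not part of this thread, of HijackThis or of any tool the helper uses. It parses the R/O entries, flags autostart entries whose binary sits outside the Windows and Program Files trees (as the xxy_Shell entry does) and entries whose registered file is missing (as the E404Helper SSODL entry is). The sample lines are copied from the log in this thread; the trusted-root list and the set of entry types checked are assumptions for a Windows XP system.

```python
"""Triage a HijackThis (HJT) log: flag autostart entries that load code from
outside the usual program locations, and entries whose target file is gone."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this thread.
# Two of them are the entries the helper asked the poster to fix.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xxy_Shell] C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O21 - SSODL: E404Helper - {a2a30590-dc0b-4bed-a057-3ea00eb47332} - (no file)
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
""".strip()

# An HJT entry is "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
HJT_ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# First drive-letter path ending in a loadable module. Non-greedy so that a
# trailing argument list (",NvStartup", "/minimized") is not swallowed.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|cpl)\b", re.IGNORECASE)

# Assumption: on an XP box legitimate autostart binaries live under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Assumption: entry types that load code at boot/logon and so deserve a path check.
AUTOSTART_KINDS = {"O2", "O3", "O4", "O20", "O21", "O23"}


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def extract_path(body: str) -> Optional[str]:
    """Return the first Windows path in an entry body, quoted or not."""
    m = WIN_PATH.search(body)
    return m.group(0) if m else None


def in_trusted_root(path: str) -> bool:
    """Case-insensitive prefix check against TRUSTED_ROOTS."""
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def triage(log_text: str) -> List[Finding]:
    """Walk the log and collect entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        kind, body = m.group("kind"), m.group("body")
        if kind not in AUTOSTART_KINDS:
            continue
        if "(no file)" in body:
            # Orphaned registration: the loader retries it at every logon,
            # and partial malware removal often leaves these behind.
            findings.append(Finding(kind, "registered file is missing", line))
            continue
        path = extract_path(body)
        if path is None:
            findings.append(Finding(kind, "no file path could be parsed", line))
        elif not in_trusted_root(path):
            # A user-profile or root-of-drive executable is the classic
            # location for a dropped loader such as xxy_bbvx.exe above.
            findings.append(Finding(kind, "autostart binary outside Windows/Program Files", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.kind:<4} {f.reason}: {f.line}")
```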

Re: Web search is redirected....

Unread postby maritimer » November 26th, 2007, 7:54 am

Sorry, here it is. The rest will follow.

Thanks!

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:29:36 PM 25/11/2007

+ Scan result:



C:\WINDOWS\SYSTEM32\DLLCACHE\userlist.exe -> Backdoor.Iroffer.1213.a : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\DLLCACHE\clearlogs.exe -> Not-A-Virus.HackTool.Win32.Clearlog : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\DLLCACHE\firedaemon.exe -> Not-A-Virus.RemoteAdmin.Win32.RA.3826 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).


::Report end
maritimer
Active Member
 
Posts: 10
Joined: November 24th, 2007, 3:14 pm

Re: Web search is redirected....

Unread postby maritimer » November 26th, 2007, 9:35 am

Just to note that ComboFix still could not find the file msvcrtdm.dll. ComboFix stalled and had to be restarted.


ComboFix 07-11-19.3 - Mike & Sharon 2007-11-26 8:31:18.4 - NTFSx86
Running from: C:\Documents and Settings\Mike & Sharon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike & Sharon\Desktop\CFScript.txt

FILE
C:\Documents and Settings\Mike & Sharon\xxy_bbvx.exe
C:\WINDOWS\SYSTEM32\e404d.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\SYSTEM32\e404d.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-25 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-25 20:03 <DIR> C:\Documents and Settings\Mike & Sharon\Application Data\Grisoft
2007-11-25 20:02 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-25 20:00 <DIR> C:\Documents and Settings\Mike & Sharon\Recent
2007-11-25 19:53 <DIR> d-------- C:\Program Files\CCleaner
2007-11-24 14:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 13:26 <DIR> d-------- C:\Program Files\SpywareGuard
2007-11-24 12:10 <DIR> d-------- C:\cwshred
2007-11-23 22:05 0 C:\Documents and Settings\Mike & Sharon\xxy_tempopt.bin
2007-10-29 10:17 <DIR> d-------- C:\DiskTemp
2007-10-26 10:26 <DIR> d-------- C:\Program Files\CamStudio
2007-10-26 09:52 <DIR> d-------- C:\Program Files\GeoVid
2007-10-26 09:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 00:03 --------- d-----w C:\Documents and Settings\Mike & Sharon\Application Data\Grisoft
2007-11-26 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-25 18:43 0 ----a-w C:\Documents and Settings\Mike & Sharon\xxy_tempopt.bin
2007-11-23 17:00 --------- d-----w C:\Program Files\EPSON Print CD
2007-11-08 19:48 100,416 ----a-w C:\Documents and Settings\Mike & Sharon\Application Data\GDIPFONTCACHEV1.DAT
2007-10-26 15:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-22 19:51 --------- d-----w C:\Program Files\Blender Foundation
2007-10-18 17:19 --------- d-----w C:\Program Files\iZotope
2007-09-26 16:54 --------- d-----w C:\Program Files\GoldWave
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_14.25.52.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-24 18:44:23 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2007-11-25 18:42:58 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2007-11-24 18:44:23 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2007-11-25 18:42:58 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2007-11-24 18:44:23 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2007-11-25 18:42:58 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2007-11-25 18:21:27 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT
+ 2007-11-26 12:05:49 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RunDLL32.exe" [2002-08-29 07:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2002-08-29 07:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"DeltTray"="DeltTray.exe" [2002-12-06 16:19 C:\WINDOWS\SYSTEM32\delttray.exe]
"EW Message Server"="msg32.exe" [2003-02-26 19:03 C:\WINDOWS\SYSTEM32\Msg32.exe]
"nwiz"="nwiz.exe" [2003-10-06 13:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-02 11:40]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 03:00]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 20:22]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2006-02-01 09:24]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-25 20:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mike & Sharon^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Mike & Sharon\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-02-23 14:45 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svchost"=2 (0x2)
"runbatch"=2 (0x2)
"ntsysvers"=2 (0x2)

*Newly Created Service* - EWAVE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 08:33:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 8:34:38
C:\ComboFix2.txt ... 2007-11-25 14:48
.
--- E O F ---

KASPERSKY ONLINE SCANNER REPORT
Monday, November 26, 2007 9:31:28 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/11/2007
Kaspersky Anti-Virus database records: 465922

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
G:\

Scan Statistics
Total number of scanned objects 51727
Number of viruses found 3
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 00:34:41

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Mike & Sharon\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Mike & Sharon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Mike & Sharon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Mike & Sharon\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Mike & Sharon\Local Settings\History\History.IE5\MSHist012007112620071127\index.dat Object is locked skipped

C:\Documents and Settings\Mike & Sharon\Local Settings\Temp\~DF1C10.tmp Object is locked skipped

C:\Documents and Settings\Mike & Sharon\Local Settings\Temp\~DFE3DF.tmp Object is locked skipped

C:\Documents and Settings\Mike & Sharon\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Mike & Sharon\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Mike & Sharon\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\qoobox\Quarantine\C\WINDOWS\avp.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\DLLCACHE\bnc.exe Infected: not-a-virus:Server-Proxy.Win32.IrcProxy.264 skipped

C:\WINDOWS\SYSTEM32\DLLCACHE\mybot.log.2003-w39 Object is locked skipped

C:\WINDOWS\SYSTEM32\DLLCACHE\mybot.log.2004-w08 Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\tgaxkfr.exe Infected: Trojan.Win32.Agent.ass skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:06 AM, on 26/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\M-Audio\JamLab\JamLabInst.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\System32\msg32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\hello.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1784500375
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... 0.0.10.cab?
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JamLab Installer (JamLabInstallerService) - M-Audio - C:\Program Files\M-Audio\JamLab\JamLabInst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5221 bytes
maritimer
Active Member
 
Posts: 10
Joined: November 24th, 2007, 3:14 pm

Re: Web search is redirected....

Unread postby Bob4 » November 26th, 2007, 3:16 pm

A few more text documents.
Don't get them confused. :lol:
Just kidding. This should be simple.

________________________________________
Open Notepad and copy/paste the text in the quote box below into it:


File::
C:\WINDOWS\SYSTEM32\DLLCACHE\bnc.exe
C:\WINDOWS\tgaxkfr.exe
C:\Documents and Settings\Mike & Sharon\xxy_tempopt.bin


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]



Save this as CFScript.txt, in the same location as ComboFix.exe.
If asked, overwrite the last one we did.


Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will need in your next reply.




NEXT: Will try and sort that error out.
__________________________________

Open Notepad and copy the text in the box exactly into Notepad.


@ECHO OFF
REM Remove any report left over from an earlier run
If exist Report.txt Del Report.txt
ECHO Working.......
REM List every imm32.dll under the Windows folder with its size and timestamp
For /F "TOKENS=*" %%g IN ('dir /s /a /b %windir%\imm32.dll') Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
start notepad Report.txt & exit




Then click on the File menu and select Save As.
Save the file as Locatefiles.bat, and save it to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file.

Now double-click the file on the desktop.
A new text document will open; post the contents of that file for me.

If it doesn't open, there should be a copy on your desktop called report.txt.
Just open that and post the contents.




_________________________
In your next reply I would like to see:
  • The report.txt file from the desktop
  • The report from ComboFix
  • Are you still being redirected any longer?
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Web search is redirected....

Unread postby maritimer » November 26th, 2007, 4:43 pm

Sorry, forgot to mention the redirection no longer happens. A memory leak I had in explorer.exe has also been fixed.....GREAT JOB! Thank you!!

ComboFix 07-11-19.3 - Mike & Sharon 2007-11-26 16:30:36.6 - NTFSx86
Running from: C:\Documents and Settings\Mike & Sharon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike & Sharon\Desktop\CFScript.txt

FILE
C:\Documents and Settings\Mike & Sharon\xxy_tempopt.bin
C:\WINDOWS\SYSTEM32\DLLCACHE\bnc.exe
C:\WINDOWS\tgaxkfr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Mike & Sharon\xxy_tempopt.bin
C:\WINDOWS\SYSTEM32\DLLCACHE\bnc.exe
C:\WINDOWS\tgaxkfr.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-26 08:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 08:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-25 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-25 20:03 <DIR> C:\Documents and Settings\Mike & Sharon\Application Data\Grisoft
2007-11-25 20:02 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-25 20:00 <DIR> C:\Documents and Settings\Mike & Sharon\Recent
2007-11-25 19:53 <DIR> d-------- C:\Program Files\CCleaner
2007-11-24 14:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 13:26 <DIR> d-------- C:\Program Files\SpywareGuard
2007-11-24 12:10 <DIR> d-------- C:\cwshred
2007-10-29 10:17 <DIR> d-------- C:\DiskTemp
2007-10-26 10:26 <DIR> d-------- C:\Program Files\CamStudio
2007-10-26 09:52 <DIR> d-------- C:\Program Files\GeoVid
2007-10-26 09:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 00:03 --------- d-----w C:\Documents and Settings\Mike & Sharon\Application Data\Grisoft
2007-11-26 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-23 17:00 --------- d-----w C:\Program Files\EPSON Print CD
2007-11-08 19:48 100,416 ----a-w C:\Documents and Settings\Mike & Sharon\Application Data\GDIPFONTCACHEV1.DAT
2007-10-26 15:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-22 19:51 --------- d-----w C:\Program Files\Blender Foundation
2007-10-18 17:19 --------- d-----w C:\Program Files\iZotope
2007-09-26 16:54 --------- d-----w C:\Program Files\GoldWave
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_14.25.52.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-24 18:44:23 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2007-11-25 18:42:58 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2007-11-24 18:44:23 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2007-11-25 18:42:58 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2007-11-25 18:21:27 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT
+ 2007-11-26 12:05:49 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RunDLL32.exe" [2002-08-29 07:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2002-08-29 07:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"DeltTray"="DeltTray.exe" [2002-12-06 16:19 C:\WINDOWS\SYSTEM32\delttray.exe]
"EW Message Server"="msg32.exe" [2003-02-26 19:03 C:\WINDOWS\SYSTEM32\Msg32.exe]
"nwiz"="nwiz.exe" [2003-10-06 13:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-02 11:40]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 03:00]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 20:22]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2006-02-01 09:24]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-25 20:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mike & Sharon^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Mike & Sharon\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-02-23 14:45 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svchost"=2 (0x2)
"runbatch"=2 (0x2)
"ntsysvers"=2 (0x2)

*Newly Created Service* - EWAVE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 16:33:15
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 16:33:57
C:\ComboFix2.txt ... 2007-11-26 08:34
C:\ComboFix3.txt ... 2007-11-25 14:48
.
--- E O F ---

FROM REPORT.TXT
"C:\WINDOWS\SYSTEM32\imm32.dll" 104448 09/07/2007 06:36 PM
maritimer
Active Member
 
Posts: 10
Joined: November 24th, 2007, 3:14 pm

Re: Web search is redirected....

Unread postby Bob4 » November 26th, 2007, 5:49 pm

maritimer wrote:
FROM REPORT.TXT
"C:\WINDOWS\SYSTEM32\imm32.dll" 104448 09/07/2007 06:36 PM


That's all the report.txt had to offer?

OK, I'll do some checking around and get us an answer.

A few questions:

Do you have an XP installation CD?

Are you on dial-up or high speed?

Any other problems, other than a few programs giving you the msvcrtdm.dll missing errors?
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Web search is redirected....

Unread postby maritimer » November 26th, 2007, 7:06 pm

That's all the report.txt had to offer? ....Yes

Ok, I'll do some checking around and get us an answer. .....I did do a Google search on msvcrtdm.dll and some posts did point to a change in the file that report.txt found.

Few questions:

Do you have an XP installation CD? .....I have a Dell reinstallation CD.

Are you on dial-up or high speed? ..........High speed here.

Any other problems, other than a few programs giving you the msvcrtdm.dll missing/errors? .....No other problems....at least not with the computer. :lol:
maritimer
Active Member
 
Posts: 10
Joined: November 24th, 2007, 3:14 pm

Re: Web search is redirected....

Unread postby Bob4 » November 26th, 2007, 7:37 pm

Alright, and thanks for the answers.
Give me just a bit of time to get some answers.
Part of the infection you had changed that file, so we need to get you a known good copy of it.

Shouldn't be too long.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Web search is redirected....

Unread postby Bob4 » November 27th, 2007, 7:32 am

Download this file to your desktop.
imm32.dll download

Once it's there, right-click on the file and choose Copy.
Navigate to
c:/windows/system32

Once inside the system32 folder, right-click anywhere in a blank area and choose Paste.
You will see Windows telling you the file already exists: "do you want to replace it?"
Click Yes.

Reboot the computer and try opening a PDF file (Adobe).
Hopefully this should sort this problem out.

Let me know please.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
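Before swapping a system DLL for a downloaded copy, a defender would first confirm whether the file on disk is still Microsoft's. The PowerShell below is an added example, not a tool from this thread or the forum: it reports imm32.dll's size, timestamp, version info, SHA-256 and Authenticode status, and compares it with the Windows File Protection cache copy. The dllcache path, the use of PowerShell 4+ (Get-FileHash) and the function name Test-SystemDll are assumptions; the XP SP1 machine in the thread would need a newer PowerShell for this.

```powershell
# Added example (not from the thread): check whether a system DLL still looks genuine
# before replacing it. Assumes PowerShell 4+ and the XP-era dllcache location.
function Test-SystemDll {
    param(
        [string]$Path  = "$env:SystemRoot\System32\imm32.dll",
        [string]$Cache = "$env:SystemRoot\System32\dllcache\imm32.dll"  # WFP backup copy (assumed path)
    )
    if (-not (Test-Path $Path)) { throw "Not found: $Path" }

    $item = Get-Item $Path
    # Verifies embedded and (on Windows 8+/PS4+) catalog signatures; older hosts may
    # report catalog-signed Microsoft DLLs as NotSigned, so read Status with that in mind.
    $sig  = Get-AuthenticodeSignature $Path
    $hash = (Get-FileHash $Path -Algorithm SHA256).Hash
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    $result = [ordered]@{
        Path         = $Path
        Size         = $item.Length
        LastWrite    = $item.LastWriteTime
        FileVersion  = $item.VersionInfo.FileVersion
        Company      = $item.VersionInfo.CompanyName
        SHA256       = $hash
        SigStatus    = $sig.Status      # Valid / NotSigned / HashMismatch ...
        Signer       = $signer
        MatchesCache = $null
    }

    # A live file that differs from the protected cache copy was altered after
    # Windows installed it, which is what the report.txt line above hinted at.
    if (Test-Path $Cache) {
        $cacheHash = (Get-FileHash $Cache -Algorithm SHA256).Hash
        $result.MatchesCache = ($cacheHash -eq $hash)
    }

    # Flag the combinations a tampered system DLL typically shows.
    $result.Suspicious = ($sig.Status -ne 'Valid') -or
                         ($result.MatchesCache -eq $false) -or
                         ($item.VersionInfo.CompanyName -notmatch 'Microsoft')
    [pscustomobject]$result
}

Test-SystemDll | Format-List
```

If Suspicious is true, the safer fix is to restore the file from the original installation media or Windows File Protection (for example with sfc) rather than from an arbitrary download.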