Redirected Searches
Post by rex_abbey » April 13th, 2009, 9:08 pm

I believe my browser has been hijacked; I am redirected when clicking on search results, and my browsers are constantly crashing. Any help would be greatly appreciated. I'm using Windows XP Professional, Version 2002, Service Pack 3. Thanking you in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:22 PM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\vphc700.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\SPC 700NC PC Camera\TrayMin700.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [phc700] C:\WINDOWS\vphc700.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: TrayMin700.exe.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5771 bytes
rex_abbey
Active Member
Posts: 5
Joined: April 13th, 2009, 8:54 pm

Re: Redirected Searches

Post by jpshortstuff » April 14th, 2009, 7:31 am

Hi,

Please download DaonolFix from the link below and save it to your Desktop
Download Mirror #1
  • Double-click DaonolFix.exe to run it.
  • Select 1. Find Daonol (no fix) by typing 1 and pressing Enter.
  • You will see a lot of files being listed - don't worry, they are just being scanned.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called DaonolFix.txt).


Download ComboFix by sUBs from here or here

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

**Save it to your desktop**

Double-click on ComboFix.exe and follow the prompts. If you are prompted to install the Recovery Console, I recommend you go ahead and hit Yes.
When finished, it shall produce a log for you. Please save that log to post in your next reply, along with a fresh HJT log.

Notes:
  1. Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please let me know.
  4. ComboFix disconnects your machine from the internet when it runs. This connection should be automatically restored when ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Thanks.
jpshortstuff
WTT Malware Team
Posts: 973
Joined: May 1st, 2007, 12:56 pm

Re: Redirected Searches

Post by rex_abbey » April 14th, 2009, 11:22 am

Thanks so much for your help. I'm trying to follow the rules/instructions as best I can, but not only is this my first tech support, it's also my first time on a forum. Thanks again.

DaonolFix (14.04.09) by jpshortstuff
Log created at 09:34 on 14/04/2009 by Rex
Running from C:\Documents and Settings\Rex\Desktop\DaonolFix.exe

=====Find Daonol=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"aux1"="wdmaud.drv"
"aux2"="wdmaud.drv"
"aux3"="wdmaud.drv"
"aux4"="wdmaud.drv"
"aux5"="wdmaud.drv"
"aux8"="C:\DOCUME~1\Rex\LOCALS~1\Temp\..\rfxsvwb.trc"
"midi"="wdmaud.drv"
"MIDI1"="SYNCOR11.DLL"
"midi2"="wdmaud.drv"
"midi3"="wdmaud.drv"
"midi4"="wdmaud.drv"
"midi5"="wdmaud.drv"
"midi6"="wdmaud.drv"
"midi7"="wdmaud.drv"
"midimapper"="midimap.dll"
"mixer"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"mixer3"="wdmaud.drv"
"mixer4"="wdmaud.drv"
"mixer5"="wdmaud.drv"
"mixer6"="wdmaud.drv"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msg723"="msg723.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.trspch"="tssoft32.acm"
"MSVideo8"="VfWWDM32.dll"
"VIDC.ACDV"="ACDV.dll"
"vidc.cvid"="iccvid.dll"
"vidc.DIVX"="DivX.dll"
"vidc.dvsd"="dvc.dll"
"VIDC.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.M261"="msh261.drv"
"vidc.M263"="msh263.drv"
"VIDC.MP42"="mpg4c32.dll"
"VIDC.MP43"="mpg4c32.dll"
"VIDC.MPG4"="mpg4c32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"vidc.yv12"="DivX.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wave"="wdmaud.drv"
"wave1"="wdmaud.drv"
"wave2"="wdmaud.drv"
"wave3"="wdmaud.drv"
"wave4"="wdmaud.drv"
"wave5"="wdmaud.drv"
"wave6"="wdmaud.drv"
"wavemapper"="msacm32.drv"

-=Daonol Files=-
(none found)

-=End Of File=-

ComboFix 09-04-14.09 - Rex 04/14/2009 9:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.34 [GMT -5:00]
Running from: c:\documents and settings\Rex\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Rex\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Rex\LOCALS~1\Temp\tmp2.tmp

.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-13 16:46 . 2009-04-14 11:32 4195256 ----a-w c:\windows\pfirewall.log.old
2009-04-13 16:02 . 2009-04-13 16:03 -------- d-----w c:\windows\system32\NtmsData
2009-04-13 06:21 . 2009-04-13 06:21 7680 --sha-w c:\windows\Thumbs.db
2009-04-13 05:59 . 2007-09-15 20:11 27136 ----a-w c:\windows\system32\PCWizard.cpl
2009-04-12 19:58 . 2009-04-12 21:25 -------- d-----w C:\rsit
2009-04-12 16:03 . 2009-04-12 16:03 -------- d-----w c:\windows\system32\KB905474
2009-04-12 16:03 . 2009-03-11 03:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-12 16:03 . 2009-03-11 03:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-12 16:03 . 2009-02-09 23:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-12 02:35 . 2009-04-13 00:22 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-12 01:38 . 2008-10-16 19:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-12 01:38 . 2008-10-16 19:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-12 01:38 . 2008-10-16 19:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-11 20:28 . 2009-04-11 20:28 -------- d-----w c:\documents and settings\Rex\Application Data\Malwarebytes
2009-04-11 20:28 . 2009-04-11 20:28 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 19:47 . 2008-12-20 23:15 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-11 19:47 . 2008-12-20 23:15 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-11 19:47 . 2008-12-20 23:15 267776 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-11 19:47 . 2008-12-20 23:15 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-11 19:47 . 2008-12-20 23:15 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-11 19:47 . 2008-12-19 09:10 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-11 19:47 . 2007-04-17 09:32 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-11 19:47 . 2007-03-08 05:10 991232 -c----w c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-11 19:47 . 2008-12-20 23:15 6066688 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-10 03:10 . 2009-04-10 03:16 -------- d-----w c:\documents and settings\Rex\Application Data\IBP
2009-04-01 15:34 . 2009-04-01 15:35 -------- d-----w c:\documents and settings\Rex\Local Settings\Application Data\Thunderbird
2009-04-01 15:34 . 2009-04-01 15:34 -------- d-----w c:\documents and settings\Rex\Application Data\Thunderbird
2009-03-29 02:34 . 1998-07-08 22:30 18944 ----a-r c:\windows\eraser.exe
2009-03-29 00:55 . 2009-03-29 00:55 -------- d-----w c:\windows\system32\scripting
2009-03-29 00:54 . 2009-03-29 00:54 -------- d-----w c:\windows\l2schemas
2009-03-29 00:54 . 2009-03-29 00:54 -------- d-----w c:\windows\system32\en
2009-03-21 19:42 . 2005-02-23 19:58 11776 ----a-w c:\windows\system32\drivers\afc.sys
2009-03-21 19:42 . 2004-08-04 12:52 413696 ----a-r c:\windows\system32\msvcd0cb.rra
2009-03-21 19:41 . 2009-03-23 14:39 -------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2009-03-21 19:36 . 2009-03-21 19:36 25 ----a-w c:\windows\EPSCX9400Fax.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 00:14 . 2009-04-12 19:58 -------- d-----w c:\program files\trend micro
2009-04-13 22:30 . 2006-03-26 06:54 -------- d-----w c:\program files\Ahead
2009-04-13 22:30 . 2006-03-26 06:54 -------- d-----w c:\program files\Common Files\Ahead
2009-04-13 05:59 . 2009-04-13 05:59 -------- d-----w c:\program files\PC Wizard 2008
2009-04-13 00:22 . 2009-04-12 02:35 -------- d-----w c:\program files\Lavasoft
2009-04-12 23:47 . 2009-04-12 16:10 444 ----a-w C:\aaw7boot.log
2009-04-12 16:01 . 2008-02-16 17:54 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-12 06:24 . 2006-10-19 03:01 -------- d-----w c:\program files\Yahoo!
2009-04-05 12:58 . 2006-06-08 03:00 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-05 12:58 . 2006-06-08 03:00 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-05 12:58 . 2006-06-08 03:00 -------- d-----w c:\program files\Symantec
2009-04-01 03:42 . 2009-04-01 03:42 -------- d-----w c:\program files\AVG
2009-03-29 03:07 . 2009-03-29 02:33 -------- d-----w c:\program files\LeechFTP
2009-03-29 01:20 . 2009-03-29 01:20 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009032820090329\index.dat
2009-03-29 01:03 . 2005-08-21 03:41 86327 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-03-29 00:42 . 2002-08-29 12:00 250048 --sha-r C:\ntldr
2009-03-23 19:40 . 2009-03-21 19:36 -------- d-----w c:\program files\epson
2009-03-23 14:40 . 2005-08-21 04:03 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 14:37 . 2009-03-21 19:42 -------- d-----w c:\program files\ArcSoft
2009-03-23 14:36 . 2007-01-03 01:17 -------- d-----w c:\documents and settings\Rex\Application Data\ArcSoft
2009-03-01 21:33 . 2006-02-23 21:07 -------- d-----w c:\program files\Common Files\ACD Systems
2009-03-01 21:33 . 2009-03-01 21:33 -------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2009-03-01 21:33 . 2009-03-01 21:33 -------- d-----w c:\program files\ACD Systems
2009-02-09 11:13 . 2002-08-29 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 13:19 . 2005-08-21 06:06 38336 ----a-w c:\documents and settings\Rex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-20 15:16 . 2007-01-03 05:33 921624 ----a-w C:\img2-001.raw
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-03-19 90112]
"IMONTRAY"="c:\program files\Intel\Intel(R) Active Monitor\imontray.exe" [2002-05-03 32768]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"phc700"="c:\windows\vphc700.exe" [2005-07-21 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TrayMin700.exe.lnk - c:\program files\Philips\SPC 700NC PC Camera\TrayMin700.exe [2007-1-2 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= dvc.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LeechFTP\\Leechftp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

R3 PCIDATA;PCIDATA; [x]
R3 s3m;s3m;c:\windows\system32\DRIVERS\s3m.sys [2001-08-17 166720]
R3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem; [x]
S3 phc700;USB PC Camera (phc700);c:\windows\system32\DRIVERS\phc700.sys [2005-06-07 541568]
S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\PRISMUSB.sys [2003-04-10 636416]

.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-06-08 17:23]

2009-04-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-12 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rex\Application Data\Mozilla\Firefox\Profiles\1jixv2bb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index. ... MC-FF&qry=
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4004)
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Intel(R) Active Monitor\imonNT.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 15:01

Pre-Run: 13,635,125,248 bytes free
Post-Run: 13,969,346,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

189 --- E O F --- 2009-04-13 08:01

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:20 AM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\vphc700.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\SPC 700NC PC Camera\TrayMin700.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [phc700] C:\WINDOWS\vphc700.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: TrayMin700.exe.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5576 bytes
rex_abbey
Active Member
Posts: 5
Joined: April 13th, 2009, 8:54 pm

Re: Redirected Searches

Post by jpshortstuff » April 14th, 2009, 11:31 am

Hi,

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\msvcd0cb.rra
C:\Documents and Settings\Rex\Local Settings\rfxsvwb.trc

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux8"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt.


Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

You don't appear to be running any anti-virus software.

Install anti-virus software! Without any anti-virus software, your computer is wide open to infection. If you don't have any anti-virus software, I strongly recommend you download Avast! or AVG Free.

Let me know how things are running now. Please post a new HijackThis log as well.

Thanks.
jpshortstuff
WTT Malware Team
Posts: 973
Joined: May 1st, 2007, 12:56 pm
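The two posts above show the Daonol persistence trick from both ends: the DaonolFix dump lists an extra "aux8" value under Drivers32 whose data reads `C:\DOCUME~1\Rex\LOCALS~1\Temp\..\rfxsvwb.trc`, and the CFScript then deletes the value and the file at `C:\Documents and Settings\Rex\Local Settings\rfxsvwb.trc`, which is where that path actually lands once the `..` is collapsed. Drivers32 names the driver DLL that the Windows multimedia layer loads into whichever process opens the corresponding device, so an attacker-controlled value there gets code into many processes without a Run key. The script below is an added example, not DaonolFix or anything posted in the thread: it parses a regedit-style Drivers32 dump (a constructed excerpt of the log above), collapses `..` segments to expose the real file location, and flags values that traverse directories, resolve outside System32, or carry an extension no multimedia driver uses. The System32 path and the extension allow-list are assumptions, not facts from the log.

```python
"""Audit a regedit-style dump of the Drivers32 key for values that do not
look like legitimate multimedia drivers.

Added example for the thread above; this is not DaonolFix, ComboFix, or
any code the participants posted.
"""
import ntpath
import re

# Constructed input: an excerpt of the Drivers32 dump DaonolFix printed in the
# thread (not the whole key), in the same "name"="data" export syntax.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"aux8"="C:\DOCUME~1\Rex\LOCALS~1\Temp\..\rfxsvwb.trc"
"MIDI1"="SYNCOR11.DLL"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"vidc.DIVX"="DivX.dll"
"wavemapper"="msacm32.drv"
'''

# Assumptions, not facts from the log: where the system directory lives and
# which extensions a multimedia driver or codec normally carries.
SYSTEM32 = r"C:\WINDOWS\system32"
DRIVER_EXTENSIONS = {".drv", ".dll", ".acm", ".ax"}

_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_drivers32(dump: str) -> dict:
    """Return {value_name: data} for every "name"="data" line in the dump."""
    entries = {}
    for line in dump.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def resolve_driver_path(data: str) -> str:
    """Collapse '..' segments so the path shows where the file really is.

    A '\\Temp\\..\\' segment makes a reader see Temp, while the loader opens
    the parent directory (Local Settings); normalising exposes that.
    """
    return ntpath.normpath(data)


def assess_entry(name: str, data: str, system32: str = SYSTEM32) -> list:
    """Return the reasons an entry looks suspicious (empty list = looks normal).

    Bare file names (no directory) are resolved by the DLL search path and
    cannot be verified from the dump alone; only their extension is checked.
    """
    reasons = []
    if ntpath.dirname(data):
        if ".." in data.split("\\"):
            reasons.append("parent-directory traversal hides the real location")
        resolved = resolve_driver_path(data)
        if not resolved.lower().startswith(system32.lower() + "\\"):
            reasons.append("resolves outside %s" % system32)
    ext = ntpath.splitext(data)[1].lower()
    if ext not in DRIVER_EXTENSIONS:
        reasons.append("unexpected extension %r for a multimedia driver" % ext)
    return reasons


def audit_drivers32(dump: str, system32: str = SYSTEM32) -> dict:
    """Map each suspicious value name to its data, resolved path and reasons."""
    findings = {}
    for name, data in parse_drivers32(dump).items():
        reasons = assess_entry(name, data, system32)
        if reasons:
            findings[name] = {"data": data,
                              "resolved": resolve_driver_path(data),
                              "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, finding in audit_drivers32(SAMPLE_DUMP).items():
        print('"%s"="%s"' % (name, finding["data"]))
        print("    resolves to:", finding["resolved"])
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run against the excerpt, only "aux8" is reported, resolved to `C:\DOCUME~1\Rex\LOCALS~1\rfxsvwb.trc` (LOCALS~1 is the short name of Local Settings), which is the file the CFScript removes. Entries that are bare file names, such as `wdmaud.drv`, pass here only because their extension is ordinary; on a live machine they should be confirmed to exist under System32, since a same-named file earlier on the DLL search path would win.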

Re: Redirected Searches

Post by rex_abbey » April 14th, 2009, 1:35 pm

Hi, thanks for sticking it out with me. I had AVG Free at the time this showed up; I uninstalled it because this got through. I'll reinstall when you say all's clear to do so.

One of the last two scans/tests came up briefly with an error warning about something like "only working with 98, ME, XP OSes"; it disappeared before I could read it.

Also, I must have missed "Show Results" in Malwarebytes, so I didn't get to "Remove Selected", but I don't think it found anything. Please let me know if I need to run it again or something.

ComboFix 09-04-14.09 - Rex 04/14/2009 11:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.30 [GMT -5:00]
Running from: c:\documents and settings\Rex\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rex\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Rex\Local Settings\rfxsvwb.trc
c:\windows\system32\msvcd0cb.rra
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rex\Local Settings\rfxsvwb.trc
c:\windows\system32\msvcd0cb.rra

.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-14 16:03 . 2009-04-14 16:03 -------- d-----w C:\32788R22FWJFW
2009-04-14 14:46 . 2006-03-03 05:42 73728 ----a-w C:\pv.exe
2009-04-13 16:46 . 2009-04-14 11:32 4195256 ----a-w c:\windows\pfirewall.log.old
2009-04-13 16:02 . 2009-04-13 16:03 -------- d-----w c:\windows\system32\NtmsData
2009-04-13 06:21 . 2009-04-13 06:21 7680 --sha-w c:\windows\Thumbs.db
2009-04-13 05:59 . 2007-09-15 20:11 27136 ----a-w c:\windows\system32\PCWizard.cpl
2009-04-12 19:58 . 2009-04-12 21:25 -------- d-----w C:\rsit
2009-04-12 16:03 . 2009-04-12 16:03 -------- d-----w c:\windows\system32\KB905474
2009-04-12 16:03 . 2009-03-11 03:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-12 16:03 . 2009-03-11 03:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-12 16:03 . 2009-02-09 23:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-12 02:35 . 2009-04-13 00:22 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-12 01:38 . 2008-10-16 19:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-12 01:38 . 2008-10-16 19:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-12 01:38 . 2008-10-16 19:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-11 20:28 . 2009-04-11 20:28 -------- d-----w c:\documents and settings\Rex\Application Data\Malwarebytes
2009-04-11 20:28 . 2009-04-11 20:28 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 19:47 . 2008-12-20 23:15 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-11 19:47 . 2008-12-20 23:15 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-11 19:47 . 2008-12-20 23:15 267776 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-11 19:47 . 2008-12-20 23:15 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-11 19:47 . 2008-12-20 23:15 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-11 19:47 . 2008-12-19 09:10 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-11 19:47 . 2007-04-17 09:32 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-11 19:47 . 2007-03-08 05:10 991232 -c----w c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-11 19:47 . 2008-12-20 23:15 6066688 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-10 03:10 . 2009-04-10 03:16 -------- d-----w c:\documents and settings\Rex\Application Data\IBP
2009-04-01 15:34 . 2009-04-01 15:35 -------- d-----w c:\documents and settings\Rex\Local Settings\Application Data\Thunderbird
2009-04-01 15:34 . 2009-04-01 15:34 -------- d-----w c:\documents and settings\Rex\Application Data\Thunderbird
2009-03-29 02:34 . 1998-07-08 22:30 18944 ----a-r c:\windows\eraser.exe
2009-03-29 00:55 . 2009-03-29 00:55 -------- d-----w c:\windows\system32\scripting
2009-03-29 00:54 . 2009-03-29 00:54 -------- d-----w c:\windows\l2schemas
2009-03-29 00:54 . 2009-03-29 00:54 -------- d-----w c:\windows\system32\en
2009-03-21 19:42 . 2005-02-23 19:58 11776 ----a-w c:\windows\system32\drivers\afc.sys
2009-03-21 19:41 . 2009-03-23 14:39 -------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2009-03-21 19:36 . 2009-03-21 19:36 25 ----a-w c:\windows\EPSCX9400Fax.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 16:03 . 2009-04-14 16:03 1068 ----a-w C:\Bug.txt
2009-04-14 00:14 . 2009-04-12 19:58 -------- d-----w c:\program files\trend micro
2009-04-13 22:30 . 2006-03-26 06:54 -------- d-----w c:\program files\Ahead
2009-04-13 22:30 . 2006-03-26 06:54 -------- d-----w c:\program files\Common Files\Ahead
2009-04-13 05:59 . 2009-04-13 05:59 -------- d-----w c:\program files\PC Wizard 2008
2009-04-13 00:22 . 2009-04-12 02:35 -------- d-----w c:\program files\Lavasoft
2009-04-12 23:47 . 2009-04-12 16:10 444 ----a-w C:\aaw7boot.log
2009-04-12 16:01 . 2008-02-16 17:54 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-12 06:24 . 2006-10-19 03:01 -------- d-----w c:\program files\Yahoo!
2009-04-05 12:58 . 2006-06-08 03:00 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-05 12:58 . 2006-06-08 03:00 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-05 12:58 . 2006-06-08 03:00 -------- d-----w c:\program files\Symantec
2009-04-01 03:42 . 2009-04-01 03:42 -------- d-----w c:\program files\AVG
2009-03-29 03:07 . 2009-03-29 02:33 -------- d-----w c:\program files\LeechFTP
2009-03-29 01:20 . 2009-03-29 01:20 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009032820090329\index.dat
2009-03-29 01:03 . 2005-08-21 03:41 86327 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-03-29 00:42 . 2002-08-29 12:00 250048 --sha-r C:\ntldr
2009-03-23 19:40 . 2009-03-21 19:36 -------- d-----w c:\program files\epson
2009-03-23 14:40 . 2005-08-21 04:03 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 14:37 . 2009-03-21 19:42 -------- d-----w c:\program files\ArcSoft
2009-03-23 14:36 . 2007-01-03 01:17 -------- d-----w c:\documents and settings\Rex\Application Data\ArcSoft
2009-03-01 21:33 . 2006-02-23 21:07 -------- d-----w c:\program files\Common Files\ACD Systems
2009-03-01 21:33 . 2009-03-01 21:33 -------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2009-03-01 21:33 . 2009-03-01 21:33 -------- d-----w c:\program files\ACD Systems
2009-02-09 11:13 . 2002-08-29 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 13:19 . 2005-08-21 06:06 38336 ----a-w c:\documents and settings\Rex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-20 15:16 . 2007-01-03 05:33 921624 ----a-w C:\img2-001.raw
.

((((((((((((((((((((((((((((( SnapShot@2009-04-14_14.57.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-14 16:08 . 2005-10-21 01:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-14 14:54 . 2005-10-21 01:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-03-19 90112]
"IMONTRAY"="c:\program files\Intel\Intel(R) Active Monitor\imontray.exe" [2002-05-03 32768]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"phc700"="c:\windows\vphc700.exe" [2005-07-21 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TrayMin700.exe.lnk - c:\program files\Philips\SPC 700NC PC Camera\TrayMin700.exe [2007-1-2 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= dvc.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LeechFTP\\Leechftp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

R3 PCIDATA;PCIDATA; [x]
R3 s3m;s3m;c:\windows\system32\DRIVERS\s3m.sys [2001-08-17 166720]
R3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem; [x]
S3 phc700;USB PC Camera (phc700);c:\windows\system32\DRIVERS\phc700.sys [2005-06-07 541568]
S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\PRISMUSB.sys [2003-04-10 636416]

.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-06-08 17:23]

2009-04-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-12 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rex\Application Data\Mozilla\Firefox\Profiles\1jixv2bb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index. ... MC-FF&qry=
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 11:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Intel(R) Active Monitor\imonNT.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 16:16
ComboFix2.txt 2009-04-14 15:01

Pre-Run: 13,972,914,176 bytes free
Post-Run: 13,959,737,344 bytes free

192 --- E O F --- 2009-04-13 08:01

Malwarebytes' Anti-Malware 1.36
Database version: 1982
Windows 5.1.2600 Service Pack 3

4/14/2009 11:37:20 AM
mbam-log-2009-04-14 (11-37-20).txt

Scan type: Quick Scan
Objects scanned: 71971
Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:43 AM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\vphc700.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\SPC 700NC PC Camera\TrayMin700.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [phc700] C:\WINDOWS\vphc700.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: TrayMin700.exe.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5722 bytes
rex_abbey
Active Member
 
Posts: 5
Joined: April 13th, 2009, 8:54 pm
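The HijackThis log above is what the helper reads line by line: the R0/R1 entries are the browser start and search pages (the values the redirect hijack in this thread would have changed), O4 entries are autostarts, O10 is the Winsock LSP chain and O23 the services. As an added illustration, not code from this thread, from Trend Micro or from MalwareRemoval.com, here is a small Python parser that splits a HijackThis log into its section codes and picks out the entries a reviewer would look at first. The sample lines are copied from the log posted above; the flag rules and the section descriptions are my own assumptions about what to check, not HijackThis's own logic.

```python
import re

# Constructed sample: lines copied from the HijackThis v2.0.2 log posted in
# this thread (no new scan was run for this example).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [phc700] C:\WINDOWS\vphc700.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: TrayMin700.exe.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Every HijackThis entry starts with a section code ("R0", "O4", "O23") and " - ".
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")

# Short description per section code (my summary, assumed, not HijackThis's wording).
SECTION_MEANING = {
    "R0": "IE start/search page registry value",
    "R1": "IE default page/search registry value",
    "R3": "URL search hook",
    "O2": "Browser Helper Object (BHO)",
    "O4": "Autostart entry (Run keys / Startup folder)",
    "O8": "IE context menu item",
    "O9": "IE toolbar button / Tools menu item",
    "O10": "Winsock LSP",
    "O16": "ActiveX object (DPF)",
    "O23": "Windows service",
}


def parse_hjt(text):
    """Return one dict per HijackThis entry; process lists and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        code = m.group("code")
        entries.append({
            "code": code,
            "meaning": SECTION_MEANING.get(code, "other"),
            "body": m.group("body"),
            "raw": raw.strip(),
        })
    return entries


def flag_entries(entries):
    """Pick out entries worth a second look; returns (code, reason, raw line) tuples.

    These are review prompts, not verdicts: the thread's helper left all of the
    sample lines in place, and an O10 LSP entry in particular must never be
    removed by hand because a broken LSP chain breaks networking.
    """
    flags = []
    for e in entries:
        body = e["body"]
        if "(no file)" in body:
            flags.append((e["code"], "target file missing: orphaned entry, a cleanup candidate", e["raw"]))
        elif e["code"] == "O10":
            flags.append((e["code"], "LSP DLL not on HijackThis's known list: verify its vendor, do not delete", e["raw"]))
        elif e["code"] == "O23" and "Unknown owner" in body:
            flags.append((e["code"], "service with no recognised vendor: check the binary's publisher", e["raw"]))
        elif e["code"] == "O4" and body.rstrip().endswith("= ?"):
            flags.append((e["code"], "startup shortcut whose target could not be resolved: inspect the .lnk", e["raw"]))
    return flags


def summarize(entries):
    """Count entries per section code, e.g. {'O4': 3, ...}."""
    counts = {}
    for e in entries:
        counts[e["code"]] = counts.get(e["code"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    for code, reason, raw in flag_entries(parsed):
        print(f"[{code}] {reason}\n    {raw}")
```

Run it on a saved HijackThis log by replacing `SAMPLE_LOG` with the file's contents. The point of the split into `parse_hjt` and `flag_entries` is that the parser is neutral: the rules about what deserves attention live in one short function and can be extended (for example, comparing R0/R1 values against the defaults the helper expects) without touching the line format handling.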

Re: Redirected Searches

Unread postby jpshortstuff » April 14th, 2009, 2:00 pm

Hi,

I just want a sample of something you had. Please go to this site:
Bleeping Computer Submission

Please paste a link to this topic in the first field. Browse to the following file:
C:\QooBox\Quarantine\c\documents and settings\Rex\Local Settings\rfxsvwb.trc.vir

Click Send File.

How are things running? Your logs look good, so if things are running fine with you then we can start to wrap this up.
jpshortstuff
WTT Malware Team
Posts: 973
Joined: May 1st, 2007, 12:56 pm

Re: Redirected Searches

Unread postby jpshortstuff » April 14th, 2009, 2:36 pm

Received - thanks.

How's the computer running?
jpshortstuff
WTT Malware Team
Posts: 973
Joined: May 1st, 2007, 12:56 pm

Re: Redirected Searches

Unread postby rex_abbey » April 14th, 2009, 3:58 pm

Hey there, you're my hero!!

I just cut and pasted the link outta my browser; hope this was what you wanted, let me know if not.

I just went and did a few searches, clicked on a few results, and had no probs w/ being redirected, so, so far so good.

Thank you so much for your time thus far. If you don't mind, I'd be grateful if you could guide me thru a bit of "house cleaning" and "prevention measures" on this end. If I should be posting these questions elsewhere, just let me know.

First of all, you tell me what to and what not to do, and that'll be the computer gospel to me. I would like to:
1. Remove EVERYTHING I don't use, don't want, or shouldn't have.
Can/should I remove this virus file? Can/should I go thru and delete any folders of uninstalled software that are remaining, like:
C:\Program Files\Morpheus\morpheustoolbar.exe
(Someone installed Morpheus at one time and I uninstalled it a long time ago, but this remains.)
How about the non-evil stuff I've uninstalled but is still around, like:
C:\Program Files\Microsoft Expression\Web 2\MEDIA\CAGCAT10\1033\CAGCAT10.MML
2. Empty my recycle bin.
3. Run chkdsk and defrag.
4. Download and install all that I should have (I'm limited to free at this time), i.e. AVG Free?, Ad-Aware? Plus any and everything you recommend.
5. Avoid evil stuff like the plague it can and often is.

Thanks
rex_abbey
Active Member
 
Posts: 5
Joined: April 13th, 2009, 8:54 pm

Re: Redirected Searches

Unread postby jpshortstuff » April 14th, 2009, 4:39 pm

Hi,

Log looks good :thumbup:

Your upload was fine, I've got everything I need.

Click Start >> Run, and then type ComboFix /u and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.

Take a look at this guide:
http://www.malwareremoval.com/tutorials ... slowly.php

This should contain all the information you need to clear out the things you don't need as well as performing the other maintenance items you wished to perform. Programs should be uninstalled via Add/Remove Programs if possible rather than just deleting them.


Now that your system appears to be clean, there are just a few steps I'd like you to take to prevent any future infections.

  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • You don't appear to be running any third party Firewall software.

    Install a firewall! Without a firewall you are very susceptible to being hacked, and people could gain access to your computer. If you don't have a firewall I strongly recommend you download ONE of the following:
    1) Comodo
    2) Agnitum
    3) Sunbelt/Kerio

  • Make sure you update your Anti-Virus software regularly; new viruses are being developed all the time.

  • Some more programs that it would be useful to have [OPTIONAL but RECOMMENDED]:

    Download Spybot Search and Destroy 1.5 from here
    Check for Updates/ Immunize and run a Full System Scan on a regular basis.

    SpywareBlaster is another real-time scanner that prevents most spyware from even being installed.
    Freely available: Download SpywareBlaster

    Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff
jpshortstuff
WTT Malware Team
Posts: 973
Joined: May 1st, 2007, 12:56 pm

Re: Redirected Searches

Unread postby rex_abbey » April 14th, 2009, 5:25 pm

All is well and I'm as happy as I can be. Thanks so much for all the help! Looks like I've got quite a bit of work ahead of me tightening up everything and taking some preventative steps, but after that "virus boot camp", I think I'll take a break for the rest of the day.

Once again, thanks for the help,
Rex
rex_abbey
Active Member
 
Posts: 5
Joined: April 13th, 2009, 8:54 pm

Re: Redirected Searches

Unread postby jpshortstuff » April 15th, 2009, 4:07 am

No problem, glad I could help :thumbup:
jpshortstuff
WTT Malware Team
Posts: 973
Joined: May 1st, 2007, 12:56 pm

Re: Redirected Searches

Unread postby NonSuch » April 15th, 2009, 12:37 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California