Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Google / Bing Search Engine results hijacked .Help!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby outta » December 22nd, 2009, 11:42 am

I also ran DDS and picked up this from the event log.
I'm guess that it was the TDSSkiller script that killed these services.
12/21/2009 9:24:11 PM, error: Service Control Manager [7034] - The ODLDQ service terminated unexpectedly. It has done this 1 time(s).
12/21/2009 8:23:12 PM, error: Service Control Manager [7034] - The HRJZCDH service terminated unexpectedly. It has done this 1 time(s).
12/21/2009 8:05:39 PM, error: Service Control Manager [7034] - The JMJMJJ service terminated unexpectedly. It has done this 1 time(s).
outta
Regular Member
 
Posts: 17
Joined: December 8th, 2009, 11:57 am
Advertisement
Register to Remove

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby deltalima » December 23rd, 2009, 4:24 am

Hi outta,

Run Combofix:

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures, if not, then follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of the log in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby outta » December 24th, 2009, 1:07 am

I disabled the scanners as requesters. Some like prevx don't give you a shutdown option so I had to disable for 15 minutes.
I downloaded Combofix and it requested and got an update.
It downloaded the Recovery Console then it scanned.
It picked up a few files that i didn't think were suspect but as I had turned off there services it deleted them anyway.
No big loss I'm sure.
It rebooted and when it came back up and put up that window that it was preparing the log.
Now it could be that once it rebooted my PC, the scanners were active again but the window saying it was going to output the log seemed to hang.
I let it run for a few hours and it never opened the log.
I had to reboot to get control back and when I looked for a log, there wasn't one.

I haven't seen my browser do strange things and its running faster.

What next?
Should I run combofix again?

Thanks for your help
outta
Regular Member
 
Posts: 17
Joined: December 8th, 2009, 11:57 am

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby outta » December 24th, 2009, 3:03 am

I ended up running it again and this time it ran to completion.
I'm attaching the output.
You do not have the required permissions to view the files attached to this post.
outta
Regular Member
 
Posts: 17
Joined: December 8th, 2009, 11:57 am

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby Elrond » December 24th, 2009, 2:23 pm

Please do not attache logs but post them in the topic if not specifically asked to attach them. It makes it much more difficult for the helpers to analyze the logs.
This is the last attached log copied to this post.


ComboFix 09-12-23.02 - Colin 12/23/2009 21:10:32.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.2756 [GMT -8:00]
Running from: c:\documents and settings\Colin\Desktop\ComboFix.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Outdated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Colin\Start Menu\Programs\Startup\ePrompter.lnk
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

-- Previous Run --

c:\windows\system32\proquota.exe . . . is missing!!

--------

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-17 15:26 . 2009-12-17 15:26 -------- d-----w- c:\documents and settings\Colin\Local Settings\Application Data\Threat Expert
2009-12-16 07:20 . 2009-12-16 07:20 -------- d-----w- c:\documents and settings\Colin\Application Data\CheckPoint
2009-12-16 07:19 . 2009-12-16 07:19 -------- d-----w- c:\program files\CheckPoint
2009-12-16 07:18 . 2009-12-16 07:18 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-12-16 07:12 . 2009-11-22 23:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-12-16 07:12 . 2009-11-22 23:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-12-16 07:11 . 2009-11-22 23:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-12-16 07:11 . 2009-12-16 07:18 -------- d-----w- c:\windows\system32\ZoneLabs
2009-12-16 07:11 . 2009-12-16 07:11 -------- d-----w- c:\program files\Zone Labs
2009-12-16 07:10 . 2009-12-24 05:10 -------- d-----w- c:\windows\Internet Logs
2009-12-15 07:21 . 2009-12-15 07:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-12-14 06:08 . 2009-12-15 07:36 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-13 21:26 . 2009-12-13 21:26 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-12-13 21:10 . 2009-12-13 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-13 21:10 . 2009-12-13 21:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-07 15:57 . 2009-12-07 15:57 -------- d-----w- c:\documents and settings\Colin\Local Settings\Application Data\Sophos
2009-12-07 15:52 . 2009-12-07 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-12-07 15:50 . 2009-12-07 15:51 -------- d-----w- C:\sophos-detector-stdtsa
2009-12-07 04:26 . 2009-12-17 15:43 -------- d-----w- c:\program files\Sophos
2009-12-07 00:28 . 2009-12-06 20:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-06 20:22 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-06 20:19 . 2009-12-06 20:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-06 20:18 . 2009-12-06 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-06 20:18 . 2009-12-06 20:18 -------- d-----w- c:\program files\Lavasoft
2009-12-05 06:37 . 2009-12-05 06:37 -------- d-----w- c:\documents and settings\Colin\mbox
2009-12-05 06:37 . 2009-12-05 06:37 -------- d-----w- c:\documents and settings\Colin\attachments
2009-12-05 04:30 . 2009-12-05 04:30 -------- d-----w- c:\program files\Trend Micro
2009-12-03 15:53 . 2009-12-20 21:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2009-12-02 16:13 . 2009-12-02 16:13 -------- d-----w- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 05:23 . 2008-07-28 19:59 16608 ----a-w- c:\windows\gdrv.sys
2009-12-24 05:08 . 2009-08-10 23:26 -------- d-----w- c:\program files\Trillian
2009-12-24 05:08 . 2008-08-03 03:18 -------- d-----w- c:\documents and settings\Colin\Application Data\Skype
2009-12-24 02:47 . 2008-08-03 03:22 -------- d-----w- c:\documents and settings\Colin\Application Data\skypePM
2009-12-23 16:15 . 2009-12-23 16:15 20171276 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2009_12_23_07_59_51_full.dmp.zip
2009-12-23 16:09 . 2009-12-16 07:51 2610289 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-23 15:59 . 2009-12-24 02:44 414208 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-12-23 15:59 . 2009-12-24 02:44 1647104 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-12-23 15:48 . 2009-08-15 22:57 -------- d-----w- c:\program files\ePrompter
2009-12-23 15:42 . 2009-07-14 03:36 -------- d-----w- c:\documents and settings\Colin\Application Data\vlc
2009-12-23 07:20 . 2009-07-07 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-12-23 04:17 . 2008-09-28 04:01 -------- d-----w- c:\documents and settings\Colin\Application Data\dvdcss
2009-12-23 04:08 . 2009-05-09 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-22 05:24 . 2009-12-22 05:24 65024 ----a-w- c:\windows\system32\drivers\jraid.tsk
2009-12-21 15:31 . 2009-12-21 15:31 120037 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_12_21_07_25_54_small.dmp.zip
2009-12-21 15:26 . 2009-12-21 15:26 792064 ----a-w- c:\windows\Internet Logs\xDB95.tmp
2009-12-20 23:25 . 2008-08-31 05:52 -------- d-----w- c:\documents and settings\Colin\Application Data\mjusbsp
2009-12-20 18:41 . 2008-09-12 06:20 -------- d-----w- c:\program files\Google
2009-12-19 23:30 . 2009-12-19 23:31 69632 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-12-19 23:29 . 2009-12-19 23:31 1598976 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-12-19 17:27 . 2009-12-19 17:29 891392 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-12-19 17:27 . 2009-12-19 17:29 1656320 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-12-19 17:26 . 2009-12-19 17:29 1656320 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-12-18 03:28 . 2008-08-01 03:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-17 15:24 . 2008-07-29 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-17 15:21 . 2008-07-29 05:32 -------- d-----w- c:\program files\Comodo
2009-12-15 03:10 . 2008-07-29 05:32 99408 -c--a-w- c:\documents and settings\Colin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-12 06:06 . 2009-07-02 14:08 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-05 23:04 . 2008-09-13 22:27 -------- d-----w- c:\program files\FlashGet
2009-12-04 06:34 . 2009-07-07 04:33 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-12-04 06:34 . 2009-07-07 04:33 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-12-04 03:53 . 2009-07-24 02:17 -------- d-----w- c:\program files\MediaCoder
2009-12-04 00:14 . 2009-01-03 20:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2009-01-03 20:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 15:26 . 2008-07-31 20:00 -------- d-----w- c:\documents and settings\Colin\Application Data\AdobeUM
2009-11-26 19:06 . 2009-08-14 19:37 -------- d-----w- c:\documents and settings\Colin\Application Data\U3
2009-11-26 18:18 . 2008-08-01 04:03 -------- d-----w- c:\program files\Java
2009-11-26 02:51 . 2008-09-04 05:16 -------- d-----w- c:\documents and settings\Colin\Application Data\uTorrent
2009-11-18 15:41 . 2009-11-18 15:41 -------- d-----w- c:\documents and settings\Colin\Application Data\Helios
2009-11-18 15:41 . 2009-11-18 15:41 -------- d-----w- c:\program files\TextPad 5
2009-11-04 11:16 . 2009-08-12 10:06 831176 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-03 07:26 . 2009-06-18 14:15 -------- d-----r- c:\program files\Skype
2009-11-03 07:26 . 2009-11-03 07:26 -------- d-----w- c:\program files\Common Files\Skype
2009-11-03 07:26 . 2008-08-03 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-29 05:48 . 2004-08-04 07:56 662016 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 06:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 07:56 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 07:56 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 07:56 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-11 12:17 . 2008-11-23 06:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-29 15:26 . 2006-09-29 02:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-29 15:26 . 2006-09-29 02:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-25 05:56 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Colin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"TaggedFrog"="c:\program files\TaggedFrog\TaggedFrog.exe" [2009-07-13 317952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-09 39408]
"Meebo Notifier"="c:\documents and settings\Colin\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe" [2009-08-21 790528]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-12-08 1884160]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"cdloader"="c:\documents and settings\Colin\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"GEST"="c:\program files\GIGABYTE\GEST\RUN.exe" [2007-12-14 236040]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-27 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-7-31 656896]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-16 65588]
SnagIt 8.lnk - d:\program files\Snagit\SnagIt32.exe [2007-5-1 6395464]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"c:\\Program Files\\altme\\altme.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\downloads\\grahans rebol chatter\\browser.exe"=
"d:\\downloads\\grahans rebol chatter\\browser3.exe"=
"d:\\downloads\\grahans rebol chatter\\browser4.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\NCH Swift Sound\\BroadWave\\broadwave.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Colin\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"85:TCP"= 85:TCP:*:Disabled:BroadWave Web Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/6/2009 12:22 PM 64288]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [7/6/2009 8:33 PM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [7/6/2009 8:33 PM 27656]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [7/6/2009 8:33 PM 4368952]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 5:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 5:30 AM 476528]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1181328]
R3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [7/28/2008 12:01 PM 47624]
R3 PIAFCTM;NetworkActiv PIAFCTM Packet Driver Miniport;c:\windows\system32\drivers\PIAFCTM.sys [8/1/2008 8:45 PM 15488]
S2 gupdate1c9d0c5fcbe0f7e;Google Update Service (gupdate1c9d0c5fcbe0f7e);c:\program files\Google\Update\GoogleUpdate.exe [5/9/2009 8:48 AM 133104]
S3 HRJZCDH;HRJZCDH;c:\docume~1\Colin\LOCALS~1\Temp\HRJZCDH.exe --> c:\docume~1\Colin\LOCALS~1\Temp\HRJZCDH.exe [?]
S3 JMJMJJ;JMJMJJ;c:\docume~1\Colin\LOCALS~1\Temp\JMJMJJ.exe --> c:\docume~1\Colin\LOCALS~1\Temp\JMJMJJ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\44.tmp --> c:\windows\system32\44.tmp [?]
S3 ODLDQ;ODLDQ;c:\docume~1\Colin\LOCALS~1\Temp\ODLDQ.exe --> c:\docume~1\Colin\LOCALS~1\Temp\ODLDQ.exe [?]
S4 CVCGCV;CVCGCV;c:\docume~1\Colin\LOCALS~1\Temp\CVCGCV.exe --> c:\docume~1\Colin\LOCALS~1\Temp\CVCGCV.exe [?]
S4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [7/1/2009 9:46 PM 1205760]
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {0FD48D82-ED3E-45A6-873A-94F7CFA0845B} = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Colin\Application Data\Mozilla\Firefox\Profiles\errowjpz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&o ... &gfns=1&q=
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Colin\Application Data\Mozilla\Firefox\Profiles\errowjpz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Colin\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-WgaLogon - (no file)
AddRemove-{F59AC46C-10C3-4023-882C-4212A92283B3}_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 21:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\JRAID]
"ImagePath"="system32\Drivers\jraid.tsk"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\44.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(1144)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(2864)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-23 21:27:37
ComboFix-quarantined-files.txt 2009-12-24 05:27

Pre-Run: 4,280,025,088 bytes free
Post-Run: 4,201,082,880 bytes free

- - End Of File - - 2BC080CFD486547F54E7684E9D1C10AD
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby deltalima » December 27th, 2009, 7:06 pm

Hi outta,

Please ensure that logs are pasted into your reply, attachments make extra work for anyone reading the thread.

Delete bad services
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat Please save it on your desktop.

@echo off
sc stop HRJZCDH
sc config HRJZCDH start= disabled
sc delete HRJZCDH
sc stop JMJMJJ
sc config JMJMJJ start= disabled
sc delete JMJMJJ
sc stop ODLDQ
sc config ODLDQ start= disabled
sc delete ODLDQ
sc stop CVCGCV
sc config CVCGCV start= disabled
sc delete CVCGCV
exit


Double click FixServices.bat. A window will open and close. This is normal.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Code: Select all
    File::
    c:\windows\Internet Logs\xDB95.tmp
    c:\windows\Internet Logs\xDB4.tmp
    c:\windows\Internet Logs\xDB5.tmp
    c:\windows\Internet Logs\xDB1.tmp
    c:\windows\Internet Logs\xDB2.tmp
    c:\windows\Internet Logs\xDB3.tmp
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    HRJZCDH=-
    JMJMJJ=-
    ODLDQ=-
    CVCGCV=-
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.
** Enable your Antivirus and Firewall, before connecting to the Internet again! **
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby outta » December 27th, 2009, 9:49 pm

ComboFix 09-12-26.05 - Colin 12/27/2009 17:17:34.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.2803 [GMT -8:00]
Running from: c:\documents and settings\Colin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Colin\Desktop\CFScript.txt
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Outdated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\Internet Logs\xDB1.tmp"
"c:\windows\Internet Logs\xDB2.tmp"
"c:\windows\Internet Logs\xDB3.tmp"
"c:\windows\Internet Logs\xDB4.tmp"
"c:\windows\Internet Logs\xDB5.tmp"
"c:\windows\Internet Logs\xDB95.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB3.tmp
c:\windows\Internet Logs\xDB4.tmp
c:\windows\Internet Logs\xDB5.tmp
c:\windows\Internet Logs\xDB95.tmp

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-25 04:19 . 2009-12-27 07:40 -------- d-----w- c:\documents and settings\Colin\DoctorWeb
2009-12-17 15:26 . 2009-12-17 15:26 -------- d-----w- c:\documents and settings\Colin\Local Settings\Application Data\Threat Expert
2009-12-16 07:20 . 2009-12-16 07:20 -------- d-----w- c:\documents and settings\Colin\Application Data\CheckPoint
2009-12-16 07:19 . 2009-12-16 07:19 -------- d-----w- c:\program files\CheckPoint
2009-12-16 07:18 . 2009-12-16 07:18 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-12-16 07:12 . 2009-11-22 23:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-12-16 07:12 . 2009-11-22 23:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-12-16 07:11 . 2009-11-22 23:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-12-16 07:11 . 2009-12-16 07:18 -------- d-----w- c:\windows\system32\ZoneLabs
2009-12-16 07:11 . 2009-12-16 07:11 -------- d-----w- c:\program files\Zone Labs
2009-12-16 07:10 . 2009-12-28 01:26 -------- d-----w- c:\windows\Internet Logs
2009-12-15 07:21 . 2009-12-15 07:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-12-14 06:08 . 2009-12-15 07:36 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-13 21:26 . 2009-12-13 21:26 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-12-13 21:10 . 2009-12-13 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-13 21:10 . 2009-12-13 21:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-07 15:57 . 2009-12-07 15:57 -------- d-----w- c:\documents and settings\Colin\Local Settings\Application Data\Sophos
2009-12-07 15:52 . 2009-12-07 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-12-07 15:50 . 2009-12-07 15:51 -------- d-----w- C:\sophos-detector-stdtsa
2009-12-07 04:26 . 2009-12-17 15:43 -------- d-----w- c:\program files\Sophos
2009-12-07 00:28 . 2009-12-06 20:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-06 20:22 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-06 20:19 . 2009-12-06 20:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-06 20:18 . 2009-12-06 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-06 20:18 . 2009-12-06 20:18 -------- d-----w- c:\program files\Lavasoft
2009-12-05 06:37 . 2009-12-05 06:37 -------- d-----w- c:\documents and settings\Colin\mbox
2009-12-05 06:37 . 2009-12-05 06:37 -------- d-----w- c:\documents and settings\Colin\attachments
2009-12-05 04:30 . 2009-12-05 04:30 -------- d-----w- c:\program files\Trend Micro
2009-12-03 15:53 . 2009-12-20 21:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2009-12-02 16:13 . 2009-12-02 16:13 -------- d-----w- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 01:29 . 2008-07-28 19:59 16608 ----a-w- c:\windows\gdrv.sys
2009-12-28 01:27 . 2008-08-03 03:18 -------- d-----w- c:\documents and settings\Colin\Application Data\Skype
2009-12-28 01:17 . 2009-12-16 07:51 15925248 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-28 01:03 . 2008-08-03 03:22 -------- d-----w- c:\documents and settings\Colin\Application Data\skypePM
2009-12-27 18:53 . 2009-08-10 23:26 -------- d-----w- c:\program files\Trillian
2009-12-27 18:32 . 2009-07-07 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-12-26 23:00 . 2009-07-14 03:36 -------- d-----w- c:\documents and settings\Colin\Application Data\vlc
2009-12-23 16:15 . 2009-12-23 16:15 20171276 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2009_12_23_07_59_51_full.dmp.zip
2009-12-23 15:59 . 2009-12-24 02:44 414208 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-12-23 15:59 . 2009-12-24 02:44 1647104 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-12-23 15:48 . 2009-08-15 22:57 -------- d-----w- c:\program files\ePrompter
2009-12-23 04:17 . 2008-09-28 04:01 -------- d-----w- c:\documents and settings\Colin\Application Data\dvdcss
2009-12-23 04:08 . 2009-05-09 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-22 05:24 . 2009-12-22 05:24 65024 ----a-w- c:\windows\system32\drivers\jraid.tsk
2009-12-21 15:31 . 2009-12-21 15:31 120037 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_12_21_07_25_54_small.dmp.zip
2009-12-20 23:25 . 2008-08-31 05:52 -------- d-----w- c:\documents and settings\Colin\Application Data\mjusbsp
2009-12-20 18:41 . 2008-09-12 06:20 -------- d-----w- c:\program files\Google
2009-12-18 03:28 . 2008-08-01 03:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-17 15:24 . 2008-07-29 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-17 15:21 . 2008-07-29 05:32 -------- d-----w- c:\program files\Comodo
2009-12-15 03:10 . 2008-07-29 05:32 99408 -c--a-w- c:\documents and settings\Colin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-12 06:06 . 2009-07-02 14:08 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-05 23:04 . 2008-09-13 22:27 -------- d-----w- c:\program files\FlashGet
2009-12-04 06:34 . 2009-07-07 04:33 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-12-04 06:34 . 2009-07-07 04:33 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-12-04 03:53 . 2009-07-24 02:17 -------- d-----w- c:\program files\MediaCoder
2009-12-04 00:14 . 2009-01-03 20:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2009-01-03 20:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 15:26 . 2008-07-31 20:00 -------- d-----w- c:\documents and settings\Colin\Application Data\AdobeUM
2009-11-26 19:06 . 2009-08-14 19:37 -------- d-----w- c:\documents and settings\Colin\Application Data\U3
2009-11-26 18:18 . 2008-08-01 04:03 -------- d-----w- c:\program files\Java
2009-11-26 02:51 . 2008-09-04 05:16 -------- d-----w- c:\documents and settings\Colin\Application Data\uTorrent
2009-11-18 15:41 . 2009-11-18 15:41 -------- d-----w- c:\documents and settings\Colin\Application Data\Helios
2009-11-18 15:41 . 2009-11-18 15:41 -------- d-----w- c:\program files\TextPad 5
2009-11-04 11:16 . 2009-08-12 10:06 831176 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-03 07:26 . 2009-06-18 14:15 -------- d-----r- c:\program files\Skype
2009-11-03 07:26 . 2009-11-03 07:26 -------- d-----w- c:\program files\Common Files\Skype
2009-11-03 07:26 . 2008-08-03 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-29 05:48 . 2004-08-04 07:56 662016 ------w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 06:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 07:56 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 07:56 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 07:56 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-11 12:17 . 2008-11-23 06:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-29 15:26 . 2006-09-29 02:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-29 15:26 . 2006-09-29 02:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-24_05.20.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-28 00:59 . 2009-12-28 00:59 16384 c:\windows\Temp\Perflib_Perfdata_64c.dat
+ 2008-07-28 19:46 . 2009-12-28 01:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-28 19:46 . 2009-12-24 02:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-25 02:53 . 2009-12-28 01:08 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-04 00:20 . 2009-12-28 01:00 224361 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Colin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"TaggedFrog"="c:\program files\TaggedFrog\TaggedFrog.exe" [2009-07-13 317952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-09 39408]
"Meebo Notifier"="c:\documents and settings\Colin\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe" [2009-08-21 790528]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-12-08 1884160]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"cdloader"="c:\documents and settings\Colin\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"GEST"="c:\program files\GIGABYTE\GEST\RUN.exe" [2007-12-14 236040]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-27 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-7-31 656896]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-16 65588]
SnagIt 8.lnk - d:\program files\Snagit\SnagIt32.exe [2007-5-1 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"c:\\Program Files\\altme\\altme.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\downloads\\grahans rebol chatter\\browser.exe"=
"d:\\downloads\\grahans rebol chatter\\browser3.exe"=
"d:\\downloads\\grahans rebol chatter\\browser4.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\NCH Swift Sound\\BroadWave\\broadwave.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Colin\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"85:TCP"= 85:TCP:*:Disabled:BroadWave Web Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/6/2009 12:22 PM 64288]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [7/6/2009 8:33 PM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [7/6/2009 8:33 PM 27656]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [7/6/2009 8:33 PM 4368952]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 5:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 5:30 AM 476528]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1181328]
R3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [7/28/2008 12:01 PM 47624]
R3 PIAFCTM;NetworkActiv PIAFCTM Packet Driver Miniport;c:\windows\system32\drivers\PIAFCTM.sys [8/1/2008 8:45 PM 15488]
S2 gupdate1c9d0c5fcbe0f7e;Google Update Service (gupdate1c9d0c5fcbe0f7e);c:\program files\Google\Update\GoogleUpdate.exe [5/9/2009 8:48 AM 133104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\44.tmp --> c:\windows\system32\44.tmp [?]
S4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [7/1/2009 9:46 PM 1205760]
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {0FD48D82-ED3E-45A6-873A-94F7CFA0845B} = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Colin\Application Data\Mozilla\Firefox\Profiles\errowjpz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&o ... &gfns=1&q=
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Colin\Application Data\Mozilla\Firefox\Profiles\errowjpz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Colin\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 17:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\JRAID]
"ImagePath"="system32\Drivers\jraid.tsk"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\44.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(1144)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2009-12-27 17:34:26
ComboFix-quarantined-files.txt 2009-12-28 01:34
ComboFix2.txt 2009-12-24 05:27

Pre-Run: 511,868,928 bytes free
Post-Run: 469,573,632 bytes free

- - End Of File - - 8962B9515062685C0B6B6F841F230A46
outta
Regular Member
 
Posts: 17
Joined: December 8th, 2009, 11:57 am

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby deltalima » December 28th, 2009, 11:31 am

Hi outta,

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log and also let me know how your computer is running now.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby outta » December 29th, 2009, 3:56 am

PC has been running faster and I haven't noticed any search page hijacks since a few iterations back.
Here is the hijack log.
==============================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:16 PM, on 12/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\GIGABYTE\GEST\GEST.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TaggedFrog\TaggedFrog.exe
C:\Documents and Settings\Colin\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
D:\Program Files\Snagit\SnagIt32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Snagit\TSCHelp.exe
D:\Program Files\Snagit\SnagPriv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Colin\Local Settings\Temp\jkos-Colin\binaries\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\Snagit\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\Snagit\SnagItIEAddin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [GEST] "C:\Program Files\GIGABYTE\GEST\RUN.exe"
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [36X Raid Configurer] "C:\WINDOWS\system32\xRaidSetup.exe" boot
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Colin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [TaggedFrog] C:\Program Files\TaggedFrog\TaggedFrog.exe /tray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Meebo Notifier] "C:\Documents and Settings\Colin\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe" /startup
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Colin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SnagIt 8.lnk = D:\Program Files\Snagit\SnagIt32.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8942.cab
O16 - DPF: {9E065E4A-BD9D-4547-8F90-985DC62A5591} (PlayerPT Control) - http://203.97.234.193/PlayerPT.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FD48D82-ED3E-45A6-873A-94F7CFA0845B}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FD48D82-ED3E-45A6-873A-94F7CFA0845B}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{0FD48D82-ED3E-45A6-873A-94F7CFA0845B}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS3\Services\Tcpip\..\{0FD48D82-ED3E-45A6-873A-94F7CFA0845B}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: Google Update Service (gupdate1c9d0c5fcbe0f7e) (gupdate1c9d0c5fcbe0f7e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11593 bytes

I haven't been able to get a log out of Kaspersky Online scanner as it seems to hang and it went on for hours.
I'll post as soon as I do.

Thanks for your help!
outta
Regular Member
 
Posts: 17
Joined: December 8th, 2009, 11:57 am

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby outta » December 30th, 2009, 11:33 am

Here is the Kaspersky output.
The 2nd time I ran it overnight - I came back to a BSOD.
Here is run #3.
==============================
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 30, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 30, 2009 07:49:45
Records in database: 3416507
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: no
Scan e-mail databases: no

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\
J:\
K:\
L:\
M:\

Scan statistics:
Objects scanned: 295683
Threats found: 4
Infected objects found: 7
Suspicious objects found: 18
Scan duration: 03:04:24


File name / Threat / Threats count
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Inbox\1F9F5B7A-0000350E.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Inbox\246D1232-000023D4.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Inbox\60A50731-0000357F.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Inbox\785E1A92-00003579.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Junk E-mail\02FF68E6-00001005.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Junk E-mail\06751E28-00002D30.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Junk E-mail\194274DE-000025BA.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Junk E-mail\22FD7C3F-00000C4F.eml Infected: Trojan-Clicker.HTML.IFrame.aiz 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Junk E-mail\24325C4B-00000AFC.eml Infected: Trojan-Clicker.HTML.IFrame.aiz 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Junk E-mail\5C7368E8-000025BB.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Junk E-mail\6E9F551B-00002807.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail Outta\Junk E-mail\7B641E69-00000AF6.eml Infected: Trojan-Clicker.HTML.IFrame.aiz 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items\06EF4F41-00000A56.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items\07016562-00000A7B.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items\0BEF3043-00000C2A.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items\0E7D23E1-00000A39.eml Infected: Trojan-Clicker.HTML.IFrame.aiz 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items\110E0C2C-00000BE0.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items\5ACF51C3-00000A26.eml Infected: Trojan-Clicker.HTML.IFrame.aiz 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items\693B583C-00000ACA.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items\696105EA-00000ACF.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items\7C034D47-00000AD0.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Inbox\Outta\1CAF1D85-0000643A.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Inbox\Outta\59CF2FEB-00006439.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Colin\My Documents\Downloads\Video Cache Viewer\VideoCacheView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.ke 1
D:\downloads\ebooks\David Blaine Mega magic\davidblainmegamagic.exe Infected: Trojan-PSW.Win32.Agent.klk 1

Selected area has been scanned.
outta
Regular Member
 
Posts: 17
Joined: December 8th, 2009, 11:57 am

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby deltalima » December 30th, 2009, 2:50 pm

Hi outta,

Most of the infections identified by Kaspersky are stored within emails in your Windows Live email account.

First please delete the Files

C:\Documents and Settings\Colin\My Documents\Downloads\Video Cache Viewer\VideoCacheView.exe

and

D:\downloads\ebooks\David Blaine Mega magic\davidblainmegamagic.exe

Please open Windows Live Mail click on the Junk e-mail folder then right click and select Empty ‘junk e-mail’ folder.

Now do the same for the Deleted items folder.

The remaining items in the Inbox and Outta folder will need to be identified manually. Please review the emails in there and delete any that you consider to be from a suspicious source or no longer required.

Now please run another online Kaspersky scan and post the log back here.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby outta » January 1st, 2010, 12:26 pm

looking good!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, January 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, January 01, 2010 04:29:09
Records in database: 3414454
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: no
Scan e-mail databases: no

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\
J:\
K:\
L:\
M:\

Scan statistics:
Objects scanned: 274814
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 04:59:10

No threats found. Scanned area is clean.

Selected area has been scanned.
outta
Regular Member
 
Posts: 17
Joined: December 8th, 2009, 11:57 am

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby deltalima » January 3rd, 2010, 3:20 pm

Hi outta,

looking good!


Great news! Indeed it is looking good now.

We need to ensure Adobe reader and Java are the latest versions and then we are done.

Remove old Java
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs,
    highlight Java(TM) 6 Update 7
    click Remove
  • Close the Add or Remove Programs and the Control Panel windows.

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.2 are vulnerable.
  • Go HERE and click on AdbeRdr920_en_US.exe to download the latest version of Adobe Acrobat Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK

Next please delete the DDS icon from your desktop.

  • Update your AntiVirus Software and keep your other programs up-to-date
    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

    Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby outta » January 4th, 2010, 2:21 am

I updated my Java and Acrobat as instructed.
I've downloaded and installed those other products and they look pretty cool for trapping the kind of infection that got to my PC.
This removal took a lot of cycles and I wouldn't have been able to do it by myself so I'm grateful for all the volunteers on this board.
I'm not a PC novice by any stretch but I had no idea on just how deep the arts of malware and rootkits had evolved or just how hard it would be to remove them. Originally I thought that once a scanner had located a file, I could take the drive offline and remove it in Safe Mode or booting up in BartPE.
That underestimated the sophistication of the malware out there. I couldn't even boot into Safe Mode and then under BartPE, the files were gone!
Registry entries can be hidden from Regedit so you can't even nuke the ones that scanners find easily.

Many thanks for the help and I hope that his post helps others that get infected or helps others from getting caught!

Happy New Year

-outta
outta
Regular Member
 
Posts: 17
Joined: December 8th, 2009, 11:57 am

Re: Google / Bing Search Engine results hijacked .Help!

Unread postby Elrond » January 4th, 2010, 8:37 am

outta this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 491 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware