| Thread ID: 114040 | 2010-11-15 23:11:00 | Annoying Search Redirector Malware | Agahnim (16078) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1153298 | 2010-11-15 23:11:00 | Hi, for the past few weeks, my laptop has been facing Vista related issues. Some vulnerabilities appeared and my computer got infected. Using various anti-virus and spyware programs, I cleaned up the rest. Now the only thing that remains is something that redirects me to spam sites when I click on a search link in Google or any other search engine. None of my anti-spyware programs are detecting it, and looking at HiJackThis, there was stuff in it I was unsure of, but I wasn't going to start fixing it without a second opinion from those who would know this better than I do. I am trying to clean out all this junk before I upgrade to Windows 7 later this month. Here is the HijackThis log I saved during reboot. Can someone point out if there is anything in it that can be removed and cleared out? Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:47 PM, on 11/15/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Absolute Software\Absolute Notifier\AbsoluteNotifier.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Spyware Terminator\SpywareTerminator.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = g.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ww2.cox.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = g.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Absolute Notifier] "C:\Program Files\Absolute Software\Absolute Notifier\AbsoluteNotifier.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: *.moove.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - www.nvidia.com
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} (SonyOnlineInstallerX) - launcher.station.sony.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - gfx1.hotmail.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - platformdl.adobe.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9492 bytes |
Agahnim (16078) | ||
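A log of this shape is easier to review once it is split into typed entries. The helper below is an added example, not code from the thread or from Trend Micro's HijackThis: it parses HJT v2 entry lines (R0/R1/O1.../O23), extracts the file each entry points at, and attaches the review notes a helper typically makes (Trusted Zone sites, hosts-file overrides, services with no publisher, orphans, autostarts from temp directories). The sample lines are copied from the log above. It also illustrates the limit of this kind of tool: HJT enumerates user-land autostart points only, so an MBR bootkit like the TDL4 that ComboFix later reported on this machine never shows up in it.

```python
"""HijackThis (HJT) v2 log triage helper (added example, not from the thread
or from HijackThis itself).  Sample lines are copied from the posted log."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Entry lines look like "O4 - HKLM\..\Run: [Name] C:\path\prog.exe args".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")
# First Windows path (quoted or bare) that ends in an executable/library.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys))', re.IGNORECASE)


@dataclass
class Entry:
    kind: str
    body: str
    path: Optional[str]
    notes: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the 'Xn - ...' entry lines; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(m.group("kind"), body, pm.group(1) if pm else None))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review notes and return only the entries that received one."""
    for e in entries:
        low = e.body.lower()
        if e.kind == "O15":
            # Sites in IE's Trusted Zone run with relaxed security settings.
            e.notes.append("Trusted Zone entry: confirm the site is wanted")
        elif e.kind == "O1":
            # "Hosts: <address> <name>"; the loopback names are default content.
            if e.body.split()[-1].lower() != "localhost":
                e.notes.append("hosts-file override of a non-localhost name")
        elif e.kind == "O23" and "unknown owner" in low:
            e.notes.append("service binary has no publisher info: verify the file")
        if "(no file)" in low:
            e.notes.append("orphan: references a file that no longer exists")
        if e.path and re.search(r"\\te?mp\\", e.path, re.IGNORECASE):
            e.notes.append("runs from a temporary directory")
    return [e for e in entries if e.notes]


def summarize(entries: List[Entry]) -> dict:
    """Count of entries per HJT section, e.g. {'O2': 3, 'O4': 5}."""
    return dict(Counter(e.kind for e in entries))


# Lines copied from the HJT log posted in the thread (a small subset).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista (WinNT 6.00.1904)

Running processes:
C:\Windows\Explorer.EXE

O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O15 - Trusted Zone: *.moove.com
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("sections:", summarize(parsed))
    for e in triage(parsed):
        print(f"{e.kind}: {e.body}\n    -> {'; '.join(e.notes)}")
```

The notes are prompts for a human reviewer, not verdicts; in the thread's own log the flagged items (a Trusted Zone site and two "Unknown owner" Dell/Adobe services) turned out to be benign, while the actual redirector sat in the boot sector.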
| 1153299 | 2010-11-16 00:07:00 | This sounds very much like a rootkit I had to clean out a while ago on a friend's computer. Being a rootkit, std av progs won't find it. Worth looking here support.kaspersky.com |
linw (53) | ||
| 1153300 | 2010-11-16 00:16:00 | I would install the service packs for a start. Once you remove this you can tick these, then tick fix checked. Close browsers. Disable system restore. Uninstall all versions of Java, then install the latest only. It's out of date. This may be the prob, uninstall it:
O4 - HKLM\..\Run: [Absolute Notifier] "C:\Program Files\Absolute Software\Absolute Notifier\AbsoluteNotifier.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
Uninstall adaware and spybot, then reboot, then install malwarebytes and a virus scanner. Then scan the whole hdd |
Speedy Gonzales (78) | ||
| 1153301 | 2010-11-16 00:30:00 | It's fixable..... Please run both these programs..

Please download Malwarebytes' Anti-Malware from one of these places:
www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. Do so.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply.

===============================================

Download Combofix and place it on your Desktop.
download.bleepingcomputer.com/sUBs/ComboFix.exe
Alternate link: GeeksToGo.com
subs.geekstogo.com/ComboFix.exe
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Combofix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it, it will start. You can get help on disabling your protection programs here: www.bleepingcomputer.com/forums/topic114351.html
Please include the C:\ComboFix.txt in your next reply for further review.

Caution..... Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper |
Pancake (6359) | ||
| 1153302 | 2010-11-16 00:32:00 | Thanks thanks, I will do these steps. It should work. | Agahnim (16078) | ||
| 1153303 | 2010-11-16 03:43:00 | @Pancake, I did your steps. Sorry for the late reply. Here are the logs. MalWareBytes was updated and came up clean. It did catch a Hijacker the other day. ComboFix stated it found a rootkit and did the reboot. There must be some leftover stuff because I uninstalled AVG 2011 a while back and uninstalled Spyware Terminator recently, yet it still read these programs as active. Windows Defender does not start up. It was damaged by a virus in the past that I fixed, and I forgot to repair it. Here are the logs. I hope this helps. If anything else is needed, let me know:

Malwarebytes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5123

Windows 6.0.6000
Internet Explorer 8.0.6001.18783

11/15/2010 9:34:32 PM
mbam-log-2010-11-15 (21-34-32).txt

Scan type: Quick scan
Objects scanned: 145688
Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix:

ComboFix 10-11-15.05 - Avanious 11/15/2010 21:12:01.1.2 - x86
Microsoft® Windows Vista Home Premium 6.0.6000.0.1252.1.1033.18.2045.1016 [GMT -6:00]
Running from: c:\users\Avanious\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: AVG Anti-Virus Free Edition 2011 *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Spyware Terminator *enabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Install.exe
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-16 to 2010-11-16 )))))))))))))))))))))))))))))))
.
2010-11-16 03:22 . 2010-11-16 03:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-16 03:22 . 2010-11-16 03:22 -------- d-----w- c:\users\Avanious\AppData\Local\temp
2010-11-16 02:05 . 2010-11-16 02:09 -------- d-----w- c:\users\Avanious\AppData\Roaming\Software Informer
2010-11-16 02:05 . 2010-11-16 02:05 -------- d-----w- c:\program files\Software Informer
2010-11-15 23:29 . 2010-11-16 00:04 -------- d-----w- c:\users\Avanious\AppData\Local\AIM
2010-11-15 23:29 . 2010-11-15 23:29 -------- d-----w- c:\users\Avanious\AppData\Local\AOL
2010-11-15 22:29 . 2010-11-15 22:30 -------- d-----w- c:\users\Avanious\AppData\Local\Adobe
2010-11-12 17:02 . 2010-11-12 17:02 -------- d-----w- C:\VundoFix Backups
2010-11-11 16:47 . 2010-11-11 16:47 -------- d-----w- c:\users\Avanious\AppData\Local\SecondLife
2010-11-08 20:05 . 2010-11-13 02:12 -------- d-----w- c:\users\Avanious\AppData\Local\Kirstens S20
2010-11-08 20:04 . 2010-11-08 20:04 -------- d-----w- c:\programdata\Tarma Installer
2010-11-08 19:35 . 2010-11-08 20:25 -------- d-----w- c:\programdata\Yahoo! Companion
2010-11-06 05:20 . 2010-11-06 05:20 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-05 01:12 . 2010-11-05 01:12 -------- d-----w- C:\found.001
2010-10-28 23:21 . 2010-10-28 23:21 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Sunbelt Software
2010-10-26 03:10 . 2010-10-26 03:10 -------- d-----w- C:\found.000
2010-10-25 03:27 . 2010-11-16 02:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-10-25 03:27 . 2010-10-25 03:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-25 00:23 . 2010-10-25 00:23 -------- d-----w- c:\users\Avanious\AppData\Local\Sunbelt Software
2010-10-25 00:16 . 2010-10-26 02:20 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2010-10-23 12:45 . 2010-10-23 12:45 -------- d-----w- c:\users\Avanious\AppData\Roaming\AVG10
2010-10-23 12:44 . 2010-10-23 12:44 -------- d--h--w- c:\programdata\Common Files
2010-10-23 12:42 . 2010-10-26 17:09 -------- d-----w- c:\programdata\AVG10
2010-10-20 18:05 . 2010-10-20 18:08 -------- d-----w- c:\program files\SecondLifeViewer2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-16 03:08 . 2008-06-20 18:25 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-11-16 03:08 . 2008-06-20 18:30 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-11-08 19:20 . 2008-06-20 18:27 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-10-17 04:28 . 2010-03-31 14:41 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-10-17 04:28 . 2010-03-31 14:41 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-10-16 05:30 . 2010-10-16 05:30 29184 ----a-w- c:\windows\system32\CtLoJack.dll
2010-08-18 21:49 . 2010-08-18 21:49 187808 ----a-w- c:\programdata\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2010-08-18 21:48 . 2010-08-18 21:48 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2008-06-20 396288]
"Software Informer"="c:\program files\Software Informer\softinfo.exe" [2010-06-29 2322501]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-29 36864]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-06-09 96800]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-15 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WeGame.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WeGame.lnk
backup=c:\windows\pss\WeGame.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Avanious^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\users\Avanious\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Absolute Notifier]
2010-10-08 15:01 86184 ----a-w- c:\program files\Absolute Software\Absolute Notifier\AbsoluteNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 15:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3479455144-3011864409-1369270203-1002]
"EnableNotificationsRef"=dword:00000001

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-03-03 12872]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-01 34384]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-03-03 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-06-29 67656]
S2 AbsoluteNotifier;Absolute Notifier;c:\program files\Absolute Software\Absolute Notifier\AbsoluteNotifierService.exe [2010-10-08 10408]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2007-09-07 1373480]
.
Contents of the 'Scheduled Tasks' folder

2010-11-16 c:\windows\Tasks\User_Feed_Synchronization-{17F02C0E-98D9-4CFC-9DAD-C5D4E1E7F716}.job
- c:\windows\system32\msfeedssync.exe [2009-07-09 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ww2.cox.com/myconnection/neworleans/home.cox
mStart Page = hxxp://www.yahoo.com
FF - ProfilePath - c:\users\Avanious\AppData\Roaming\Mozilla\Firefox\Profiles\chrlm1vi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\users\Avanious\AppData\Roaming\Mozilla\Firefox\Profiles\chrlm1vi.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\users\Avanious\AppData\Roaming\Mozilla\Firefox\Profiles\chrlm1vi.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Avanious\AppData\Roaming\Mozilla\Firefox\Profiles\chrlm1vi.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\users\Avanious\AppData\Roaming\Mozilla\Firefox\Profiles\chrlm1vi.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
FF - plugin: c:\program files\JustLeapIn\WebPlayer\loader\npLeap32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Avanious\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Avanious\Documents\Sparkplay Media\Sparkplayer (Beta)\npSparkPlayerNS.dll
FF - plugin: c:\windows\Downloaded Program Files\npsoe.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-fsm - (no file)
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
MSConfigStartUp-Steam - c:\program files\steam\steam.exe
AddRemove-_{0C180787-F8C8-42FD-A9D3-689BA44BEAAF} - c:\program files\Corel\Corel Painter Essentials 3\MSILauncher {0C180787-F8C8-42FD-A9D3-689BA44BEAAF}

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-15 21:22
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3479455144-3011864409-1369270203-1002\Software\SecuROM\License information*]
"datasecu"=hex:26,d8,f9,8f,36,29,20,79,55,81,64,a7,5f,a9,7a,e7,12,28,a2,c8,79,0b,95,e2,b1,0d,58,30,68,89,d3,15,9b,3d,6f,34,1b,9f,43,bd,7e,e1,52,72,38,35,\
"rkeysecu"=hex:dd,f3,9e,c6,03,a4,68,15,50,46,21,46,e7,45,1c,b4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-11-15 21:24:57
ComboFix-quarantined-files.txt 2010-11-16 03:24

Pre-Run: 52,232,495,104 bytes free
Post-Run: 52,135,337,984 bytes free

- - End Of File - - 390FA61DB0342D18BC777391E3B361F0 |
Agahnim (16078) | ||
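Three things in a ComboFix log like this one are worth pulling out mechanically: the Security Center registrations at the top (which are self-reported registry entries, so a badly uninstalled product keeps showing up, exactly as the poster noticed with AVG and Spyware Terminator), any finding made against a raw disk rather than a file (the TDL4 line against \\.\PhysicalDrive0), and the `"EnableLUA"= 0` policy value, which means UAC was switched off on this Vista machine. The script below is an added example, not code from the thread, from ComboFix or from its author; the sample lines are copied from the log above, and the `INSTALLED` set is a constructed assumption that mirrors what the poster said was still on the machine.

```python
"""ComboFix log triage: WSC registrations, disk-level findings, UAC policy.
Added example, not code from the thread or from ComboFix; sample lines are
copied from the posted log, INSTALLED is a constructed assumption."""
import re

# "AV: <name> *<state>* (Updated|Outdated) {<guid>}" as ComboFix prints the
# Windows Security Center registrations; SP: and FW: lines share the shape.
WSC_RE = re.compile(
    r"^(?P<slot>AV|SP|FW): (?P<name>.+?) \*(?P<state>[^*]+)\* "
    r"\((?P<fresh>Updated|Outdated)\) \{(?P<guid>[0-9A-Fa-f-]+)\}$"
)
# Findings reported against a physical disk instead of a file path.
DISK_RE = re.compile(r"^\\\\\.\\PhysicalDrive(?P<disk>\d+) - (?P<msg>.+)$")
# The UAC policy value printed under ...\policies\system.
LUA_RE = re.compile(r'^"EnableLUA"=\s*(?P<val>\d+)')


def parse_combofix(text):
    """Return the registrations, disk findings and UAC state found in the log."""
    report = {"products": [], "disk": [], "uac_enabled": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = WSC_RE.match(line)
        if m:
            report["products"].append(m.groupdict())
            continue
        m = DISK_RE.match(line)
        if m:
            report["disk"].append((int(m.group("disk")), m.group("msg")))
            continue
        m = LUA_RE.match(line)
        if m:
            report["uac_enabled"] = m.group("val") != "0"
    return report


def review_products(report, installed):
    """Flag registrations for products that are no longer installed, that are
    disabled, or whose definitions are outdated.  None of these entries proves
    that real-time protection is actually running; they are registry state."""
    flagged = []
    for p in report["products"]:
        reasons = []
        if p["name"] not in installed:
            reasons.append("not installed")
        if "enabled" not in p["state"]:
            reasons.append(p["state"])
        if p["fresh"] == "Outdated":
            reasons.append("outdated")
        if reasons:
            flagged.append((p["slot"], p["name"], reasons))
    return flagged


# Lines copied from the ComboFix log posted in the thread (a subset).
SAMPLE_LOG = r"""ComboFix 10-11-15.05 - Avanious 11/15/2010 21:12:01.1.2 - x86
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: AVG Anti-Virus Free Edition 2011 *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Spyware Terminator *enabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
C:\Install.exe
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"""

# Constructed assumption: products the poster said were still installed.
INSTALLED = {"Spybot - Search and Destroy", "SUPERAntiSpyware", "Windows Defender"}

if __name__ == "__main__":
    rep = parse_combofix(SAMPLE_LOG)
    for disk, msg in rep["disk"]:
        print(f"PhysicalDrive{disk}: {msg}")
    print("UAC enabled:", rep["uac_enabled"])
    for slot, name, reasons in review_products(rep, INSTALLED):
        print(f"{slot}: {name}: {', '.join(reasons)}")
```

Run against the posted log, every one of the seven registrations gets a reason, which matches the poster's observation that products removed weeks earlier were still being reported as active; the disk line is the only finding that explains the search redirects, and the UAC value is the configuration item a helper would want fixed before the Windows 7 upgrade.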
| 1153304 | 2010-11-16 04:02:00 | Ok, that's good. The rootkit has been fixed and the rest of the log is malware free. All I advise you to do now is to uninstall c:\program files\Viewpoint from Add/Remove as this is a resource hog. This will clear away any of the files and folders that were created by ComboFix. Go to: Start > Run, then copy and paste the following highlighted (blue) text below into the box and click OK.
ComboFix /Uninstall
Please read these for future reference, it may save you future problems with malware:
www.pchelpforum.com/fixed-hijackthis-logs/59327-now-you-all-clean-afterwork.html
www.pchelpforum.com/fixed-hijackthis-logs/64964-so-you-want-prevent-happening.html
www.pchelpforum.com/fixed-hijackthis-logs/57400-how-did-i-get-infected.html
users.telenet.be/bluepatchy/miekiemoes/prevention.html |
Pancake (6359) | ||
| 1153305 | 2010-11-16 05:05:00 | Thank you so much. Everything is all clear and I am not getting anything redirecting me in search. Thanks a mill! | Agahnim (16078) | ||
| 1153306 | 2010-11-16 05:43:00 | You're welcome. | Pancake (6359) | ||