Old 08-07-2007, 06:03 PM   #14 (permalink)
Wanderer_Stars
Registered User
 
Join Date: Aug 2007
Posts: 12
OS: XP


Re: Browser Hijacked -- How troublesome...

ComboFix log after downloading Microsoft Update:




2007-08-07 16:57 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-07 16:54 359,808 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-07 15:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-07 15:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-07 15:05 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000007-00001102-00000004-10091102}.dat
2007-08-07 15:05 288 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000007-00001102-00000004-10091102}.dat
2007-08-07 15:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 14:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-07 14:04 <DIR> d-------- C:\Deckard
2007-08-07 13:54 21,312 --a------ C:\WINDOWS\choice.exe
2007-08-07 13:14 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-08-07 13:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-07 02:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-05 14:24 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Yahoo!
2007-08-05 14:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-05 14:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-05 14:18 <DIR> d-------- C:\Program Files\Yahoo!
2007-08-04 22:50 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2007-08-04 20:36 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-03 18:40 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-07-31 13:37 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Publish Providers
2007-07-31 13:34 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-07-31 13:34 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-07-31 13:34 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2007-07-31 13:34 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-07-31 13:34 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Sony
2007-07-31 13:33 <DIR> d-------- C:\Program Files\Sony
2007-07-30 06:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-29 19:51 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-28 01:22 <DIR> d-------- C:\Program Files\AVSMedia
2007-07-25 20:27 76,474 --a------ C:\WINDOWS\War3Unin.dat
2007-07-25 20:27 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-07-25 20:27 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-07-25 20:11 <DIR> d-------- C:\WINDOWS\system32\defaults
2007-07-25 20:11 <DIR> d-------- C:\WINDOWS\system32\data
2007-07-23 14:22 1,082 --a------ C:\WINDOWS\checkip.dat
2007-07-11 12:32 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-11 11:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-07-11 11:25 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-10 17:08 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Apple Computer
2007-07-10 17:05 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-10 17:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 02:40 --------- d-------- C:\Program Files\Messenger
2007-08-07 02:39 --------- d-------- C:\Program Files\Google
2007-08-05 23:13 --------- d-------- C:\Program Files\Warcraft III
2007-08-05 14:17 --------- d-------- C:\Program Files\Trillian
2007-07-29 20:05 --------- d-------- C:\Program Files\Common Files\AVSMedia
2007-07-28 01:24 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\AVSMedia
2007-07-25 19:44 --------- d-------- C:\Program Files\LimeWire
2007-07-12 19:02 --------- d-------- C:\Program Files\QuickTime
2007-07-12 11:22 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\LimeWire
2007-07-06 10:44 --------- d-------- C:\Program Files\Game Cam v1.4
2007-06-25 18:35 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\Help
2007-06-14 20:40 --------- d-------- C:\Program Files\Movie Maker
2007-06-12 22:44 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\AVS4YOU


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-04-29 18:22]
"SoundMan"="SOUNDMAN.EXE" [2005-10-23 23:45 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43]
"CTHelper"="CTHELPER.EXE" [2003-05-28 12:59 C:\WINDOWS\system32\cthelper.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 18:02]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 15:17]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Illidan^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Illidan\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 NVTCP;NVIDIA TCP/IP Protocol Driver;C:\WINDOWS\system32\DRIVERS\NVTcp.sys
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
R3 ltmodem5;LT Modem Driver;C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR


Contents of the 'Scheduled Tasks' folder
2007-08-03 15:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 17:01:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 17:02:10
C:\ComboFix-quarantined-files.txt ... 2007-08-07 17:02
C:\ComboFix2.txt ... 2007-08-07 17:01
C:\ComboFix3.txt ... 2007-08-07 15:41

--- E O F ---
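The log above lists the files ComboFix saw as created in the last few days and the registry Run points. As an added example, not part of this post and not ComboFix's own code, here is a small Python triage script that parses those two sections and flags the entries an analyst would re-check: executables created straight into the Windows root inside the time window, Run values given as a bare file name (resolved through the search path rather than an explicit location), and Run values written as 8.3 short paths. The sample lines are constructed in the shape of the log above; the heuristics, the 14-day window and the reference time are assumptions of this example, and a hit means "verify", not "infected".

```python
"""Triage helper for a ComboFix-style log.

Added example for this thread; not part of ComboFix. Parses the recent-file
listing and the "Reg Loading Points" Run entries, then applies a few
review heuristics. These heuristics are this example's own assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the log above (a few lines of each section).
SAMPLE_LOG = r"""
2007-08-07 15:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 13:54 21,312 --a------ C:\WINDOWS\choice.exe
2007-08-03 18:40 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-07-31 13:34 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-08-07 15:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

((((((((((((((((( Reg Loading Points )))))))))))))))))

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-23 23:45 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 15:17]
"""

# "date time size attributes path"; size is <DIR>, a comma-grouped number,
# or dashes (the Find3M section prints dashes in that column).
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+|-+) (?P<attr>[-a-z]{9}) (?P<path>.+)$"
)
# "Name"="value" [timestamp] or [timestamp resolved-path]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)" '
    r"\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?: (?P<resolved>.+?))?\]$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")

EXEC_EXT = (".exe", ".dll", ".sys", ".pif", ".scr", ".com", ".bat", ".cmd")
WINDIR = "C:\\WINDOWS"            # assumption: the log's Windows directory
AS_OF = datetime(2007, 8, 7, 17, 2)  # completion time printed at the end of the log


def parse(text):
    """Return (files, run_entries) as lists of dicts from a ComboFix-style log."""
    files, runs, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = FILE_RE.match(line)
        if m:
            d = m.groupdict()
            d["when"] = datetime.strptime(f"{d['date']} {d['time']}", "%Y-%m-%d %H:%M")
            d["is_dir"] = d["size"] == "<DIR>" or d["attr"].startswith("d")
            files.append(d)
            continue
        m = RUN_RE.match(line)
        if m and key:
            d = m.groupdict()
            d["key"] = key
            runs.append(d)
    return files, runs


def triage(text, as_of, window_days=14):
    """Return [(subject, reason)] for entries that deserve a manual check."""
    files, runs = parse(text)
    cutoff = as_of - timedelta(days=window_days)
    findings = []
    for f in files:
        if f["is_dir"]:
            continue
        parent, _, name = f["path"].rpartition("\\")
        # Executables dropped directly into %WINDIR% (not a subfolder) recently.
        if parent.upper() == WINDIR and name.lower().endswith(EXEC_EXT) and f["when"] >= cutoff:
            findings.append((f["path"], "executable created directly in the Windows root within the window"))
    for r in runs:
        subject = f"{r['key']}\\{r['name']}"
        if "\\" not in r["value"]:
            # A bare name is located via the search path, not a fixed location;
            # the bracketed path shows what actually resolved this time.
            findings.append((subject, f"Run value is a bare file name; resolved to {r['resolved']}"))
        elif "~" in r["value"]:
            findings.append((subject, "Run value is an 8.3 short path; expand it and confirm the program"))
    return findings


def run_sample():
    """Triage the constructed sample against the log's completion time."""
    return triage(SAMPLE_LOG, AS_OF)


if __name__ == "__main__":
    for subject, reason in run_sample():
        print(f"{subject}\n    {reason}")
```

Run it as-is to see the hits for the sample, or replace SAMPLE_LOG with the contents of a full ComboFix log. Tools run during the cleanup itself drop their own helpers into the same window, so every Windows-root hit has to be reconciled against what was installed when before it is treated as part of the hijack; the script narrows the list, it does not make the call.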