Old 06-26-2007, 08:14 PM   #5 (permalink)
nhoribe
OS: Win 2000


Re: allsecurepages.com has hijacked my browser

I have uploaded the catchme.zip to the website. (That archive holds the afkvvy.dll that ComboFix removed from C:\WINNT\system32, which is why the Kaspersky scan below flags it only inside catchme.zip on the Desktop and reports nothing else infected.)

"nobu" - 06/26/2007 16:39:55 - ComboFix 07-06-27.4 - Service Pack 4 NTFS
Command switches used :: C:\Documents and Settings\Administrator\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\afkvvy.dll


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-25 15:13 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-25 14:58 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_130.dat
2007-06-24 20:18 <DIR> d-------- C:\Deckard
2007-06-24 20:01 <DIR> d-------- C:\ie-spyad
2007-06-24 19:55 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-24 19:09 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-06-23 17:03 66,048 --a------ C:\WINNT\system32\wmerrenu.dll
2007-06-23 17:03 53,248 --a------ C:\WINNT\system32\mspmspsv.exe
2007-06-23 17:03 466,944 --a------ C:\WINNT\system32\wmv8dmoe.dll
2007-06-23 17:03 446,464 --a------ C:\WINNT\system32\wmvdmoe.dll
2007-06-23 17:03 368,710 --a------ C:\WINNT\system32\msisam11.dll
2007-06-23 17:03 335,360 --a------ C:\WINNT\system32\wmstream.dll
2007-06-23 17:03 32,768 --a------ C:\WINNT\system32\asferror.dll
2007-06-23 17:03 309,584 --a------ C:\WINNT\system32\wmv8dmod.dll
2007-06-23 17:03 270,336 --a------ C:\WINNT\system32\pdbrowse.dll
2007-06-23 17:03 241,725 --a------ C:\WINNT\system32\msuni11.dll
2007-06-23 17:03 24,064 --a------ C:\WINNT\system32\wmdmlog.dll
2007-06-23 17:03 221,184 --a------ C:\WINNT\system32\msscp.dll
2007-06-23 17:03 188,416 --a------ C:\WINNT\system32\mspmsp.dll
2007-06-23 17:03 184,320 --a------ C:\WINNT\system32\wmpcd.dll
2007-06-23 17:03 163,840 --a------ C:\WINNT\system32\mindex.dll
2007-06-23 17:03 16,384 --a------ C:\WINNT\system32\wmdmps.dll
2007-06-23 17:03 159,744 --a------ C:\WINNT\system32\mswmdm.dll
2007-06-23 17:03 147,456 --a------ C:\WINNT\system32\CEWMDM.dll
2007-06-23 17:03 118,784 --a------ C:\WINNT\system32\wmsdmoe.dll
2007-06-23 17:03 1,290,240 --a------ C:\WINNT\system32\wmploc.dll
2007-06-23 17:03 1,122,304 --a------ C:\WINNT\system32\wmpui.dll
2007-06-22 04:42 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2d8.dat
2007-06-22 04:39 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_540.dat
2007-06-20 14:59 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-20 14:58 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4fc.dat
2007-06-19 15:34 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_234.dat
2007-06-14 16:36 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4ec.dat
2007-06-13 05:25 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4e4.dat
2007-06-08 05:18 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_314.dat
2007-06-07 15:09 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_524.dat
2007-05-26 16:15 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_518.dat
2007-05-25 08:54 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2d4.dat
2007-05-17 10:39 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterVideo
2007-05-13 12:10 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_520.dat
2007-05-12 08:41 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2b4.dat
2007-05-12 08:31 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_514.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 01:32:25 -------- d-----w C:\Program Files\QuickTime
2007-06-25 01:30:19 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-06-25 01:27:16 -------- d-----w C:\Program Files\Common Files\Funk Software
2007-06-22 10:36:02 -------- d-----w C:\Program Files\McAfee
2007-06-14 00:02:16 12,842 ----a-w C:\WINNT\system32\nvModes.dat
2007-05-25 14:56:11 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-04-30 13:16:11 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_504.dat
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-20 1415 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_2cc.dat
2007-04-17 04:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 04:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 04:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 04:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 04:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 04:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 04:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 04:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-17 04:44:20 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-04-17 04:44:18 208,248 ----a-w C:\WINNT\system32\muweb.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-05 07:17:39 2,854,400 ----a-w C:\WINNT\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [11/03/03 04:17p]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [12/22/06 06:02p]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 01:05p C:\WINNT\system32\mobsync.exe]
"nwiz"="nwiz.exe" [06/24/03 08:32p C:\WINNT\system32\nwiz.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/07 05:52p]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/01/07 02:40p]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/01/07 02:42p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop


Contents of the 'Scheduled Tasks' folder
2007-04-01 07:00:09 C:\WINNT\tasks\McQcTask.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 16:41:21
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 06/26/2007 16:42:18
C:\ComboFix-quarantined-files.txt ... 06/26/07 04:41p
C:\ComboFix2.txt ... 06/25/07 03:16p

--- E O F ---


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 26, 2007 7:38:29 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/06/2007
Kaspersky Anti-Virus database records: 353970
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 22270
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:29:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\catchme.zip/afkvvy.dll Infected: Trojan-Downloader.Win32.Agent.bkd skipped
C:\Documents and Settings\Administrator\Desktop\catchme.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007062620070627\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7CC3.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7CD3.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{A1FE0399-F8C2-4577-B96B-43AE789F0AB8}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{F10FE249-2C53-4020-888C-A4687F7A8ECB}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{9A9E724A-52B4-4199-97AF-40A81AC00961}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_130.dat Object is locked skipped
C:\WINNT\Temp\mcafee_KcztGT66OcfMnJD Object is locked skipped
C:\WINNT\Temp\mcafee_ss5XiT70t3ZKYe7 Object is locked skipped
C:\WINNT\Temp\mcmsc_9hLeCZVeavoJxun Object is locked skipped
C:\WINNT\Temp\mcmsc_Aec3ynY9hsIXzU9 Object is locked skipped
C:\WINNT\Temp\mcmsc_aKYajmroXRfezCe Object is locked skipped
C:\WINNT\Temp\mcmsc_kSxN1Bs4wyYHXYi Object is locked skipped
C:\WINNT\Temp\mcmsc_vhsDdrXgJg9kzNe Object is locked skipped
C:\WINNT\Temp\mcmsc_zXYMYUsZQplNIrE Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 7:42:26 PM, on 6/26/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\program files\mcafee\msc\mcshell.exe
C:\WINNT\hh.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
Attached Files
File Type: txt Kasperskyscan.txt (9.7 KB, 1 views)
File Type: txt hijackthislog.txt (5.2 KB, 2 views)
File Type: txt ComboFix.txt (6.6 KB, 1 views)

Last edited by sUBs; 06-26-2007 at 11:31 PM.