google redirects resubmitted

This is a discussion on google redirects resubmitted within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 08-07-2011, 06:26 PM   #1
Registered Member
 
Join Date: Jun 2011
Posts: 27
OS: xp 2



Initial request was closed because of lack of response. I was out of town at a family wedding so couldn't respond. Sorry. Initial request posted here:

google redirect to "fake" anti-malware sites

I will now download and run ComboFix.

Old 08-07-2011, 07:33 PM   #2

I couldn't figure out how to edit my post so I guess I'm replying to my own new thread. Here is the result of ComboFix:
ComboFix 11-08-07.03 - Dan 08/07/2011 21:38:54.3.2 - x86
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\extensions\{443d8295-3b7c-4052-9a68-8fbc4abccf03}
c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\extensions\{443d8295-3b7c-4052-9a68-8fbc4abccf03}\chrome.manifest
c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\extensions\{443d8295-3b7c-4052-9a68-8fbc4abccf03}\chrome\xulcache.jar
c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\extensions\{443d8295-3b7c-4052-9a68-8fbc4abccf03}\defaults\preferences\xulcache.js
c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\extensions\{443d8295-3b7c-4052-9a68-8fbc4abccf03}\install.rdf
c:\documents and settings\Dan\WINDOWS
c:\documents and settings\Dan\zzgtccatce.tmp
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-07-02 20:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-07-02 20:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 11:43 . 2010-07-05 16:41 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:43 . 2010-07-05 15:11 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-04 11:36 . 2011-06-29 02:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-04 11:36 . 2010-07-05 15:11 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2010-07-05 15:11 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:35 . 2010-07-05 15:11 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-04 11:35 . 2010-07-05 15:11 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-04 11:32 . 2010-07-05 15:11 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2010-07-05 15:11 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-04 11:32 . 2010-07-05 15:11 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-27 18:05 . 2011-06-27 18:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2008-04-14 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-06-27 18:04 . 2011-05-27 19:35 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"AudioSetup"="c:\program files\IDT\setup.exe" [2007-07-27 117200]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"CardDetectorHUAWEI1752_1552"="c:\program files\CardDetector\HUAWEI1752_1552\CardDetector.exe" [2009-08-27 282624]
"IEWINTERNET-SPSessionManager"="c:\program files\Orange\Internet Everywhere\SessionManager\SessionManager.exe" [2009-08-27 140016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
PHOTOfunSTUDIO 5.0.lnk - c:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2010-9-9 172544]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Orange\\Internet Everywhere\\Connectivity\\ConnectivityManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/28/2011 10:54 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/5/2010 11:11 AM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/5/2010 11:11 AM 19544]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [7/5/2010 9:51 PM 88176]
S0 cerc6;cerc6; [x]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [9/30/2010 2:55 PM 102656]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-08-07 22:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,c5,00,a3,e7,dc,2e,42,b8,91,ee,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,c5,00,a3,e7,dc,2e,42,b8,91,ee,\
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ *×*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3632)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-08-07 22:17:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-08 02:17
.
Pre-Run: 3,106,390,016 bytes free
Post-Run: 3,748,339,712 bytes free
.
- - End Of File - - A484E1AF3F2F24641DC65856DA5ECD48

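A triage pass over a ComboFix log like the one above, added here as an example (it is not part of the original thread and not ComboFix's own code). It pulls out the three things a reviewer reads first, the Other Deletions paths, the Run autostart entries and the DLLs ComboFix found loaded in explorer.exe, and flags any path that lives in a user-writable or temporary directory or in a Firefox extension folder named only by a GUID, which is where both real hits in this log sit. The log excerpt embedded in the block is copied (abridged) from the post above; the directory list and the flagging rules are this example's assumptions, not anything ComboFix does.

```python
"""Triage a ComboFix log (added example; not ComboFix's own code).

Pulls out the Other Deletions paths, the Run autostart entries and the DLLs
loaded in explorer.exe, then flags paths in user-writable or temp locations.
The directory list and the rules below are this example's assumptions.
"""
import re

# User-writable or temporary locations: legitimate software rarely needs to
# autostart from, or inject a DLL from, any of these.
SUSPICIOUS_DIRS = ("\\documents and settings\\", "\\windows\\temp\\",
                   "\\local settings\\temp\\")
# A Firefox extension folder named only by a GUID (no readable add-on id).
FF_EXT_GUID = re.compile(
    r"\\extensions\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
RUN_KEY = re.compile(r"^\[(?:hkey_local_machine|hkey_current_user)\\software"
                     r"\\microsoft\\windows\\currentversion\\run\]$", re.I)
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
DLL_HEADER = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)")
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)


def parse_combofix(text):
    """{'deletions': [path], 'run': {name: path}, 'injected': {proc: [dll]}}"""
    out = {"deletions": [], "run": {}, "injected": {}}
    section = proc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("(((("):        # main section banner
            section = "deletions" if "Other Deletions" in line else None
        elif line.startswith("---"):       # supplementary section banner
            section = "dlls" if "DLLs Loaded Under Running Processes" in line else None
        elif line.startswith("["):         # registry key header
            section = "run" if RUN_KEY.match(line) else None
        elif section == "deletions" and DRIVE_PATH.match(line):
            out["deletions"].append(line)
        elif section == "run":
            m = RUN_ENTRY.match(line)
            if m:
                out["run"][m.group("name")] = m.group("path")
        elif section == "dlls":
            m = DLL_HEADER.match(line)
            if m:
                proc = m.group("proc")
                out["injected"].setdefault(proc, [])
            elif proc and DRIVE_PATH.match(line):
                out["injected"][proc].append(line)
    return out


def why_suspicious(path):
    """Reason string if the path lives somewhere worth a second look, else None."""
    p = path.lower()
    if FF_EXT_GUID.search(p):
        return "GUID-named Firefox extension directory"
    if any(d in p for d in SUSPICIOUS_DIRS):
        return "user-writable or temp location"
    return None


def triage(text):
    """(where, path, reason) for every deletion plus every flagged autostart
    entry or injected DLL."""
    parsed = parse_combofix(text)
    findings = [("deleted", p, why_suspicious(p) or "removed by ComboFix")
                for p in parsed["deletions"]]
    for name, path in parsed["run"].items():
        if why_suspicious(path):
            findings.append(("autostart " + name, path, why_suspicious(path)))
    for proc, dlls in parsed["injected"].items():
        findings += [("loaded in " + proc, d, why_suspicious(d))
                     for d in dlls if why_suspicious(d)]
    return findings


# Excerpt copied (abridged) from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\extensions\{443d8295-3b7c-4052-9a68-8fbc4abccf03}\chrome\xulcache.jar
c:\documents and settings\Dan\zzgtccatce.tmp
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3632)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for where, path, reason in triage(text):
        print(f"{where:24} {reason:40} {path}")
```

Location is a lead, not a verdict. The Logitech DLL in c:\windows\TEMP\logishrd gets flagged, yet the same log shows the Logitech process service LVPrcSrv.exe running, and the DLL is deleted and shows up again on the next ComboFix run, which is what a benign component re-dropped by a running service looks like. The Firefox extension is the opposite case: a GUID-only directory with a chrome.manifest and an xulcache.jar that ESET later labels Win32/TrojanDownloader.Tracur.F and JS/Agent.NDJ, and a browser extension the user never installed is the natural suspect for search redirects.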
Old 08-07-2011, 07:37 PM   #3
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,837
OS: XP Pro; XP Home; Win7 x86 & x64



Welcome back. Clark76 is on break but I'll help finish this.

Have the redirects stopped?

I see that you have Malwarebytes' Anti-Malware installed.

Please update its definitions, and run a new Quick Scan.
  • Launch Malwarebytes' Anti-malware
  • On the updates tab, click on Check for Updates
  • If an update is found, it will begin. Once the update is complete..
  • Click on the Scanner tab. Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Old 08-08-2011, 10:46 AM   #4

I conducted a number of google searches, and the redirects seem to have stopped, at least for the moment.

Malwarebytes didn't find any infected objects. Here are the results of the scan:

Malwarebytes' Anti-Malware 1.51.1.1800
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 7411

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/8/2011 1:31:13 PM
mbam-log-2011-08-08 (13-31-13).txt

Scan type: Quick scan
Objects scanned: 154011
Time elapsed: 19 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thank you for the help.
Old 08-08-2011, 10:56 AM   #5

Ok, good.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

J2SE Runtime Environment 5.0 Update 6

These are all outdated, and they are security risks if left installed. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Leave Java(TM) 6 Update 26 alone, as it has the most recent security updates.

---------------------------------------------------------------------------------------------


Go here to run an online scanner from ESET.
  • Note: For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
Old 08-09-2011, 05:01 AM   #6

The scan found 5 infected files. The log is included below. The redirects haven't occurred in a while, but my computer seems to be running significantly slower than normal. Here's the log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=4356d22a6d8bd7479f59b4dc97bad3a7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-09 05:58:32
# local_time=2011-08-09 01:58:32 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 33593378 33593378 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=67375
# found=5
# cleaned=0
# scan_time=11881
C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\9\1dc579c9-63bed303 a variant of Win32/Kryptik.QWJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\extensions\{443d8295-3b7c-4052-9a68-8fbc4abccf03}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\extensions\{443d8295-3b7c-4052-9a68-8fbc4abccf03}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7028DA9A-2DDE-4585-8F7E-8B31A9858440}\RP145\A0031790.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7028DA9A-2DDE-4585-8F7E-8B31A9858440}\RP149\A0032047.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
Old 08-09-2011, 06:55 AM   #7

Good job...next steps...

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    File::
    C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\9\1dc579c9-63bed303

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


    ---------------------------------------------------------------------------------------------
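The CFScript step above, as a small generator added here as an example (not the thread's own code, and not part of ComboFix or ESET). It parses the ESET log from reply #6, sets aside the hits that sit in ComboFix's Qoobox quarantine or in System Restore's _restore snapshots, both of which ComboFix /Uninstall clears on its own, and writes a File:: section for whatever is left, which in this thread is exactly the Java Deployment cache entry the moderator put in the script. The five log lines embedded below are the ones from the post; the column layout (path, detection name, status in parentheses, a 32-hex field, a one-letter flag) is inferred from those lines only and is an assumption of this example.

```python
"""Build a ComboFix CFScript from an ESET Online Scanner log.

Added example, not from the thread and not part of ComboFix or ESET. The five
log lines embedded below are the ones posted in this thread; the column layout
assumed here (path, detection, status in parentheses, 32-hex field, flag) is
inferred from those lines only.
"""
import re

ESET_HIT = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:a variant of\s+)?\S+/\S+.*?)\s+"
    r"\((?P<status>[^)]*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S)$"
)
# Locations that ComboFix /Uninstall clears by itself: its own quarantine and
# the System Restore snapshots it resets. Hits there need no File:: entry.
CLEARED_BY_UNINSTALL = ("\\qoobox\\quarantine\\", "\\system volume information\\")


def parse_eset_log(text):
    """One dict per detection line; '#' header lines are skipped."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ESET_HIT.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def needs_file_directive(path):
    """True if the file must be named in CFScript rather than left to /Uninstall."""
    p = path.lower()
    return not any(marker in p for marker in CLEARED_BY_UNINSTALL)


def build_cfscript(hits):
    """CFScript text: a File:: header then one path per line, or '' if nothing
    is left to delete."""
    paths = [h["path"] for h in hits if needs_file_directive(h["path"])]
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


# The detection lines from the ESET log posted in reply #6.
SAMPLE_ESET_LOG = r"""
# found=5
# cleaned=0
C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\9\1dc579c9-63bed303 a variant of Win32/Kryptik.QWJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\extensions\{443d8295-3b7c-4052-9a68-8fbc4abccf03}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\extensions\{443d8295-3b7c-4052-9a68-8fbc4abccf03}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7028DA9A-2DDE-4585-8F7E-8B31A9858440}\RP145\A0031790.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7028DA9A-2DDE-4585-8F7E-8B31A9858440}\RP149\A0032047.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ESET_LOG
    hits = parse_eset_log(text)
    for h in hits:
        tag = "CFScript" if needs_file_directive(h["path"]) else "uninstall clears"
        print(f"{tag:17} {h['detection']:45} {h['path']}")
    print(build_cfscript(hits) or "nothing left for CFScript")
```

The Java hit is worth a second thought beyond deleting it: the Deployment cache holds applets and JARs fetched by the browser's Java plug-in, so a trojan there is consistent with a drive-by through the outdated J2SE 5.0 runtime that reply #5 has the user remove, and clearing the cache afterwards (Java Control Panel, Temporary Internet Files, Delete Files) removes any siblings the scanner did not name.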
Old 08-09-2011, 10:08 AM   #8

OK. I think I did everything exactly as the instructions indicated. Here are the results:

ComboFix 11-08-09.02 - Dan 08/09/2011 12:26:55.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.522 [GMT -4:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\9\1dc579c9-63bed303"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\9\1dc579c9-63bed303
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-09 02:29 . 2011-08-09 02:29 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-07-02 20:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-07-02 20:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 11:43 . 2010-07-05 16:41 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:43 . 2010-07-05 15:11 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-04 11:36 . 2011-06-29 02:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-04 11:36 . 2010-07-05 15:11 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2010-07-05 15:11 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:35 . 2010-07-05 15:11 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-04 11:35 . 2010-07-05 15:11 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-04 11:32 . 2010-07-05 15:11 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2010-07-05 15:11 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-04 11:32 . 2010-07-05 15:11 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-27 18:05 . 2011-06-27 18:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2008-04-14 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-06-27 18:04 . 2011-05-27 19:35 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-08_02.03.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-09 16:45 . 2011-08-09 16:45 16384 c:\windows\Temp\Perflib_Perfdata_70.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"AudioSetup"="c:\program files\IDT\setup.exe" [2007-07-27 117200]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"CardDetectorHUAWEI1752_1552"="c:\program files\CardDetector\HUAWEI1752_1552\CardDetector.exe" [2009-08-27 282624]
"IEWINTERNET-SPSessionManager"="c:\program files\Orange\Internet Everywhere\SessionManager\SessionManager.exe" [2009-08-27 140016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
PHOTOfunSTUDIO 5.0.lnk - c:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2010-9-9 172544]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Orange\\Internet Everywhere\\Connectivity\\ConnectivityManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/28/2011 10:54 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/5/2010 11:11 AM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/5/2010 11:11 AM 19544]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [7/5/2010 9:51 PM 88176]
S0 cerc6;cerc6; [x]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [9/30/2010 2:55 PM 102656]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\98v222lk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-08-09 12:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,c5,00,a3,e7,dc,2e,42,b8,91,ee,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,c5,00,a3,e7,dc,2e,42,b8,91,ee,\
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ *×*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2156)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-08-09 12:59:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-09 16:59
ComboFix2.txt 2011-08-08 02:17
.
Pre-Run: 3,989,618,688 bytes free
Post-Run: 3,977,830,400 bytes free
.
- - End Of File - - DB403E05A33F1155557A2CCA10CD621E
Old 08-09-2011, 10:11 AM   #9

The other items Eset found are in ComboFix quarantine or System restore's cache, and will be addressed by uninstalling ComboFix as instructed below.

Other than that....We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

ComboFix /Uninstall
This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

---------------------------------------------------------------------------------------------

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - Microsoft Windows Update
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here OSI - Consumer - Products for out of date & vulnerable common applications on your computer

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look here:
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
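One defender-side check that follows from the HOSTS file explanation in the post above, as an added example that is not part of this thread: a small Python script that parses a HOSTS file and separates MVPS-style block entries (names pointed at 127.0.0.1 or 0.0.0.0) from entries that send real sites to some other address, which is what a hosts-based browser redirect looks like. The sample HOSTS content, the example domains and the 198.51.100.7 address are all constructed.

```python
"""Audit a Windows HOSTS file: tell MVPS-style ad-blocking entries apart
from entries that override DNS for real sites (a redirect hijack sign).
Added example, not from the thread; the HOSTS content below is constructed."""
import ipaddress

# Addresses that make a name unreachable rather than redirecting it.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in HOSTS format: IP address, then one or more names.
SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1       localhost
0.0.0.0         ads.example.net             # MVPS-style block entry
127.0.0.1       adserver.example            # block entry
198.51.100.7    www.google.com              # constructed hijack (TEST-NET-2)
198.51.100.7    www.bing.com  search.yahoo.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: skip rather than guess
        for name in fields[1:]:
            yield str(ip), name.lower()

def classify_hosts(text):
    """Return {'block': [names], 'hijack': [(name, ip)]}.
    block  = name mapped to a black-hole address (benign ad blocking)
    hijack = name mapped anywhere else, overriding DNS for that site"""
    result = {"block": [], "hijack": []}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one loopback entry every HOSTS file should have
        if ip in BLACKHOLE:
            result["block"].append(name)
        else:
            result["hijack"].append((name, ip))
    return result

if __name__ == "__main__":
    for name, ip in classify_hosts(SAMPLE_HOSTS)["hijack"]:
        print(f"suspicious: {name} -> {ip}")
```

To run it against a real machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to classify_hosts; any name in the hijack list that you did not put there yourself deserves a look.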
Old 08-10-2011, 11:25 AM   #10
Registered Member
 
Join Date: Jun 2011
Posts: 27
OS: xp 2



I uninstalled combofix and deleted the other programs and the logs I could find on the desktop. I'll follow your advice for maintaining my system. Thank you for all of the help!
__________________
mmont is offline  
Old 08-10-2011, 01:22 PM   #11
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,837
OS: XP Pro; XP Home; Win7 x86 & x64



You're quite welcome, I'm happy to have helped.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Copyright 2001 - 2014, Tech Support Forum