#1 (permalink)
Registered User
Join Date: Aug 2007
Posts: 12
OS: XP
Browser Hijacked -- How troublesome...
I know you guys are really busy, but before I delete anything I would like to have a tech look at it. Really appreciate it.
~Wanderer of the Stars~
Here's the log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Illidan\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.planetgamecam.com/index.php?locid=tutorials
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: msscds32.msdn_hlp - {279A05E3-C129-4189-BA16-F0DB908C89B0} - C:\WINDOWS\system32\msscds32.dll
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1181879059489
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D289D8-6E5F-49F9-B3D0-60F0A2420152}: NameServer = 213.246.33.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB6AD7A-C23E-4260-A824-002447FBD892}: NameServer = 213.246.33.228
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
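The two entry types that end up driving the fix list in this thread (O2 BHOs registered to a DLL that no longer exists, and O17 NameServer overrides pointing at a resolver the owner never configured) can be picked out of a HijackThis log mechanically. The Python below is an added example written for this page, not a tool from the thread or from HijackThis; its sample input is a constructed subset of the log above, and the expected-resolver set it accepts is an assumption the reader fills in from their own ISP or router settings.

```python
"""Triage of HijackThis log lines (added example for this page; not a tool from the
thread or from HijackThis itself).

Two rules that correspond to what a responder asks to be fixed:
  * O2 BHO entries whose DLL is "(no file)" are orphaned CLSID registrations;
  * O17 NameServer values that point at a public resolver the owner never set.
The `expected` resolver set is an assumption: fill it from the ISP/DHCP lease.
"""
import ipaddress
import re

ENTRY_RE = re.compile(r"^([OR]\d+) - ")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NS_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")

# Constructed sample: a subset of the lines in the log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: msscds32.msdn_hlp - {279A05E3-C129-4189-BA16-F0DB908C89B0} - C:\WINDOWS\system32\msscds32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D289D8-6E5F-49F9-B3D0-60F0A2420152}: NameServer = 213.246.33.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB6AD7A-C23E-4260-A824-002447FBD892}: NameServer = 213.246.33.228
"""


def parse_entries(log_text):
    """Yield (section, line) for every 'Oxx -' / 'Rx -' line; process lists are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), line


def orphaned_bhos(log_text):
    """CLSIDs of O2 entries whose DLL is gone from disk but whose registration remains."""
    out = []
    for section, line in parse_entries(log_text):
        if section != "O2":
            continue
        m = BHO_RE.match(line)
        if m and m.group("path") == "(no file)":
            out.append(m.group("clsid"))
    return out


def rogue_nameservers(log_text, expected=()):
    """(interface key, address) for O17 resolvers that are neither RFC1918 nor expected."""
    expected = {ipaddress.ip_address(x) for x in expected}
    out = []
    for section, line in parse_entries(log_text):
        if section != "O17":
            continue
        m = NS_RE.match(line)
        if not m:
            continue
        for token in re.split(r"[,\s]+", m.group("servers")):
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                out.append((m.group("key"), token))  # unparsable value: report it as-is
                continue
            # Private addresses are the LAN router handing out DHCP; leave those alone.
            if not ip.is_private and ip not in expected:
                out.append((m.group("key"), token))
    return out


def fix_list(log_text, expected_resolvers=()):
    """Full log lines a responder would tick under 'Fix checked' from the two rules above."""
    bad_clsids = set(orphaned_bhos(log_text))
    bad_keys = {key for key, _ in rogue_nameservers(log_text, expected_resolvers)}
    lines = []
    for section, line in parse_entries(log_text):
        if section == "O2" and any(c in line for c in bad_clsids):
            lines.append(line)
        elif section == "O17" and any(k in line for k in bad_keys):
            lines.append(line)
    return lines


if __name__ == "__main__":
    for line in fix_list(SAMPLE_LOG):
        print(line)
```

Private (RFC 1918) addresses are treated as the local router and never flagged; any public resolver not in the expected set is reported together with the interface GUID it was set on, which is exactly the O17 line that gets ticked. The BHO rule only catches registrations with no file behind them; a BHO that does have a DLL on disk (such as the msscds32.dll entry above) still needs a human to judge it from its path and vendor information.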
#2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: Browser Hijacked -- How troublesome...
Do you have an antivirus program installed on this machine?
If the answer is yes, tell me its name & the last time you did a full system scan. If the answer is no, then tell me if you have considered wiping the machine.
__________________
Question - what have you done for the community today?
#3 (permalink)
Registered User
Join Date: Aug 2007
Posts: 12
OS: XP
Re: Browser Hijacked -- How troublesome...
Ouch, is it really that bad?
I've been trying to go through your five step program but it's been hell. Along with my websites redirecting, I also get the 'blue screen of death' occasionally and my Linksys router keeps dropping a signal. I am trying to resolve both. As for wiping my system, that would be a last option. After about 4 tries I was able to connect and scan with the Panda Active Scan you guys offer in your 5 step program. I can post the results, but I'll warn you... it's not pretty.
~Wanderer of the Stars~
#4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: Browser Hijacked -- How troublesome...
May I ask why there isn't an antivirus program installed?
__________________
Question - what have you done for the community today?
#5 (permalink)
Registered User
Join Date: Aug 2007
Posts: 12
OS: XP
Re: Browser Hijacked -- How troublesome...
No anti-virus, probably because I am a newb.
I have a decent firewall, I just don't manage it properly. I still don't know how to penetrate workgroups on a LAN without dropping the firewall. So I would drop my firewall to exchange files, then completely forget about resetting it. As for anti-virus, I didn't think it was necessary with a firewall and I wouldn't use one unless recommended. The vibe I'm getting from you is that NOT having anti-virus software is a major no-no..... I'm sorry!! (btw sUBs, thx for the time you are taking to help me)
~Wanderer of the Stars~
#6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: Browser Hijacked -- How troublesome...
Quote:
Go straight to Step #5. It will produce the logs I require.
__________________
Question - what have you done for the community today?
#7 (permalink)
Registered User
Join Date: Aug 2007
Posts: 12
OS: XP
Re: Browser Hijacked -- How troublesome...
Yes, I'll d/l any anti-virus.
Here is the main.txt log:

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
62: 2007-08-07 21:05:38 UTC - RP87 - Deckard's System Scanner Restore Point
61: 2007-08-07 10:40:01 UTC - RP86 - System Checkpoint
60: 2007-08-06 08:21:59 UTC - RP85 - System Checkpoint
59: 2007-08-05 05:50:44 UTC - RP84 - Installed Debugging Tools for Windows
58: 2007-08-05 02:42:49 UTC - RP83 - System Checkpoint

-- First Restore Point --
1: 2007-06-13 05:43:46 UTC - RP26 - Installed Windows Media Format 9 Series Runtime Setup

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Illidan.exe) ---------------------------------------------
Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-07 14:10:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cthelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Illidan\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.planetgamecam.com/index.php?locid=tutorials
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: msscds32.msdn_hlp - {279A05E3-C129-4189-BA16-F0DB908C89B0} - C:\WINDOWS\system32\msscds32.dll
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE\..\Run: [nwiz] nwiz.exe /install
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKEY_LOCAL_MACHINE\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra 'Tools' menuitem: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} () - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1186520408045
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{C3D289D8-6E5F-49F9-B3D0-60F0A2420152}: NameServer = 213.246.33.228
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFB6AD7A-C23E-4260-A824-002447FBD892}: NameServer = 213.246.33.228
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

-- File Associations -----------------------------------------------------------
All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R2 ZWCWDEJS - c:\windows\system32\zwcwdejs.afp
S2 vdo_b76-4b6b - c:\windows\system32\vdo_b76-4b6b.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>
R2 ForcewareWebInterface (Forceware Web Interface) - "c:\program files\nvidia corporation\networkaccessmanager\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 nSvcIp (ForceWare IP service) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcip.exe <Not Verified; NVIDIA; NVIDIA nSvcIp>
R2 nSvcLog (ForceWare user log service) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvclog.exe <Not Verified; NVIDIA; NVIDIA nSvcLog>

-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------
2007-08-03 08:47:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-07-07 and 2007-08-07 -----------------------------
2007-08-07 14:07:04 0 d-------- C:\Program Files\Trend Micro
2007-08-07 14:00:14 0 d-------- C:\WINDOWS\LastGood
2007-08-07 13:54:45 21312 --a------ C:\WINDOWS\choice.exe
2007-08-07 13:14:18 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-08-07 13:14:17 0 d-------- C:\Program Files\SpywareBlaster
2007-08-07 02:03:13 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-05 14:24:53 0 d-------- C:\Documents and Settings\Illidan\Application Data\Yahoo!
2007-08-05 14:24:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-08-05 14:19:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-08-05 14:18:50 0 d-------- C:\Program Files\Yahoo!
2007-08-04 22:50:45 0 d-------- C:\Program Files\Debugging Tools for Windows
2007-08-04 20:36:31 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-03 18:40:44 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-03 17:09:14 18432 --a------ C:\WINDOWS\sysrlb32.exe <Not Verified; Microsoft Corp.; Project1>
2007-08-03 16:31:33 26112 --a------ C:\WINDOWS\vxddsk.exe
2007-08-03 16:31:32 29696 --a------ C:\WINDOWS\wml.exe
2007-08-03 16:31:32 20224 --a------ C:\WINDOWS\system32\wml.exe
2007-08-03 16:31:32 21248 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-08-03 16:31:32 12800 --a------ C:\WINDOWS\SUSP.exe
2007-08-03 16:31:32 14336 --a------ C:\WINDOWS\satmat.exe
2007-08-03 16:31:32 17152 --a------ C:\WINDOWS\Biprep.exe
2007-08-03 16:31:32 14080 --a------ C:\WINDOWS\bi.dll
2007-08-03 16:31:32 15616 --a------ C:\WINDOWS\7search.dll
2007-08-03 16:31:31 23296 --a------ C:\WINDOWS\voiceip.dll
2007-08-03 16:31:31 26624 --a------ C:\WINDOWS\swin32.dll
2007-08-03 16:31:31 20992 --a------ C:\WINDOWS\stcloader.exe
2007-08-03 16:31:31 19712 --a------ C:\WINDOWS\pbar.dll
2007-08-03 16:31:31 12800 --a------ C:\WINDOWS\flt.dll
2007-08-03 16:31:31 17152 --a------ C:\WINDOWS\764.exe
2007-08-03 16:31:30 18432 --a------ C:\WINDOWS\mssvr.exe
2007-08-03 16:31:30 30720 --a------ C:\WINDOWS\mspphe.dll
2007-08-03 16:31:30 13312 --a------ C:\WINDOWS\cdsm32.dll
2007-08-03 16:31:30 31744 --a------ C:\WINDOWS\bokja.exe
2007-08-03 16:31:29 20992 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-08-03 16:31:29 8960 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-08-03 16:31:29 9728 --a------ C:\WINDOWS\bjam.dll
2007-08-03 16:31:29 27136 --a------ C:\WINDOWS\2020search2.dll
2007-08-03 16:31:29 28928 --a------ C:\WINDOWS\2020search.dll
2007-08-03 16:31:29 31744 --a------ C:\WINDOWS\180ax.exe
2007-08-03 16:31:28 19968 --a------ C:\WINDOWS\updatetc.exe
2007-08-03 16:31:28 17664 --a------ C:\WINDOWS\salm.exe
2007-08-03 16:31:28 11264 --a------ C:\WINDOWS\saiemod.dll
2007-08-03 16:31:22 25088 --a------ C:\WINDOWS\system32\msscds32.dll <Not Verified; Microsoft; Windows Explorer cdrom optimizer>
2007-08-03 16:31:21 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-08-03 16:31:12 10756 --a------ C:\WINDOWS\system32\uqpzttri.exe <Not Verified; Microsoft; Project1>
2007-08-03 16:31:11 8705 --a------ C:\WINDOWS\system32\rdovyjbw.exe
2007-07-31 13:37:35 0 d-------- C:\Documents and Settings\Illidan\Application Data\Publish Providers
2007-07-31 13:34:51 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-07-31 13:34:39 0 d-------- C:\Program Files\Microsoft SQL Server
2007-07-31 13:34:25 0 d-------- C:\Documents and Settings\Illidan\Application Data\Sony
2007-07-31 13:33:32 0 d-------- C:\Program Files\Sony
2007-07-30 06:19:36 3072 --a------ C:\Documents and Settings\Illidan\open.exe
2007-07-30 06:07:08 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-07-30 06:07:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-07-30 06:07:03 3073 --a------ C:\WINDOWS\system32\open.exe
2007-07-29 19:51:13 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-07-29 19:51:13 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-07-29 19:51:13 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-07-29 19:51:13 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-07-29 19:51:12 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-07-29 19:51:12 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-07-29 19:51:12 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-07-29 19:51:12 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-07-29 19:51:12 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-07-29 19:51:12 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-07-29 19:51:12 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-07-29 19:51:12 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-07-29 19:51:12 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-07-29 19:51:12 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-07-28 01:22:48 0 d-------- C:\Program Files\AVSMedia
2007-07-27 10:20:44 113157 --a------ C:\WINDOWS\spooldr.exe
2007-07-27 10:19:40 8296 --a------ C:\WINDOWS\system32\tilishpy.exe
2007-07-25 20:27:25 2829 --a------ C:\WINDOWS\War3Unin.pif
2007-07-25 20:27:25 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2007-07-25 20:27:25 76474 --a------ C:\WINDOWS\War3Unin.dat
2007-07-25 20:11:18 0 d-------- C:\WINDOWS\system32\defaults
2007-07-25 20:11:17 0 d-------- C:\WINDOWS\system32\data
2007-07-23 14:22:12 1082 --a------ C:\WINDOWS\checkip.dat
2007-07-19 23:23:55 8662 --a------ C:\WINDOWS\system32\magdfovj.exe
2007-07-12 17:44:43 0 d-------- C:\WINDOWS\Sun
2007-07-12 17:44:43 0 d-------- C:\Documents and Settings\Illidan\Application Data\Sun
2007-07-11 11:37:26 0 d-------- C:\Program Files\Common Files\Download Manager
2007-07-10 17:08:17 0 d-------- C:\Documents and Settings\Illidan\Application Data\Apple Computer
2007-07-10 17 45 1755 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-07-10 17:05:59 0 d-------- C:\Program Files\Apple Software Update
2007-07-10 17:05:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer

-- Find3M Report ---------------------------------------------------------------
2007-08-07 02:40:28 0 d-------- C:\Program Files\Messenger
2007-08-07 02:39:31 0 d-------- C:\Program Files\Google
2007-08-05 23:13:14 0 d-------- C:\Program Files\Warcraft III
2007-08-05 14:17:54 0 d-------- C:\Program Files\Trillian
2007-08-03 19:24:45 0 d-------- C:\Program Files\Java
2007-07-29 20:05:13 0 d-------- C:\Program Files\Common Files\AVSMedia
2007-07-28 01:24:23 0 d-------- C:\Documents and Settings\Illidan\Application Data\AVSMedia
2007-07-25 19:44:16 0 d-------- C:\Program Files\LimeWire
2007-07-12 19:02:16 0 d-------- C:\Program Files\QuickTime
2007-07-12 11:22:01 0 d-------- C:\Documents and Settings\Illidan\Application Data\LimeWire
2007-07-11 11:37:26 0 d-------- C:\Program Files\Common Files
2007-07-06 10:44:07 0 d-------- C:\Program Files\Game Cam v1.4
2007-06-25 18:35:06 0 d-------- C:\Documents and Settings\Illidan\Application Data\Help
2007-06-14 20:40:57 0 d-------- C:\Program Files\Movie Maker
2007-06-12 22:44:03 0 d-------- C:\Documents and Settings\Illidan\Application Data\AVS4YOU

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000026-8735-428D-B81F-DD098223B25F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000006b1-19b5-414a-849f-2a3c64ae6939}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{279A05E3-C129-4189-BA16-F0DB908C89B0}]
08/03/2007 04:31 PM 25088 --a------ C:\WINDOWS\system32\msscds32.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30000273-8230-4dd4-be4f-6889d1e74167}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb936323-19fa-4521-ba29-eca6a121bc78}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [04/29/2005 06:22 PM]
"SoundMan"="SOUNDMAN.EXE" [10/23/2005 11:45 PM C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 09:43 PM]
"nwiz"="nwiz.exe" [08/11/2006 09:43 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [08/11/2006 09:43 PM]
"CTHelper"="CTHELPER.EXE" [05/28/2003 12:59 PM C:\WINDOWS\system32\cthelper.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 12:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/20/2007 06:02 PM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [07/16/2007 03:17 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Illidan^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Illidan\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]
C:\WINDOWS\system32\msbind32.exe

-- End of Deckard's System Scanner: finished at 2007-08-07 at 14:10:42 ---------

And as directed, I attached the extra.txt
~Wanderer of the Stars~
#8
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: Browser Hijacked -- How troublesome...
Quote:
---------------
Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: msscds32.msdn_hlp - {279A05E3-C129-4189-BA16-F0DB908C89B0} - C:\WINDOWS\system32\msscds32.dll
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
---------------

1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________
Question - what have you done for the community today?
#9
Registered User
Join Date: Aug 2007
Posts: 12
OS: XP
Re: Browser Hijacked -- How troublesome...
Ok, here is the combofix log
ComboFix 07-08-07.6 - "Illidan" 2007-08-07 15:04:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1110 [GMT -7:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Illidan\Desktop\internet.lnk
C:\Documents and Settings\Illidan\spooldr.ini
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\bi.dll
C:\WINDOWS\biprep.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\spooldr.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\susp.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\gmc.exe.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\wml.exe

((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))

2007-08-07 15:05 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000007-00001102-00000004-10091102}.dat
2007-08-07 15:05 288 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000007-00001102-00000004-10091102}.dat
2007-08-07 15:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 14:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-07 14:04 <DIR> d-------- C:\Deckard
2007-08-07 14:00 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-08-07 13:54 21,312 --a------ C:\WINDOWS\choice.exe
2007-08-07 13:14 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-08-07 13:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-07 02:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-05 14:24 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Yahoo!
2007-08-05 14:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-05 14:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-05 14:18 <DIR> d-------- C:\Program Files\Yahoo!
2007-08-04 22:50 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2007-08-04 20:36 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-03 18:40 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-03 17:09 18,432 --a------ C:\WINDOWS\sysrlb32.exe
2007-08-03 16:31 8,705 --a------ C:\WINDOWS\system32\rdovyjbw.exe
2007-08-03 16:31 26,112 --a------ C:\WINDOWS\vxddsk.exe
2007-08-03 16:31 10,756 --a------ C:\WINDOWS\system32\uqpzttri.exe
2007-07-31 13:37 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Publish Providers
2007-07-31 13:34 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-07-31 13:34 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-07-31 13:34 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2007-07-31 13:34 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-07-31 13:34 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Sony
2007-07-31 13:33 <DIR> d-------- C:\Program Files\Sony
2007-07-30 06:19 3,072 --a------ C:\DOCUME~1\Illidan\open.exe
2007-07-30 06:07 3,073 --a------ C:\WINDOWS\system32\open.exe
2007-07-30 06:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-29 19:51 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-28 01:22 <DIR> d-------- C:\Program Files\AVSMedia
2007-07-27 10:19 8,296 --a------ C:\WINDOWS\system32\tilishpy.exe
2007-07-25 20:27 76,474 --a------ C:\WINDOWS\War3Unin.dat
2007-07-25 20:27 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-07-25 20:27 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-07-25 20:11 <DIR> d-------- C:\WINDOWS\system32\defaults
2007-07-25 20:11 <DIR> d-------- C:\WINDOWS\system32\data
2007-07-23 14:22 1,082 --a------ C:\WINDOWS\checkip.dat
2007-07-19 23:23 8,662 --a------ C:\WINDOWS\system32\magdfovj.exe
2007-07-11 12:32 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-11 11:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-07-11 11:25 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-10 17:08 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Apple Computer
2007-07-10 17:05 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-10 17:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 02:40 --------- d-------- C:\Program Files\Messenger
2007-08-07 02:39 --------- d-------- C:\Program Files\Google
2007-08-07 00:14 374272 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-05 23:13 --------- d-------- C:\Program Files\Warcraft III
2007-08-05 14:17 --------- d-------- C:\Program Files\Trillian
2007-08-03 16:31 979 --a------ C:\WINDOWS\system32\drivers\product_2_name_small.gif
2007-08-03 16:31 918 --a------ C:\WINDOWS\system32\drivers\s_detect.htm
2007-08-03 16:31 837 --a------ C:\WINDOWS\system32\drivers\blank.gif
2007-08-03 16:31 835 --a------ C:\WINDOWS\system32\drivers\style.css
2007-08-03 16:31 6575 --a------ C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-08-03 16:31 65 --a------ C:\WINDOWS\system32\drivers\sep_hor.gif
2007-08-03 16:31 64 --a------ C:\WINDOWS\system32\drivers\close_icon.gif
2007-08-03 16:31 639 --a------ C:\WINDOWS\system32\drivers\star.gif
2007-08-03 16:31 6373 --a------ C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-08-03 16:31 550 --a------ C:\WINDOWS\system32\drivers\star_small.gif
2007-08-03 16:31 53 --a------ C:\WINDOWS\system32\drivers\sep_vert.gif
2007-08-03 16:31 49 --a------ C:\WINDOWS\system32\drivers\spacer.gif
2007-08-03 16:31 48933 --a------ C:\WINDOWS\system32\drivers\pt.htm
2007-08-03 16:31 425 --a------ C:\WINDOWS\system32\drivers\star_gray.gif
2007-08-03 16:31 3877 --a------ C:\WINDOWS\system32\drivers\warning_icon.gif
2007-08-03 16:31 360 --a------ C:\WINDOWS\system32\drivers\header_bg.gif
2007-08-03 16:31 3080 --a------ C:\WINDOWS\system32\drivers\product_3_header.gif
2007-08-03 16:31 2922 --a------ C:\WINDOWS\system32\drivers\footer_back.jpg
2007-08-03 16:31 291 --a------ C:\WINDOWS\system32\drivers\v.gif
2007-08-03 16:31 28459 --a------ C:\WINDOWS\system32\drivers\header_1.gif
2007-08-03 16:31 283 --a------ C:\WINDOWS\system32\drivers\x.gif
2007-08-03 16:31 2604 --a------ C:\WINDOWS\system32\drivers\product_1_header.gif
2007-08-03 16:31 2238 --a------ C:\WINDOWS\system32\drivers\download_box.gif
2007-08-03 16:31 223 --a------ C:\WINDOWS\system32\drivers\star_gray_small.gif
2007-08-03 16:31 2214 --a------ C:\WINDOWS\system32\drivers\product_2_header.gif
2007-08-03 16:31 2186 --a------ C:\WINDOWS\system32\drivers\alert_icon.gif
2007-08-03 16:31 215 --a------ C:\WINDOWS\system32\drivers\main_back.gif
2007-08-03 16:31 2090 --a------ C:\WINDOWS\system32\drivers\shadow.jpg
2007-08-03 16:31 1791 --a------ C:\WINDOWS\system32\drivers\win_logo.gif
2007-08-03 16:31 1714 --a------ C:\WINDOWS\system32\drivers\product_3_name_small.gif
2007-08-03 16:31 1647 --a------ C:\WINDOWS\system32\drivers\button_freescan.gif
2007-08-03 16:31 1619 --a------ C:\WINDOWS\system32\drivers\button_buynow.gif
2007-08-03 16:31 15421 --a------ C:\WINDOWS\system32\drivers\header_2.gif
2007-08-03 16:31 13618 --a------ C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-08-03 16:31 1330 --a------ C:\WINDOWS\system32\drivers\product_features.gif
2007-08-03 16:31 1253 --a------ C:\WINDOWS\system32\drivers\product_1_name_small.gif
2007-08-03 16:31 12326 --a------ C:\WINDOWS\system32\drivers\box_3.gif
2007-08-03 16:31 12313 --a------ C:\WINDOWS\system32\drivers\box_1.gif
2007-08-03 16:31 1204 --a------ C:\WINDOWS\system32\drivers\infected.gif
2007-08-03 16:31 11927 --a------ C:\WINDOWS\system32\drivers\box_2.gif
2007-08-03 16:31 11077 --a------ C:\WINDOWS\system32\drivers\header_4.gif
2007-08-03 16:31 10260 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-08-03 16:31 10193 --a------ C:\WINDOWS\system32\drivers\header_3.gif
2007-08-03 16:31 1014 --a------ C:\WINDOWS\system32\drivers\icon_warning.gif
2007-07-29 20:05 --------- d-------- C:\Program Files\Common Files\AVSMedia
2007-07-28 01:24 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\AVSMedia
2007-07-25 19:44 --------- d-------- C:\Program Files\LimeWire
2007-07-12 19:02 --------- d-------- C:\Program Files\QuickTime
2007-07-12 11:22 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\LimeWire
2007-07-06 10:44 --------- d-------- C:\Program Files\Game Cam v1.4
2007-06-25 18:35 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\Help
2007-06-14 20:40 --------- d-------- C:\Program Files\Movie Maker
2007-06-12 22:44 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\AVS4YOU

C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
332,928 2002-08-29 01:58:12 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
359,040 2004-08-04 06:14:42 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
374,272 2007-08-07 07:14:35 C:\WINDOWS\system32\drivers\tcpip.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-04-29 18:22]
"SoundMan"="SOUNDMAN.EXE" [2005-10-23 23:45 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43]
"CTHelper"="CTHELPER.EXE" [2003-05-28 12:59 C:\WINDOWS\system32\cthelper.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 18:02]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 15:17]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Illidan^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Illidan\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 NVTCP;NVIDIA TCP/IP Protocol Driver;C:\WINDOWS\system32\DRIVERS\NVTcp.sys
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
R2 ZWCWDEJS;ZWCWDEJS;\??\C:\WINDOWS\system32\zwcwdejs.afp
R3 ltmodem5;LT Modem Driver;C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
S2 vdo_b76-4b6b;vdo_b76-4b6b;\??\C:\WINDOWS\system32\vdo_b76-4b6b.sys
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR

Contents of the 'Scheduled Tasks' folder
2007-08-03 15:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 15 12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 15:07:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 15:07
--- E O F ---

And here is the refreshed HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:08:05 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Illidan\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.planetgamecam.com/index.php?locid=tutorials
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1186520408045
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D289D8-6E5F-49F9-B3D0-60F0A2420152}: NameServer = 213.246.33.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB6AD7A-C23E-4260-A824-002447FBD892}: NameServer = 213.246.33.228
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6567 bytes
#10
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: Browser Hijacked -- How troublesome...
Do a HijackThis scan & place a check next to these items and select "Fix checked":
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)

---------------

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/172612-browser-hijacked-how-troublesome.html#post1019688>
Collect::
C:\WINDOWS\system32\vdo_b76-4b6b.sys
C:\WINDOWS\system32\msbind32.exe
c:\windows\system32\zwcwdejs.afp
C:\WINDOWS\sysrlb32.exe
C:\WINDOWS\system32\rdovyjbw.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\system32\uqpzttri.exe
C:\WINDOWS\system32\open.exe
C:\WINDOWS\system32\tilishpy.exe
C:\WINDOWS\system32\magdfovj.exe
DirLook::
C:\WINDOWS\system32\defaults
C:\WINDOWS\system32\data
File::
C:\DOCUME~1\Illidan\open.exe
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
Driver::
vdo_b76-4b6b
ZWCWDEJS
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]
Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file on your Desktop, called Submit [Date Time].zip
Please submit this file to: http://www.bleepingcomputer.com/subm....php?channel=4
The file must be uploaded before proceeding to the next step.

---------------

Click here to perform an online scan >> Online Scanner

---------------

In your next post, please include fresh logs from:
Last edited by sUBs; 08-07-2007 at 04:29 PM.
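The two items ticked in this post (the orphaned O2 entry and the R0 start page) are the analyst reading the HJT log by hand. As an added example, not part of this thread, of HijackThis or of ComboFix, the Python below applies the same kind of judgement mechanically to a handful of lines copied from the logs posted above: O2 BHOs whose DLL is gone, BHOs with no name or with a DLL parked directly under the Windows directory rather than a vendor folder, and O17 NameServer entries that are not on a resolver allow-list. The heuristics, the allow-list value and the sample log are this example's own assumptions; whether a flagged item is actually hostile stays the analyst's call.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example for this thread; it is not part of HijackThis, ComboFix, or any
post here. It codifies three of the judgement calls the analyst makes above:
  * an O2 BHO whose target is "(no file)" is an orphaned CLSID registration
  * an O2 BHO with no name, or whose DLL sits directly under the Windows
    directory instead of a vendor folder, deserves a look
  * an O17 NameServer entry not on the network's resolver allow-list deserves
    a look (DNS settings are a classic hijack target)
The allow-list and the sample log are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed allow-list: the resolver(s) the analyst expects on this network.
EXPECTED_RESOLVERS = {"192.168.1.1"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str    # the HJT line exactly as logged, ready for "Fix checked"
    reason: str  # why it was flagged


def triage(log_text, expected_resolvers=EXPECTED_RESOLVERS):
    """Return the HJT lines worth acting on, with a reason for each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            name, target = m.group("name"), m.group("target")
            if target == "(no file)":
                findings.append(Finding(line, "orphaned BHO: registered CLSID but the DLL is gone"))
            elif name == "(no name)":
                findings.append(Finding(line, "unnamed BHO backed by a real DLL"))
            elif WINDIR_RE.match(target):
                findings.append(Finding(line, "BHO DLL lives under the Windows directory, not a vendor folder"))
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",")]
            rogue = [s for s in servers if s not in expected_resolvers]
            if rogue:
                findings.append(Finding(line, "resolver not on allow-list: " + ", ".join(rogue)))
    return findings


def fix_list(findings):
    """The lines to tick in HijackThis before pressing "Fix checked"."""
    return [f.line for f in findings]


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: msscds32.msdn_hlp - {279A05E3-C129-4189-BA16-F0DB908C89B0} - C:\WINDOWS\system32\msscds32.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D289D8-6E5F-49F9-B3D0-60F0A2420152}: NameServer = 213.246.33.228
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample it flags three lines (the orphaned BHO, msscds32.dll, and the O17 resolver) and leaves the Yahoo!, Java and O4 entries alone; fix_list() returns the flagged lines in the form HijackThis displays them, which is what gets ticked.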
#11
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: Browser Hijacked -- How troublesome...
When you have posted the required logs, download & install this Microsoft update -> http://www.microsoft.com/downloads/d...e-5b957986efbf
I shall require another fresh ComboFix log after that.
#12
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: Browser Hijacked -- How troublesome...
When you have posted the ComboFix log for the above post, go to this website: http://www.free-av.com/antivirus/allinonen.html
Download & install that
#13
Registered User
Join Date: Aug 2007
Posts: 12
OS: XP
Re: Browser Hijacked -- How troublesome...
HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:42:44 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Illidan\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.planetgamecam.com/index.php?locid=tutorials
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1186520408045
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D289D8-6E5F-49F9-B3D0-60F0A2420152}: NameServer = 213.246.33.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB6AD7A-C23E-4260-A824-002447FBD892}: NameServer = 213.246.33.228
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Online Scan Log:

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
J:\

Scan Statistics:
Total number of scanned objects: 51199
Number of viruses found: 18
Number of infected objects: 123
Number of suspicious objects: 0
Duration of the scan process: 00:35:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Illidan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Illidan\Desktop\backups\backup-20070807-150318-167.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\Documents and Settings\Illidan\Desktop\[4]-Submit_2007-08-07_153848.90.zip/msbind32.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\Documents and Settings\Illidan\Desktop\[4]-Submit_2007-08-07_153848.90.zip/zwcwdejs.afp Infected: Trojan-Clicker.Win32.Small.js skipped
C:\Documents and Settings\Illidan\Desktop\[4]-Submit_2007-08-07_153848.90.zip/sysrlb32.exe Infected: Trojan.Win32.VB.azo skipped
C:\Documents and Settings\Illidan\Desktop\[4]-Submit_2007-08-07_153848.90.zip/rdovyjbw.exe
Infected: Trojan-Downloader.Win32.Tibs.mv skipped C:\Documents and Settings\Illidan\Desktop\[4]-Submit_2007-08-07_153848.90.zip/tilishpy.exe Infected: Trojan-Downloader.Win32.Tibs.ms skipped C:\Documents and Settings\Illidan\Desktop\[4]-Submit_2007-08-07_153848.90.zip/magdfovj.exe Infected: Packed.Win32.Tibs.aw skipped C:\Documents and Settings\Illidan\Desktop\[4]-Submit_2007-08-07_153848.90.zip ZIP: infected - 6 skipped C:\Documents and Settings\Illidan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Illidan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Illidan\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Illidan\Local Settings\History\History.IE5\MSHist012007080720070808\index.dat Object is locked skipped C:\Documents and Settings\Illidan\Local Settings\Temp\Perflib_Perfdata_4a0.dat Object is locked skipped C:\Documents and Settings\Illidan\Local Settings\Temp\~DF404B.tmp Object is locked skipped C:\Documents and Settings\Illidan\Local Settings\Temp\~DFA3C9.tmp Object is locked skipped C:\Documents and Settings\Illidan\Local Settings\Temp\~DFBF50.tmp Object is locked skipped C:\Documents and Settings\Illidan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Illidan\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Illidan\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped 
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped C:\Program Files\Yahoo!\Messenger\logs\billing_Illidan.log Object is locked skipped C:\Program Files\Yahoo!\Messenger\logs\client_Illidan.log Object is locked skipped C:\Program Files\Yahoo!\Messenger\logs\network_Illidan.log Object is locked skipped C:\QooBox\Quarantine\C\WINDOWS\spooldr.exe.vir Infected: Trojan-Downloader.Win32.Tibs.mv skipped C:\QooBox\Quarantine\C\WINDOWS\system32\gmc.exe.exe.vir Infected: Trojan-Downloader.Win32.Tibs.mv skipped C:\QooBox\Quarantine\C\WINDOWS\system32\wmvds32.dll.vir Infected: Trojan-Downloader.Win32.VB.asx skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0154349.exe Infected: Packed.Win32.Tibs.aw skipped C:\System Volume 
Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0155337.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0155338.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0156341.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0156342.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0158337.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0158338.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0159337.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0159338.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0160337.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0160338.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0161337.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0161338.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0162337.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP69\A0162338.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP71\A0165460.sys Infected: Packed.Win32.Tibs.ap skipped 
C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP71\A0165461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP71\A0166460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP71\A0166461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP72\A0167460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP72\A0167461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP72\A0169460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP72\A0169461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP72\A0170460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP72\A0170461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP72\A0171457.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP72\A0171458.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP76\A0172460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP76\A0172461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP76\A0173460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP76\A0173461.sys Infected: 
Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP76\A0174460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP76\A0176460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP76\A0176461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP77\A0177460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP77\A0177461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP77\A0178460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP77\A0178461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP78\A0179460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP78\A0179461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP78\A0180460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP78\A0180461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP78\A0180481.exe Infected: Packed.Win32.Tibs.ay skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP78\A0180482.exe Infected: Packed.Win32.Tibs.ay skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP79\A0180485.exe Infected: Trojan.Win32.VB.azo skipped C:\System Volume 
Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP79\A0181460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP79\A0181461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP79\A0181467.exe Infected: Trojan.Win32.VB.azo skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0182460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0182461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0183457.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0183458.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0184460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0184461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0185460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0185461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0186460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0186461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0187460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0187462.sys Infected: Trojan.Win32.Patched.ad skipped 
C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0188460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP82\A0188461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP83\A0189460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP83\A0189461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0190460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0190461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0191460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0191461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0192460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0192461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0193460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0193461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0194460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0194461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0195460.sys Infected: 
Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0196460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0196461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0197460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0197461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0198460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0198461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0199460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP84\A0199461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0201457.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0201458.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0202460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0202461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0203460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0203461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume 
Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0204460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0204461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0205460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0205461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0206460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0206461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0207460.sys Infected: Packed.Win32.Tibs.ap skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0207461.sys Infected: Trojan.Win32.Patched.ad skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP85\A0207470.sys Infected: Packed.Win32.Tibs.w skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP87\A0208486.dll Infected: Trojan-Downloader.Win32.VB.apq skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP88\A0208504.exe Infected: Trojan-Downloader.Win32.Tibs.mv skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP88\A0208507.dll Infected: Trojan-Downloader.Win32.VB.asx skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP88\A0208549.exe Infected: Trojan-Downloader.Win32.Tibs.mv skipped C:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP90\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped 
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\tcpip.sys Infected: Trojan.Win32.Patched.ad skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\system32\_nvidia_xxx_.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped C:\WINDOWS\{00000005-00000000-00000007-00001102-00000004-10091102}.CDF Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped D:\System Volume 
Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP90\change.log Object is locked skipped E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped E:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP90\change.log Object is locked skipped J:\back up\Program Files\Altnet\Download Manager\adm25.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped J:\back up\Program Files\Altnet\Download Manager\adm4.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped J:\back up\Program Files\Altnet\Download Manager\adm4005.exe Infected: not-a-virus:AdWare.Win32.Altnet.a skipped J:\back up\Program Files\Altnet\Download Manager\admdloader.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 skipped J:\back up\Program Files\Altnet\Download Manager\admfdi.dll Infected: not-a-virus:AdWare.Win32.Altnet.j skipped J:\back up\Program Files\Altnet\Download Manager\admprog.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped J:\back up\Program Files\Altnet\Download Manager\altnetuninstall.exe Infected: not-a-virus:AdWare.Win32.Altnet.g skipped J:\back up\Program Files\Altnet\Download Manager\asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped J:\back up\Program Files\Altnet\Download Manager\asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped J:\System Volume Information\_restore{D515BC84-344B-41EB-AF7B-C0AD4128F75E}\RP90\change.log Object is locked skipped Scan process completed. 
ComboFix Log: FILE:: C:\DOCUME~1\Illidan\open.exe C:\WINDOWS\system32\drivers\product_2_name_small.gif C:\WINDOWS\system32\drivers\s_detect.htm C:\WINDOWS\system32\drivers\blank.gif C:\WINDOWS\system32\drivers\style.css C:\WINDOWS\system32\drivers\remove_spyware_button.gif C:\WINDOWS\system32\drivers\sep_hor.gif C:\WINDOWS\system32\drivers\close_icon.gif C:\WINDOWS\system32\drivers\star.gif C:\WINDOWS\system32\drivers\secuity_center_logo.gif C:\WINDOWS\system32\drivers\star_small.gif C:\WINDOWS\system32\drivers\sep_vert.gif C:\WINDOWS\system32\drivers\spacer.gif C:\WINDOWS\system32\drivers\pt.htm C:\WINDOWS\system32\drivers\star_gray.gif C:\WINDOWS\system32\drivers\warning_icon.gif C:\WINDOWS\system32\drivers\header_bg.gif C:\WINDOWS\system32\drivers\product_3_header.gif C:\WINDOWS\system32\drivers\footer_back.jpg C:\WINDOWS\system32\drivers\v.gif C:\WINDOWS\system32\drivers\header_1.gif C:\WINDOWS\system32\drivers\x.gif C:\WINDOWS\system32\drivers\product_1_header.gif C:\WINDOWS\system32\drivers\download_box.gif C:\WINDOWS\system32\drivers\star_gray_small.gif C:\WINDOWS\system32\drivers\product_2_header.gif C:\WINDOWS\system32\drivers\alert_icon.gif C:\WINDOWS\system32\drivers\main_back.gif C:\WINDOWS\system32\drivers\shadow.jpg C:\WINDOWS\system32\drivers\win_logo.gif C:\WINDOWS\system32\drivers\product_3_name_small.gif C:\WINDOWS\system32\drivers\button_freescan.gif C:\WINDOWS\system32\drivers\button_buynow.gif C:\WINDOWS\system32\drivers\header_2.gif C:\WINDOWS\system32\drivers\spy_away_box.jpg C:\WINDOWS\system32\drivers\product_features.gif C:\WINDOWS\system32\drivers\product_1_name_small.gif C:\WINDOWS\system32\drivers\box_3.gif C:\WINDOWS\system32\drivers\box_1.gif C:\WINDOWS\system32\drivers\infected.gif C:\WINDOWS\system32\drivers\box_2.gif C:\WINDOWS\system32\drivers\header_4.gif C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg C:\WINDOWS\system32\drivers\header_3.gif C:\WINDOWS\system32\drivers\icon_warning.gif ((((((((((((((((((((((((((((((((((((((( 
Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\Illidan\open.exe C:\WINDOWS\sysrlb32.exe C:\WINDOWS\system32\drivers\alert_icon.gif C:\WINDOWS\system32\drivers\blank.gif C:\WINDOWS\system32\drivers\box_1.gif C:\WINDOWS\system32\drivers\box_2.gif C:\WINDOWS\system32\drivers\box_3.gif C:\WINDOWS\system32\drivers\button_buynow.gif C:\WINDOWS\system32\drivers\button_freescan.gif C:\WINDOWS\system32\drivers\close_icon.gif C:\WINDOWS\system32\drivers\download_box.gif C:\WINDOWS\system32\drivers\footer_back.jpg C:\WINDOWS\system32\drivers\header_1.gif C:\WINDOWS\system32\drivers\header_2.gif C:\WINDOWS\system32\drivers\header_3.gif C:\WINDOWS\system32\drivers\header_4.gif C:\WINDOWS\system32\drivers\header_bg.gif C:\WINDOWS\system32\drivers\icon_warning.gif C:\WINDOWS\system32\drivers\infected.gif C:\WINDOWS\system32\drivers\main_back.gif C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg C:\WINDOWS\system32\drivers\product_1_header.gif C:\WINDOWS\system32\drivers\product_1_name_small.gif C:\WINDOWS\system32\drivers\product_2_header.gif C:\WINDOWS\system32\drivers\product_2_name_small.gif C:\WINDOWS\system32\drivers\product_3_header.gif C:\WINDOWS\system32\drivers\product_3_name_small.gif C:\WINDOWS\system32\drivers\product_features.gif C:\WINDOWS\system32\drivers\pt.htm C:\WINDOWS\system32\drivers\remove_spyware_button.gif C:\WINDOWS\system32\drivers\s_detect.htm C:\WINDOWS\system32\drivers\secuity_center_logo.gif C:\WINDOWS\system32\drivers\sep_hor.gif C:\WINDOWS\system32\drivers\sep_vert.gif C:\WINDOWS\system32\drivers\shadow.jpg C:\WINDOWS\system32\drivers\spacer.gif C:\WINDOWS\system32\drivers\spy_away_box.jpg C:\WINDOWS\system32\drivers\star.gif C:\WINDOWS\system32\drivers\star_gray.gif C:\WINDOWS\system32\drivers\star_gray_small.gif C:\WINDOWS\system32\drivers\star_small.gif C:\WINDOWS\system32\drivers\style.css C:\WINDOWS\system32\drivers\v.gif C:\WINDOWS\system32\drivers\warning_icon.gif C:\WINDOWS\system32\drivers\win_logo.gif 
C:\WINDOWS\system32\drivers\x.gif C:\WINDOWS\system32\magdfovj.exe C:\WINDOWS\system32\msbind32.exe C:\WINDOWS\system32\open.exe C:\WINDOWS\system32\rdovyjbw.exe C:\WINDOWS\system32\tilishpy.exe C:\WINDOWS\system32\uqpzttri.exe c:\windows\system32\zwcwdejs.afp C:\WINDOWS\vxddsk.exe ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_VDO_B76-4B6B -------\LEGACY_ZWCWDEJS -------\vdo_b76-4b6b -------\ZWCWDEJS ((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 ))))))))))))))))))))))))))))))) 2007-08-07 15:05 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000007-00001102-00000004-10091102}.dat 2007-08-07 15:05 288 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000007-00001102-00000004-10091102}.dat 2007-08-07 15:04 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-07 14:07 <DIR> d-------- C:\Program Files\Trend Micro 2007-08-07 14:04 <DIR> d-------- C:\Deckard 2007-08-07 13:54 21,312 --a------ C:\WINDOWS\choice.exe 2007-08-07 13:14 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL 2007-08-07 13:14 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-08-07 02:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-08-05 14:24 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Yahoo! 2007-08-05 14:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion 2007-08-05 14:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! 2007-08-05 14:18 <DIR> d-------- C:\Program Files\Yahoo! 
2007-08-04 22:50 <DIR> d-------- C:\Program Files\Debugging Tools for Windows 2007-08-04 20:36 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2007-08-03 18:40 4 --a------ C:\WINDOWS\system32\stfv.bin 2007-07-31 13:37 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Publish Providers 2007-07-31 13:34 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll 2007-07-31 13:34 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-07-31 13:34 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll 2007-07-31 13:34 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2007-07-31 13:34 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Sony 2007-07-31 13:33 <DIR> d-------- C:\Program Files\Sony 2007-07-30 06:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google 2007-07-29 19:51 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-07-28 01:22 <DIR> d-------- C:\Program Files\AVSMedia 2007-07-25 20:27 76,474 --a------ C:\WINDOWS\War3Unin.dat 2007-07-25 20:27 2,829 --a------ C:\WINDOWS\War3Unin.pif 2007-07-25 20:27 139,264 --a------ C:\WINDOWS\War3Unin.exe 2007-07-25 20:11 <DIR> d-------- C:\WINDOWS\system32\defaults 2007-07-25 20:11 <DIR> d-------- C:\WINDOWS\system32\data 2007-07-23 14:22 1,082 --a------ C:\WINDOWS\checkip.dat 2007-07-11 12:32 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2007-07-11 11:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager 2007-07-11 11:25 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-07-10 17:08 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Apple Computer 2007-07-10 17:05 <DIR> d-------- C:\Program Files\Apple Software Update 2007-07-10 17:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-07 02:40 --------- d-------- C:\Program Files\Messenger 2007-08-07 02:39 --------- d-------- C:\Program Files\Google 2007-08-07 00:14 374272 --a------ C:\WINDOWS\system32\drivers\tcpip.sys 2007-08-05 23:13 --------- d-------- 
C:\Program Files\Warcraft III 2007-08-05 14:17 --------- d-------- C:\Program Files\Trillian 2007-07-29 20:05 --------- d-------- C:\Program Files\Common Files\AVSMedia 2007-07-28 01:24 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\AVSMedia 2007-07-25 19:44 --------- d-------- C:\Program Files\LimeWire 2007-07-12 19:02 --------- d-------- C:\Program Files\QuickTime 2007-07-12 11:22 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\LimeWire 2007-07-06 10:44 --------- d-------- C:\Program Files\Game Cam v1.4 2007-06-25 18:35 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\Help 2007-06-14 20:40 --------- d-------- C:\Program Files\Movie Maker 2007-06-12 22:44 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\AVS4YOU C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below) 332,928 2002-08-29 01:58:12 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys 359,040 2004-08-04 06:14:42 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys 374,272 2007-08-07 07:14:35 C:\WINDOWS\system32\drivers\tcpip.sys (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ---- Directory of C:\WINDOWS\system32\defaults ---- 2007-07-25 20:11 1995 --a------ C:\WINDOWS\system32\defaults\MX0004_10091102{B591EC40-11D1-DBC3-A000-9D9D737F8EC9}.rdf 2007-07-25 20:11 1995 --a------ C:\WINDOWS\system32\defaults\MX0004_10091102{9D74D2A0-11D1-DAE5-A000-9D9D737F8EC9}.rdf 2007-07-25 20:11 1995 --a------ C:\WINDOWS\system32\defaults\MX0004_10091102{8C0F8B81-11D1-DE1A-4544-24B700005453}.rdf 2007-07-25 20:11 1995 --a------ C:\WINDOWS\system32\defaults\MX0004_10091102{59639116-11D1-D955-A000-9D9D737F8EC9}.rdf 2007-07-25 20:11 1995 --a------ C:\WINDOWS\system32\defaults\MX0004_10091102{1B2D3721-11d6-5795-D000-869CD73B8EB7}.rdf ---- Directory of C:\WINDOWS\system32\data ---- 2003-05-28 12:57 294360 --a------ C:\WINDOWS\system32\data\ctp0249w.dat ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) 
*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-04-29 18:22] "SoundMan"="SOUNDMAN.EXE" [2005-10-23 23:45 C:\WINDOWS\soundman.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43] "nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43] "CTHelper"="CTHELPER.EXE" [2003-05-28 12:59 C:\WINDOWS\system32\cthelper.exe] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 18:02] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 15:17] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Illidan^Start Menu^Programs^Startup^LimeWire On Startup.lnk] path=C:\Documents and Settings\Illidan\Start Menu\Programs\Startup\LimeWire On Startup.lnk backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys R1 NVTCP;NVIDIA TCP/IP Protocol Driver;C:\WINDOWS\system32\DRIVERS\NVTcp.sys R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe R3 ltmodem5;LT Modem Driver;C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys R3 ms_mpu401;Microsoft MPU-401 MIDI UART 
Driver;C:\WINDOWS\system32\drivers\msmpu401.sys R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR Contents of the 'Scheduled Tasks' folder 2007-08-03 15:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-07 15:40:45 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-07 15:41:29 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-08-07 15:41 C:\ComboFix2.txt ... 2007-08-07 15:07 --- E O F --- |
#14
Registered User
Join Date: Aug 2007
Posts: 12
OS: XP
Re: Browser Hijacked -- How troublesome...
Combofix Log after d/l'ing Microsoft Update:
2007-08-07 16:57 <DIR> d-------- C:\WINDOWS\LastGood 2007-08-07 16:54 359,808 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys 2007-08-07 15:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-08-07 15:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab 2007-08-07 15:05 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000007-00001102-00000004-10091102}.dat 2007-08-07 15:05 288 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000007-00001102-00000004-10091102}.dat 2007-08-07 15:04 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-07 14:07 <DIR> d-------- C:\Program Files\Trend Micro 2007-08-07 14:04 <DIR> d-------- C:\Deckard 2007-08-07 13:54 21,312 --a------ C:\WINDOWS\choice.exe 2007-08-07 13:14 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL 2007-08-07 13:14 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-08-07 02:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-08-05 14:24 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Yahoo! 2007-08-05 14:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion 2007-08-05 14:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! 2007-08-05 14:18 <DIR> d-------- C:\Program Files\Yahoo! 
2007-08-04 22:50 <DIR> d-------- C:\Program Files\Debugging Tools for Windows 2007-08-04 20:36 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2007-08-03 18:40 4 --a------ C:\WINDOWS\system32\stfv.bin 2007-07-31 13:37 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Publish Providers 2007-07-31 13:34 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll 2007-07-31 13:34 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-07-31 13:34 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll 2007-07-31 13:34 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2007-07-31 13:34 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Sony 2007-07-31 13:33 <DIR> d-------- C:\Program Files\Sony 2007-07-30 06:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google 2007-07-29 19:51 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-07-28 01:22 <DIR> d-------- C:\Program Files\AVSMedia 2007-07-25 20:27 76,474 --a------ C:\WINDOWS\War3Unin.dat 2007-07-25 20:27 2,829 --a------ C:\WINDOWS\War3Unin.pif 2007-07-25 20:27 139,264 --a------ C:\WINDOWS\War3Unin.exe 2007-07-25 20:11 <DIR> d-------- C:\WINDOWS\system32\defaults 2007-07-25 20:11 <DIR> d-------- C:\WINDOWS\system32\data 2007-07-23 14:22 1,082 --a------ C:\WINDOWS\checkip.dat 2007-07-11 12:32 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2007-07-11 11:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager 2007-07-11 11:25 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-07-10 17:08 <DIR> d-------- C:\DOCUME~1\Illidan\APPLIC~1\Apple Computer 2007-07-10 17:05 <DIR> d-------- C:\Program Files\Apple Software Update 2007-07-10 17:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-07 02:40 --------- d-------- C:\Program Files\Messenger 2007-08-07 02:39 --------- d-------- C:\Program Files\Google 2007-08-05 23:13 --------- d-------- C:\Program Files\Warcraft III 2007-08-05 14:17 --------- d-------- C:\Program 
Files\Trillian 2007-07-29 20:05 --------- d-------- C:\Program Files\Common Files\AVSMedia 2007-07-28 01:24 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\AVSMedia 2007-07-25 19:44 --------- d-------- C:\Program Files\LimeWire 2007-07-12 19:02 --------- d-------- C:\Program Files\QuickTime 2007-07-12 11:22 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\LimeWire 2007-07-06 10:44 --------- d-------- C:\Program Files\Game Cam v1.4 2007-06-25 18:35 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\Help 2007-06-14 20:40 --------- d-------- C:\Program Files\Movie Maker 2007-06-12 22:44 --------- d-------- C:\DOCUME~1\Illidan\APPLIC~1\AVS4YOU ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-04-29 18:22] "SoundMan"="SOUNDMAN.EXE" [2005-10-23 23:45 C:\WINDOWS\soundman.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43] "nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43] "CTHelper"="CTHELPER.EXE" [2003-05-28 12:59 C:\WINDOWS\system32\cthelper.exe] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 18:02] "Yahoo! 
Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 15:17] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Illidan^Start Menu^Programs^Startup^LimeWire On Startup.lnk] path=C:\Documents and Settings\Illidan\Start Menu\Programs\Startup\LimeWire On Startup.lnk backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys R1 NVTCP;NVIDIA TCP/IP Protocol Driver;C:\WINDOWS\system32\DRIVERS\NVTcp.sys R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe R3 ltmodem5;LT Modem Driver;C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR Contents of the 'Scheduled Tasks' folder 2007-08-03 15:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-07 17:01:51 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... 
scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-07 17:02:10 C:\ComboFix-quarantined-files.txt ... 2007-08-07 17:02 C:\ComboFix2.txt ... 2007-08-07 17:01 C:\ComboFix3.txt ... 2007-08-07 15:41 --- E O F --- |
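As an added example (not part of this thread, and not ComboFix's own code), a small Python parser for the log format posted above: it pulls out the "is infected" block with the reference copies ComboFix listed, the Run-key autostarts with the path ComboFix resolved for bare names, and the R*/S* driver and service lines, then reports the size difference between the live tcpip.sys and its ServicePackFiles copy that the first log shows. The sample log is a constructed excerpt of lines taken from the two logs in this thread.

```python
import re
# Constructed excerpt: lines copied from the ComboFix logs posted in this thread, cut to the sections parsed here.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
332,928 2002-08-29 01:58:12 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
359,040 2004-08-04 06:14:42 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
374,272 2007-08-07 07:14:35 C:\WINDOWS\system32\drivers\tcpip.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-04-29 18:22]
"SoundMan"="SOUNDMAN.EXE" [2005-10-23 23:45 C:\WINDOWS\soundman.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 18:02]
R1 NVTCP;NVIDIA TCP/IP Protocol Driver;C:\WINDOWS\system32\DRIVERS\NVTcp.sys
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR
"""
INFECTED = re.compile(r"^(?P<path>.+?) \.\.\. is infected !!")
COPY = re.compile(r"^(?P<size>[\d,]+) (?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<path>.+)$")
KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<note>[^\]]*)\]$')
SERVICE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]+);(?P<image>.+)$")

def parse_combofix(log):
    """Infected-file blocks, Run-key autostarts and service lines from a ComboFix log."""
    out = {"infected": {}, "autoruns": [], "services": []}
    flagged = key = None
    for line in log.splitlines():
        if m := INFECTED.match(line):
            flagged = m["path"]          # reference copies follow on the next lines
            out["infected"][flagged] = []
        elif flagged and (m := COPY.match(line)):
            size = int(m["size"].replace(",", ""))
            out["infected"][flagged].append((size, m["stamp"], m["path"]))
        elif m := KEY.match(line):
            flagged, key = None, m["key"]
        elif key and (m := VALUE.match(line)):
            # ComboFix resolves bare names (SOUNDMAN.EXE) in the note after the timestamp
            note = m["note"].split(" ", 2)
            resolved = note[2] if len(note) == 3 else m["cmd"]
            out["autoruns"].append((key, m["name"], resolved, " ".join(note[:2])))
        elif m := SERVICE.match(line):
            out["services"].append((m["start"], m["name"], m["image"]))
        elif line.strip():
            flagged = None               # any other line ends an 'is infected' block
    return out

def size_mismatch(copies):
    """(live, reference) sizes when the live driver differs from its ServicePackFiles copy, else None."""
    live = next((s for s, _, p in copies if "\\drivers\\" in p.lower()), None)
    ref = next((s for s, _, p in copies if "\\servicepackfiles\\" in p.lower()), None)
    return None if live is None or ref is None or live == ref else (live, ref)
```

A size difference alone is not proof of tampering: the second log shows Microsoft Update placing a 359,808-byte tcpip.sys in dllcache, which also differs from the SP2 copy, so compare against the installed hotfix level (or a hash) before acting on it.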
#15
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: Browser Hijacked -- How troublesome...
Open notepad and copy/paste the text in the quotebox below into it:
Code:
@echo off
rem Remove the leftover submission archive; anything that survives is written to the log.
if exist "%temp%\log.txt" del "%temp%\log.txt"
for %%g in (
"C:\Documents and Settings\Illidan\Desktop\[4]-Submit_2007-08-07_153848.90.zip"
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Remove the tool backup folders and the ComboFix quarantine folder (Qoobox).
for %%g in (
"C:\Documents and Settings\Illidan\Desktop\backups"
"J:\back up\Program Files\Altnet"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
rem Disable and re-enable System Restore through WMI so the old restore points are purged.
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Disable("")>SR.vbs
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Enable("")>>SR.vbs
wscript SR.vbs
rem Restore the default Explorer view: hide hidden files, file extensions and protected system files.
(
echo.REGEDIT4&echo.
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]
echo."hidden"=dword:00000002
echo."hidefileext"=dword:00000001
echo."showsuperhidden"=dword:00000000
)>rehide.reg
regedit /s rehide.reg
del rehide.reg SR.vbs
rem Wait seven seconds using the nircmd.exe that ComboFix left in C:\WINDOWS, then delete this batch file.
nircmd wait 7000
del %0
It should look like this:
Double click on fix.bat & allow it to run.
Post back to tell me what it says.
__________________
Question - what have you done for the community today?
#17
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: Browser Hijacked -- How troublesome...
Have we installed AntiVir yet?
__________________
Question - what have you done for the community today?
#19
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: Browser Hijacked -- How troublesome...
Your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html
After doing all these, your system will be optimised against future threats.
It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.
Kindly respond to this thread once more so we can mark this thread as resolved.
__________________
Question - what have you done for the community today?
#20
Registered User
Join Date: Aug 2007
Posts: 12
OS: XP
Re: Browser Hijacked -- How troublesome...
sUBs, thanks for everything. You are Gosu.
My computer is working flawlessly now; I realized it as soon as HijackThis 'fixed' the files you told me to fix. I will keep AntiVir up as well as SpywareBlaster.
One question concerning my firewall. It's no big deal, I was just curious if you knew..... How do I penetrate it on my LAN so I can use simple file sharing without having to drop the firewall? You've done so much for me already; if you don't know this, don't bother with it. Not a big deal at all.
Thanks so much again--
~Wanderer of the Stars~