Tech Support Forum, Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)
#1 | Parvo (Registered User, Join Date: Feb 2006, Posts: 41, OS: XP Home) | 10-13-2007, 05:42 PM
search-daily.com

Hi
I have a problem that happens with IE and Firefox. When I google for something the search results are displayed, but when I select one it goes to "search-daily.com". If I type the address in the bar it goes to the page, but not from the search results. I have updated and run Ad-aware, Spybot and AVG; I have also installed Spywareblaster and Spywareguard. I ran HJT and here is my log.
Thank you
Parvo.




Logfile of HijackThis v1.99.1
Scan saved at 2:53:00 PM, on 13/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ninemsn.com.au
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7C8EBE48-EFFC-43B4-AB0B-0DD6FD2F85A1} - C:\WINDOWS\system32\consol.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\DOCUME~1\Carol\LOCALS~1\Temp\update.exe] C:\DOCUME~1\Carol\LOCALS~1\Temp\update.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ninemsn.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{964F7E7E-6D49-43C0-9DB8-7B0CEBAF2415}: Domain = vic.bigpond.net.au
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

#2 | sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005, Posts: 24,486) | 10-14-2007, 03:37 AM

I need to take a look at this file

C:\WINDOWS\system32\consol.dll

Please upload it to this website: http://www.bleepingcomputer.com/subm....php?channel=4

Kindly include a link to this topic in the message.
__________________

Question - what have you done for the community today?
#3 | Parvo | 10-15-2007, 08:31 PM

Thanks subs, I have submitted the file for you to look at.
#4 | sUBs | 10-15-2007, 09:50 PM

Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: (no name) - {7C8EBE48-EFFC-43B4-AB0B-0DD6FD2F85A1} - C:\WINDOWS\system32\consol.dll
O4 - HKLM\..\Run: [C:\DOCUME~1\Carol\LOCALS~1\Temp\update.exe] C:\DOCUME~1\Carol\LOCALS~1\Temp\update.exe



---------------


1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that & a fresh Hijackthis log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
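As an added example (not code from this thread or from HijackThis/ComboFix), the following Python script applies the two heuristics that sUBs's picks above illustrate to the O2/O4 lines of a HijackThis log: a BHO registered with "(no name)" whose DLL is not on a small allowlist of known-benign no-name BHOs, and an autorun that executes from a Temp directory or whose value name is simply its own path. The sample log lines are constructed from the entries in this thread, and the KNOWN_NONAME_BHO allowlist is an assumption of this example.

```python
"""Triage HijackThis O2 (BHO) and O4 (Run) lines with simple defender-side heuristics."""
import re
from dataclasses import dataclass

# Assumption: files that legitimately register a BHO without a display name.
# Spybot's SDHelper.dll does this, so it is allowlisted; anything else gets flagged.
KNOWN_NONAME_BHO = {"sdhelper.dll"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

# Constructed sample: the shape of the O2/O4 lines in the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7C8EBE48-EFFC-43B4-AB0B-0DD6FD2F85A1} - C:\WINDOWS\system32\consol.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\DOCUME~1\Carol\LOCALS~1\Temp\update.exe] C:\DOCUME~1\Carol\LOCALS~1\Temp\update.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


@dataclass
class Finding:
    line: str
    reasons: list


def exe_path(cmd):
    """Executable path from an O4 command string: strip quotes and trailing arguments.

    Unquoted paths with spaces are not handled; HJT quotes those, and 8.3 paths
    (C:\\DOCUME~1\\...) contain none.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Return a Finding for a suspicious O2/O4 line, or None when nothing stands out."""
    reasons = []
    m = BHO_RE.match(line)
    if m:
        fname = m.group("path").rsplit("\\", 1)[-1].lower()
        if m.group("name") == "(no name)" and fname not in KNOWN_NONAME_BHO:
            reasons.append("BHO has no display name and is not on the known-benign list")
        if TEMP_RE.search(m.group("path")):
            reasons.append("BHO DLL lives in a Temp directory")
    m = RUN_RE.match(line)
    if m:
        path = exe_path(m.group("cmd"))
        if TEMP_RE.search(path):
            reasons.append("autorun executes from a Temp directory")
        if m.group("name").lower() == path.lower():
            reasons.append("autorun value name is just its own path, not a product name")
    return Finding(line, reasons) if reasons else None


def triage_log(text):
    """Run triage_line over every line of an HJT log; returns the list of Findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, exactly the two entries sUBs asked to have fixed are reported; the known-benign no-name BHO (Spybot) and the named autoruns are not.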
#5 | Parvo | 10-15-2007, 10:16 PM

I got one error msg while running combofix. It said "sed.cfexe has encountered a problem and needs to close ~etc". I pressed don't send and the scan continued. Here are the logs.



Logfile of HijackThis v1.99.1
Scan saved at 2:08:05 PM, on 16/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ninemsn.com.au
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7C8EBE48-EFFC-43B4-AB0B-0DD6FD2F85A1} - C:\WINDOWS\system32\consol.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ninemsn.com.au
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{964F7E7E-6D49-43C0-9DB8-7B0CEBAF2415}: Domain = vic.bigpond.net.au
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE






ComboFix 07-10-15.1 - Dave 2007-10-16 14:00:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.88 [GMT 10:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\Dave\Application Data\DriveCleaner Freeware
C:\Documents and Settings\Dave\Application Data\DriveCleaner Freeware\Logs\update.log
C:\Documents and Settings\Dave\Application Data\DriveCleaner Freeware\Logs\update.log
C:\Documents and Settings\Dave\err.log
C:\Documents and Settings\Guest\err.log
C:\WINDOWS\144.exe
C:\WINDOWS\2.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-16 13:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 15:47 <DIR> d-------- C:\Documents and Settings\Dave\.housecall6.6
2007-10-13 14:45 <DIR> d-------- C:\HJT
2007-10-13 14:33 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-13 14:33 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-13 12:58 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-13 12:56 <DIR> d-------- C:\Program Files\SpywareGuard
2007-10-13 12:49 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\AVG7
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-13 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-13 11:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-13 11:56 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Lavasoft
2007-10-07 11:44 17,664 C:\WINDOWS\system32\drivers\srcunaky.dat
2007-10-07 11:44 5,120 C:\WINDOWS\system32\drivers\ufigxvaw.dat
2007-09-21 17:07 104,145 --a------ C:\WINDOWS\system32\consol.dll
2007-09-21 17:07 57,344 --a------ C:\WINDOWS\system32\dpne.dll
2007-09-21 17:06 57,344 --a------ C:\WINDOWS\system32\acctre.dll
2007-09-21 17:06 17,408 --a------ C:\WINDOWS\system32\drivers\srcunaky.sys
2007-09-19 19:27 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-09-19 19:27 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-19 19:27 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-09-19 19:27 89,088 --a------ C:\WINDOWS\system32\atl71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 00:02 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-09-19 09:34 --------- d-----w C:\Program Files\Numbers Up!2 Baggin' the Dragon V1.2
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 09:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 09:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 09:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 09:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 09:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 09:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 09:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 09:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8EBE48-EFFC-43B4-AB0B-0DD6FD2F85A1}]
2004-08-04 22:00 104145 --a------ C:\WINDOWS\system32\consol.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2004-09-30 16:44]
"SMSERIAL"="sm56hlpr.exe" [2004-06-30 13:42 C:\WINDOWS\sm56hlpr.exe]
"CHotkey"="mHotkey.exe" [2002-01-17 05:54 C:\WINDOWS\mHotkey.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 00:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-13 11:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-14 09:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 17:11]

C:\Documents and Settings\Dave\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 11:00:00]

R0 mtgbwqbe;mtgbwqbe;C:\WINDOWS\system32\drivers\srcunaky.dat

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 14:04:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 14:05:45
.
--- E O F ---
#6 | sUBs | 10-15-2007, 10:29 PM

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\drivers\srcunaky.dat
C:\WINDOWS\system32\drivers\ufigxvaw.dat
C:\WINDOWS\system32\consol.dll
C:\WINDOWS\system32\dpne.dll
C:\WINDOWS\system32\acctre.dll
C:\WINDOWS\system32\drivers\srcunaky.sys
Driver::
mtgbwqbe
Netsvc::
mtgbwqbe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8EBE48-EFFC-43B4-AB0B-0DD6FD2F85A1}]

Save this as "CFScript"




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
#7 | Parvo | 10-16-2007, 02:31 AM

I got the same error msg but it still completed.



ComboFix 07-10-15.1 - Dave 2007-10-16 17:07:55.2 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\acctre.dll
C:\WINDOWS\system32\consol.dll
C:\WINDOWS\system32\dpne.dll
C:\WINDOWS\system32\drivers\srcunaky.dat
C:\WINDOWS\system32\drivers\srcunaky.sys
C:\WINDOWS\system32\drivers\ufigxvaw.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\acctre.dll
C:\WINDOWS\system32\consol.dll
C:\WINDOWS\system32\dpne.dll
C:\WINDOWS\system32\drivers\srcunaky.dat
C:\WINDOWS\system32\drivers\srcunaky.sys
C:\WINDOWS\system32\drivers\ufigxvaw.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MTGBWQBE
-------\mtgbwqbe


((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-16 13:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 15:47 <DIR> d-------- C:\Documents and Settings\Dave\.housecall6.6
2007-10-13 14:45 <DIR> d-------- C:\HJT
2007-10-13 14:33 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-13 14:33 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-13 12:58 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-13 12:56 <DIR> d-------- C:\Program Files\SpywareGuard
2007-10-13 12:49 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\AVG7
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-13 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-13 11:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-13 11:56 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Lavasoft
2007-09-19 19:27 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-09-19 19:27 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-19 19:27 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-09-19 19:27 89,088 --a------ C:\WINDOWS\system32\atl71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 00:02 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-09-19 09:34 --------- d-----w C:\Program Files\Numbers Up!2 Baggin' the Dragon V1.2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2004-09-30 16:44]
"SMSERIAL"="sm56hlpr.exe" [2004-06-30 13:42 C:\WINDOWS\sm56hlpr.exe]
"CHotkey"="mHotkey.exe" [2002-01-17 05:54 C:\WINDOWS\mHotkey.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 00:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-13 11:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-14 09:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 17:11]

C:\Documents and Settings\Dave\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 11:00:00]


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 18:17:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 18:19:45 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-16 14:05
.
--- E O F ---
#8 | sUBs | 10-16-2007, 02:36 AM

Quote:
I got the same error msg but it still completed.

Can you remember which stage it occurred at?
#9 | sUBs | 10-16-2007, 02:38 AM

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
#10 | Parvo | 10-16-2007, 05:38 AM

The error msg occurred at stage 7.
#11 | Parvo | 10-16-2007, 07:28 AM

Sorry, I think it had completed stage 7.
#12 | sUBs | 10-16-2007, 07:49 AM

Please perform the Kaspersky scan
#13 | Parvo | 10-17-2007, 01:21 AM

Hi subs.
I am having trouble posting the kaspersky scan. It's 13.6 MB, which seems rather large to me. When I paste it into the post the browser (IE and Firefox both) becomes non-responsive. It happens on my other comp as well. Maybe if I attach it to a post?
#14 | Parvo | 10-17-2007, 05:36 AM

I've tried about twenty times to post this scan, and every time the browser becomes non-responsive. As you can see I can post here, just not the scan log. Unless there is another way, I'd say I cannot post the scan you need. Sorry.
#15 | sUBs | 10-17-2007, 07:05 AM

Zip/Archive the file up. That should make it much smaller.

Then upload it to this website --> http://www.bleepingcomputer.com/subm....php?channel=4
#16 | Parvo | 10-18-2007, 01:58 AM

Hi,
I've submitted/uploaded the log for you subs.
#17 | sUBs | 10-18-2007, 02:15 AM

Quote:
C:\WINDOWS\system32\consol.1 Object is locked skipped

Please reboot the machine & then post a fresh copy of the ComboFix log.
#18 | Parvo | 10-18-2007, 02:49 AM

ComboFix 07-10-15.1 - Dave 2007-10-18 18:44:32.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.85 [GMT 10:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-16 21:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-16 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-16 21:48 <DIR> d---s---- C:\Documents and Settings\Dave\UserData
2007-10-16 13:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 15:47 <DIR> d-------- C:\Documents and Settings\Dave\.housecall6.6
2007-10-13 14:45 <DIR> d-------- C:\HJT
2007-10-13 14:33 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-13 14:33 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-13 12:58 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-13 12:56 <DIR> d-------- C:\Program Files\SpywareGuard
2007-10-13 12:49 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\AVG7
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-13 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-13 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-13 11:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-13 11:56 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Lavasoft
2007-09-19 19:27 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-09-19 19:27 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-19 19:27 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-09-19 19:27 89,088 --a------ C:\WINDOWS\system32\atl71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 00:02 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-09-19 09:34 --------- d-----w C:\Program Files\Numbers Up!2 Baggin' the Dragon V1.2
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 09:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 09:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 09:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 09:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 09:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 09:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 09:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 09:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-16_14.05.00.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 02:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 05:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 05:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2004-09-30 16:44]
"SMSERIAL"="sm56hlpr.exe" [2004-06-30 13:42 C:\WINDOWS\sm56hlpr.exe]
"CHotkey"="mHotkey.exe" [2002-01-17 05:54 C:\WINDOWS\mHotkey.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 00:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-13 11:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-14 09:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 17:11]

C:\Documents and Settings\Dave\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 11:00:00]


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 18:46:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 18:47:24
.
--- E O F ---
#19 | sUBs | 10-18-2007, 02:51 AM

Delete this file --> C:\WINDOWS\system32\consol.1

Let me know if it resists deletion.
#20 | Parvo | 10-18-2007, 02:59 AM

It did not resist deletion, subs. There are two files named consol.2 and consol.3 still in the system32 folder; are these ones ok to leave there?