08-22-2008, 01:04 PM   #1
onime1 - Registered User
Join Date: Aug 2008
Posts: 10
OS: Windows Vista 32-Bit

Browser Redirection Hijack: log info here please help

I think a browser hijack has occurred on my computer; here's the sequence of events.

1. I go to Google and search a random term or phrase.
2. I click on any item on the returned list.
3. Sometimes, but not always, I am redirected to a web site selling something related to what I originally Googled, or to a page where my original search term is pasted into a different site's search engine. This happens randomly; most of the time, when I Google and click on a result, I am not redirected.
4. The redirect appears to be random, not to the same site every time, but always showing the original term I Googled.

I've run several anti-spyware products (AVG, ad-aware and spybot) but nothing helps. Any help would be much appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 4:28:45 AM, on 23/08/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Windows\system32\prevhost.exe
C:\Windows\system32\prevhost.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Personal Files\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: CSS2 module - {7A9077BD-05AE-4fdf-AB2E-4128C43C4635} - C:\Windows\system32\css2_32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B415DF91-319A-4ABA-85BC-228DF3D942F7}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Windows\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Windows\system32\ifxtcs.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Windows\system32\IfxPsdSv.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
08-26-2008, 05:24 AM   #2
onime1 - Registered User
Join Date: Aug 2008
Posts: 10
OS: Windows Vista 32-Bit

Re: Browser Redirection Hijack: log info here please help

Bump, please.
08-31-2008, 07:55 AM   #3
onime1 - Registered User
Join Date: Aug 2008
Posts: 10
OS: Windows Vista 32-Bit

Re: Browser Redirection Hijack: log info here please help

Bump, please.
09-04-2008, 01:05 AM   #4
screen317 - Analyst, Security Team
Join Date: Mar 2006
Location: Los Angeles
Posts: 627
OS: Windows XP Home SP3

Re: Browser Redirection Hijack: log info here please help

Hi,

Please go to VirusTotal, and upload the following file for analysis:
C:\Windows\system32\css2_32.dll


Post the results in your reply.

After that, please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-screen317
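Added example, not code from the thread, from HijackThis or from Malwarebytes: a small Python triage that parses the O2, O4, O17 and O23 lines of a HijackThis 1.99 log and flags the kinds of entries the analyst acted on above, such as the "CSS2 module" BHO loaded from System32. The sample lines are copied from the first log in the thread; the heuristics and severity labels are this example's own.

```python
"""Triage the HijackThis entry classes that drove the first step in this thread.

Heuristics and severity labels are this example's own, not HijackThis's or
Malwarebytes'; the sample lines are copied from the first log posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CSS2 module - {7A9077BD-05AE-4fdf-AB2E-4128C43C4635} - C:\Windows\system32\css2_32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B415DF91-319A-4ABA-85BC-228DF3D942F7}: NameServer = 192.231.203.132,192.231.203.3
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# One pattern per HijackThis section handled here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*) \((?P<short>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    severity: str  # "high", "review" or "info"
    section: str   # HijackThis section tag the line came from
    detail: str


def _under_windows_dir(path: str) -> bool:
    """True when a BHO DLL sits in the Windows directory rather than under Program Files."""
    p = path.lower()
    return "\\windows\\system32\\" in p or p.startswith(("%systemroot%", "%windir%"))


def _unqualified(cmd: str) -> bool:
    """True when the autorun command names a bare executable, resolved via the search order."""
    exe = cmd.strip().strip('"').split('"')[0].split(" ")[0]
    return "\\" not in exe and not exe.startswith("%")


def nameservers(log_text: str) -> list[str]:
    """All DNS servers listed in O17 lines, in log order."""
    servers: list[str] = []
    for line in log_text.splitlines():
        if m := O17_RE.match(line.strip()):
            servers.extend(s.strip() for s in m["servers"].split(",") if s.strip())
    return servers


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect the entries a reviewer should look at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if m["path"] == "(no file)":
                findings.append(Finding("info", "O2", f"orphaned BHO {m['clsid']}: registered but no DLL on disk"))
            elif _under_windows_dir(m["path"]):
                findings.append(Finding("high", "O2", f"BHO '{m['name']}' loads from the Windows directory: {m['path']}; hash it and submit for analysis"))
        elif m := O4_RE.match(line):
            if _unqualified(m["cmd"]):
                findings.append(Finding("review", "O4", f"{m['hive']} Run [{m['name']}] starts '{m['cmd']}' without a path; confirm which file actually runs"))
        elif m := O17_RE.match(line):
            findings.append(Finding("info", "O17", "DNS servers in use: " + m["servers"] + "; verify they belong to the ISP or router"))
        elif m := O23_RE.match(line):
            # Every svchost-hosted Windows service in the thread's log is reported as
            # "(file missing)" by HijackThis 1.99.1 on Vista, so treat those as noise.
            if m["path"].endswith("(file missing)") and "svchost.exe" not in m["path"].lower():
                findings.append(Finding("review", "O23", f"service {m['short']} points at a missing binary: {m['path']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```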
09-04-2008, 03:02 AM   #5
onime1 - Registered User
Join Date: Aug 2008
Posts: 10
OS: Windows Vista 32-Bit

Re: Browser Redirection Hijack: log info here please help

Hi! Thanks for the reply.

Here is the report for the Virustotal scan:

File css2_32.dll received on 08.10.2008 03:09:26 (CET)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
PCTools - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: f09363b55c029889afc82aaac69ce3f5
SHA1: fa714c46357192bec3830d9f27334de0d02591ee
SHA256: 468730482bffee1e9bc59bd6e1e43b9c492cd0096d5e011bacf59ae5ecd473b6
SHA512: 194c92dcde2abad5f957f3a08d93891f43427187b7518a8cd7873ef2c1ae2068a718c381e049b74bd1e644181098f906a703fa2f71cc9702e396b3c9da0b7b8c

Next was the Malwarebytes Anti-malware scan; result and report:

Malwarebytes' Anti-Malware 1.26
Database version: 1112
Windows 6.0.6001 Service Pack 1

4/09/2008 6:26:46 PM
mbam-log-2008-09-04 (18-26-46).txt

Scan type: Quick Scan
Objects scanned: 40775
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Peter Avina\AppData\Local\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Finally, the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:29:27 PM, on 4/09/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.EXE
D:\Personal Files\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CSS2 module - {7A9077BD-05AE-4fdf-AB2E-4128C43C4635} - C:\Windows\system32\css2_32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B415DF91-319A-4ABA-85BC-228DF3D942F7}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Windows\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Windows\system32\ifxtcs.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Windows\system32\IfxPsdSv.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Just a few sidenotes: I switched to using Mozilla Firefox instead of IE7 and the problem doesn't occur; however, it occurs on other computers on my home network which still use IE7. And could you tell me why Malwarebytes' Anti-Malware was able to detect that infected file while my other programs didn't?
Thanks a lot!
09-04-2008, 12:32 PM   #6
screen317 - Analyst, Security Team
Join Date: Mar 2006
Location: Los Angeles
Posts: 627
OS: Windows XP Home SP3

Re: Browser Redirection Hijack: log info here please help

Quote:
Just a few sidenotes: I switched to using Mozilla Firefox instead of IE7 and the problem doesn't occur however it occurs on other computers on my home network which still use IE7.
Means your other computers are infected too...

Quote:
And could you tell me why Malwarebytes' Anti-malware was able to detect that infected file while my other programs didn't?
For lack of a better explanation, MBAM detects today's malware, while other programs are straggling behind.

With that said, next we'll use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/comb...o-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317
09-04-2008, 07:20 PM   #7
onime1 - Registered User
Join Date: Aug 2008
Posts: 10
OS: Windows Vista 32-Bit

Re: Browser Redirection Hijack: log info here please help

Thanks. Don't worry about the other computers, they don't have much on them and I was planning to reformat soon. Anyway, here's the Combofix log:

ComboFix 08-09-04.02 - Peter Avina 2008-09-05 10:15:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1151 [GMT 9.5:30]
Running from: C:\Users\Peter Avina\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-04 18:15 . 2008-09-04 18:15 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\Malwarebytes
2008-09-04 18:15 . 2008-09-04 18:15 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-09-04 18:15 . 2008-09-04 18:15 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-09-04 18:15 . 2008-09-04 18:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-04 18:15 . 2008-09-02 00:16 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-04 18:15 . 2008-09-02 00:16 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-09-04 17:47 . 2008-07-19 14:39 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-09-04 17:47 . 2008-07-19 13:14 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-09-04 17:47 . 2008-07-19 14:40 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-09-04 17:47 . 2008-07-19 14:40 45,768 --a------ C:\Windows\System32\wups2.dll
2008-09-04 17:46 . 2008-07-19 14:39 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-09-04 17:46 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-09-04 17:46 . 2008-07-19 13:14 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-09-04 17:46 . 2008-07-19 14:40 36,552 --a------ C:\Windows\System32\wups.dll
2008-09-04 17:46 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\ScanSoft
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\Users\All Users\ScanSoft
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\Users\All Users\InstallShield
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\ProgramData\ScanSoft
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\ProgramData\InstallShield
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-08-23 17:35 . 2008-08-23 17:35 412 --a------ C:\Windows\MAXLINK.INI
2008-08-23 17:34 . 2008-08-23 17:34 <DIR> d-------- C:\Program Files\ScanSoft
2008-08-23 17:31 . 2008-08-23 17:31 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\Canon
2008-08-23 16:35 . 2008-08-23 16:35 <DIR> d-------- C:\Program Files\Common Files\CANON
2008-08-23 16:34 . 2008-08-23 16:34 <DIR> d--h----- C:\Users\All Users\CanonBJ
2008-08-23 16:34 . 2008-08-23 16:34 <DIR> d--h----- C:\ProgramData\CanonBJ
2008-08-23 16:33 . 2008-08-23 16:33 <DIR> d--h----- C:\Windows\System32\CanonIJ Uninstaller Information
2008-08-23 16:32 . 2007-04-16 05:30 215,040 --a------ C:\Windows\System32\CNMLM93.DLL
2008-08-23 16:31 . 2008-08-23 16:31 <DIR> d--h----- C:\Program Files\CanonBJ
2008-08-23 16:31 . 2007-03-23 17:00 1,400,832 --a------ C:\Windows\System32\CNC610C.DLL
2008-08-23 16:31 . 2007-04-13 15:16 200,704 --a------ C:\Windows\System32\CNC610L.DLL
2008-08-23 16:31 . 2007-03-15 14:42 188,416 --a------ C:\Windows\System32\CNC610O.DLL
2008-08-23 16:31 . 2007-03-23 16:59 98,304 --a------ C:\Windows\System32\CNC610I.DLL
2008-08-23 16:29 . 2008-08-23 16:35 <DIR> d-------- C:\Program Files\Canon
2008-08-23 03:45 . 2008-08-23 03:46 <DIR> d-------- C:\Program Files\RegCure
2008-08-23 02:57 . 2008-08-23 02:57 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-08-23 02:57 . 2008-08-23 02:57 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-08-22 16:43 . 2008-08-22 16:43 <DIR> d-------- C:\Program Files\MSECache
2008-08-21 19:27 . 2008-08-21 19:27 <DIR> dr------- C:\Users\Public\Documents
2008-08-21 19:04 . 2008-08-21 19:04 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-08-21 19:03 . 2008-08-21 19:03 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-08-21 19:02 . 2008-08-21 19:02 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-08-21 18:58 . 2008-08-21 18:58 <DIR> dr-h----- C:\MSOCache
2008-08-21 13:50 . 2008-08-21 14:00 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-08-21 13:50 . 2008-08-21 14:00 <DIR> d-------- C:\ProgramData\Lavasoft
2008-08-21 13:50 . 2008-08-21 13:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-21 13:49 . 2008-08-21 13:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-15 21:13 . 2008-08-15 21:13 176,132 --a------ C:\Windows\System32\css2_32.dll
2008-08-15 21:13 . 2006-10-26 19:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-08-15 21:10 . 2008-08-21 19:19 <DIR> d-------- C:\Program Files\Microsoft Works
2008-08-15 20:59 . 2008-08-21 18:53 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-08-15 20:59 . 2008-08-21 18:53 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-08-15 20:56 . 2008-08-15 20:56 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-08-15 20:49 . 2008-08-15 20:49 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\DAEMON Tools
2008-08-15 20:49 . 2008-08-15 20:49 717,296 --a------ C:\Windows\System32\drivers\sptd.sys
2008-08-14 16:26 . 2008-07-16 11:02 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 16:20 . 2008-06-27 11:25 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-14 16:20 . 2008-06-27 13:45 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-14 16:20 . 2008-06-19 13:01 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-14 16:20 . 2008-04-18 15:18 269,312 --a------ C:\Windows\System32\es.dll
2008-08-14 15:26 . 2005-01-23 04:42 679,936 --a------ C:\Windows\System32\D3DX81ab.dll
2008-08-14 15:25 . 2008-08-14 15:39 <DIR> d-------- C:\Program Files\WC3Banlist
2008-08-14 15:24 . 2008-08-14 15:24 <DIR> d-------- C:\Program Files\WinPcap
2008-08-13 21:38 . 2008-08-30 14:56 <DIR> d-------- C:\Program Files\Garena
2008-08-12 22:54 . 2008-08-12 22:57 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-12 22:53 . 2008-08-12 22:53 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-08-12 22:53 . 2008-08-12 22:53 <DIR> d-------- C:\ProgramData\WLInstaller
2008-08-12 22:53 . 2008-08-12 22:59 <DIR> d-------- C:\Program Files\Windows Live
2008-08-10 16:19 . 2008-08-10 16:19 66 --a------ C:\Windows\wininit.ini
2008-08-10 13:48 . 2008-08-20 03:56 <DIR> dr-h----- C:\$VAULT$.AVG
2008-08-09 22:42 . 2008-08-23 03:46 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\Azureus
2008-08-09 22:42 . 2008-08-09 22:42 <DIR> d-------- C:\Users\All Users\Azureus
2008-08-09 22:42 . 2008-08-09 22:42 <DIR> d-------- C:\ProgramData\Azureus
2008-08-09 22:41 . 2008-08-09 22:42 <DIR> d-------- C:\Program Files\Vuze
2008-08-09 18:07 . 2008-08-09 18:07 <DIR> dr------- C:\Users\Public\Recorded TV
2008-08-07 17:45 . 2008-08-07 17:45 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\PeerNetworking
2008-08-05 18:59 . 2002-04-01 17:53 102,400 --a------ C:\Windows\System32\TrackerNET.dll
2008-08-05 18:57 . 2001-07-31 10:55 217,088 --a------ C:\Windows\System32\libmySQL.dll
2008-08-05 18:32 . 1998-10-30 22:21 1,022,976 --a------ C:\Windows\System32\SierraNW.dll
2008-08-05 18:32 . 1998-10-30 22:21 231,936 --a------ C:\Windows\System32\SNWValid.dll
2008-08-05 18:31 . 1997-07-14 17:42 314,880 --a------ C:\Windows\IsUninst.exe
2008-08-05 18:31 . 2008-08-05 18:34 494 --a------ C:\Windows\SIERRA.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 00:29 28,409 ----a-w C:\Users\Peter Avina\AppData\Roaming\nvModes.dat
2008-09-05 00:09 --------- d-----w C:\Program Files\Warcraft III
2008-09-04 10:06 45,056 ----a-w C:\Windows\System32\acovcnt.exe
2008-08-28 04:37 --------- d-----w C:\ProgramData\ASUS
2008-08-27 14:46 --------- d-----w C:\Users\Peter Avina\AppData\Roaming\AVG7
2008-08-23 08:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-21 09:22 --------- d-----w C:\Program Files\MSBuild
2008-08-13 12:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 10:44 --------- d-----w C:\Users\Peter Avina\AppData\Roaming\Winamp
2008-08-07 22:38 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-08-07 22:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-19 05:26 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-17 22:17 174 --sha-w C:\Program Files\desktop.ini
2008-06-17 21:52 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-17 21:52 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-14 22:00 988,216 ----a-w C:\Windows\System32\winload.exe
2008-06-14 22:00 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-06-14 22:00 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-06-14 22:00 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-06-14 22:00 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-06-14 22:00 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-06-14 22:00 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-06-14 21:59 615,992 ----a-w C:\Windows\System32\ci.dll
2008-06-14 21:59 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-06-14 21:59 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-06-14 20:02 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-06-14 20:02 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-14 20:02 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-06-14 20:02 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-06-14 20:02 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-14 20:02 1,695,744 ----a-w C:\Windows\System32\gameux.dll
2008-06-14 19:21 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-06-14 19:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-06-14 19:21 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-06-14 19:20 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-06-14 19:20 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-06-14 08:30 9,216 ----a-w C:\Windows\System32\avgwlntf.dll
2008-06-14 08:30 499,712 ----a-w C:\Windows\System32\msvcp71.dll
2008-06-14 08:23 2,829 ----a-w C:\Windows\War3Unin.pif
2008-06-14 08:23 139,264 ----a-w C:\Windows\War3Unin.exe
2008-06-14 06:36 606,848 ----a-w C:\Windows\flashax.exe
2008-06-14 06:36 33,136 ----a-w C:\Windows\ASScrPro.exe
2008-06-14 06:36 12,288 ----a-w C:\Windows\impborl.dll
2008-06-14 06:17 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-06-14 06:17 315,392 ----a-w C:\Windows\HideWin.exe
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATKOSD2"="C:\Program Files\ATKOSD2\ATKOSD2.exe" [2007-10-17 7737344]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-08-28 655360]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"ASUS Screen Saver Protector"="C:\Windows\ASScrPro.exe" [2008-06-14 33136]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-15 579584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-05 8534560]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-05 81920]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-08-03 C:\Windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-14 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-06-14 18:00 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IFXSPMGT]
--a------ 2007-02-26 12:59 677408 C:\Windows\System32\IFXSPMGT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-06-01 10:05 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-06-20 12:49 451872 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
--a------ 2007-08-02 20:52 778240 C:\Program Files\P4P\P4P.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-06-01 10:06 1629744 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-03-27 16:05 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3238483802-2760087049-2391800019-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{2049D4A5-57E8-4DBD-AB07-63AED08B77B1}C:\\program files\\warcraft iii\\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{A5B8402B-9097-4A9D-95B9-7430B028A2C5}C:\\program files\\warcraft iii\\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{242FC5F0-7BF9-40E9-A478-6A4D00A4718B}C:\\program files\\sierra\\half-life\\hl.exe"= UDP:C:\program files\sierra\half-life\hl.exe:Half-Life Launcher
"UDP Query User{B16E4647-4A99-43A5-99A9-8407F43693DD}C:\\program files\\sierra\\half-life\\hl.exe"= TCP:C:\program files\sierra\half-life\hl.exe:Half-Life Launcher
"TCP Query User{CD360F69-ED0F-46D8-99D0-5D9C71086653}C:\\program files\\warcraft iii\\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{BC7A4298-C4FF-4AB0-A90F-053705C9C86B}C:\\program files\\warcraft iii\\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{155E0F1E-9333-46AC-BC02-5C1045EAE93D}C:\\program files\\vuze\\azureus.exe"= UDP:C:\program files\vuze\azureus.exe:Azureus
"UDP Query User{835AADF0-C329-4C94-AA72-8AFB8CEEDEDE}C:\\program files\\vuze\\azureus.exe"= TCP:C:\program files\vuze\azureus.exe:Azureus
"{EFE18C42-1746-4EFD-9950-67744A56BC7A}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{556C06FB-497F-4EAD-B444-63790CE6F6F0}C:\\program files\\garena\\garena.exe"= UDP:C:\program files\garena\garena.exe:Garena
"UDP Query User{9D1137F8-BF31-4B4E-BC8D-D0BA70BD2B1B}C:\\program files\\garena\\garena.exe"= TCP:C:\program files\garena\garena.exe:Garena
"TCP Query User{87CBB9F5-F938-41F3-804F-25A1A41A8D77}C:\\program files\\garena\\garena.exe"= UDP:C:\program files\garena\garena.exe:Garena
"UDP Query User{8E35C9BC-6216-4F6A-B3E2-8AF7ED9191FA}C:\\program files\\garena\\garena.exe"= TCP:C:\program files\garena\garena.exe:Garena
"{5B64A948-43B7-4E93-A834-89E60459D433}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9463D8A1-6D0D-4882-92F0-E9F769B78F79}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3103C05B-7141-42DB-BC60-570143970DD2}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{06E53254-A41D-4EEA-B19E-6F58836C4983}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 PersonalSecureDrive;PersonalSecureDrive;C:\Windows\system32\drivers\psd.sys [2007-01-23 39080]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-30 809296]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\l160x86.sys [2007-10-31 46592]
R3 Ltn_hyd7700pc;TV tuner device ;C:\Windows\system32\Drivers\Ltn_hyd7700pc.sys [2007-05-18 374144]
R3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys [2007-11-07 34064]
S3 Asushwio;Asushwio;C:\Windows\system32\drivers\Asushwio.sys [2006-10-10 10288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc1cd40d-50ca-11dd-a1a4-001e8cdc9c68}]
\shell\AutoRun\command - G:\Officer.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Peter Avina\AppData\Roaming\Mozilla\Firefox\Profiles\yy5uqdrb.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-05 10:27:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-05 10:29:14
ComboFix-quarantined-files.txt 2008-09-05 00:58:56

Pre-Run: 52,950,298,624 bytes free
Post-Run: 51,918,434,304 bytes free

256 --- E O F --- 2008-09-03 13:49:05

And the latest Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:19 AM, on 5/09/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Personal Files\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A9077BD-05AE-4fdf-AB2E-4128C43C4635} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B415DF91-319A-4ABA-85BC-228DF3D942F7}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Windows\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Windows\system32\ifxtcs.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Windows\system32\IfxPsdSv.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Thanks a lot for your help!
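A triage pass over HijackThis lines of the kind posted above, as an added example that is not part of this thread and not HijackThis or ComboFix code. It parses the one-item-per-line HJT format (R0/R1, O1, O2, O4, O10, O17, O23 ...) and flags the entry types an analyst reads first when the symptom is search-result redirection: hosts-file overrides for anything but localhost, BHOs and Run entries loading from user-writable paths, orphaned BHO registrations, Winsock LSP entries outside the two Vista namespace providers (nlaapi.dll, napinsp.dll), DNS servers outside a caller-supplied expected set, and services whose binary is missing. The sample log lines are constructed for the example (the 192.0.2.x and 203.0.113.x addresses are documentation ranges, the GUIDs and file names are placeholders); the list of expected DNS servers is an assumption the caller must supply, and the svchost.exe exclusion exists because HJT 1.99.1 reports "(file missing)" for every %windir%-relative svchost service on Vista, which is noise rather than a finding.

```python
"""Triage helpers for HijackThis (v1.99-style) log lines.

Added example for the forum thread; not HijackThis or ComboFix code.
Each HJT item is one line: "<kind> - <body>", e.g. "O4 - HKCU\\..\\Run: [x] C:\\path".
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample, modelled on the HJT output format (not from the thread).
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.9 www.google.com
O2 - BHO: (no name) - {7A9077BD-05AE-4fdf-AB2E-4128C43C4635} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Users\\user\\AppData\\Local\\Temp\\helper.dll
O4 - HKLM\\..\\Run: [Sidebar] C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun
O4 - HKCU\\..\\Run: [updater] C:\\Users\\user\\AppData\\Roaming\\svchost.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nlaapi.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B415DF91-319A-4ABA-85BC-228DF3D942F7}: NameServer = 192.0.2.53,192.0.2.54
O23 - Service: Example Service (exsvc) - Unknown owner - C:\\Windows\\system32\\exsvc.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Paths a standard user can write to: anything under AppData, Temp or a user profile.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\[^\\]+)\\", re.IGNORECASE)
# Vista's built-in Winsock namespace providers; HJT 1.99.1 predates Vista and lists them as unknown.
VISTA_NSP = {"nlaapi.dll", "napinsp.dll"}


@dataclass
class Finding:
    kind: str
    severity: str  # "review" (confirm by hand) or "suspicious" (classic hijack pattern)
    reason: str
    line: str


def parse_lines(text: str) -> Iterable[Tuple[str, str, str]]:
    """Yield (kind, body, original line) for every HJT item line; skip headers/process lists."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body"), raw.strip()


def triage(text: str, expected_dns: Iterable[str] = ()) -> List[Finding]:
    """Return findings in log order. expected_dns is the caller's known-good resolver list."""
    expected = {s.strip().lower() for s in expected_dns}
    findings: List[Finding] = []
    for kind, body, line in parse_lines(text):
        if kind == "O1":
            # "Hosts: <ip> <name>": anything but a localhost mapping silently redirects that host.
            parts = body.split(":", 1)[1].split()
            if len(parts) >= 2 and parts[0] not in ("127.0.0.1", "::1"):
                findings.append(Finding(kind, "suspicious", f"hosts override for {parts[1]}", line))
        elif kind == "O2":
            if body.endswith("(no file)"):
                findings.append(Finding(kind, "review", "orphaned BHO registration", line))
            elif USER_WRITABLE.search(body):
                findings.append(Finding(kind, "suspicious", "BHO loaded from user-writable path", line))
        elif kind == "O4":
            if USER_WRITABLE.search(body):
                findings.append(Finding(kind, "suspicious", "autorun from user-writable path", line))
        elif kind == "O10":
            name = body.rsplit("\\", 1)[-1].lower()
            if name not in VISTA_NSP:
                findings.append(Finding(kind, "review", "unrecognised Winsock LSP", line))
        elif kind == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].split(",")
            unknown = [s.strip() for s in servers if s.strip().lower() not in expected]
            if unknown:
                findings.append(Finding(kind, "review", "DNS servers not in expected set: " + ", ".join(unknown), line))
        elif kind == "O23":
            # HJT 1.99.1 prints "(file missing)" for every %windir%-relative svchost service; ignore those.
            if body.endswith("(file missing)") and "svchost.exe" not in body.lower():
                findings.append(Finding(kind, "review", "service binary missing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_dns=("192.0.2.53",)):
        print(f"[{f.severity:>10}] {f.kind}: {f.reason}\n    {f.line}")
```

The heuristics are deliberately conservative: a Run entry or BHO under a user profile is not proof of infection, and a resolver outside the expected set may simply be the ISP's, so both are surfaced for a human to confirm rather than acted on automatically.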
Old 09-04-2008, 08:49 PM   #8 (permalink)
Analyst, Security Team
Join Date: Mar 2006
Location: Los Angeles
Posts: 627
OS: Windows XP Home SP3

Re: Browser Redirection Hijack: log info here please help

Hi,

Before we continue, please go to this website, and complete the form as follows:



Link to topic where this file was requested: http://www.techsupportforum.com/secu...ease-help.html

Browse to the file you want to submit:

Click Browse, and navigate to the following file:

C:\Windows\System32\css2_32.dll

Leave any comments, further information about this file, or contact information: From screen317 for TonyKlein


Repeat with this file:
C:\Windows\System32\msonpmon.dll

-screen317
__________________
†Lord, have mercy on us†

Old 09-05-2008, 02:39 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Windows Vista 32-Bit


Re: Browser Redirection Hijack: log info here please help

Done and done.
Old 09-05-2008, 03:34 PM   #10 (permalink)
Analyst, Security Team
Join Date: Mar 2006
Location: Los Angeles
Posts: 627
OS: Windows XP Home SP3

Re: Browser Redirection Hijack: log info here please help

Hi,

Please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the Code box below into Notepad:

Quote:
http://www.techsupportforum.com/security-center/hijackthis-log-help/283540-browser-redirection-hijack-log-info-here-please-help.html
KILLALL::
Collect::
C:\Windows\System32\css2_32.dll
C:\Windows\System32\msonpmon.dll
Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Additionally, when ComboFix finishes running, it will display its log and it will prompt you to submit a file for analysis; please follow its instructions.

-screen317
__________________
†Lord, have mercy on us†

Old 09-05-2008, 11:01 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Windows Vista 32-Bit


Re: Browser Redirection Hijack: log info here please help

Here's the latest Combofix log:

ComboFix 08-09-04.02 - Peter Avina 2008-09-06 13:08:28.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1124 [GMT 9.5:30]
Running from: C:\Users\Peter Avina\Desktop\ComboFix.exe
Command switches used :: C:\Users\Peter Avina\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\css2_32.dll
C:\Windows\System32\msonpmon.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.

2008-09-04 18:15 . 2008-09-04 18:15 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\Malwarebytes
2008-09-04 18:15 . 2008-09-04 18:15 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-09-04 18:15 . 2008-09-04 18:15 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-09-04 18:15 . 2008-09-04 18:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-04 18:15 . 2008-09-02 00:16 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-04 18:15 . 2008-09-02 00:16 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-09-04 17:47 . 2008-07-19 14:39 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-09-04 17:47 . 2008-07-19 13:14 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-09-04 17:47 . 2008-07-19 14:40 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-09-04 17:47 . 2008-07-19 14:40 45,768 --a------ C:\Windows\System32\wups2.dll
2008-09-04 17:46 . 2008-07-19 14:39 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-09-04 17:46 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-09-04 17:46 . 2008-07-19 13:14 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-09-04 17:46 . 2008-07-19 14:40 36,552 --a------ C:\Windows\System32\wups.dll
2008-09-04 17:46 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\ScanSoft
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\Users\All Users\ScanSoft
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\Users\All Users\InstallShield
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\ProgramData\ScanSoft
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\ProgramData\InstallShield
2008-08-23 17:35 . 2008-08-23 17:35 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-08-23 17:35 . 2008-08-23 17:35 412 --a------ C:\Windows\MAXLINK.INI
2008-08-23 17:34 . 2008-08-23 17:34 <DIR> d-------- C:\Program Files\ScanSoft
2008-08-23 17:31 . 2008-08-23 17:31 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\Canon
2008-08-23 16:35 . 2008-08-23 16:35 <DIR> d-------- C:\Program Files\Common Files\CANON
2008-08-23 16:34 . 2008-08-23 16:34 <DIR> d--h----- C:\Users\All Users\CanonBJ
2008-08-23 16:34 . 2008-08-23 16:34 <DIR> d--h----- C:\ProgramData\CanonBJ
2008-08-23 16:33 . 2008-08-23 16:33 <DIR> d--h----- C:\Windows\System32\CanonIJ Uninstaller Information
2008-08-23 16:32 . 2007-04-16 05:30 215,040 --a------ C:\Windows\System32\CNMLM93.DLL
2008-08-23 16:31 . 2008-08-23 16:31 <DIR> d--h----- C:\Program Files\CanonBJ
2008-08-23 16:31 . 2007-03-23 17:00 1,400,832 --a------ C:\Windows\System32\CNC610C.DLL
2008-08-23 16:31 . 2007-04-13 15:16 200,704 --a------ C:\Windows\System32\CNC610L.DLL
2008-08-23 16:31 . 2007-03-15 14:42 188,416 --a------ C:\Windows\System32\CNC610O.DLL
2008-08-23 16:31 . 2007-03-23 16:59 98,304 --a------ C:\Windows\System32\CNC610I.DLL
2008-08-23 16:29 . 2008-08-23 16:35 <DIR> d-------- C:\Program Files\Canon
2008-08-23 03:45 . 2008-08-23 03:46 <DIR> d-------- C:\Program Files\RegCure
2008-08-23 02:57 . 2008-08-23 02:57 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-08-23 02:57 . 2008-08-23 02:57 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-08-22 16:43 . 2008-08-22 16:43 <DIR> d-------- C:\Program Files\MSECache
2008-08-21 19:27 . 2008-08-21 19:27 <DIR> dr------- C:\Users\Public\Documents
2008-08-21 19:04 . 2008-08-21 19:04 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-08-21 19:03 . 2008-08-21 19:03 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-08-21 19:02 . 2008-08-21 19:02 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-08-21 18:58 . 2008-08-21 18:58 <DIR> dr-h----- C:\MSOCache
2008-08-21 13:50 . 2008-08-21 14:00 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-08-21 13:50 . 2008-08-21 14:00 <DIR> d-------- C:\ProgramData\Lavasoft
2008-08-21 13:50 . 2008-08-21 13:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-21 13:49 . 2008-08-21 13:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-15 21:10 . 2008-08-21 19:19 <DIR> d-------- C:\Program Files\Microsoft Works
2008-08-15 20:59 . 2008-08-21 18:53 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-08-15 20:59 . 2008-08-21 18:53 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-08-15 20:56 . 2008-08-15 20:56 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-08-15 20:49 . 2008-08-15 20:49 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\DAEMON Tools
2008-08-15 20:49 . 2008-08-15 20:49 717,296 --a------ C:\Windows\System32\drivers\sptd.sys
2008-08-14 16:26 . 2008-07-16 11:02 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 16:20 . 2008-06-27 11:25 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-14 16:20 . 2008-06-27 13:45 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-14 16:20 . 2008-06-19 13:01 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-14 16:20 . 2008-04-18 15:18 269,312 --a------ C:\Windows\System32\es.dll
2008-08-14 15:26 . 2005-01-23 04:42 679,936 --a------ C:\Windows\System32\D3DX81ab.dll
2008-08-14 15:25 . 2008-08-14 15:39 <DIR> d-------- C:\Program Files\WC3Banlist
2008-08-14 15:24 . 2008-08-14 15:24 <DIR> d-------- C:\Program Files\WinPcap
2008-08-13 21:38 . 2008-09-05 22:05 <DIR> d-------- C:\Program Files\Garena
2008-08-12 22:54 . 2008-08-12 22:57 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-12 22:53 . 2008-08-12 22:53 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-08-12 22:53 . 2008-08-12 22:53 <DIR> d-------- C:\ProgramData\WLInstaller
2008-08-12 22:53 . 2008-08-12 22:59 <DIR> d-------- C:\Program Files\Windows Live
2008-08-10 16:19 . 2008-08-10 16:19 66 --a------ C:\Windows\wininit.ini
2008-08-10 13:48 . 2008-08-20 03:56 <DIR> dr-h----- C:\$VAULT$.AVG
2008-08-09 22:42 . 2008-08-23 03:46 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\Azureus
2008-08-09 22:42 . 2008-08-09 22:42 <DIR> d-------- C:\Users\All Users\Azureus
2008-08-09 22:42 . 2008-08-09 22:42 <DIR> d-------- C:\ProgramData\Azureus
2008-08-09 22:41 . 2008-08-09 22:42 <DIR> d-------- C:\Program Files\Vuze
2008-08-09 18:07 . 2008-08-09 18:07 <DIR> dr------- C:\Users\Public\Recorded TV
2008-08-07 17:45 . 2008-08-07 17:45 <DIR> d-------- C:\Users\Peter Avina\AppData\Roaming\PeerNetworking

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 04:32 45,056 ----a-w C:\Windows\System32\acovcnt.exe
2008-09-06 02:08 --------- d-----w C:\Users\Peter Avina\AppData\Roaming\AVG7
2008-09-05 16:27 28,409 ----a-w C:\Users\Peter Avina\AppData\Roaming\nvModes.dat
2008-09-05 16:23 --------- d-----w C:\Program Files\Warcraft III
2008-08-28 04:37 --------- d-----w C:\ProgramData\ASUS
2008-08-23 08:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-21 09:22 --------- d-----w C:\Program Files\MSBuild
2008-08-13 12:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 10:44 --------- d-----w C:\Users\Peter Avina\AppData\Roaming\Winamp
2008-08-07 22:38 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-08-07 22:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-19 05:26 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-17 22:17 174 --sha-w C:\Program Files\desktop.ini
2008-06-17 21:52 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-17 21:52 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-14 22:00 988,216 ----a-w C:\Windows\System32\winload.exe
2008-06-14 22:00 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-06-14 22:00 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-06-14 22:00 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-06-14 22:00 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-06-14 22:00 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-06-14 22:00 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-06-14 21:59 615,992 ----a-w C:\Windows\System32\ci.dll
2008-06-14 21:59 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-06-14 21:59 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-06-14 20:02 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-06-14 20:02 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-14 20:02 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-06-14 20:02 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-06-14 20:02 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-14 20:02 1,695,744 ----a-w C:\Windows\System32\gameux.dll
2008-06-14 19:21 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-06-14 19:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-06-14 19:21 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-06-14 19:20 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-06-14 19:20 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-06-14 08:30 9,216 ----a-w C:\Windows\System32\avgwlntf.dll
2008-06-14 08:30 499,712 ----a-w C:\Windows\System32\msvcp71.dll
2008-06-14 08:23 2,829 ----a-w C:\Windows\War3Unin.pif
2008-06-14 08:23 139,264 ----a-w C:\Windows\War3Unin.exe
2008-06-14 06:36 606,848 ----a-w C:\Windows\flashax.exe
2008-06-14 06:36 33,136 ----a-w C:\Windows\ASScrPro.exe
2008-06-14 06:36 12,288 ----a-w C:\Windows\impborl.dll
2008-06-14 06:17 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-06-14 06:17 315,392 ----a-w C:\Windows\HideWin.exe
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-05_10.28.12.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-04 1031 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-06 04:32:14 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-06 04:32:14 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-09-04 1026 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-06 04:32:14 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-06 04:32:14 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-09-03 0740 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-06 01:03:41 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-03 0740 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-06 01:03:41 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-03 0740 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-06 01:03:41 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-04 23:00:28 105,852 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-06 01:10:41 105,852 ----a-w C:\Windows\System32\perfc009.dat
- 2008-09-04 23:00:28 600,378 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-06 01:10:41 600,378 ----a-w C:\Windows\System32\perfh009.dat
- 2008-09-04 10:07:33 7,326 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3238483802-2760087049-2391800019-1000_UserData.bin
+ 2008-09-06 0115 7,326 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3238483802-2760087049-2391800019-1000_UserData.bin
- 2008-09-04 10:07:33 74,026 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-06 0115 74,336 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-04 10:07:32 40,476 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-06 0114 40,492 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-30 1829712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATKOSD2"="C:\Program Files\ATKOSD2\ATKOSD2.exe" [2007-10-17 7737344]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-08-28 655360]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"ASUS Screen Saver Protector"="C:\Windows\ASScrPro.exe" [2008-06-14 33136]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-15 579584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-05 8534560]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-05 81920]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-08-03 C:\Windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-14 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-06-14 18:00 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IFXSPMGT]
--a------ 2007-02-26 12:59 677408 C:\Windows\System32\IFXSPMGT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-06-01 10:05 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-06-20 12:49 451872 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
--a------ 2007-08-02 20:52 778240 C:\Program Files\P4P\P4P.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-06-01 10:06 1629744 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-03-27 16:05 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3238483802-2760087049-2391800019-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{2049D4A5-57E8-4DBD-AB07-63AED08B77B1}C:\\program files\\warcraft iii\\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{A5B8402B-9097-4A9D-95B9-7430B028A2C5}C:\\program files\\warcraft iii\\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{242FC5F0-7BF9-40E9-A478-6A4D00A4718B}C:\\program files\\sierra\\half-life\\hl.exe"= UDP:C:\program files\sierra\half-life\hl.exe:Half-Life Launcher
"UDP Query User{B16E4647-4A99-43A5-99A9-8407F43693DD}C:\\program files\\sierra\\half-life\\hl.exe"= TCP:C:\program files\sierra\half-life\hl.exe:Half-Life Launcher
"TCP Query User{CD360F69-ED0F-46D8-99D0-5D9C71086653}C:\\program files\\warcraft iii\\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{BC7A4298-C4FF-4AB0-A90F-053705C9C86B}C:\\program files\\warcraft iii\\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{155E0F1E-9333-46AC-BC02-5C1045EAE93D}C:\\program files\\vuze\\azureus.exe"= UDP:C:\program files\vuze\azureus.exe:Azureus
"UDP Query User{835AADF0-C329-4C94-AA72-8AFB8CEEDEDE}C:\\program files\\vuze\\azureus.exe"= TCP:C:\program files\vuze\azureus.exe:Azureus
"{EFE18C42-1746-4EFD-9950-67744A56BC7A}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{556C06FB-497F-4EAD-B444-63790CE6F6F0}C:\\program files\\garena\\garena.exe"= UDP:C:\program files\garena\garena.exe:Garena
"UDP Query User{9D1137F8-BF31-4B4E-BC8D-D0BA70BD2B1B}C:\\program files\\garena\\garena.exe"= TCP:C:\program files\garena\garena.exe:Garena
"TCP Query User{87CBB9F5-F938-41F3-804F-25A1A41A8D77}C:\\program files\\garena\\garena.exe"= UDP:C:\program files\garena\garena.exe:Garena
"UDP Query User{8E35C9BC-6216-4F6A-B3E2-8AF7ED9191FA}C:\\program files\\garena\\garena.exe"= TCP:C:\program files\garena\garena.exe:Garena
"{5B64A948-43B7-4E93-A834-89E60459D433}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9463D8A1-6D0D-4882-92F0-E9F769B78F79}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3103C05B-7141-42DB-BC60-570143970DD2}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{06E53254-A41D-4EEA-B19E-6F58836C4983}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

R1 PersonalSecureDrive;PersonalSecureDrive;C:\Windows\system32\drivers\psd.sys [2007-01-23 39080]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-30 809296]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\l160x86.sys [2007-10-31 46592]
R3 Ltn_hyd7700pc;TV tuner device ;C:\Windows\system32\Drivers\Ltn_hyd7700pc.sys [2007-05-18 374144]
S3 Asushwio;Asushwio;C:\Windows\system32\drivers\Asushwio.sys [2006-10-10 10288]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys [2007-11-07 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc1cd40d-50ca-11dd-a1a4-001e8cdc9c68}]
\shell\AutoRun\command - G:\Officer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 14:02:22
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\ATK Hotkey\AsLdrSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Windows\System32\IFXTCS.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\IfxPsdSv.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\ATK Hotkey\HControl.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Windows\System32\ACEngSvr.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\KBFiltr.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-09-06 14:07:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-06 04:37:11
ComboFix2.txt 2008-09-05 00:59:15

Pre-Run: 51,778,244,608 bytes free
Post-Run: 51,342,127,104 bytes free

301 --- E O F --- 2008-09-06 01:24:12

And the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:28:40 PM, on 6/09/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\prevhost.exe
D:\Personal Files\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B415DF91-319A-4ABA-85BC-228DF3D942F7}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Windows\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Windows\system32\ifxtcs.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Windows\system32\IfxPsdSv.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Thanks!

Old 09-07-2008, 03:17 AM   #12 (permalink)
screen317 - Analyst, Security Team
Join Date: Mar 2006
Location: Los Angeles
Posts: 627
OS: Windows XP Home SP3

Re: Browser Redirection Hijack: log info here please help

Hi,

Note that the antivirus on your computer, AVG7, is outdated and has been replaced by AVG8; however, AVG8 now bundles AVG Antispyware and some BHOs that really slow things down... I recommend uninstalling AVG7 and replacing it with either avast! (which I use) or AntiVir, which is also excellent.

After that, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


After that, please download JavaRa and unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.

Follow any prompts; a log will pop up (JavaRa.log). Please post the contents of this log.

-screen317
__________________
†Gospodine, smiluj se nama†


Old 09-08-2008, 03:58 AM   #13 (permalink)
onime1 - Registered User
Join Date: Aug 2008
Posts: 10
OS: Windows Vista 32-Bit

Re: Browser Redirection Hijack: log info here please help

OK, thanks for the tip. I uninstalled AVG and installed avast!.

I then did the subsequent steps as described, using IE7 to open the Kaspersky Online Scanner tool. I had never installed this before, and I closed all windows and turned off other real-time scanners as suggested. Everything went fine; however, there were no infected files detected. I went to save the report file as a text file, but I could not see it after I exited the 'save window' and manually went to the location where I had apparently saved it, i.e. the desktop. I don't know whether that's because there was nothing to report?

With JavaRa, I followed the instructions and the prompts up to the point where it said 'JavaRa will now open its logfile' after 'finished searching...'. I clicked OK to close the window, expecting the logfile to be opened, but nothing came up even after I waited several minutes. I then tried to manually go to the location where it said the logfile was saved, i.e. the C drive, but it wasn't there (for this and the previous one I had 'show hidden files and protected system files' checked).

I don't know where I could have gone wrong. By the way, is there a purpose to this? I think the original problem of Google search redirection is gone, but if you're helping me to clear my system then that is certainly still welcome!

Old 09-09-2008, 04:18 PM   #14 (permalink)
screen317 - Analyst, Security Team
Join Date: Mar 2006
Location: Los Angeles
Posts: 627
OS: Windows XP Home SP3

Re: Browser Redirection Hijack: log info here please help

Hi,

Good that Kaspersky didn't find anything.

Don't worry about JavaRa; feel free to delete it; it just clears old Java versions.

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Post a fresh HijackThis log (hopefully the last one), then if all is clear, I'll send you home with recommendations for keeping your computer safe in the future.

screen317
__________________
†Gospodine, smiluj se nama†


Old 09-09-2008, 05:19 PM   #15 (permalink)
onime1 - Registered User
Join Date: Aug 2008
Posts: 10
OS: Windows Vista 32-Bit

Re: Browser Redirection Hijack: log info here please help

Cool, here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:47:33 AM, on 10/09/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ASScrPro.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Vuze\Azureus.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Personal Files\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B415DF91-319A-4ABA-85BC-228DF3D942F7}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Thanks!
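Reading a log like the one above by eye is how the analyst decides whether a machine is clean. As an added example (not code from this thread or from HijackThis), the Python script below parses a few lines constructed from the final log and pulls out the three things a reviewer checks first for a search-redirect complaint: the O17 DNS resolvers, compared against a trusted network list the reviewer supplies (an assumption; in this thread the 192.231.203.x addresses were accepted as legitimate), O23 services reported as "(file missing)", and O4 Run entries that go through RUNDLL32.

```python
"""HijackThis log triage (added example; not code from the thread or from HijackThis).

Parses the line types seen in the logs above and reports what a reviewer
checks first for a search-redirect complaint.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: lines copied from the thread's final HijackThis log.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O17 - HKLM\System\CCS\Services\Tcpip\..\{B415DF91-319A-4ABA-85BC-228DF3D942F7}: NameServer = 192.231.203.132,192.231.203.3
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
"""

# Every HijackThis item starts with a section code (R0, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def dns_servers(entries) -> List[str]:
    """Resolver addresses from O17 NameServer entries (the DNS-changer check)."""
    ips = []
    for section, body in entries:
        if section == "O17" and "NameServer" in body:
            _, _, value = body.partition("NameServer =")
            for token in value.split(","):
                try:
                    ips.append(str(ipaddress.ip_address(token.strip())))
                except ValueError:
                    continue  # not an address (e.g. a hostname); ignore
    return ips


def unexpected_dns(entries, trusted_nets) -> List[str]:
    """O17 resolvers outside the reviewer's known-good networks.

    trusted_nets is supplied by the reviewer (ISP, router, public resolvers);
    it is an assumption of this example, not something the log can tell you.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return [ip for ip in dns_servers(entries)
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


def missing_services(entries) -> List[str]:
    """O23 services whose binary HijackThis reports as '(file missing)'."""
    return [body for section, body in entries
            if section == "O23" and body.endswith("(file missing)")]


def rundll_autoruns(entries) -> List[Tuple[str, str]]:
    """O4 Run entries launched through RUNDLL32: the DLL, not the host, matters."""
    found = []
    for section, body in entries:
        if section != "O4":
            continue
        m = re.search(r"\[([^\]]+)\]\s+(.*)$", body)
        if m and m.group(2).upper().startswith("RUNDLL32"):
            found.append((m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    items = parse_hjt(SAMPLE_LOG)
    print("DNS resolvers:", dns_servers(items))
    print("Unexpected resolvers:", unexpected_dns(items, ["192.231.203.0/24"]))
    print("Services with missing files:", missing_services(items))
    print("RUNDLL32 autoruns:", rundll_autoruns(items))
```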

Old 09-09-2008, 09:38 PM   #16 (permalink)
screen317 - Analyst, Security Team
Join Date: Mar 2006
Location: Los Angeles
Posts: 627
OS: Windows XP Home SP3

Re: Browser Redirection Hijack: log info here please help

Hi,

Good work. Your log appears to be clean!

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Comodo
Kerio
Outpost

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

4) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

5) Be sure to update your Antivirus and Antispyware programs often!


Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?
Safe surfing,

-screen317
__________________
†Lord, have mercy on us†

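Step 3 above works by adding domains to Internet Explorer's Restricted sites zone, which is stored as one registry key per domain under `ZoneMap\Domains` with a `*` value of 4 (the Restricted zone id). The following is editor-supplied example code, not IE-Spyad's own list or installer: it builds a `.reg` file from a domain list in that layout so the mechanism can be seen and audited. The domains are constructed placeholders, and the code assumes the per-user (HKCU) ZoneMap key, which is the one Internet Explorer consults for the current user.

```python
import re

# Zone ids used by Internet Explorer's ZoneMap: 4 is "Restricted sites".
ZONE_RESTRICTED = 4
# Per-user zone map; a key per domain, value "*" = zone id applies to every scheme.
ZONEMAP_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\ZoneMap\Domains"
)
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

# Constructed placeholder domains, not taken from IE-Spyad or the thread.
SAMPLE_DOMAINS = ["Example-Bad-Site.test", " tracker.example.test ", "example-bad-site.test"]


def normalize_domain(raw: str) -> str:
    """Lower-case, trim, strip a trailing dot; reject anything that is not a bare host."""
    d = raw.strip().lower().rstrip(".")
    if not HOSTNAME_RE.match(d):
        raise ValueError(f"not a bare domain name: {raw!r}")
    return d


def restricted_sites_reg(domains) -> str:
    """Return the text of a .reg file placing each domain in the Restricted zone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in sorted({normalize_domain(x) for x in domains if x.strip()}):
        lines.append(f"[{ZONEMAP_KEY}\\{d}]")
        lines.append(f'"*"=dword:{ZONE_RESTRICTED:08x}')
        lines.append("")
    return "\n".join(lines)


def count_entries(reg_text: str) -> int:
    """How many domain keys a generated .reg file contains (useful when auditing a list)."""
    return sum(1 for line in reg_text.splitlines() if line.startswith(f"[{ZONEMAP_KEY}\\"))


if __name__ == "__main__":
    print(restricted_sites_reg(SAMPLE_DOMAINS))
```

Because the result is plain text, a list from any source can be diffed, deduplicated and reviewed before it is imported; the same `count_entries` check tells you whether a large list really carries the number of domains it claims.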
Old 09-10-2008, 02:27 AM   #17 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Windows Vista 32-Bit


Re: Browser Redirection Hijack: log info here please help

Thank you so much! I'll be sure to follow your instructions which by the way were always so clear and straightforward. I really didn't want to reformat so you have saved me a lot of trouble. Thanks again!
Copyright 2001 - 2009, Tech Support Forum
