Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 12-02-2008, 07:32 AM   #1 (permalink)
MICKFLAN (Registered User)
Join Date: Dec 2007
Posts: 9
OS: WINXP


Constant page re-directing and trojan horse

Hi,
My son has been using my computer the last couple of days and now I keep getting redirected to web pages unknown to me. I have done a virus scan which says I have a trojan downloader, but I think that has been removed. I have done an S&D scan in safe mode which says it has fixed some problems, but I just can't seem to get rid of the redirecting of web pages. Here are all my logs.


DDS (Version 1.0) - NTFSx86
Run by mick at 14:21:08.81 on 02/12/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1381 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\mick\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - c:\program files\windows live\messenger\wlchtc.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [kdx] c:\program files\KHost.exe -all
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [ScanSoft OmniPage SE 4.0-reminder] "c:\program files\scansoft\omnipagese4.0\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipagese4.0\ereg\ereg.ini"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [btbb_wcm_McciTrayApp] "c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\exif launcher\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: DisableTaskMgr = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoDispScrSavPage = 0 (0x0)
uPolicies-system: NoDispCPL = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-system: DisableTaskMgr = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {D0C0394E-F79C-40F4-B706-0798889DE8EF} = 85.255.112.145;85.255.112.150
TCP: {F348B908-B114-4C14-8F27-849D438116FA} = 85.255.112.145;85.255.112.150
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-10 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-10 26824]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-10 76040]
R2 McciCMService;McciCMService;"c:\program files\common files\motive\McciCMService.exe" [2008-10-31 303104]
R3 MRESP50;MRESP50 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MRESP50.SYS [2008-10-31 20096]
R3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2008-11-16 167424]
S2 713xTVCard;SAA7134 TV Card;c:\windows\system32\drivers\SAA713x.sys [2005-3-15 277504]
S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2008-1-2 945920]
S3 Cap7134;Philips Cap7134 Capture;c:\windows\system32\drivers\Cap7134.sys []
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-6 31592]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-5-23 13352]
S3 MREMP50;MREMP50 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MREMP50.SYS [2008-10-31 21248]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MREMP50a64.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MRESP50a64.SYS []
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-6 175872]

=============== Created Last 30 ================

2008-12-02 14:03 250 a------- c:\windows\gmer.ini
2008-12-02 13:14 <DIR> --d----- C:\VundoFix Backups
2008-12-01 22:18 241 a------- c:\windows\wininit.ini
2008-12-01 16:18 <DIR> --dshr-- C:\resycled
2008-12-01 13:28 860,160 a------- c:\windows\system32\xVideoOCX.ocx
2008-12-01 13:28 137,000 a------- c:\windows\system32\msmapi32.ocx
2008-12-01 13:28 103,744 a------- c:\windows\system32\MSCOMM32.ocx
2008-12-01 13:28 26,896 a------- c:\windows\system32\hh.exe
2008-12-01 13:28 <DIR> --d----- c:\program files\Studio Surveillance
2008-12-01 00:32 2,657 a------- C:\timhillone.mov
2008-12-01 00:32 785 a------- C:\qtviewer.html
2008-12-01 00:32 620 a------- C:\qtviewer.smil
2008-12-01 00:18 <DIR> --d----- C:\TimHO_Rec
2008-12-01 00:11 <DIR> --d----- c:\program files\LEDSET
2008-11-24 11:42 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{174BEB07-CB76-4EAC-91FD-95CD34E9901B}
2008-11-24 11:42 <DIR> --d----- c:\program files\Karaoke Zip Scanner
2008-11-22 16:35 <DIR> a-d----- C:\Myriad
2008-11-16 19:18 0 a------- c:\windows\system32\swunilog.ini
2008-11-16 19:18 237,568 a----r-- c:\windows\system32\SiSWPars.dll
2008-11-16 19:18 167,424 a----r-- c:\windows\system32\drivers\sis163u.sys
2008-11-16 19:18 155,648 a----r-- c:\windows\system32\SiSWInst.dll
2008-11-16 19:18 49,152 a----r-- c:\windows\system32\SiSWBase.dll
2008-11-13 08:12 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 08:12 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-06 19:27 175,872 a------- c:\windows\system32\drivers\RTL8187.sys

==================== Find3M ====================

2008-12-02 11:41 <DIR> --d----- c:\program files\eMule
2008-12-01 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-01 21:10 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-30 20:27 <DIR> --d----- c:\program files\MP3+G Toolz .NET 4
2008-11-23 13:04 <DIR> --d----- c:\program files\Karaoke Song List Creator
2008-11-18 07:06 <DIR> --d----- c:\program files\Xfire
2008-11-17 21:16 <DIR> --d----- c:\docume~1\mick\applic~1\Xfire
2008-11-03 20:23 183,120 a------- c:\windows\system32\PnkBstrB.exe
2008-10-31 09:57 <DIR> --d----- c:\program files\BT Broadband Desktop Help
2008-10-31 09:56 <DIR> --d----- c:\program files\common files\Motive
2008-10-30 01:24 42,320 a------- c:\windows\system32\xfcodec.dll
2008-10-20 23:25 <DIR> --d----- c:\program files\SpeedFan
2008-10-20 15:03 <DIR> --d----- c:\program files\Total Video2DVD Author
2008-10-20 15:02 <DIR> --d----- c:\program files\Sony Ericsson
2008-10-20 15:01 <DIR> --d----- c:\program files\k4uTool
2008-10-20 15:00 <DIR> --d----- c:\program files\IKEA Home Planner Kitchen
2008-10-20 15:00 <DIR> --d----- c:\program files\Canon
2008-10-20 15:00 <DIR> --d----- c:\program files\dvdSanta
2008-10-20 14:59 <DIR> --d----- c:\program files\BulletProof MP3 Ripper
2008-10-20 14:59 <DIR> --d----- c:\program files\Axis Communications
2008-10-20 14:58 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\ActiveSMART
2008-10-18 18:53 <DIR> --d----- c:\program files\MagicISO
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-13 05:22 <DIR> --d----- c:\program files\Microsoft
2008-10-13 05:21 <DIR> --d----- c:\program files\common files\Windows Live
2008-10-05 19:18 <DIR> --d----- c:\program files\Devnz
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-17 22:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Maxtor
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-10 18:06 <DIR> --d----- c:\docume~1\mick\applic~1\TVU Networks
2008-09-10 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TVU Networks
2008-09-10 01:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-08 23:03 51,712 a------- c:\windows\system32\sirenacm.dll
2008-09-04 17:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-23 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IM
2008-08-23 10:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IncrediMail
2008-07-07 06:40 <DIR> --d----- c:\docume~1\mick\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-06-21 09:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kontiki
2008-06-21 09:28 <DIR> --d----- c:\docume~1\mick\applic~1\{3F3C1848-EDD1-411D-B240-F91B269B86A0}
2008-06-18 19:15 <DIR> --d----- c:\docume~1\mick\applic~1\vlc
2008-06-05 11:24 <DIR> --d----- c:\docume~1\mick\applic~1\Samsung
2008-06-02 21:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2008-05-23 16:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sony Ericsson
2008-05-10 10:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-05-04 14:02 <DIR> --d----- c:\docume~1\mick\applic~1\SopCast
2008-05-04 13:55 <DIR> --d----- c:\docume~1\mick\applic~1\PPMate
2008-03-12 08:42 <DIR> --d----- c:\docume~1\mick\applic~1\MSN6
2008-02-14 10:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2008-01-05 22:37 <DIR> --d----- c:\docume~1\mick\applic~1\Canon
2008-01-05 22:19 <DIR> --d----- c:\docume~1\mick\applic~1\ScanSoft
2008-01-03 21:18 <DIR> --d----- c:\docume~1\mick\applic~1\mIRC
2008-07-13 06:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071320080714\index.dat

============= FINISH: 14:21:21.06 ===============
Attached Files
File Type: txt Gmer.txt (25.7 KB, 2 views)
File Type: txt Attach.txt (5.4 KB, 3 views)

Old 12-02-2008, 03:38 PM   #2 (permalink)
Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Oct 2006
Posts: 4,580
OS: Vista


Re: Constant page re-directing and trojan horse

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Old 12-03-2008, 09:15 AM   #3 (permalink)
MICKFLAN (Registered User)
Join Date: Dec 2007
Posts: 9
OS: WINXP


Re: Constant page re-directing and trojan horse

Thanks for the reply, here is the ComboFix log.

ComboFix 08-12-01.03 - mick 2008-12-02 23:29:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1441 [GMT 0:00]
Running from: c:\documents and settings\mick\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-19 22:20 . 2008-06-19 19:27 <DIR> d-------- c:\documents and settings\Administrator
2008-12-19 22:19 . 2008-12-19 22:19 268 --ah----- C:\sqmdata02.sqm
2008-12-19 22:19 . 2008-12-19 22:19 244 --ah----- C:\sqmnoopt02.sqm
2008-12-19 22:15 . 2008-12-19 22:15 <DIR> d-------- c:\windows\Sun
2008-12-19 22:15 . 2008-12-19 22:15 268 --ah----- C:\sqmdata01.sqm
2008-12-19 22:15 . 2008-12-19 22:15 244 --ah----- C:\sqmnoopt01.sqm
2008-12-19 22:14 . 2008-09-24 17:19 <DIR> d-------- c:\program files\Java
2008-12-19 22:11 . 2008-12-19 22:11 <DIR> d-------- c:\program files\Common Files\Java
2008-12-02 14:03 . 2008-12-02 14:06 250 --a------ c:\windows\gmer.ini
2008-12-02 13:14 . 2008-12-02 13:14 <DIR> d-------- C:\VundoFix Backups
2008-12-01 22:18 . 2008-12-02 09:57 241 --a------ c:\windows\wininit.ini
2008-12-01 13:28 . 2008-12-01 13:28 <DIR> d-------- c:\program files\Studio Surveillance
2008-12-01 13:28 . 2005-09-10 20:09 860,160 --a------ c:\windows\system32\xVideoOCX.ocx
2008-12-01 13:28 . 1998-06-24 00:00 137,000 --a------ c:\windows\system32\msmapi32.ocx
2008-12-01 13:28 . 1998-06-24 00:00 103,744 --a------ c:\windows\system32\MSCOMM32.ocx
2008-12-01 13:28 . 2001-05-08 05:00 26,896 --a------ c:\windows\system32\hh.exe
2008-12-01 00:32 . 2008-12-01 00:32 2,657 --a------ C:\timhillone.mov
2008-12-01 00:32 . 2008-12-01 00:32 785 --a------ C:\qtviewer.html
2008-12-01 00:32 . 2008-12-01 00:32 620 --a------ C:\qtviewer.smil
2008-12-01 00:18 . 2008-12-01 16:17 <DIR> d-------- C:\TimHO_Rec
2008-12-01 00:11 . 2008-12-01 00:11 <DIR> d-------- c:\program files\LEDSET
2008-11-30 11:29 . 2008-12-02 14:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-24 11:42 . 2008-11-24 11:42 <DIR> d-------- c:\program files\Karaoke Zip Scanner
2008-11-24 11:42 . 2008-11-24 11:42 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{174BEB07-CB76-4EAC-91FD-95CD34E9901B}
2008-11-22 16:35 . 2008-11-28 22:27 <DIR> d-a------ C:\Myriad
2008-11-16 19:18 . 2004-09-27 04:54 237,568 -ra------ c:\windows\system32\SiSWPars.dll
2008-11-16 19:18 . 2004-12-31 07:47 167,424 -ra------ c:\windows\system32\drivers\sis163u.sys
2008-11-16 19:18 . 2004-09-27 04:54 155,648 -ra------ c:\windows\system32\SiSWInst.dll
2008-11-16 19:18 . 2004-09-27 04:54 49,152 -ra------ c:\windows\system32\SiSWBase.dll
2008-11-16 19:18 . 2008-11-16 19:18 0 --a------ c:\windows\system32\swunilog.ini
2008-11-13 08:12 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 08:12 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-06 19:27 . 2006-05-22 19:35 175,872 --a------ c:\windows\system32\drivers\RTL8187.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 11:41 --------- d-----w c:\program files\eMule
2008-12-01 23:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 21:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-30 20:27 --------- d-----w c:\program files\MP3+G Toolz .NET 4
2008-11-30 11:30 --------- d-----w c:\program files\Google
2008-11-30 09:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-24 17:08 67,864 ----a-w c:\documents and settings\mick\Application Data\GDIPFONTCACHEV1.DAT
2008-11-23 13:04 --------- d-----w c:\program files\Karaoke Song List Creator
2008-11-18 07:06 --------- d-----w c:\program files\Xfire
2008-11-17 21:16 --------- d-----w c:\documents and settings\mick\Application Data\Xfire
2008-11-03 20:23 183,120 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-03 20:23 137,480 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-31 10:03 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-10-31 09:58 --------- d-----w c:\documents and settings\mick\Application Data\Motive
2008-10-31 09:57 --------- d-----w c:\program files\BT Broadband Desktop Help
2008-10-31 09:56 --------- d-----w c:\program files\Common Files\Motive
2008-10-30 01:24 42,320 ----a-w c:\windows\system32\xfcodec.dll
2008-10-26 09:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 22:36 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-20 23:25 --------- d-----w c:\program files\SpeedFan
2008-10-20 15:03 --------- d-----w c:\program files\Total Video2DVD Author
2008-10-20 15:02 --------- d-----w c:\program files\Sony Ericsson
2008-10-20 15:01 --------- d-----w c:\program files\k4uTool
2008-10-20 15:00 --------- d-----w c:\program files\IKEA Home Planner Kitchen
2008-10-20 15:00 --------- d-----w c:\program files\dvdSanta
2008-10-20 15:00 --------- d-----w c:\program files\Canon
2008-10-20 14:59 --------- d-----w c:\program files\BulletProof MP3 Ripper
2008-10-20 14:59 --------- d-----w c:\program files\Axis Communications
2008-10-20 14:58 --------- d--h--w c:\documents and settings\All Users\Application Data\ActiveSMART
2008-10-20 14:58 --------- d-----w c:\program files\ArcSoft
2008-10-18 18:53 --------- d-----w c:\program files\MagicISO
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 05:22 --------- d-----w c:\program files\Microsoft
2008-10-13 05:21 --------- d-----w c:\program files\Common Files\Windows Live
2008-10-05 19:18 --------- d-----w c:\program files\Devnz
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-08 23:03 51,712 ----a-w c:\windows\system32\sirenacm.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-07-13 06:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071320080714\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-08 3513344]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-02-13 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2005-06-03 729088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-08 185896]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"nwiz"="nwiz.exe" [2006-02-13 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\Exif Launcher\QuickDCF.exe [2008-08-27 188416]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gigabyte\\BIOS\\gwf32.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Gigabyte\\BIOS\\gwflash.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\mick\\Desktop\\combat flight sim\\COMBATFS.EXE"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Myriad\\mirc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-10 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-05 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-10 76040]
R2 McciCMService;McciCMService;"c:\program files\Common Files\Motive\McciCMService.exe" [2008-10-31 303104]
R3 MRESP50;MRESP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50.SYS [2008-10-31 20096]
R3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\sis163u.sys [2008-11-16 167424]
S2 713xTVCard;SAA7134 TV Card;c:\windows\system32\DRIVERS\SAA713x.sys [2005-03-15 277504]
S3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2008-01-02 945920]
S3 Cap7134;Philips Cap7134 Capture;c:\windows\system32\DRIVERS\Cap7134.sys []
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-07-06 31592]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-05-23 13352]
S3 MREMP50;MREMP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50.SYS [2008-10-31 21248]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-11-06 175872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{789f5c52-b8a7-11dc-b2cf-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa3d234-6d5b-11dd-ba06-00120e825303}]
\Shell\AutoRun\command - nideiect.com
\Shell\explore\Command - nideiect.com
\Shell\open\Command - nideiect.com

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab
c:\windows\Downloaded Program Files\2020Player.inf

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://79.148.110.209:8080/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf

c:\windows\system32\MSCOMCTL.OCX - c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\Downloaded Program Files\toolkit_widget.gif
c:\windows\Downloaded Program Files\common.dat
c:\windows\Downloaded Program Files\unknown.dat
c:\windows\system32\Codejock.PropertyGrid.v10.4.0.ocx
c:\windows\system32\Codejock.DockingPane.v10.4.0.ocx
c:\windows\system32\Codejock.CommandBars.v10.4.0.ocx
c:\windows\system32\Codejock.ReportControl.v10.4.0.ocx
c:\windows\Downloaded Program Files\DGTx.ocx
O16 -: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
hxxp://66.98.130.69/DGTx.CAB
c:\windows\Downloaded Program Files\DGTx.INF
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 23:30:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-02 23:31:08
ComboFix-quarantined-files.txt 2008-12-02 23:30:48
ComboFix2.txt 2008-12-02 18:12:56
ComboFix3.txt 2008-12-02 18:07:21

Pre-Run: 94,214,516,736 bytes free
Post-Run: 94,222,049,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

238 --- E O F --- 2008-11-13 08:18:14
Old 12-03-2008, 10:22 AM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,580
OS: Vista


Re: Constant page re-directing and trojan horse

Hi,

It seems that you ran ComboFix thrice.

Can you post the contents of C:\Qoobox\Combofix3.txt?
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 12-03-2008, 02:05 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 9
OS: WINXP


Re: Constant page re-directing and trojan horse

Yes, foolishly I thought I could fix it myself. Here's the ComboFix3 txt.
ComboFix 08-12-01.03 - mick 2008-12-02 18:04:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1412 [GMT 0:00]
Running from: c:\documents and settings\mick\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc10.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc11.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc12.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc13.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc14.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc15.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc16.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc22.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc23.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc28.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc29.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc2A.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc2D.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc30.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc31.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc3A.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc4.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc57.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc59.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc5A.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc72.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc89.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc8E.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mccA6.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mccC.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mccD.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mccE.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mccF.tmp
C:\resycled
c:\windows\Downloaded Program Files\setup.inf
F:\resycled
f:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-19 22:20 . 2008-06-19 19:27 <DIR> d-------- c:\documents and settings\Administrator
2008-12-19 22:19 . 2008-12-19 22:19 268 --ah----- C:\sqmdata02.sqm
2008-12-19 22:19 . 2008-12-19 22:19 244 --ah----- C:\sqmnoopt02.sqm
2008-12-19 22:15 . 2008-12-19 22:15 <DIR> d-------- c:\windows\Sun
2008-12-19 22:15 . 2008-12-19 22:15 268 --ah----- C:\sqmdata01.sqm
2008-12-19 22:15 . 2008-12-19 22:15 244 --ah----- C:\sqmnoopt01.sqm
2008-12-19 22:14 . 2008-09-24 17:19 <DIR> d-------- c:\program files\Java
2008-12-19 22:11 . 2008-12-19 22:11 <DIR> d-------- c:\program files\Common Files\Java
2008-12-02 14:03 . 2008-12-02 14:06 250 --a------ c:\windows\gmer.ini
2008-12-02 13:14 . 2008-12-02 13:14 <DIR> d-------- C:\VundoFix Backups
2008-12-01 22:18 . 2008-12-02 09:57 241 --a------ c:\windows\wininit.ini
2008-12-01 13:28 . 2008-12-01 13:28 <DIR> d-------- c:\program files\Studio Surveillance
2008-12-01 13:28 . 2005-09-10 20:09 860,160 --a------ c:\windows\system32\xVideoOCX.ocx
2008-12-01 13:28 . 1998-06-24 00:00 137,000 --a------ c:\windows\system32\msmapi32.ocx
2008-12-01 13:28 . 1998-06-24 00:00 103,744 --a------ c:\windows\system32\MSCOMM32.ocx
2008-12-01 13:28 . 2001-05-08 05:00 26,896 --a------ c:\windows\system32\hh.exe
2008-12-01 00:32 . 2008-12-01 00:32 2,657 --a------ C:\timhillone.mov
2008-12-01 00:32 . 2008-12-01 00:32 785 --a------ C:\qtviewer.html
2008-12-01 00:32 . 2008-12-01 00:32 620 --a------ C:\qtviewer.smil
2008-12-01 00:18 . 2008-12-01 16:17 <DIR> d-------- C:\TimHO_Rec
2008-12-01 00:11 . 2008-12-01 00:11 <DIR> d-------- c:\program files\LEDSET
2008-11-30 11:29 . 2008-12-02 14:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-24 11:42 . 2008-11-24 11:42 <DIR> d-------- c:\program files\Karaoke Zip Scanner
2008-11-24 11:42 . 2008-11-24 11:42 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{174BEB07-CB76-4EAC-91FD-95CD34E9901B}
2008-11-22 16:35 . 2008-11-28 22:27 <DIR> d-a------ C:\Myriad
2008-11-16 19:18 . 2004-09-27 04:54 237,568 -ra------ c:\windows\system32\SiSWPars.dll
2008-11-16 19:18 . 2004-12-31 07:47 167,424 -ra------ c:\windows\system32\drivers\sis163u.sys
2008-11-16 19:18 . 2004-09-27 04:54 155,648 -ra------ c:\windows\system32\SiSWInst.dll
2008-11-16 19:18 . 2004-09-27 04:54 49,152 -ra------ c:\windows\system32\SiSWBase.dll
2008-11-16 19:18 . 2008-11-16 19:18 0 --a------ c:\windows\system32\swunilog.ini
2008-11-13 08:12 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 08:12 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-06 19:27 . 2006-05-22 19:35 175,872 --a------ c:\windows\system32\drivers\RTL8187.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 11:41 --------- d-----w c:\program files\eMule
2008-12-01 23:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 21:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-30 20:27 --------- d-----w c:\program files\MP3+G Toolz .NET 4
2008-11-30 11:30 --------- d-----w c:\program files\Google
2008-11-30 09:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-24 17:08 67,864 ----a-w c:\documents and settings\mick\Application Data\GDIPFONTCACHEV1.DAT
2008-11-23 13:04 --------- d-----w c:\program files\Karaoke Song List Creator
2008-11-18 07:06 --------- d-----w c:\program files\Xfire
2008-11-17 21:16 --------- d-----w c:\documents and settings\mick\Application Data\Xfire
2008-11-03 20:23 183,120 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-03 20:23 137,480 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-31 10:03 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-10-31 09:58 --------- d-----w c:\documents and settings\mick\Application Data\Motive
2008-10-31 09:57 --------- d-----w c:\program files\BT Broadband Desktop Help
2008-10-31 09:56 --------- d-----w c:\program files\Common Files\Motive
2008-10-30 01:24 42,320 ----a-w c:\windows\system32\xfcodec.dll
2008-10-26 09:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 22:36 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-20 23:25 --------- d-----w c:\program files\SpeedFan
2008-10-20 15:03 --------- d-----w c:\program files\Total Video2DVD Author
2008-10-20 15:02 --------- d-----w c:\program files\Sony Ericsson
2008-10-20 15:01 --------- d-----w c:\program files\k4uTool
2008-10-20 15:00 --------- d-----w c:\program files\IKEA Home Planner Kitchen
2008-10-20 15:00 --------- d-----w c:\program files\dvdSanta
2008-10-20 15:00 --------- d-----w c:\program files\Canon
2008-10-20 14:59 --------- d-----w c:\program files\BulletProof MP3 Ripper
2008-10-20 14:59 --------- d-----w c:\program files\Axis Communications
2008-10-20 14:58 --------- d--h--w c:\documents and settings\All Users\Application Data\ActiveSMART
2008-10-20 14:58 --------- d-----w c:\program files\ArcSoft
2008-10-18 18:53 --------- d-----w c:\program files\MagicISO
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 05:22 --------- d-----w c:\program files\Microsoft
2008-10-13 05:21 --------- d-----w c:\program files\Common Files\Windows Live
2008-10-05 19:18 --------- d-----w c:\program files\Devnz
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-08 23:03 51,712 ----a-w c:\windows\system32\sirenacm.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-07-13 06:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071320080714\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-08 3513344]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-02-13 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2005-06-03 729088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-08 185896]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"nwiz"="nwiz.exe" [2006-02-13 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\Exif Launcher\QuickDCF.exe [2008-08-27 188416]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gigabyte\\BIOS\\gwf32.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Gigabyte\\BIOS\\gwflash.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\mick\\Desktop\\combat flight sim\\COMBATFS.EXE"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Myriad\\mirc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-10 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-05 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-10 76040]
R2 McciCMService;McciCMService;"c:\program files\Common Files\Motive\McciCMService.exe" [2008-10-31 303104]
R3 MRESP50;MRESP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50.SYS [2008-10-31 20096]
R3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\sis163u.sys [2008-11-16 167424]
S2 713xTVCard;SAA7134 TV Card;c:\windows\system32\DRIVERS\SAA713x.sys [2005-03-15 277504]
S3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2008-01-02 945920]
S3 Cap7134;Philips Cap7134 Capture;c:\windows\system32\DRIVERS\Cap7134.sys []
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-07-06 31592]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-05-23 13352]
S3 MREMP50;MREMP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50.SYS [2008-10-31 21248]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-11-06 175872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{789f5c52-b8a7-11dc-b2cf-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa3d234-6d5b-11dd-ba06-00120e825303}]
\Shell\AutoRun\command - nideiect.com
\Shell\explore\Command - nideiect.com
\Shell\open\Command - nideiect.com

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-kdx - c:\program files\KHost.exe
HKLM-Run-NWEReboot - (no file)
Notify-svrme - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab
c:\windows\Downloaded Program Files\2020Player.inf

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://79.148.110.209:8080/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf

c:\windows\system32\MSCOMCTL.OCX - c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\Downloaded Program Files\toolkit_widget.gif
c:\windows\Downloaded Program Files\common.dat
c:\windows\Downloaded Program Files\unknown.dat
c:\windows\system32\Codejock.PropertyGrid.v10.4.0.ocx
c:\windows\system32\Codejock.DockingPane.v10.4.0.ocx
c:\windows\system32\Codejock.CommandBars.v10.4.0.ocx
c:\windows\system32\Codejock.ReportControl.v10.4.0.ocx
c:\windows\Downloaded Program Files\DGTx.ocx
O16 -: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
hxxp://66.98.130.69/DGTx.CAB
c:\windows\Downloaded Program Files\DGTx.INF
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 1821
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-02 18:07:20
ComboFix-quarantined-files.txt 2008-12-02 18:07:00

Pre-Run: 94,068,969,472 bytes free
Post-Run: 94,267,162,624 bytes free

270 --- E O F --- 2008-11-13 08:18:14
Old 12-04-2008, 11:18 AM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,580
OS: Vista


Re: Constant page re-directing and trojan horse

Hi,

*I see you have P2P software (eMule) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> add/remove programs

If you decide to uninstall the P2P applications, also delete this folder if it still exists:

C:\Program Files\eMule


*While both TeaTimer and Spybot are closed:
Right click here and click save link as
Save it as resetteatimer.bat to your desktop
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Restart your computer.
Double click on resetteatimer.bat and wait for it to finish

Since it will not be needed again, delete ResetTeaTimer.bat.

You may turn TeaTimer back on via Spybot's Tools > Resident page when your computer is clean.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.


*delete this folder: C:\VundoFix Backups


*Open Notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa3d234-6d5b-11dd-ba06-00120e825303}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\windows\\system32\\userinit.exe,"
Save this as fix.reg, choosing "All Files" as the save type, and place it on your desktop.

Double-click on it and, when it asks whether you want to merge the contents into the registry, click Yes/OK.


*Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java(TM) 6 Update 7
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


*Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply, please include:
  • Fresh DDS log (do not run the optional scan)
  • Kaspersky scan log
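The two indicators the analyst acted on in the fix above, the MountPoints2 autorun handler pointing at a bare nideiect.com and the ActiveX CABs pulled from raw IP addresses, can be picked out of a ComboFix log mechanically. The script below is an added example, not ComboFix's code and not anything posted in this thread: it parses the mountpoints2 and O16 sections of the log from post #5 (the sample text is constructed from lines copied out of that post), flags the suspicious entries, and writes out the same REGEDIT4 delete-key fix that post #6 asks the user to merge. The flagging rules (relative path, .com/.pif/.scr-style extension, literal-IP host) are this example's own heuristics, not ComboFix's.

```python
"""Triage helper for the ComboFix output and the .reg fix in this thread.
Added example: not ComboFix's code and not posted by anyone in the thread."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the mountpoints2 and O16 lines copied from the log in post #5.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{789f5c52-b8a7-11dc-b2cf-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa3d234-6d5b-11dd-ba06-00120e825303}]
\Shell\AutoRun\command - nideiect.com
\Shell\explore\Command - nideiect.com
\Shell\open\Command - nideiect.com

O16 -: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab
O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://79.148.110.209:8080/activex/AMC.cab
O16 -: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
hxxp://66.98.130.69/DGTx.CAB
"""

MP2_KEY = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2"
# Sub-key header as ComboFix prints it; group 1 is the volume GUID.
MP2_HEADER = re.compile(r"^\[" + re.escape(MP2_KEY) + r"\\(\{[0-9a-fA-F-]{36}\})\]$", re.M)
# One shell-verb line under that header, e.g. "\Shell\AutoRun\command - nideiect.com".
MP2_VERB = re.compile(r"^\\Shell\\(\w+)\\[Cc]ommand - (.+?)\s*$", re.M)
# O16 ActiveX entry; ComboFix wraps long URLs onto the next line, so \s* may cross a newline.
O16_ENTRY = re.compile(r"O16 -: (\{[0-9A-Fa-f-]{36}\})\s*-?\s*(hxxps?://\S+)")
# Heuristic list (this example's own): extensions used to pass an executable off as something else.
RISKY_EXT = {".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}


def parse_mountpoints2(text):
    """Map each MountPoints2 volume GUID to its {verb: command} handlers."""
    entries = {}
    for m in MP2_HEADER.finditer(text):
        end = text.find("\n\n", m.end())          # a blank line closes the block
        block = text[m.end():end] if end != -1 else text[m.end():]
        entries[m.group(1)] = {v.lower(): c for v, c in MP2_VERB.findall(block)}
    return entries


def suspicious_autorun(command):
    """True when the handler is a bare filename (resolved against the volume root,
    which is how an autorun worm relaunches from a USB stick) or a disguised executable."""
    exe = (command.split() or [""])[0]
    is_relative = not re.match(r"^[A-Za-z]:\\", exe)
    ext = "." + exe.rsplit(".", 1)[-1].lower() if "." in exe else ""
    return is_relative or ext in RISKY_EXT


def flag_mountpoints2(entries):
    """GUIDs whose AutoRun/open/explore verbs run something suspicious."""
    return sorted(g for g, verbs in entries.items()
                  if any(suspicious_autorun(c) for c in verbs.values()))


def flag_o16(text):
    """O16 ActiveX CABs served from a literal IP address (no DNS name to vet)."""
    hits = []
    for clsid, url in O16_ENTRY.findall(text):
        host = urlparse(url.replace("hxxp", "http", 1)).hostname or ""   # undo defanging
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue                                  # a hostname, not an IP: leave it
        hits.append((clsid, url))
    return hits


def regedit4_fix(guids, reset_userinit=True):
    """Build the .reg text that deletes the flagged MountPoints2 keys (the [-KEY] form)
    and, as in the analyst's fix above, restores the default Userinit value."""
    lines = ["REGEDIT4", ""]
    for g in guids:
        lines += ["[-" + MP2_KEY + "\\" + g + "]", ""]
    if reset_userinit:
        lines += [r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]",
                  r'"Userinit"="C:\\windows\\system32\\userinit.exe,"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    mp2 = parse_mountpoints2(SAMPLE_LOG)
    bad = flag_mountpoints2(mp2)
    for g in bad:
        print("suspicious MountPoints2 autorun:", g, mp2[g])
    for clsid, url in flag_o16(SAMPLE_LOG):
        print("ActiveX CAB from literal IP:", clsid, url)
    print(regedit4_fix(bad))
```

Run against the sample, only the {8fa3d234-...} volume is flagged; the {789f5c52-...} entry running D:\setup.exe is an ordinary absolute-path CD autorun and is left alone, which matches the analyst's fix deleting just the one key. The O16 check flags the AMC.cab and DGTx.CAB controls and passes the magnet.2020.net one. One caveat a practitioner would add: the same log shows ComboFix deleting F:\resycled\boot.com, which is exactly the kind of removable-media payload such a handler launches, so the USB device itself has to be cleaned as well or the key will be recreated the next time it is plugged in.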
Old 12-04-2008, 05:17 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 9
OS: WINXP


Re: Constant page re-directing and trojan horse

Thank you for all that help. Here are the logs you asked for:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 04, 2008 16:03:39
Records in database: 1436568
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 113198
Threat name: 3
Infected objects: 6
Suspicious objects: 1
Duration of the scan: 01:43:12


File name / Threat name / Threats count
C:\Documents and Settings\mick\Desktop\myriad-private.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Documents and Settings\mick\Desktop\New Folder\Myriad ( karaoke4u).zip Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Documents and Settings\mick\Desktop\programmes\karoke burnt dics\karaoke4u-myriad.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Documents and Settings\mick\Local Settings\Application Data\Identities\{7420A198-0694-492C-A04D-B7602741BBC1}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Myriad\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Share\essential karaoke\Essential Karaoke Party Cd G Vol 16 From.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\WINDOWS\Motive\btbb\UninstallHelper.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1

The selected area was scanned.


DDS (Version 1.0) - NTFSx86
Run by mick at 0:12:59.21 on 05/12/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1328 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Documents and Settings\mick\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - c:\program files\windows live\messenger\wlchtc.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [ScanSoft OmniPage SE 4.0-reminder] "c:\program files\scansoft\omnipagese4.0\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipagese4.0\ereg\ereg.ini"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [btbb_wcm_McciTrayApp] "c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\exif launcher\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-10 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-10 26824]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-10 76040]
R2 McciCMService;McciCMService;"c:\program files\common files\motive\McciCMService.exe" [2008-10-31 303104]
R3 MRESP50;MRESP50 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MRESP50.SYS [2008-10-31 20096]
R3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2008-11-16 167424]
S2 713xTVCard;SAA7134 TV Card;c:\windows\system32\drivers\SAA713x.sys [2005-3-15 277504]
S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2008-1-2 945920]
S3 Cap7134;Philips Cap7134 Capture;c:\windows\system32\drivers\Cap7134.sys []
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-6 31592]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-5-23 13352]
S3 MREMP50;MREMP50 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MREMP50.SYS [2008-10-31 21248]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MREMP50a64.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MRESP50a64.SYS []
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-6 175872]

=============== Created Last 30 ================

2008-12-04 22:15 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-02 23:29 <DIR> a-dshr-- C:\cmdcons
2008-12-02 23:28 <DIR> --d----- C:\ComboFix
2008-12-02 18:04 161,792 a------- c:\windows\SWREG.exe
2008-12-02 18:04 98,816 a------- c:\windows\sed.exe
2008-12-02 14:03 250 a------- c:\windows\gmer.ini
2008-12-01 22:18 241 a------- c:\windows\wininit.ini
2008-12-01 13:28 860,160 a------- c:\windows\system32\xVideoOCX.ocx
2008-12-01 13:28 137,000 a------- c:\windows\system32\msmapi32.ocx
2008-12-01 13:28 103,744 a------- c:\windows\system32\MSCOMM32.ocx
2008-12-01 13:28 26,896 a------- c:\windows\system32\hh.exe
2008-12-01 13:28 <DIR> --d----- c:\program files\Studio Surveillance
2008-12-01 00:32 2,657 a------- C:\timhillone.mov
2008-12-01 00:32 785 a------- C:\qtviewer.html
2008-12-01 00:32 620 a------- C:\qtviewer.smil
2008-12-01 00:18 <DIR> --d----- C:\TimHO_Rec
2008-12-01 00:11 <DIR> --d----- c:\program files\LEDSET
2008-11-24 11:42 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{174BEB07-CB76-4EAC-91FD-95CD34E9901B}
2008-11-24 11:42 <DIR> --d----- c:\program files\Karaoke Zip Scanner
2008-11-22 16:35 <DIR> a-d----- C:\Myriad
2008-11-16 19:18 0 a------- c:\windows\system32\swunilog.ini
2008-11-16 19:18 237,568 a----r-- c:\windows\system32\SiSWPars.dll
2008-11-16 19:18 167,424 a----r-- c:\windows\system32\drivers\sis163u.sys
2008-11-16 19:18 155,648 a----r-- c:\windows\system32\SiSWInst.dll
2008-11-16 19:18 49,152 a----r-- c:\windows\system32\SiSWBase.dll
2008-11-13 08:12 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 08:12 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-06 19:27 175,872 a------- c:\windows\system32\drivers\RTL8187.sys

==================== Find3M ====================

2008-12-01 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-01 21:10 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-30 20:27 <DIR> --d----- c:\program files\MP3+G Toolz .NET 4
2008-11-23 13:04 <DIR> --d----- c:\program files\Karaoke Song List Creator
2008-11-18 07:06 <DIR> --d----- c:\program files\Xfire
2008-11-17 21:16 <DIR> --d----- c:\docume~1\mick\applic~1\Xfire
2008-11-03 20:23 183,120 a------- c:\windows\system32\PnkBstrB.exe
2008-10-31 09:57 <DIR> --d----- c:\program files\BT Broadband Desktop Help
2008-10-31 09:56 <DIR> --d----- c:\program files\common files\Motive
2008-10-30 01:24 42,320 a------- c:\windows\system32\xfcodec.dll
2008-10-20 23:25 <DIR> --d----- c:\program files\SpeedFan
2008-10-20 15:03 <DIR> --d----- c:\program files\Total Video2DVD Author
2008-10-20 15:02 <DIR> --d----- c:\program files\Sony Ericsson
2008-10-20 15:01 <DIR> --d----- c:\program files\k4uTool
2008-10-20 15:00 <DIR> --d----- c:\program files\IKEA Home Planner Kitchen
2008-10-20 15:00 <DIR> --d----- c:\program files\Canon
2008-10-20 15:00 <DIR> --d----- c:\program files\dvdSanta
2008-10-20 14:59 <DIR> --d----- c:\program files\BulletProof MP3 Ripper
2008-10-20 14:59 <DIR> --d----- c:\program files\Axis Communications
2008-10-20 14:58 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\ActiveSMART
2008-10-18 18:53 <DIR> --d----- c:\program files\MagicISO
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-13 05:22 <DIR> --d----- c:\program files\Microsoft
2008-10-13 05:21 <DIR> --d----- c:\program files\common files\Windows Live
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-17 22:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Maxtor
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-10 18:06 <DIR> --d----- c:\docume~1\mick\applic~1\TVU Networks
2008-09-10 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TVU Networks
2008-09-10 01:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-08 23:03 51,712 a------- c:\windows\system32\sirenacm.dll
2008-08-23 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IM
2008-08-23 10:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IncrediMail
2008-07-07 06:40 <DIR> --d----- c:\docume~1\mick\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-06-21 09:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kontiki
2008-06-21 09:28 <DIR> --d----- c:\docume~1\mick\applic~1\{3F3C1848-EDD1-411D-B240-F91B269B86A0}
2008-06-18 19:15 <DIR> --d----- c:\docume~1\mick\applic~1\vlc
2008-06-05 11:24 <DIR> --d----- c:\docume~1\mick\applic~1\Samsung
2008-06-02 21:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2008-05-23 16:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sony Ericsson
2008-05-10 10:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-05-04 14:02 <DIR> --d----- c:\docume~1\mick\applic~1\SopCast
2008-05-04 13:55 <DIR> --d----- c:\docume~1\mick\applic~1\PPMate
2008-03-12 08:42 <DIR> --d----- c:\docume~1\mick\applic~1\MSN6
2008-02-14 10:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2008-01-05 22:37 <DIR> --d----- c:\docume~1\mick\applic~1\Canon
2008-01-05 22:19 <DIR> --d----- c:\docume~1\mick\applic~1\ScanSoft
2008-01-03 21:18 <DIR> --d----- c:\docume~1\mick\applic~1\mIRC
2008-07-13 06:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071320080714\index.dat

============= FINISH: 0:13:27.00 ===============
MICKFLAN is offline  
Old 12-04-2008, 10:16 PM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,580
OS: Vista


Re: Constant page re-directing and trojan horse

Hi,

Looks good. Most of what Kaspersky found was related to mIRC, which it sees as a risk.

It detected one suspicious mail in your Outlook inbox, but from what the report showed, I can't tell which one it is, so you just need to be careful with that, or you could empty your inbox too.

How is your computer running?
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 12-05-2008, 12:18 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 9
OS: WINXP


Re: Constant page re-directing and trojan horse

Computer is running fine at the moment, no re-directing or anything.
MICKFLAN is offline  
Old 12-05-2008, 12:51 AM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,580
OS: Vista


Re: Constant page re-directing and trojan horse

Click Start > Run > copy and paste:

combofix /u

That will unhide your system files, clear your System Restore cache and uninstall ComboFix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

And miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline  
Old 12-05-2008, 12:06 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 9
OS: WINXP


Re: Constant page re-directing and trojan horse

Thank you Angelfire777, you have been a great help. Much appreciated.
MICKFLAN is offline  
Copyright 2001 - 2009, Tech Support Forum