04-12-2009, 09:10 AM   #1
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Google/Yahoo redirect issue (possible trojan)

Hi,

My issue stems around Google and Yahoo search results redirecting me to unknown websites. When this started, my security software (McAfee) began displaying error notices when it automatically tried to download updates. Additionally, my computer began running very slowly.

I ran a scan and found two possible trojans:
- New Malware.j
- Generic!Artemis

I am running Windows XP, IE8, and McAfee.

I downloaded DDS, but received the following error when attempting to run:

"This application has failed to start because wbemcomn.dll was not found."

However, I was able to run gmer and I have the "ark.txt" file zipped in the attach.zip file.

Please advise as to how to get DDS to work and/or other steps that need to be taken. Thank you.

-CJ
Attached Files
File Type: zip attach.zip (1.4 KB, 7 views)
element1 is offline  

04-18-2009, 09:15 AM   #2
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Re: Google/Yahoo redirect issue (possible trojan)

^^^bump^^^ can anyone help?
element1 is offline  
04-18-2009, 05:19 PM   #3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,941
OS: WinXP and Vista


Re: Google/Yahoo redirect issue (possible trojan)

Hello element1,

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
04-21-2009, 08:53 PM   #4
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Re: Google/Yahoo redirect issue (possible trojan)

Thanks for replying. Below is the log generated by Combofix:

ComboFix 09-04-22.02 - Admin 04/21/2009 22:42.1 - NTFSx86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Helper
c:\program files\Ultimate Cleaner

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-15 23:30 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:30 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:30 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 23:30 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 23:30 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:30 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:30 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 23:30 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:30 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:30 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:28 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:28 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 23:28 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-09 02:02 . 2009-04-09 02:02 -------- d--h--w c:\windows\PIF
2009-04-09 01:59 . 2009-04-09 01:59 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\Mozilla
2009-04-06 23:32 . 2009-04-06 23:32 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-06 23:32 . 2009-04-06 23:32 1409 ----a-w c:\windows\QTFont.for
2009-04-02 03:32 . 2009-04-02 03:32 -------- d-sh--w c:\documents and settings\Admin\IECompatCache
2009-04-02 03:29 . 2009-04-02 03:29 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-02 03:26 . 2009-04-02 03:26 -------- d-sh--w c:\documents and settings\Admin\PrivacIE
2009-04-02 03:24 . 2009-04-02 03:24 -------- d-sh--w c:\documents and settings\Admin\IETldCache
2009-04-02 03:21 . 2009-04-02 04:24 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-02 03:21 . 2009-04-02 03:21 -------- d-----w c:\documents and settings\Admin\Application Data\Yahoo!
2009-04-02 03:17 . 2009-04-02 03:19 -------- dc-h--w c:\windows\ie8
2009-04-02 03:16 . 2009-04-02 03:22 -------- d--h--w c:\windows\msdownld.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 14:04 . 2009-01-25 14:28 -------- d-----w c:\documents and settings\Admin\Application Data\Move Networks
2009-04-18 11:20 . 2008-02-08 00:03 -------- d-----w c:\program files\McAfee
2009-04-09 01:52 . 2005-01-17 05:24 -------- d-----w c:\program files\Eazy VCD
2009-04-09 01:40 . 2005-01-03 16:04 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-08 23:45 . 2006-03-08 03:10 -------- d-----w c:\program files\Microsoft Money
2009-04-08 23:43 . 2007-01-14 06:05 -------- d-----w c:\program files\BitTorrent
2009-04-07 00:38 . 2009-04-07 00:38 -------- d-----w c:\program files\Trend Micro
2009-04-02 22:09 . 2005-04-25 01:05 -------- d-----w c:\program files\Yahoo!
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-08 18:09 . 2006-11-07 08:27 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 18:09 . 2006-10-17 17:04 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 08:41 . 2006-05-19 15:08 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 08:39 . 2007-05-09 02:19 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 08:34 . 2006-05-10 05:23 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 08:34 . 2004-08-04 08:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2006-05-10 05:23 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 08:34 . 2006-11-08 02:03 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 08:34 . 2006-10-17 17:05 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 08:34 . 2004-08-04 08:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:34 . 2006-10-17 17:05 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 08:34 . 2006-10-17 17:04 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 08:34 . 2006-05-10 05:23 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 08:33 . 2006-09-18 14:15 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 08:33 . 2009-03-08 08:33 18944 ------w c:\windows\system32\dllcache\corpol.dll
2009-03-08 08:33 . 2004-08-04 08:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2006-05-10 05:22 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 08:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 08:33 . 2006-11-07 08:27 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 08:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 08:33 . 2004-08-04 08:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:33 . 2006-11-07 08:26 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 08:32 . 2006-11-07 08:26 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 08:32 . 2004-08-04 08:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2006-11-07 08:26 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 08:32 . 2006-11-07 08:25 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 08:32 . 2006-11-07 08:26 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 08:32 . 2006-11-07 08:26 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 08:32 . 2004-08-04 08:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:32 . 2006-11-07 08:26 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 08:32 . 2006-05-10 05:22 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 08:32 . 2007-05-09 02:19 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 08:32 . 2007-05-09 02:19 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 08:32 . 2006-05-10 05:23 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 08:24 . 2006-10-17 16:44 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 08:22 . 2006-11-08 02:03 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 08:22 . 2004-08-04 08:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 08:11 . 2007-05-09 02:19 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 00:55 . 2009-03-04 00:54 -------- d-----w c:\documents and settings\Admin\Application Data\Image Zone Express
2009-02-27 00:50 . 2008-11-08 20:55 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-09 12:10 . 2004-08-04 08:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 08:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-14 23:40 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-04 08:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2008-10-14 23:40 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 23:02 . 2004-08-04 08:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-07 01:07 . 2007-05-09 02:19 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2004-08-04 08:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-14 23:40 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2004-08-04 08:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 23:40 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-14 23:40 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-04 08:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-12-09 03:02 . 2005-02-01 03:17 64008 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-01-27 06:05 . 2007-01-27 06:05 128 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\fusioncache.dat
2006-07-08 15:43 . 2006-01-04 17:55 64008 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-12 12:07 . 2008-09-12 12:07 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-23 483328]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-19 155648]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DeviceDiscovery"="c:\program files\HP\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HostManager"="c:\program files\Common Files\AOL\1201498247\ee\AOLSoftware.exe" [2006-09-26 50736]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-30 88363]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-07 323584]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2005-10-25 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-1-3 36954]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AliIde
*Deregistered* - AOL ACS
*Deregistered* - ASCTRM
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - eabfiltr
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - IntelIde
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mcmscsvc
*Deregistered* - McNASvc
*Deregistered* - McProxy
*Deregistered* - McShield
*Deregistered* - McSysmon
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mfesmfk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MPFP
*Deregistered* - MpfService
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - Serial
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SoundMAX Agent Service (default)
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - ViaIde
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - wanatw
*Deregistered* - WANMiniportService
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-08 17:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-08 17:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BackupNotify - c:\program files\HP\Digital Imaging\bin\backupnotify.exe
HKCU-Run-RecordNow! - (no file)
HKLM-Run-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\pffpr6w3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 22:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?2?7?7??`???? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2580)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-22 22:48
ComboFix-quarantined-files.txt 2009-04-22 02:47

Pre-Run: 52,501,594,112 bytes free
Post-Run: 52,637,745,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
335 --- E O F --- 2009-04-16 10:03
element1 is offline  
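The "Reg Loading Points" section of the log above is where the helper's next reply takes its fixes from: the Security Center value that silences antivirus alerts and the firewall exception for an executable sitting in the root of C:. The following script is an added example, not ComboFix's own code, that parses that section's REGEDIT4-style blocks and applies three defensive checks a reviewer would make on such a log. It goes slightly beyond the thread by also flagging Run entries whose command is a bare filename rather than a full path (ComboFix prints the resolved path after " - " for those). The embedded log excerpt is constructed in the same format as post #4; the check names, thresholds and the `STANDARD_DIRS` list are this example's own assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix's own code. It parses the
REGEDIT4-style key/value blocks ComboFix prints and applies three checks:
Security Center alerts switched off, firewall exceptions for executables
sitting in a drive root, and Run entries whose command is a bare filename.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the same format as the log in post #4 (trimmed).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-30 88363]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2005-10-25 256000]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Locations an XP autostart normally launches from (assumption of this example).
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_reg_loading_points(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {registry key: [(value name, raw data), ...]} for the section."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    in_section, current = False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("--- Other Services"):
            break                      # end of the key/value listing
        if not line:
            current = None             # a blank line closes the current block
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2)))
    return keys


def resolved_run_path(data: str) -> Tuple[str, bool]:
    """Split ComboFix's rendering of a Run value into (path, fully_qualified).

    A quoted full path followed by [date size] is qualified; a quoted bare
    name followed by ' - ' and the path ComboFix resolved it to is not.
    """
    m = re.match(r'^"([^"]*)"(?: - (.*?))? \[', data)
    if not m:
        return data, True
    literal, resolved = m.group(1), m.group(2)
    return (resolved, False) if resolved else (literal, True)


def triage(keys: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Apply the three checks and return one finding string per hit."""
    findings: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values:
            if "security center" in k:
                if name.lower().endswith("disablenotify") and data.lower() == "dword:00000001":
                    findings.append(f"Security Center alert suppressed: {name}=1")
            elif "authorizedapplications" in k:
                path = name.replace("\\\\", "\\")      # undo REGEDIT4 escaping
                parent = path.rsplit("\\", 1)[0].lower()
                if re.fullmatch(r"[a-z]:", parent):
                    findings.append(f"Firewall exception for executable in drive root: {path}")
            elif k.endswith("\\run"):
                path, qualified = resolved_run_path(data)
                if not qualified:
                    findings.append(f"Run entry '{name}' is a bare filename, resolved to {path}")
                elif not path.lower().startswith(STANDARD_DIRS):
                    findings.append(f"Run entry '{name}' launches from a non-standard location: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_loading_points(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt it reports the two items the helper scripted against in the next post (the suppressed antivirus notification and the `c:\StubInstaller.exe` firewall exception) plus the unqualified `AGRSMMSG` Run command; entries under Program Files and Windows pass silently. A full log from ComboFix can be passed to `parse_reg_loading_points` unchanged, since the parser keys off the section banner and the "--- Other Services" line that follows it.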
04-21-2009, 09:26 PM   #5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,941
OS: WinXP and Vista


Re: Google/Yahoo redirect issue (possible trojan)

Hello element1,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

DDS::
uInternet Connection Wizard,ShellNext = iexplore

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\StubInstaller.exe"=-

FixCSet::


Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior


Are you still getting redirected?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
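The CFScript in the post above is a small instruction file: each section starts with a name ending in `::`, the `DDS::` lines name entries from the DDS/ComboFix report to be fixed, and the `Registry::` section uses regedit (.reg) syntax, in which `"name"=-` deletes a value and `[-KEY]` deletes a key. Because the script is dragged onto ComboFix and acted on without further prompts, it is worth reading the planned operations back before running it. The script below is an added example, not part of the thread or of ComboFix; it only parses the text and prints one line per intended action. The embedded script is constructed to match the one in the post; the action wording is this example's own.

```python
"""Preview the operations a ComboFix CFScript asks for before it is run.

Added example for this thread; it is not ComboFix's own code and only reads
the script. Sections are lines ending in '::'; the Registry:: section uses
regedit (.reg) syntax, where "name"=- deletes a value and [-KEY] deletes a key.
"""
from typing import Dict, List

# Constructed script identical in shape to the one in post #5.
SAMPLE_SCRIPT = r"""DDS::
uInternet Connection Wizard,ShellNext = iexplore

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\StubInstaller.exe"=-

FixCSet::
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {section name: [body lines]} in the order the sections appear."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("::") and " " not in line:
            current = line[:-2]
            sections[current] = []
        elif line.strip() and current is not None:
            sections[current].append(line)
    return sections


def plan_registry_ops(lines: List[str]) -> List[str]:
    """Translate regedit-syntax lines into human-readable operations."""
    ops: List[str] = []
    key = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            ops.append(f"delete key {line[2:-1]}")
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key is not None:
            name, _, data = line[1:].partition('"=')
            name = name.replace("\\\\", "\\")       # undo .reg escaping for display
            if data == "-":
                ops.append(f"delete value '{name}' under {key}")
            else:
                ops.append(f"set value '{name}' under {key} to {data}")
    return ops


def summarize(text: str) -> List[str]:
    """One line per intended action, so the script can be reviewed before use."""
    plan: List[str] = []
    for section, lines in parse_cfscript(text).items():
        if section == "Registry":
            plan.extend(plan_registry_ops(lines))
        elif section == "DDS":
            plan.extend(f"remove DDS entry: {line}" for line in lines)
        elif not lines:
            plan.append(f"directive: {section}")   # bare section such as FixCSet::
        else:
            plan.extend(f"{section}: {line}" for line in lines)
    return plan


if __name__ == "__main__":
    for step in summarize(SAMPLE_SCRIPT):
        print(step)
```

For the script in the post this prints three lines: the ShellNext entry to be removed, the deletion of the `c:\StubInstaller.exe` value from the firewall's authorized-applications list, and the bare `FixCSet` directive. Sections this example does not know are echoed line by line rather than dropped, so nothing in a script goes unreviewed.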
04-23-2009, 05:10 AM   #6
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Re: Google/Yahoo redirect issue (possible trojan)

COMBOFIX:

ComboFix 09-04-22.02 - Admin 04/22/2009 19:20.2 - NTFSx86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-15 23:30 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:30 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:30 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 23:30 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 23:30 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:30 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:30 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 23:30 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:30 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:30 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:28 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:28 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 23:28 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-09 02:02 . 2009-04-09 02:02 -------- d--h--w c:\windows\PIF
2009-04-09 01:59 . 2009-04-09 01:59 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\Mozilla
2009-04-06 23:32 . 2009-04-06 23:32 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-06 23:32 . 2009-04-06 23:32 1409 ----a-w c:\windows\QTFont.for
2009-04-02 03:32 . 2009-04-02 03:32 -------- d-sh--w c:\documents and settings\Admin\IECompatCache
2009-04-02 03:29 . 2009-04-02 03:29 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-02 03:26 . 2009-04-02 03:26 -------- d-sh--w c:\documents and settings\Admin\PrivacIE
2009-04-02 03:24 . 2009-04-02 03:24 -------- d-sh--w c:\documents and settings\Admin\IETldCache
2009-04-02 03:21 . 2009-04-02 04:24 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-02 03:21 . 2009-04-02 03:21 -------- d-----w c:\documents and settings\Admin\Application Data\Yahoo!
2009-04-02 03:17 . 2009-04-02 03:19 -------- dc-h--w c:\windows\ie8
2009-04-02 03:16 . 2009-04-02 03:22 -------- d--h--w c:\windows\msdownld.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 14:04 . 2009-01-25 14:28 -------- d-----w c:\documents and settings\Admin\Application Data\Move Networks
2009-04-18 11:20 . 2008-02-08 00:03 -------- d-----w c:\program files\McAfee
2009-04-09 01:52 . 2005-01-17 05:24 -------- d-----w c:\program files\Eazy VCD
2009-04-09 01:40 . 2005-01-03 16:04 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-08 23:45 . 2006-03-08 03:10 -------- d-----w c:\program files\Microsoft Money
2009-04-08 23:43 . 2007-01-14 06:05 -------- d-----w c:\program files\BitTorrent
2009-04-07 00:38 . 2009-04-07 00:38 -------- d-----w c:\program files\Trend Micro
2009-04-02 22:09 . 2005-04-25 01:05 -------- d-----w c:\program files\Yahoo!
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-08 18:09 . 2006-11-07 08:27 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 18:09 . 2006-10-17 17:04 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 08:41 . 2006-05-19 15:08 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 08:39 . 2007-05-09 02:19 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 08:34 . 2006-05-10 05:23 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 08:34 . 2004-08-04 08:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2006-05-10 05:23 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 08:34 . 2006-11-08 02:03 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 08:34 . 2006-10-17 17:05 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 08:34 . 2004-08-04 08:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:34 . 2006-10-17 17:05 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 08:34 . 2006-10-17 17:04 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 08:34 . 2006-05-10 05:23 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 08:33 . 2006-09-18 14:15 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 08:33 . 2009-03-08 08:33 18944 ------w c:\windows\system32\dllcache\corpol.dll
2009-03-08 08:33 . 2004-08-04 08:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2006-05-10 05:22 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 08:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 08:33 . 2006-11-07 08:27 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 08:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 08:33 . 2004-08-04 08:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:33 . 2006-11-07 08:26 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 08:32 . 2006-11-07 08:26 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 08:32 . 2004-08-04 08:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2006-11-07 08:26 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 08:32 . 2006-11-07 08:25 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 08:32 . 2006-11-07 08:26 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 08:32 . 2006-11-07 08:26 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 08:32 . 2004-08-04 08:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:32 . 2006-11-07 08:26 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 08:32 . 2006-05-10 05:22 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 08:32 . 2007-05-09 02:19 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 08:32 . 2007-05-09 02:19 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 08:32 . 2006-05-10 05:23 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 08:24 . 2006-10-17 16:44 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 08:22 . 2006-11-08 02:03 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 08:22 . 2004-08-04 08:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 08:11 . 2007-05-09 02:19 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 00:55 . 2009-03-04 00:54 -------- d-----w c:\documents and settings\Admin\Application Data\Image Zone Express
2009-02-27 00:50 . 2008-11-08 20:55 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-09 12:10 . 2004-08-04 08:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 08:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-14 23:40 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-04 08:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2008-10-14 23:40 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 23:02 . 2004-08-04 08:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-07 01:07 . 2007-05-09 02:19 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2004-08-04 08:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-14 23:40 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2004-08-04 08:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 23:40 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-14 23:40 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-04 08:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-12-09 03:02 . 2005-02-01 03:17 64008 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-01-27 06:05 . 2007-01-27 06:05 128 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\fusioncache.dat
2006-07-08 15:43 . 2006-01-04 17:55 64008 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-12 12:07 . 2008-09-12 12:07 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-22_02.46.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-01-03 15:32 . 2009-04-22 22:21 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-01-03 15:32 . 2009-04-21 23:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-03 15:32 . 2009-04-22 22:21 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-03 15:32 . 2009-04-21 23:25 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-23 483328]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-19 155648]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DeviceDiscovery"="c:\program files\HP\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HostManager"="c:\program files\Common Files\AOL\1201498247\ee\AOLSoftware.exe" [2006-09-26 50736]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-30 88363]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-07 323584]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2005-10-25 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-1-3 36954]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AliIde
*Deregistered* - AOL ACS
*Deregistered* - ASCTRM
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - eabfiltr
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - IntelIde
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mcmscsvc
*Deregistered* - McNASvc
*Deregistered* - McProxy
*Deregistered* - McShield
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MPFP
*Deregistered* - MpfService
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - Serial
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SoundMAX Agent Service (default)
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - ViaIde
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - wanatw
*Deregistered* - WANMiniportService
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-08 17:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-08 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\pffpr6w3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 19:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?2?7?7??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\wanmpsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\Microsoft Office\OFFICE11\WINWORD.EXE
.
**************************************************************************
.
Completion time: 2009-04-22 19:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 23:50
ComboFix2.txt 2009-04-22 02:48

Pre-Run: 52,571,869,184 bytes free
Post-Run: 52,611,719,168 bytes free

340 --- E O F --- 2009-04-16 10:03


----------------------------------------------------------------------------

KASPERSKY RESULTS:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 23, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 23, 2009 01:25:37
Records in database: 2070180
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 59249
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:53:52


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1

The selected area was scanned.

-----------------------------------------------------------------------------

UPDATES ON SYSTEM BEHAVIOR:

I tested out Google and Yahoo searches and it seems like the redirect symptoms have abated. In my opinion, the system is also running faster.

Please let me know of next steps to fully eradicate the malware. Thank you for your help thus far.
Old 04-23-2009, 05:47 AM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,941
OS: WinXP and Vista


Re: Google/Yahoo redirect issue (possible trojan)

Hi element1,

Kaspersky is only reporting the presence of mIRC. If you installed this yourself, no worries.


Quote:
This application has failed to start because wbemcomn.dll was not found
The malware is gone, but I'd like to see if we can fix this problem.


Download and Save Dial-a-fix-v0.60.0.24.zip
  • Extract it to your desktop
  • Run the program but do not click go, instead click the hammer icon (tools)
  • Scroll down to "Reset WMI/WBEM" then click Go, when it is done exit.

Restart your PC

Try again to run a scan with dds.scr. I'd also like you to run ComboFix.exe again and post the C:\ComboFix.txt for review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-26-2009, 07:57 AM   #8 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Re: Google/Yahoo redirect issue (possible trojan)

I was not able to successfully run Dial A Fix tools; when I clicked on Reset WMI/WBEM, it would start registering the various .dll files, but would never finish. I ran it for 5 hours at one point.

However, I was able to run a scan with DDS (dds.txt) and (attach.txt) and with combofix as well. All three are posted below.

********* DDS.txt ****************

DDS (Ver_09-03-16.01) - NTFSx86
Run by Admin at 9:32:00.42 on Sun 04/26/2009
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DeviceDiscovery] c:\program files\hp\digital imaging\bin\hpotdd01.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HostManager] c:\program files\common files\aol\1201498247\ee\AOLSoftware.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
StartupFolder: c:\documents and settings\admin\start menu\programs\startup\PowerReg SchedulerV2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\pffpr6w3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-21 22:41 <DIR> a-dshr-- C:\cmdcons
2009-04-21 22:40 161,792 a------- c:\windows\SWREG.exe
2009-04-21 22:40 98,816 a------- c:\windows\sed.exe
2009-04-15 19:30 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 19:30 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 19:30 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-15 19:30 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 19:30 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 19:30 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 19:30 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 19:30 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 19:30 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 19:30 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 19:28 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 19:28 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 19:28 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-08 22:02 <DIR> --d-h--- c:\windows\PIF
2009-04-06 20:38 <DIR> --d----- c:\program files\Trend Micro
2009-04-06 19:32 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-06 19:32 1,409 a------- c:\windows\QTFont.for
2009-04-01 23:32 <DIR> --dsh--- c:\documents and settings\admin\IECompatCache
2009-04-01 23:26 <DIR> --dsh--- c:\documents and settings\admin\PrivacIE
2009-04-01 23:24 <DIR> --dsh--- c:\documents and settings\admin\IETldCache
2009-04-01 23:17 <DIR> -cd-h--- c:\windows\ie8
2009-04-01 23:16 <DIR> --d-h--- c:\windows\msdownld.tmp

==================== Find3M ====================

2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-09-12 08:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 9:33:27.57 ===============


********* attach.txt ****************


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Agere Systems AC'97 Modem
AiO_Scan_CDA
AiOSoftwareNPI
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
AOL Instant Messenger
Athlon 64 Processor Driver
BufferChm
Copy
CreativeProjects
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
dBpowerAMP Mp4 Codec
dBpowerAMP Music Converter
Destinations
DeviceManagementQFolder
DocProc
eSupportQFolder
F300
F300_Help
Fax_CDA
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
hp deskjet 3600
HP Image Zone 3.5
HP Imaging Device Functions 7.0
HP Photo and Imaging 2.0 - Deskjet Series
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
hp print screen utility
HP Solution Center 7.0
HP Update
HPIZFix3
hpmdtab
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
InstantShareDevicesMFC
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 6
Learn2 Player (Uninstall Only)
MarketResearch
McAfee SecurityCenter
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer DVD Edition - HPH
Netflix Movie Viewer
NewCopy_CDA
NVIDIA GART Driver
NVIDIA Windows 2000/XP Display Drivers
PCI 1620 Cardbus Controller and Software
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
PrimoPDF
ProductContextNPI
PSShortcutsP
QFolder
Quick Launch Buttons 5.00 B3
QuickProjects
QuickTime
Readme
RealPlayer Basic
RecordNow!
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SkinsHP1
SkinsHP2
SolutionCenter
Sonic Update Manager
SoundMAX
Status
TI1620/1520
Toolbox
TrayApp
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WD Diagnostics
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== End Of File ===========================
element1 is offline  
Old 04-26-2009, 07:59 AM   #9 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Re: Google/Yahoo redirect issue (possible trojan)

********* COMBOFIX BELOW ****************

ComboFix 09-04-25.A3 - Admin 04/26/2009 9:41.3 - NTFSx86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-15 23:30 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:30 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:30 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 23:30 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 23:30 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:30 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:30 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 23:30 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:30 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:30 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:28 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:28 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 23:28 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-09 02:02 . 2009-04-09 02:02 -------- d--h--w c:\windows\PIF
2009-04-09 01:59 . 2009-04-09 01:59 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\Mozilla
2009-04-07 00:38 . 2009-04-07 00:38 -------- d-----w c:\program files\Trend Micro
2009-04-06 23:32 . 2009-04-06 23:32 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-06 23:32 . 2009-04-06 23:32 1409 ----a-w c:\windows\QTFont.for
2009-04-02 03:32 . 2009-04-02 03:32 -------- d-sh--w c:\documents and settings\Admin\IECompatCache
2009-04-02 03:29 . 2009-04-02 03:29 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-02 03:26 . 2009-04-02 03:26 -------- d-sh--w c:\documents and settings\Admin\PrivacIE
2009-04-02 03:24 . 2009-04-02 03:24 -------- d-sh--w c:\documents and settings\Admin\IETldCache
2009-04-02 03:21 . 2009-04-02 04:24 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-02 03:21 . 2009-04-02 03:21 -------- d-----w c:\documents and settings\Admin\Application Data\Yahoo!
2009-04-02 03:17 . 2009-04-02 03:19 -------- dc-h--w c:\windows\ie8
2009-04-02 03:16 . 2009-04-02 03:22 -------- d--h--w c:\windows\msdownld.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 14:04 . 2009-01-25 14:28 -------- d-----w c:\documents and settings\Admin\Application Data\Move Networks
2009-04-18 11:20 . 2008-02-08 00:03 -------- d-----w c:\program files\McAfee
2009-04-09 01:52 . 2005-01-17 05:24 -------- d-----w c:\program files\Eazy VCD
2009-04-09 01:40 . 2005-01-03 16:04 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-08 23:45 . 2006-03-08 03:10 -------- d-----w c:\program files\Microsoft Money
2009-04-08 23:43 . 2007-01-14 06:05 -------- d-----w c:\program files\BitTorrent
2009-04-02 22:09 . 2005-04-25 01:05 -------- d-----w c:\program files\Yahoo!
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-08 18:09 . 2006-11-07 08:27 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 18:09 . 2006-10-17 17:04 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 08:41 . 2006-05-19 15:08 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 08:39 . 2007-05-09 02:19 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 08:34 . 2006-05-10 05:23 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 08:34 . 2004-08-04 08:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2006-05-10 05:23 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 08:34 . 2006-11-08 02:03 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 08:34 . 2006-10-17 17:05 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 08:34 . 2004-08-04 08:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:34 . 2006-10-17 17:05 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 08:34 . 2006-10-17 17:04 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 08:34 . 2006-05-10 05:23 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 08:33 . 2006-09-18 14:15 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 08:33 . 2009-03-08 08:33 18944 ------w c:\windows\system32\dllcache\corpol.dll
2009-03-08 08:33 . 2004-08-04 08:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2006-05-10 05:22 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 08:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 08:33 . 2006-11-07 08:27 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 08:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 08:33 . 2004-08-04 08:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:33 . 2006-11-07 08:26 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 08:32 . 2006-11-07 08:26 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 08:32 . 2004-08-04 08:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2006-11-07 08:26 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 08:32 . 2006-11-07 08:25 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 08:32 . 2006-11-07 08:26 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 08:32 . 2006-11-07 08:26 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 08:32 . 2004-08-04 08:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:32 . 2006-11-07 08:26 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 08:32 . 2006-05-10 05:22 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 08:32 . 2007-05-09 02:19 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 08:32 . 2007-05-09 02:19 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 08:32 . 2006-05-10 05:23 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 08:24 . 2006-10-17 16:44 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 08:22 . 2006-11-08 02:03 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 08:22 . 2004-08-04 08:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 08:11 . 2007-05-09 02:19 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 00:55 . 2009-03-04 00:54 -------- d-----w c:\documents and settings\Admin\Application Data\Image Zone Express
2009-02-27 00:50 . 2008-11-08 20:55 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-09 12:10 . 2004-08-04 08:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 08:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-14 23:40 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-04 08:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2008-10-14 23:40 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 23:02 . 2004-08-04 08:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-07 01:07 . 2007-05-09 02:19 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2004-08-04 08:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-14 23:40 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2004-08-04 08:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 23:40 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-14 23:40 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-04 08:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-12-09 03:02 . 2005-02-01 03:17 64008 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-01-27 06:05 . 2007-01-27 06:05 128 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\fusioncache.dat
2006-07-08 15:43 . 2006-01-04 17:55 64008 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-12 12:07 . 2008-09-12 12:07 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-22_02.46.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 08:00 . 2004-08-04 08:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2005-01-03 15:32 . 2009-04-26 13:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-01-03 15:32 . 2009-04-21 23:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-03 15:32 . 2009-04-26 13:28 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-03 15:32 . 2009-04-21 23:25 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-25 23:49 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-08-25 23:49 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-23 483328]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-19 155648]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DeviceDiscovery"="c:\program files\HP\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HostManager"="c:\program files\Common Files\AOL\1201498247\ee\AOLSoftware.exe" [2006-09-26 50736]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-30 88363]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-07 323584]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2005-10-25 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-1-3 36954]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AliIde
*Deregistered* - AOL ACS
*Deregistered* - ASCTRM
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - eabfiltr
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - IntelIde
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mcmscsvc
*Deregistered* - McNASvc
*Deregistered* - McProxy
*Deregistered* - McShield
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MPFP
*Deregistered* - MpfService
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - Serial
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SoundMAX Agent Service (default)
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - ViaIde
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - wanatw
*Deregistered* - WANMiniportService
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-08 17:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-08 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 09:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?2?7?7??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2252)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-26 9:46
ComboFix-quarantined-files.txt 2009-04-26 13:45
ComboFix2.txt 2009-04-22 23:51
ComboFix3.txt 2009-04-22 02:48

Pre-Run: 52,661,673,984 bytes free
Post-Run: 52,732,375,040 bytes free

323 --- E O F --- 2009-04-16 10:03
element1 is offline  
Old 04-26-2009, 08:29 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,941
OS: WinXP and Vista


Re: Google/Yahoo redirect issue (possible trojan)

Download and run the WMIDiag tool
  • Let it extract to your desktop. Run WMIDiag.vbs by double-clicking it.
  • It takes a while and runs in the background; wait for either an OK message or a log to open.
  • Attach the log, please.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-26-2009, 11:38 AM   #11 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Re: Google/Yahoo redirect issue (possible trojan)

Log is attached. Thank you.
element1 is offline  
Old 04-26-2009, 11:32 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,941
OS: WinXP and Vista


Re: Google/Yahoo redirect issue (possible trojan)

Hi element1,

Open Notepad and copy/paste the contents of the quote box below into Notepad.

Quote:
REM Search the Windows folder for the four WMI files and record path, size and timestamp
For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\wbemcntl.dll,%windir%\wbemcomn.dll,%windir%\wbemcons.dll,%windir%\wbemads.tlb') Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
REM Open the report and close the console window
start notepad report.txt & exit

Save this as element1.bat. Choose "Save as type: All Files".
It should look like this:

Double-click element1.bat and allow it to run. Then post the log it produces.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 04-26-2009 at 11:42 PM.
Ried is offline  
Old 04-27-2009, 05:03 PM   #13 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Re: Google/Yahoo redirect issue (possible trojan)

"C:\WINDOWS\ServicePackFiles\i386\wbemcntl.dll" 196608 04/13/2008 08:12 PM
"C:\WINDOWS\ServicePackFiles\i386\wbemcomn.dll" 214528 04/13/2008 08:12 PM
"C:\WINDOWS\ServicePackFiles\i386\wbemcons.dll" 71680 04/13/2008 08:12 PM
element1 is offline  
Old 04-28-2009, 01:05 AM   #14 (permalink)
Expert Analyst, Moderator, Security Team
 
Join Date: Sep 2006
Posts: 1,648
OS: xp


Re: Google/Yahoo redirect issue (possible trojan)

Hi element1,
Ried will be back with you shortly; until then, copy each one of those files
to the wbem folder located here:
C:\WINDOWS\system32\wbem\
Then restart the PC.
If you have difficulty, stop; we can do it another way.
__________________


Our help is voluntary. But this site needs donations to operate.
LonnyRJones is offline  
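The copy-and-restart step in the post above, written out as an added example script; it is not part of this thread and not a component of ComboFix, DDS or WMIDiag. For each of the four WMI files named in the report (wbemcntl.dll, wbemcomn.dll, wbemcons.dll, wbemads.tlb) it restores a missing copy to %windir%\system32\wbem from %windir%\ServicePackFiles\i386, the location the report found them in, binary-compares any copy that is already in place against the cached one, and records a missing source instead of failing, which is what happened with wbemads.tlb here. The file list, the cache path and the log file on the Desktop are assumptions taken from this thread; the script only touches those four files and is not a substitute for a full system file check.

```batch
@echo off
REM Added example (not from the original thread): targeted restore of the WMI
REM files named in the report from the Service Pack cache, with a binary compare
REM of any copy already present. Assumes Windows XP paths as posted in the thread.
setlocal
set WBEM=%windir%\system32\wbem
set SPF=%windir%\ServicePackFiles\i386
set LOG=%USERPROFILE%\Desktop\wbem-restore.txt

echo wbem repair %DATE% %TIME% > "%LOG%"
REM The four files are the ones the report searched for (assumption: nothing else).
for %%f in (wbemcntl.dll wbemcomn.dll wbemcons.dll wbemads.tlb) do call :check "%%f"
start notepad "%LOG%"
endlocal
exit /b

:check
set NAME=%~1
REM No cached copy at all: say so, do not guess a source. wbemads.tlb was absent here.
if not exist "%SPF%\%NAME%" (
    echo MISSING SOURCE  %SPF%\%NAME%  no cached copy, supply one from install media >> "%LOG%"
    goto :eof
)
REM Missing from the live wbem folder: restore it from the cache.
if not exist "%WBEM%\%NAME%" (
    copy /y "%SPF%\%NAME%" "%WBEM%\%NAME%" >nul && echo RESTORED        %WBEM%\%NAME% >> "%LOG%"
    goto :eof
)
REM Present in both places: fc /b returns 0 only when the two files are byte-identical.
fc /b "%WBEM%\%NAME%" "%SPF%\%NAME%" >nul
if errorlevel 1 (
    echo DIFFERS         %WBEM%\%NAME% is not identical to %SPF%\%NAME% >> "%LOG%"
) else (
    echo OK              %WBEM%\%NAME% matches the cached copy >> "%LOG%"
)
goto :eof
```

Save it with a .bat extension the same way as element1.bat above, run it from the Admin account (system32 needs write access), then restart. A DIFFERS line only says the file in place is not byte-identical to the Service Pack copy; it may be a later hotfix build (the Find3M report above shows several system32 files newer than their SP3 originals) or it may have been replaced, so check its version and digital signature before deciding which copy to keep.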
Old 04-28-2009, 07:09 PM   #15 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Re: Google/Yahoo redirect issue (possible trojan)

Quote:
Originally Posted by LonnyRJones View Post
Hi element1,
Ried will be back with you shortly; until then, copy each one of those files
to the wbem folder located here:
C:\WINDOWS\system32\wbem\
Then restart the PC.
If you have difficulty, stop; we can do it another way.
I have done all of the above. What are the next steps? Thank you.
element1 is offline  
Old 04-28-2009, 10:15 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,941
OS: WinXP and Vista


Re: Google/Yahoo redirect issue (possible trojan)

Hello element1,

Please run the WMIDiag.vbs again and attach the log.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-30-2009, 08:36 PM   #17 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Re: Google/Yahoo redirect issue (possible trojan)

Log is attached.
element1 is offline  
Old 04-30-2009, 11:43 PM   #18 (permalink)
Expert Analyst, Moderator, Security Team
 
Join Date: Sep 2006
Posts: 1,648
OS: xp


Re: Google/Yahoo redirect issue (possible trojan)

Download and extract this copy of wbemads.tlb, attached near the bottom of the post.
Place it in the wbem folder, please.
Have you any idea why those files were missing?

Restart your PC and run ComboFix once more, then post its log.
__________________


Our help is voluntary. But this site needs donations to operate.

Last edited by LonnyRJones; 05-02-2009 at 05:34 AM. Reason: removed attachment
LonnyRJones is offline  
Old 05-02-2009, 05:20 AM   #19 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 12
OS: Windows XP


Re: Google/Yahoo redirect issue (possible trojan)

I am not sure why the files were missing. The ComboFix log is below:

ComboFix 09-05-02.4 - Admin 05/02/2009 7:12.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.226 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-29 01:07 . 2008-04-14 00:12 71680 ----a-w c:\windows\system32\dllcache\wbemcons.dll
2009-04-29 01:07 . 2008-04-14 00:12 214528 ----a-w c:\windows\system32\dllcache\wbemcomn.dll
2009-04-29 01:06 . 2008-04-14 00:12 196608 ----a-w c:\windows\system32\dllcache\wbemcntl.dll
2009-04-15 23:30 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:30 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 23:30 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:30 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 23:30 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:30 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:30 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 23:30 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:30 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:30 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:28 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:28 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-09 02:02 . 2009-04-09 02:02 -------- d--h--w c:\windows\PIF
2009-04-09 01:59 . 2009-04-09 01:59 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\Mozilla
2009-04-07 00:38 . 2009-04-07 00:38 -------- d-----w c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 11:11 . 2004-08-07 13:16 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-18 11:20 . 2008-02-08 00:03 -------- d-----w c:\program files\McAfee
2009-04-09 01:52 . 2005-01-17 05:24 -------- d-----w c:\program files\Eazy VCD
2009-04-08 23:45 . 2006-03-08 03:10 -------- d-----w c:\program files\Microsoft Money
2009-04-08 23:43 . 2007-01-14 06:05 -------- d-----w c:\program files\BitTorrent
2009-04-02 22:09 . 2005-04-25 01:05 -------- d-----w c:\program files\Yahoo!
2009-03-08 08:34 . 2004-08-04 08:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-04 08:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-04 08:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-04 08:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-04 08:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-04 08:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-04 08:00 34816 ----a-w c:\windows\system32\imgutil.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-23 483328]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-19 155648]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DeviceDiscovery"="c:\program files\HP\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HostManager"="c:\program files\Common Files\AOL\1201498247\ee\AOLSoftware.exe" [2006-09-26 50736]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-30 88363]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-07 323584]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2005-10-25 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-1-3 36954]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-08 17:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-08 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 07:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?2?7?7??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-02 7:17
ComboFix-quarantined-files.txt 2009-05-02 11:16
ComboFix2.txt 2009-04-26 13:46
ComboFix3.txt 2009-04-22 23:51
ComboFix4.txt 2009-04-22 02:48

Pre-Run: 52,614,766,592 bytes free
Post-Run: 52,633,321,472 bytes free

199 --- E O F --- 2009-04-29 01:12
Old 05-04-2009, 06:00 AM   #20 (permalink)
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,941
OS: WinXP and Vista

Re: Google/Yahoo redirect issue (possible trojan)

Thank you LonnyRJones.

Your WMI now seems to be working properly, and your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.



Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Copyright 2001 - 2009, Tech Support Forum