Resolved HJT Threads Resolved spyware and popup issues.

 
 
06-04-2009, 10:03 AM   #1
Registered User
 
Join Date: Jun 2009
Posts: 6
OS: xp


Hijacker in browser

Hello, I believe I have a hijacker in both my Mozilla Firefox and Internet Explorer browsers because every time I do a search on a search engine and click on the link I'm either redirected to another site such as topfeed.biz, or the browser can't load the page. Sometimes when I type directly into the address bar it won't load a certain page like Google. If you wouldn't mind, could someone please let me know how to fix the situation. I have attached the zip file that was asked for and here is the DDS:

DDS (Ver_09-05-14.01) - NTFSx86
Run by VMICadet at 12:17:37.37 on Wed 06/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1367 [GMT -4:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {88A06540-62A2-420A-84DC-6B7A89F31DFD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\HACB81.EXE
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\VMICadet\Desktop\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [system tool] c:\windows\sysguard.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
mRun: [SpyHunter Security Suite] "c:\program files\enigma software group\spyhunter\SpyHunter3.exe"
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205157780160
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1232915353791&h=43dcd01eee93ccae0ebf0e1094a8e87e/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\bisavuri.dll,c:\windows\system32\lumuheze.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyvUoLB
LSA: Notification Packages = scecli c:\windows\system32\bisavuri.dll c:\windows\system32\lumuheze.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vmicadet\applic~1\mozilla\firefox\profiles\bn02w9lo.default\

============= SERVICES / DRIVERS ===============

R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [2008-3-11 251578]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2006-12-10 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-12-10 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [2006-12-10 19200]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2006-9-27 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2006-9-27 36368]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-2 38496]

=============== Created Last 30 ================

2009-06-03 12:16 <DIR> --d-h--- c:\windows\PIF
2009-06-03 12:15 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-01 11:25 <DIR> --d----- c:\program files\Enigma Software Group
2009-06-01 11:00 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-06-01 11:00 <DIR> --d----- c:\program files\Broadcom
2009-06-01 11:00 <DIR> --d----- c:\program files\Apoint
2009-06-01 11:00 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2009-06-01 11:00 <DIR> --d----- c:\program files\Bonjour
2009-05-31 23:31 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\~0
2009-05-31 22:26 244,024 a------- c:\windows\system32\MSFLXGRD.OCX
2009-05-31 22:26 203,976 a------- c:\windows\system32\richtx32.ocx
2009-05-31 22:26 140,096 a------- c:\windows\system32\COMDLG32.OCX
2009-05-31 22:26 132,880 a------- c:\windows\system32\MSINET.OCX
2009-05-31 10:45 30,208 a------- c:\windows\system\dop.exe
2009-05-31 10:45 292 a------- c:\windows\system32\dmns.cfg
2009-05-31 10:45 5 a------- c:\windows\system32\avp.id
2009-05-31 10:44 645,120 a------- c:\windows\system\tmp_70175.exe
2009-05-31 10:44 132,152 a------- c:\windows\system\cmd
2009-05-29 12:13 65,536 a------- c:\windows\system32\165.tmp
2009-05-19 00:40 464 a------- c:\temp\z5W[1].VIR

==================== Find3M ====================

2009-05-31 21:10 64,946 a------- c:\windows\system32\nvModes.dat
2009-03-29 10:59 94,208 a--sh--- c:\windows\system32\gudepawu.dll
2009-03-29 10:59 61,440 a--sh--- c:\windows\system32\lubuyosa.exe
2009-03-28 22:59 94,720 a--sh--- c:\windows\system32\nemafayo.dll
2009-03-28 22:59 61,440 a--sh--- c:\windows\system32\tuwugiwi.exe
2009-03-28 10:59 95,232 a--sh--- c:\windows\system32\rasivogi.dll
2009-03-28 10:59 61,440 a--sh--- c:\windows\system32\dereveya.exe
2009-03-27 10:56 94,208 a--sh--- c:\windows\system32\fonewati.dll
2009-03-27 10:56 61,440 a--sh--- c:\windows\system32\revemivu.exe
2009-03-26 22:56 61,440 a--sh--- c:\windows\system32\dijayota.exe
2009-03-26 22:56 95,232 a--sh--- c:\windows\system32\noboluwu.dll
2009-03-26 10:55 96,768 a--sh--- c:\windows\system32\lamaparu.dll
2009-03-26 10:55 129,024 a--sh--- c:\windows\system32\srwoli.dll
2009-03-26 10:55 129,024 a--sh--- c:\windows\system32\rivotuva.dll
2009-03-25 22:55 128,512 a--sh--- c:\windows\system32\hetihoho.dll
2009-03-25 22:55 128,512 a--sh--- c:\windows\system32\exbkou.dll
2009-03-25 22:55 94,208 a--sh--- c:\windows\system32\yatewela.dll
2009-03-25 10:54 128,512 a--sh--- c:\windows\system32\zxhysk.dll
2009-03-25 10:54 128,512 a--sh--- c:\windows\system32\zuzabiyo.dll
2009-03-25 10:54 94,208 a--sh--- c:\windows\system32\zikameho.dll
2009-03-23 08:23 128,000 a--sh--- c:\windows\system32\zimilogo.dll
2009-03-23 08:23 128,000 a--sh--- c:\windows\system32\pmepfx.dll
2008-11-12 21:56 19,151 a------- c:\program files\common files\iduged._sy
2008-11-12 21:56 13,421 a------- c:\docume~1\vmicadet\applic~1\ucepykyhoj.pif
2008-11-12 21:56 11,143 a------- c:\docume~1\vmicadet\applic~1\opamas.vbs
2008-11-12 21:56 10,142 a------- c:\docume~1\alluse~1\applic~1\tudomumiko.pif
2009-02-16 10:56 37,131 a--sh--- c:\windows\system32\BLoUvyxx.ini2
2009-01-18 17:19 1,466 a--sh--- c:\windows\system32\hgQBdfii.ini2
2009-02-16 09:27 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-02-16 09:27 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-02-16 09:27 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 12:18:08.70 ===============
Attached file: Attach.zip (4.1 KB)
Mr. W
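The log above is the kind of output an analyst reads by eye, looking for a handful of well-known indicator classes. As an added example (not part of the original post, and not something the DDS tool itself produces), the Python script below applies those checks mechanically: autorun entries that launch an executable sitting directly in c:\windows, any AppInit_DLLs entry, LSA Authentication/Notification Packages beyond a default baseline, hidden+system files inside system32, and executables created in the legacy c:\windows\system folder. The sample lines are copied from the log posted above; the LSA baseline (msv1_0 and scecli) is an assumption about a default Windows XP build, and the heuristics are the editor's own rather than DDS logic.

```python
"""Triage checks for a DDS-style log (example added here; not DDS output and not
part of the original post). The heuristics are the editor's own."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Assumed baseline for a default Windows XP install; in practice compare
# against a known-good image of the same build.
LSA_BASELINE: Dict[str, set] = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<vals>.+)$")
LSA_RE = re.compile(
    r"^LSA: (?P<key>Authentication Packages|Notification Packages) = (?P<vals>.+)$"
)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys")

# Sample lines copied from the log posted above (Pseudo HJT Report and the
# Created Last 30 / Find3M file listings), used here as constructed test input.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [system tool] c:\windows\sysguard.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
AppInit_DLLs: c:\windows\system32\bisavuri.dll,c:\windows\system32\lumuheze.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyvUoLB
LSA: Notification Packages = scecli c:\windows\system32\bisavuri.dll c:\windows\system32\lumuheze.dll
2009-06-03 12:16 <DIR> --d-h--- c:\windows\PIF
2009-05-31 10:45 30,208 a------- c:\windows\system\dop.exe
2009-03-29 10:59 94,208 a--sh--- c:\windows\system32\gudepawu.dll
2009-03-29 10:59 61,440 a--sh--- c:\windows\system32\lubuyosa.exe
2009-05-31 21:10 64,946 a------- c:\windows\system32\nvModes.dat
"""


def triage(log_text: str) -> List[Finding]:
    """Return (category, detail) findings for the suspicious patterns in log_text."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip('"').lower()
            # Autoruns that launch an .exe sitting directly in c:\windows\ (rather
            # than system32 or Program Files) are unusual for legitimate software.
            if re.match(r"^c:\\windows\\[^\\]+\.exe", cmd):
                findings.append(("run-key", f"[{m.group('name')}] {m.group('cmd')}"))
            continue

        m = APPINIT_RE.match(line)
        if m:
            # Anything in AppInit_DLLs is loaded into every user32-linked process;
            # on a workstation there is rarely a legitimate reason for an entry.
            for dll in (d.strip() for d in m.group("vals").split(",")):
                if dll:
                    findings.append(("appinit-dll", dll))
            continue

        m = LSA_RE.match(line)
        if m:
            # Extra LSA packages see logon credentials; anything beyond the
            # baseline deserves a look.
            key = m.group("key")
            tag = "lsa-" + key.split()[0].lower()
            for val in m.group("vals").split():
                if val.lower() not in LSA_BASELINE[key]:
                    findings.append((tag, val))
            continue

        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            lower = path.lower()
            # Hidden+system files inside system32 are a common place to park payloads.
            if "s" in attrs and "h" in attrs and lower.startswith("c:\\windows\\system32\\"):
                findings.append(("hidden-system-file", path))
            # The legacy c:\windows\system folder holds old 16-bit components;
            # freshly created executables there stand out.
            elif lower.startswith("c:\\windows\\system\\") and lower.endswith(EXEC_EXT):
                findings.append(("legacy-system-dir", path))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, handy for a first pass over a long log."""
    counts: Dict[str, int] = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:20s} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a full DDS log, the script only narrows the reading list; every hit still needs the analyst to confirm it against the machine's known software, which is exactly what the moderator's follow-up posts in this thread do with ComboFix.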

06-07-2009, 12:39 AM   #2
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Hijacker in browser

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777
06-07-2009, 03:11 PM   #3
Registered User
 
Join Date: Jun 2009
Posts: 6
OS: xp


Re: Hijacker in browser

Here is the ComboFix log:

ComboFix 09-06-07.01 - VMICadet 06/07/2009 16:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1534 [GMT -4:00]
Running from: c:\documents and settings\VMICadet\My Documents\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {88A06540-62A2-420A-84DC-6B7A89F31DFD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\windows\system\cmd
c:\windows\system\dop.exe
c:\windows\system32\avp.id
c:\windows\system32\BLoUvyxx.ini
c:\windows\system32\BLoUvyxx.ini2
c:\windows\system32\dmns.cfg
c:\windows\system32\elawodet.ini
c:\windows\system32\erajozez.ini
c:\windows\system32\exbkou.dll
c:\windows\system32\fonewati.dll
c:\windows\system32\gudepawu.dll
c:\windows\system32\hetihoho.dll
c:\windows\system32\hgQBdfii.ini
c:\windows\system32\hgQBdfii.ini2
c:\windows\system32\ipazutow.ini
c:\windows\system32\lamaparu.dll
c:\windows\system32\nemafayo.dll
c:\windows\system32\noboluwu.dll
c:\windows\system32\pmepfx.dll
c:\windows\system32\qtwnsrgr.ini
c:\windows\system32\rasivogi.dll
c:\windows\system32\rivotuva.dll
c:\windows\system32\srwoli.dll
c:\windows\system32\unanamup.ini
c:\windows\system32\vynfsqay.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\xgqpzr.dll
c:\windows\system32\yatewela.dll
c:\windows\system32\zikameho.dll
c:\windows\system32\zimilogo.dll
c:\windows\system32\zuzabiyo.dll
c:\windows\system32\zxhysk.dll
c:\windows\Tasks\iaeatnri.job
c:\windows\wiaserviv.log

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{4340F960-84F5-4A27-B5CE-47D32B8C1223}\RP223\A0015886.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-06-03 16:16 . 2009-06-03 16:16 -------- d--h--w- c:\windows\PIF
2009-06-01 15:25 . 2009-06-01 15:25 -------- d-----w- c:\program files\Enigma Software Group
2009-06-01 15:00 . 2009-06-01 15:00 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-01 15:00 . 2009-06-01 15:00 -------- d-----w- c:\program files\Broadcom
2009-06-01 15:00 . 2009-06-01 15:00 -------- d-----w- c:\program files\Apoint
2009-06-01 15:00 . 2009-06-01 15:00 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-06-01 15:00 . 2009-06-01 15:00 -------- d-----w- c:\program files\Bonjour
2009-06-01 03:34 . 2009-06-03 16:13 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-01 03:31 . 2009-06-03 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-31 14:44 . 2009-05-31 14:45 645120 ----a-w- c:\windows\system\tmp_70175.exe
2009-05-19 04:40 . 2009-05-19 04:40 464 ----a-w- c:\temp\z5W[1].VIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 15:00 . 2008-10-24 21:43 -------- d-----w- c:\program files\Google
2009-06-01 02:29 . 2008-08-09 17:42 -------- d-----w- c:\program files\Trend Micro
2009-06-01 01:10 . 2008-05-23 22:48 64946 ----a-w- c:\windows\system32\nvModes.dat
2009-05-29 16:13 . 2009-05-29 16:13 65536 ----a-w- c:\windows\system32\165.tmp
2009-04-23 01:32 . 2009-04-23 01:32 0 ----a-w- c:\windows\nsreg.dat
2009-03-29 14:59 . 1601-01-01 00:12 61440 --sha-w- c:\windows\system32\lubuyosa.exe
2009-03-29 02:59 . 1601-01-01 00:12 61440 --sha-w- c:\windows\system32\tuwugiwi.exe
2009-03-28 14:59 . 1601-01-01 00:12 61440 --sha-w- c:\windows\system32\dereveya.exe
2009-03-27 14:56 . 1601-01-01 00:12 61440 --sha-w- c:\windows\system32\revemivu.exe
2009-03-27 02:56 . 1601-01-01 00:12 61440 --sha-w- c:\windows\system32\dijayota.exe
2008-11-13 01:56 . 2008-11-13 01:56 19151 ----a-w- c:\program files\Common Files\iduged._sy
.

------- Sigcheck -------

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-04 12:00 82944 298A0969CCCF04184CC43B6E7AE34007 c:\windows\system32\ws2_32.dll
[-] 2004-08-04 12:00 82944 298A0969CCCF04184CC43B6E7AE34007 c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-27 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-06 405504]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-08 128560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 702072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-31 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-05-31 67584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 21:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system\\tmp_70175.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"32453:TCP"= 32453:TCP:Trend Micro OfficeScan Listener

R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [3/11/2008 4:19 AM 251578]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [12/10/2006 7:17 PM 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [12/10/2006 7:17 PM 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [12/10/2006 7:17 PM 19200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 3:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 3:07 PM 55024]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [9/27/2006 2:31 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/27/2006 2:31 PM 36368]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 3:07 PM 7408]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/2/2009 5:22 PM 38496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BHR - c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\VMICadet\Application Data\Mozilla\Firefox\Profiles\bn02w9lo.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 17:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-69272209-39754414-2322641270-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

- - - - - - - > 'lsass.exe'(940)
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

- - - - - - - > 'explorer.exe'(3884)
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\stacsv.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\Temp\LB5B55.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-06-07 17:07 - machine was rebooted



ComboFix-quarantined-files.txt 2009-06-07 21:07

Pre-Run: 68,910,612,480 bytes free
Post-Run: 69,244,362,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

222 --- E O F --- 2009-01-14 11:12

Last edited by Mr. W; 06-07-2009 at 03:13 PM.
Mr. W
06-07-2009, 03:37 PM   #4
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Hijacker in browser

Hi,


* Open Notepad.
  • Copy and paste the text inside the code box below into Notepad.
Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/382370-hijacker-browser.html
File::
c:\temp\z5W[1].VIR
c:\windows\system32\165.tmp
c:\windows\system32\tuwugiwi.exe
c:\windows\system32\dereveya.exe
c:\windows\system32\revemivu.exe
c:\windows\system32\dijayota.exe
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system\\tmp_70175.exe"=-
Collect::
c:\windows\system\tmp_70175.exe
c:\windows\system32\lubuyosa.exe
c:\program files\Common Files\iduged._sy
SRPeek::
c:\windows\system32\ws2_32.dll
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------

*Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 14.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java(TM) 6 Update 11
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

-----------------------------

Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


On your next reply, please include a
  • kaspersky scan log
  • combofix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 06-24-2009, 02:57 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 6
OS: xp


Re: Hijacker in browser

Thanks again =). Here are the 2 logs that were asked for, and the
C:\QooBox\Quarantine\[4]-Submit_date@time.zip object was submitted to the specified website:


ComboFix 09-06-23.01 - VMICadet 06/24/2009 9:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1406 [GMT -4:00]
Running from: c:\documents and settings\VMICadet\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\VMICadet\Desktop\CFScript.lnk
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {88A06540-62A2-420A-84DC-6B7A89F31DFD}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{4340F960-84F5-4A27-B5CE-47D32B8C1223}\RP226\A0015945.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-24 13:34 . 2009-06-24 13:34 -------- d-----w- c:\windows\LastGood
2009-06-08 07:03 . 2009-06-08 07:03 -------- d-----w- c:\windows\system32\KB905474
2009-06-08 07:03 . 2009-03-11 02:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-06-08 07:03 . 2009-03-11 02:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-06-08 07:01 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-07 20:59 . 2004-08-04 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-07 20:59 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-03 16:16 . 2009-06-03 16:16 -------- d--h--w- c:\windows\PIF
2009-06-01 15:25 . 2009-06-01 15:25 -------- d-----w- c:\program files\Enigma Software Group
2009-06-01 15:00 . 2009-06-01 15:00 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-01 15:00 . 2009-06-01 15:00 -------- d-----w- c:\program files\Broadcom
2009-06-01 15:00 . 2009-06-01 15:00 -------- d-----w- c:\program files\Apoint
2009-06-01 15:00 . 2009-06-01 15:00 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-06-01 15:00 . 2009-06-01 15:00 -------- d-----w- c:\program files\Bonjour
2009-06-01 03:34 . 2009-06-03 16:13 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-01 03:31 . 2009-06-03 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 14:23 . 2008-05-23 22:48 64946 ----a-w- c:\windows\system32\nvModes.dat
2009-06-01 15:00 . 2008-10-24 21:43 -------- d-----w- c:\program files\Google
2009-06-01 02:29 . 2008-08-09 17:42 -------- d-----w- c:\program files\Trend Micro
2009-04-23 01:32 . 2009-04-23 01:32 0 ----a-w- c:\windows\nsreg.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-06-10_15.32.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-24 13:33 . 2009-06-24 13:33 16384 c:\windows\Temp\Perflib_Perfdata_8ec.dat
+ 2009-06-24 13:32 . 2009-06-24 13:32 16384 c:\windows\Temp\Perflib_Perfdata_5a4.dat
+ 2004-08-04 12:00 . 2009-06-24 13:36 61026 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-06-08 07:16 61026 c:\windows\system32\perfc009.dat
+ 2009-06-24 13:33 . 2007-05-08 04:43 300656 c:\windows\Temp\JSA0C5.EXE
+ 2004-08-04 12:00 . 2009-06-24 13:36 401032 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-06-08 07:16 401032 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-27 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-06 405504]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-08 128560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 702072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-31 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-05-31 67584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 21:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"32453:TCP"= 32453:TCP:Trend Micro OfficeScan Listener

R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [3/11/2008 4:19 AM 251578]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [12/10/2006 7:17 PM 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [12/10/2006 7:17 PM 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [12/10/2006 7:17 PM 19200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 3:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 3:07 PM 55024]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [9/27/2006 2:31 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/27/2006 2:31 PM 36368]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 3:07 PM 7408]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/2/2009 5:22 PM 38496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-06-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-08 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 09:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-69272209-39754414-2322641270-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

- - - - - - - > 'lsass.exe'(940)
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

- - - - - - - > 'explorer.exe'(3548)
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\stacsv.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\Temp\JSA0C5.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
.
**************************************************************************
.
Completion time: 2009-06-24 9:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 13:46
ComboFix2.txt 2009-06-10 15:38
ComboFix3.txt 2009-06-07 21:07

Pre-Run: 68,968,357,888 bytes free
Post-Run: 68,944,420,864 bytes free

179 --- E O F --- 2009-06-08 07:03


And here is the other one:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 24, 2009 15:54:30
Records in database: 2386549
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 34446
Threat name: 25
Infected objects: 58
Suspicious objects: 0
Duration of the scan: 00:35:09


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system\dop.exe.vir Infected: Trojan-Downloader.Win32.Agent.ccoi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\165.tmp.vir Infected: Trojan-Spy.Win32.Zbot.vzu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dereveya.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dijayota.exe.vir Infected: Trojan.Win32.AntiAV.aug 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\exbkou.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fonewati.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gudepawu.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hetihoho.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lamaparu.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nemafayo.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\noboluwu.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pmepfx.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rasivogi.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\revemivu.exe.vir Infected: Trojan.Win32.AntiAV.aug 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rivotuva.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\srwoli.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuwugiwi.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vynfsqay.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ngt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Trojan-Dropper.Win32.Agent.arsm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xgqpzr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ngt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yatewela.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zikameho.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zimilogo.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zuzabiyo.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zxhysk.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\[4]-Submit_2009-06-10_11.30.21.zip Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Temp\2F5BADAC.exe Infected: Trojan-Dropper.Win32.Agent.wcc 1
C:\Temp\A0009943.dll Infected: Trojan.Win32.Monder.asxw 1
C:\Temp\A0009944.dll Infected: Trojan.Win32.Monder.asxw 1
C:\Temp\A0011646.SYS Infected: Rootkit.Win32.Agent.hqh 1
C:\Temp\A0012965.dll Infected: Packed.Win32.Krap.p 1
C:\Temp\A0012966.dll Infected: Packed.Win32.Krap.p 1
C:\Temp\bisavuri.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Temp\DIGESTE.DLL Infected: Trojan.Win32.Agent.byib 1
C:\Temp\figaro.sys Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Temp\fujigayu.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Temp\gettpa227.exe Infected: not-a-virus:AdWare.Win32.Agent.jok 1
C:\Temp\halivege.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Temp\iehelper.dll Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.dw 1
C:\Temp\iehelper.VI0 Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.dw 1
C:\Temp\iehelper.VIR Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.dw 1
C:\Temp\lumuheze.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Temp\prun.tmp Infected: Trojan.Win32.Agent.bpna 1
C:\Temp\soyigubu.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Temp\stf4F.tmp Infected: Trojan.Win32.Agent.bgbt 1
C:\Temp\wenijalu.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Temp\xpre.tmp Infected: Trojan.Win32.AntiAV.awz 1
C:\Temp\{0994E64C-0D4E-4656-B815-8E2BECFC76EE} Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.bq 1
C:\Temp\{45C6B6DC-1A5F-4974-BDD5-01B84B6D2D81} Infected: not-a-virus:FraudTool.Win32.AntiVirusPro.au 1
C:\Temp\{503777F6-A635-4164-9B43-C8975392B213} Infected: not-a-virus:FraudTool.Win32.AntiVirusPro.au 1
C:\Temp\{5A37CAB1-12DC-4E33-9A18-36CD8AA581C3} Infected: Trojan.Win32.Monder.aort 1
C:\Temp\{5D023E0F-1B85-41A6-BAA0-235F27450636} Infected: not-a-virus:FraudTool.Win32.AntiVirusPro.au 1
C:\Temp\{61A886DF-0392-4F1B-BC67-127D2280F0AC} Infected: Trojan-Downloader.Win32.Small.jdo 1
C:\Temp\{6FB84279-1FC7-4058-9CEB-97CFEBE1AD3E} Infected: Trojan-Downloader.Win32.Small.jdo 1
C:\Temp\{8661B82F-F1CA-412C-8AB0-B8744BCA68EA} Infected: Trojan-Downloader.Win32.Small.jdl 1
C:\Temp\{B8457051-CBE9-4E1F-AD77-177CD5625053} Infected: Trojan-Downloader.Win32.Small.jdl 1
C:\Temp\{E8F50878-CE9C-4BBA-9328-948884AC0451} Infected: Trojan.Win32.Agent2.drg 1
C:\Temp\{FC9A9349-9AB6-484A-9094-C5AE1B251ECA} Infected: Trojan.Win32.Agent2.drg 1

The selected area was scanned.


Thanks again,

MR. W
Mr. W is offline  
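The Kaspersky report above lists every hit as "path Infected: threat-name count", and the helper's advice ("many of the finds have likely been quarantined") comes down to reading where each path lives: anything under C:\Qoobox\Quarantine is already inert, anything under a Temp folder is leftover dropper material, and only hits outside those locations still need action. The following is an added example (not code from the thread or from any of the tools named in it) that parses report lines in that format and produces that triage summary. The location heuristic, the family grouping (threat name with its variant suffix removed) and the "C:\Program Files\Example App\helper.dll" line in the sample are assumptions constructed for the demonstration; the other sample lines are taken from the report posted above.

```python
"""Triage helper for Kaspersky Online Scanner 7 report lines (added example)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# One detection line: "<path> <status>: <threat name> <count>".
# Paths may contain spaces, so the regex anchors on the status keyword
# and takes the threat name as the next whitespace-free token.
_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)


class Detection(NamedTuple):
    path: str
    status: str
    threat: str
    count: int


def parse_report(text: str) -> List[Detection]:
    """Return every detection line; headers, blanks and footers are skipped."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["status"], m["threat"], int(m["count"])))
    return found


def family(threat: str) -> str:
    """Drop the variant suffix: 'Packed.Win32.Krap.o' -> 'Packed.Win32.Krap' (assumed convention)."""
    return threat.rsplit(".", 1)[0]


def location_class(path: str) -> str:
    """Classify where a hit lives; the rules are an assumption for this example."""
    p = path.lower().replace("/", "\\")
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"   # ComboFix already moved it; the .vir copy is inert
    if p.startswith("c:\\temp\\") or "\\windows\\temp\\" in p:
        return "temp"          # leftover dropper material; safe to delete
    return "live"              # outside any containment folder; needs attention


def triage(text: str) -> Dict[str, object]:
    """Summarise a report by location class, by threat family, and list live paths."""
    dets = parse_report(text)
    by_location = Counter(location_class(d.path) for d in dets)
    by_family: Counter = Counter()
    for d in dets:
        by_family[family(d.threat)] += d.count
    live_paths = [d.path for d in dets if location_class(d.path) == "live"]
    return {
        "total": len(dets),
        "by_location": dict(by_location),
        "by_family": dict(by_family),
        "live_paths": live_paths,
    }


# Sample input: five lines from the report in the thread plus one constructed
# "live" hit outside the quarantine and temp folders.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system\dop.exe.vir Infected: Trojan-Downloader.Win32.Agent.ccoi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\exbkou.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fonewati.dll.vir Infected: Packed.Win32.Krap.o 1
C:\Temp\figaro.sys Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Temp\A0012965.dll Infected: Packed.Win32.Krap.p 1
C:\Program Files\Example App\helper.dll Infected: Trojan.Win32.Agent.bpna 1

The selected area was scanned.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['total']} detections: {summary['by_location']}")
    for fam, n in sorted(summary["by_family"].items()):
        print(f"  {fam}: {n}")
    for path in summary["live_paths"]:
        print(f"  LIVE, needs action: {path}")
```

Run against the full report in the post, every path falls into the quarantined or temp class, which is the same conclusion the helper reached by eye; the constructed "Program Files" line shows what the output looks like when a hit sits outside both.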
Old 06-24-2009, 06:04 PM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Hijacker in browser

*I would like you to scan a file for me.

Please go HERE. Copy and paste the following file path in to the box.

c:\windows\Temp\JSA0C5.EXE

Then click submit.

Please post the results to your next reply.


*If C:\Temp is not a folder that you created, please delete the whole folder and empty your recycle bin.

Let me know if it's otherwise.


How's it running?
Angelfire777 is offline  
Old 06-28-2009, 05:16 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 6
OS: xp


Re: Hijacker in browser

Hey again, sorry, I tried to copy and paste c:\windows\Temp\JSA0C5.EXE into the box and it said the file was not found. Also, I deleted the C:\Temp folder because I didn't create it. And it has been running well; I haven't gotten redirected or an error when I try to load a web page. And I really appreciate the help, thank you very much.

Mr. W
Mr. W is offline  
Old 06-29-2009, 07:13 PM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Hijacker in browser

That's fine. I think the file should belong to Trend Micro. It is known to create such randomly named files inside the temp folder.

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's How Did I Get Infected In The First Place?

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline  
Old 07-07-2009, 10:31 AM   #9 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 6
OS: xp


Re: Hijacker in browser

Thank you
Mr. W is offline  
 


Copyright 2001 - 2009, Tech Support Forum