Old 06-19-2009, 04:31 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 4
OS: windows vista


redirect virus?

I am having an issue with Google and Yahoo search engines. If I click on the link, I get sent to alternate random websites; however, if I just copy and paste the link, the correct page shows. I'm not sure, but I think this problem occurred after I clicked a wrong page when I was on justin.tv and trying to find a site that was showing a soccer game.

Here is my DDS log.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 18:07:50.77 on Fri 06/19/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1790.704 [GMT -4:00]

AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter3.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\VoipRaider.com\VoipRaider\VoipRaider.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\bin32\nSvcAppFlt.exe
C:\Program Files\bin32\nSvcIp.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.hotmail.com/
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-01e
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-01e
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-01e
uInternet Settings,ProxyOverride = *.local
BHO: MRI_DISABLED - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [Sidebar] "c:\program files\windows sidebar\Sidebar.exe" /autorun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [VoipRaider] "c:\program files\voipraider.com\voipraider\VoipRaider.exe" -nosplash -minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eRecoveryService]
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VMonitorVMUVC] "c:\program files\vimicro corporation\vmuvc\VMonitor.exe" VMUVC
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
Trusted Zone: k12.nj.us\mail.paramus
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUpldpt-br.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://kribeiro11.spaces.live.com/PhotoUpload/VistaMsnPUplden-us.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: NameServer = 85.255.112.174,85.255.112.71
TCP: {FF71B4BE-EBD4-408C-93BC-FD5F555C3D94} = 85.255.112.174,85.255.112.71

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\503luifc.default\

============= SERVICES / DRIVERS ===============

R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2006-10-11 24576]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-6-18 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-6-18 36368]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-9-11 43552]
R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2008-12-26 250240]
R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2008-12-26 476032]

=============== Created Last 30 ================

2009-06-18 22:58 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-06-18 22:58 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-06-18 22:58 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-18 22:58 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-06-18 22:58 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-06-18 22:58 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-06-18 22:58 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-06-15 23:16 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-15 23:16 <DIR> --d----- c:\program files\Spyware Doctor
2009-06-15 23:15 506,368 a------- c:\windows\system32\msxml.dll
2009-06-14 23:46 335 a------- C:\spyhunter.fix
2009-06-14 23:46 <DIR> --d----- c:\program files\Enigma Software Group
2009-06-10 22:00 <DIR> --d----- c:\program files\QuickTiming

==================== Find3M ====================

2009-06-18 23:16 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-18 23:16 86,016 a------- c:\windows\inf\infstor.dat
2009-06-18 23:16 51,200 a------- c:\windows\inf\infpub.dat
2009-05-08 19:59 1,807,938 a------- c:\windows\system32\Licking Dog Screen Clean.scr
2009-05-01 20:44 98 a------- c:\users\owner\appdata\roaming\wklnhst.dat
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2008-09-11 14:41 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-03-01 22:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-03-01 22:22 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-03-01 22:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 18:09:40.49 ===============

Attached are the other files requested.

Thank you in advance for any help.

Also, my antivirus (Trend Micro Antivirus & Spyware) cannot connect to the Internet... it says there is no Internet connection, therefore it cannot perform the necessary updates. Please help.
Attached Files
File Type: zip Attach.zip (2.6 KB, 1 views)
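As an added triage example (not from this thread or from any TSF or DDS tool), the Python script below scans DDS "Pseudo HJT Report" lines like the ones posted above for the two findings a helper reads first: DNS resolvers that are not the ones the machine should be using, and BHO entries that point at no file. The sample lines are copied from the log above; the expected-resolver list is an assumed placeholder.

```python
import ipaddress
import re

# Constructed sample: a handful of lines copied from the "Pseudo HJT Report"
# section of the DDS log posted in this thread, not the whole log.
SAMPLE_DDS = """\
uStart Page = www.hotmail.com/
uInternet Settings,ProxyOverride = *.local
BHO: MRI_DISABLED - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
Trusted Zone: k12.nj.us\\mail.paramus
TCP: NameServer = 85.255.112.174,85.255.112.71
TCP: {FF71B4BE-EBD4-408C-93BC-FD5F555C3D94} = 85.255.112.174,85.255.112.71
"""

# Resolvers the machine is expected to use (home router / ISP DNS). This is an
# assumed placeholder; fill in the real addresses before using the script.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# DDS prints the global resolver list as "TCP: NameServer = ..." and each
# adapter's list as "TCP: {interface GUID} = ...", comma separated.
NS_RE = re.compile(r"^TCP: (NameServer|\{[0-9A-Fa-f-]{36}\}) = (.+)$")


def parse_nameservers(line):
    """Return (scope, [ip_address, ...]) for a DDS resolver line, else None."""
    m = NS_RE.match(line)
    if not m:
        return None
    scope = "global" if m.group(1) == "NameServer" else "adapter " + m.group(1)
    ips = []
    for token in m.group(2).split(","):
        try:
            ips.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            pass  # ignore anything that is not an IP literal
    return scope, ips


def triage(log_text, expected_resolvers=EXPECTED_RESOLVERS):
    """Walk DDS report lines and return a list of (severity, message) findings."""
    expected = {ipaddress.ip_address(ip) for ip in expected_resolvers}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        ns = parse_nameservers(line)
        if ns is not None:
            scope, ips = ns
            # A public resolver the owner never configured is the classic sign
            # of a DNS-changer: searches redirect, AV update servers "vanish".
            rogue = [str(ip) for ip in ips if ip not in expected and ip.is_global]
            if rogue:
                findings.append(("high", f"{scope}: unexpected public DNS resolvers {rogue}; "
                                 "search-result redirects and blocked AV updates are consistent "
                                 "with a DNS-changer infection"))
            continue
        # A BHO registered in the registry whose DLL is gone is usually leftover
        # from a removed add-on; worth listing so the helper can clean it up.
        if line.startswith("BHO: ") and line.endswith(" - No File"):
            entry = line[len("BHO: "):-len(" - No File")]
            findings.append(("low", f"orphaned browser helper object entry: {entry}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'low': 2}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_DDS):
        print(f"[{severity}] {message}")
```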

Old 06-20-2009, 10:01 AM   #2 (permalink)
Analyst, Security Team
 
mas_pogi's Avatar
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: redirect virus?

Hi.

Welcome to TSF once again.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------------------------------------------
Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

-----------------------------------------------------------------------
I am sorry to inform you that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

----------------------------------------------------------------------

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix


* You must rename it before saving it. Rename it from Combofix.exe to Combo-fix.exe. Save it to your desktop.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

Please include the C:\ComboFix.txt in your next reply for further review


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 06-20-2009, 12:36 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 4
OS: windows vista


Re: redirect virus?

Thanks for your help thus far. I have included the text in the reply and also added the attachment from the combofix. I've changed my passwords to banking and credit card websites...are there any other changes I should make?



ComboFix 09-06-19.01 - Owner 06/20/2009 14:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1790.810 [GMT -4:00]
Running from: c:\users\Owner\Desktop\Combo-Fix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1283530764-2679964507-1001869682-500
c:\$recycle.bin\S-1-5-21-2242091637-194836198-1139957384-500
c:\$recycle.bin\S-1-5-21-2760852498-2543259003-1422614318-1000
c:\$recycle.bin\S-1-5-21-1283530764-2679964507-1001869682-500\desktop.ini
c:\$recycle.bin\S-1-5-21-2242091637-194836198-1139957384-500\desktop.ini
c:\$recycle.bin\S-1-5-21-2760852498-2543259003-1422614318-1000\desktop.ini
c:\windows\system32\drivers\MSIVXtdipomxpowwxeqeequvibmjypenmfcwb.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXrxdrontiltqipxrscsqfrqjkvwnjirdn.dll
c:\windows\system32\MSIVXytnitbmjcfsyvwqtfiibdvrksblkfxac.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-20 18:23 . 2009-06-20 18:23 -------- d-----w- c:\users\Owner\AppData\Local\temp
2009-06-19 03:11 . 2009-06-19 03:11 -------- d-----w- c:\users\Owner\AppData\Local\Trend Micro
2009-06-19 02:58 . 2009-06-19 02:58 1195512 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-06-19 02:58 . 2009-06-19 02:58 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-06-19 02:58 . 2009-06-19 02:58 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-06-19 02:58 . 2009-06-19 02:58 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-06-19 02:58 . 2009-06-19 02:58 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-06-19 02:58 . 2009-06-19 02:58 205328 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-06-19 02:58 . 2009-06-19 02:58 150032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-16 03:15 . 2004-08-04 11:00 506368 ----a-w- c:\windows\system32\msxml.dll
2009-06-16 01:26 . 2009-06-16 01:26 0 ----a-w- c:\windows\nsreg.dat
2009-06-16 01:26 . 2009-06-16 01:26 -------- d-----w- c:\users\Owner\AppData\Local\Mozilla
2009-06-15 03:46 . 2009-06-15 03:46 -------- d-----w- c:\program files\Enigma Software Group
2009-06-11 02:00 . 2009-06-11 02:00 -------- d-----w- c:\program files\QuickTiming

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 03:15 . 2008-11-28 15:50 -------- d-----w- c:\program files\Trend Micro
2009-06-19 03:12 . 2008-11-28 15:51 -------- d-----w- c:\programdata\Trend Micro
2009-06-16 01:21 . 2008-09-11 19:09 -------- d-----w- c:\program files\BigFix
2009-06-15 23:30 . 2008-09-11 18:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-11 07:05 . 2008-09-11 19:12 -------- d-----w- c:\program files\Microsoft Works
2009-06-11 07:04 . 2008-09-11 19:10 -------- d-----w- c:\programdata\Microsoft Help
2009-05-28 03:45 . 2008-11-29 03:43 -------- d-----w- c:\programdata\CanonIJPLM
2009-05-16 07:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-08 23:59 . 2009-05-08 23:59 -------- d-----w- c:\program files\Nuganics
2009-05-08 23:59 . 2009-05-08 23:59 1807938 ----a-w- c:\windows\system32\Licking Dog Screen Clean.scr
2009-05-02 00:44 . 2008-11-30 02:03 98 ----a-w- c:\users\Owner\AppData\Roaming\wklnhst.dat
2009-04-24 16:05 . 2009-06-10 19:01 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-10 19:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-10 19:01 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-10 19:01 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-10 19:01 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-10 19:01 2033152 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2008-01-21 1233920]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"VoipRaider"="c:\program files\VoipRaider.com\VoipRaider\VoipRaider.exe" [2008-12-08 9016112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 92704]
"VMonitorVMUVC"="c:\program files\Vimicro Corporation\VMUVC\VMonitor.exe" [2007-11-13 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-06-19 995528]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-06-19 6244896]

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{26839C33-D4FA-4153-887B-47EB5EDB06BE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{EF18BDFD-8C8B-4077-9388-5E29DA2D6655}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D346967B-EA51-4296-BE7A-2C0704B67863}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8E680C6E-4865-4B0C-BE45-F5CCCA7D1B3E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2F16262E-07D6-4274-9A76-96CDB15EA7B0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{2679D057-43B9-46DB-B510-AC65F671D77E}c:\\program files\\voipraider.com\\voipraider\\voipraider.exe"= UDP:c:\program files\voipraider.com\voipraider\voipraider.exe:Client to make VoIP calls.
"UDP Query User{43A44672-72D2-4416-987D-9A64BA1F7181}c:\\program files\\voipraider.com\\voipraider\\voipraider.exe"= TCP:c:\program files\voipraider.com\voipraider\voipraider.exe:Client to make VoIP calls.
"{B70BDCB8-AC1A-49DB-B7EF-BB8EA8D7E327}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{05DF7107-B4D9-4CAF-BD3F-9E16E3D16F61}"= UDP:c:\program files\Windows Mail\WinMail.exe:Windows Mail
"{7FFBEF27-DCD0-43B8-8918-A6CFBE01F9A0}"= TCP:c:\program files\Windows Mail\WinMail.exe:Windows Mail
"{B849FA1F-D4F7-4DF7-A645-253A42CE55B7}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6CABD0C9-8837-4308-AE7A-E00D7B352A63}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

R2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [10/11/2006 3:35 AM 24576]
R2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [6/18/2009 10:58 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [6/18/2009 10:58 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [6/18/2009 11:16 PM 677128]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [9/11/2008 3:09 PM 43552]
R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\System32\drivers\VMUVC.sys [12/26/2008 2:14 PM 250240]
R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\System32\drivers\vvftUVC.sys [12/26/2008 2:14 PM 476032]
S3 Partner Service;Partner Service;c:\programdata\Partner\partner.exe [11/28/2008 11:10 AM 110576]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.hotmail.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-01e
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
Trusted Zone: k12.nj.us\mail.paramus
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\503luifc.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 14:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-06-20 14:27
ComboFix-quarantined-files.txt 2009-06-20 18:27

Pre-Run: 111,818,780,672 bytes free
Post-Run: 111,751,024,640 bytes free

151 --- E O F --- 2009-06-11 07:05
Attached Files
File Type: txt combofix.txt (10.4 KB, 2 views)
Old 06-20-2009, 07:59 PM   #4 (permalink)
Analyst, Security Team
 
mas_pogi's Avatar
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: redirect virus?

Hi.

Quote:
Thanks for your help thus far. I have included the text in the reply and also added the attachment from the combofix. I've changed my passwords to banking and credit card websites...are there any other changes I should make?
That would be enough.

Let's continue
---------------------------------------------------------------------------

Copy and paste the following text into Notepad:

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000000
Save this as "fixme.reg". Choose to save as *all files and place it on your Desktop. It looks like this
Double-click fixme.reg

-------------------------------------------------------------------------

Please uninstall these programs through Programs and Features.
Click the Vista Orb located at left bottom of your screen > Control Panel > Programs

Java(TM) 6 Update 5
Java(TM) 6 Update 7


They are outdated Java runtimes. (Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.)

After you uninstall your outdated Java, please download Java(TM) 6 Update 14 here. Install it.

--------------------------------------------------------------------------

Kaspersky scan

*Close any open programs
*Turn off the real-time scanner of any existing antivirus program while performing the online scan. You can find instructions HERE.


Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

---------------------------------------------------------------------------

Disable any script blocker then double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
Please post the content of DDS.txt in your next reply.

---------------------------------------------------------------------------

How's your computer now?



In your reply, please post

DDS.txt
Kaspersky scan result
Answer to my questions


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 06-21-2009, 12:08 AM   #5 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 4
OS: windows vista


Re: redirect virus?

Here you go Mark...

DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 2:01:48.37 on Sun 06/21/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1790.1043 [GMT -4:00]

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\bin32\nSvcAppFlt.exe
C:\Program Files\bin32\nSvcIp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.hotmail.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-01e
uInternet Settings,ProxyOverride = *.local
BHO: MRI_DISABLED - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] "c:\program files\windows sidebar\Sidebar.exe" /autorun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [VoipRaider] "c:\program files\voipraider.com\voipraider\VoipRaider.exe" -nosplash -minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VMonitorVMUVC] "c:\program files\vimicro corporation\vmuvc\VMonitor.exe" VMUVC
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
Trusted Zone: k12.nj.us\mail.paramus
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUpldpt-br.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://kribeiro11.spaces.live.com/PhotoUpload/VistaMsnPUplden-us.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\503luifc.default\

============= SERVICES / DRIVERS ===============

R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2006-10-11 24576]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-6-18 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-6-18 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-6-18 677128]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-9-11 43552]
R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2008-12-26 250240]
R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2008-12-26 476032]
S3 Partner Service;Partner Service;c:\programdata\partner\partner.exe [2008-11-28 110576]

=============== Created Last 30 ================

2009-06-20 23:37 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-20 22:05 118,520 a------- c:\windows\system32\PxInsI64.exe
2009-06-20 22:05 115,960 a------- c:\windows\system32\PxCpyI64.exe
2009-06-20 22:05 <DIR> --d----- c:\program files\Sony
2009-06-20 14:27 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-06-20 14:06 161,792 a------- c:\windows\SWREG.exe
2009-06-20 14:06 155,136 a------- c:\windows\PEV.exe
2009-06-20 14:06 98,816 a------- c:\windows\sed.exe
2009-06-18 22:58 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-06-18 22:58 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-06-18 22:58 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-18 22:58 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-06-18 22:58 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-06-18 22:58 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-06-18 22:58 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-06-15 23:15 506,368 a------- c:\windows\system32\msxml.dll
2009-06-14 23:46 335 a------- C:\spyhunter.fix
2009-06-14 23:46 <DIR> --d----- c:\program files\Enigma Software Group
2009-06-10 22:00 <DIR> --d----- c:\program files\QuickTiming

==================== Find3M ====================

2009-06-18 23:16 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-18 23:16 86,016 a------- c:\windows\inf\infstor.dat
2009-06-18 23:16 51,200 a------- c:\windows\inf\infpub.dat
2009-05-08 19:59 1,807,938 a------- c:\windows\system32\Licking Dog Screen Clean.scr
2009-05-01 20:44 98 a------- c:\users\owner\appdata\roaming\wklnhst.dat
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2008-09-11 14:41 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-03-01 22:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-03-01 22:22 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-03-01 22:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 2:02:41.44 ===============


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, June 21, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, June 21, 2009 06:00:34
Records in database: 2372861
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 116575
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:38:43


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\MSIVXrxdrontiltqipxrscsqfrqjkvwnjirdn.dll.vir Infected: Trojan.Win32.Agent.clxm 1
C:\Users\Owner\Downloads\setup.exe Infected: Trojan-Downloader.Win32.FraudLoad.eki 1

The selected area was scanned.


My computer is no longer sending me to random websites when I click on the google results links. I didn't notice any other problems prior to the redirect thing, but I don't use the computer much. Should I check anything specifically? Thanks again for your help.

Kelly
Attached Files
File Type: txt Attach.txt (4.8 KB, 1 views)
Old 06-21-2009, 06:23 AM   #6 (permalink)
Analyst, Security Team
mas_pogi
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: redirect virus?

hi.

Quote:
My computer is no longer sending me to random websites when I click on the google results links
Good.

Quote:
I didn't notice any other problems prior to the redirect thing, but I don't use the computer much. Should I check anything specifically? Thanks again for your help.
Not anymore. Main infection was already unloaded and deleted.

Kaspersky flagged a file in Qoobox; don't worry about it. It is our tool's quarantine folder. =)
Kaspersky also flagged this one,

C:\Users\Owner\Downloads\setup.exe
Using your windows explorer, find that file and delete it.

Update your Windows to Service Pack 2. These are patches to security flaws, so it is important to install them. Or else your system is wide open to exploits and vulnerabilities. You can visit here after you are all done with the instructions below.

Apart from that, your system is clean.

-------------------------------------------------------------------------

Congratulations! You now appear clean!

We Need to Clean Up Our Mess
  1. Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click the Vista Orb at the bottom left of your screen.
    • Now copy and paste this one in Start Search box. Then hit ENTER
      Code:
      ComboFix /u


    Uninstalling ComboFix will do the following:
    1. Delete ComboFix and its components from your computer.
    2. Delete other tools commonly used during the malware removal process.
    3. Reset clock settings to standard format.
    4. Re-hide file extensions and hidden/system files.
    5. Clear the System Restore cache and create a new restore point.

  2. Please also delete the DDS.scr located at your desktop.
  3. Please also delete the fixme.reg located at your desktop.
-----------------------------------------------

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  3. Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.

  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    You can check if there is an update through

    Control Panel\System and Maintenance\Windows Update

  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Please respond to this thread one more time so we can mark this thread as resolved.

Maraming salamat.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P

Last edited by mas_pogi; 06-21-2009 at 06:28 AM.
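The analyst's triage above (a Kaspersky hit inside ComboFix's Qoobox quarantine is already neutralised, while a hit on a live path such as Downloads\setup.exe still needs action), as an added Python example that is not part of the thread or of any tool it names; the quarantine root list and the sample report lines are constructed to mirror the report quoted above.

```python
"""Triage Kaspersky Online Scanner detections as the analyst did above: a hit
inside a removal tool's quarantine folder is already neutralised; a hit on a
live path still needs action. Added example, not code from the thread or from
any tool it names. Assumption: the quarantine root and sample report lines
are constructed to mirror the thread (ComboFix keeps quarantined files under
C:\\Qoobox\\Quarantine with a .vir suffix)."""
import re

# Assumption: only the ComboFix folder named in the thread is listed here.
QUARANTINE_ROOTS = (r"C:\Qoobox\Quarantine",)

# One Kaspersky report line: "<path> Infected: <threat name> <count>"
_DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Constructed sample in the report format quoted in the thread.
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\MSIVXrxdrontiltqipxrscsqfrqjkvwnjirdn.dll.vir Infected: Trojan.Win32.Agent.clxm 1
C:\Users\Owner\Downloads/setup.exe Infected: Trojan-Downloader.Win32.FraudLoad.eki 1

The selected area was scanned.
"""


def normalize_path(path):
    """Fold case and slash direction; the thread shows a mixed-slash path."""
    return path.replace("/", "\\").lower()


def is_quarantined(path):
    """True when path sits under a quarantine root (a trailing separator is
    appended so C:\\Qooboxed\\... does not match C:\\Qoobox)."""
    norm = normalize_path(path)
    return any(norm.startswith(normalize_path(r).rstrip("\\") + "\\")
               for r in QUARANTINE_ROOTS)


def parse_detection(line):
    """Return {path, threat, count} for a detection line, else None."""
    m = _DETECTION_RE.match(line.strip())
    if m is None:
        return None
    return {"path": m["path"], "threat": m["threat"], "count": int(m["count"])}


def triage(report_text):
    """Split a report into already-quarantined hits and live hits."""
    result = {"quarantined": [], "live": []}
    for line in report_text.splitlines():
        hit = parse_detection(line)
        if hit is not None:
            kind = "quarantined" if is_quarantined(hit["path"]) else "live"
            result[kind].append(hit)
    return result
```

Running `triage(SAMPLE_REPORT)` puts the Qoobox hit under "quarantined" and setup.exe under "live"; after `ComboFix /u` the Qoobox folder is gone, so only the live entry would remain on a rescan.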
Old 06-21-2009, 10:26 AM   #7 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 4
OS: windows vista


Re: redirect virus?

Thank you so much Mark. Your step by step instructions were easy to follow and I appreciate all your help. Lets hope nothing like this happens again.

Kelly
Old 06-21-2009, 10:35 AM   #8 (permalink)
Analyst, Security Team
mas_pogi
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: redirect virus?

hi.

You are most welcome.

Surf safely.

Since the problem appears to be resolved, it will now be archived.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Copyright 2001 - 2009, Tech Support Forum