TechSpot

Getting Redirected from Google Search Links

By chiby
Jun 29, 2010
  1. I've been getting redirected from Google search links. I've run Malwarebytes and Microsoft Security Essentials a few times already. Please help me fix this. Attached is the HijackThis logfile.
     

  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  3. chiby

    chiby TS Rookie Topic Starter

    I'd greatly appreciate it if anyone could help me out here. Thank you!
    I scanned twice with Malwarebytes, so here are two logs:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4251

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    6/28/2010 8:32:25 PM
    mbam-log-2010-06-28 (20-32-25).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 63078
    Time elapsed: 2 hour(s), 12 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\$RECYCLE.BIN\S-1-5-21-3500304205-112821965-2698384200-1000\$RCRFXV0.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
    C:\Users\Lillian\AppData\Local\Temp\Nrf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Lillian\AppData\Roaming\c56c654e.exe (Trojan.Agent) -> Quarantined and deleted successfully.



    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4251

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    6/28/2010 11:38:08 PM
    mbam-log-2010-06-28 (23-38-08).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 253878
    Time elapsed: 2 hour(s), 24 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\RZDVL2F27W (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-06-29 17:51:07
    Windows 6.0.6002 Service Pack 2
    Running: zr6tboft.exe; Driver: C:\Users\Lillian\AppData\Local\Temp\pwddafoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8696DB40 ZwAlertResumeThread
    SSDT 8696DC20 ZwAlertThread
    SSDT 8697D2F8 ZwAllocateVirtualMemory
    SSDT 86906078 ZwAlpcConnectPort
    SSDT 8697C0C8 ZwCreateMutant
    SSDT 8697D3E8 ZwCreateThread
    SSDT 8697D9D0 ZwDebugActiveProcess
    SSDT 8696B510 ZwFreeVirtualMemory
    SSDT 8697C1B8 ZwImpersonateAnonymousToken
    SSDT 8697C298 ZwImpersonateThread
    SSDT 8696B410 ZwMapViewOfSection
    SSDT 8697DB90 ZwOpenEvent
    SSDT 868CB830 ZwOpenProcessToken
    SSDT 8697E008 ZwOpenThreadToken
    SSDT 8697F840 ZwResumeThread
    SSDT 8697E220 ZwSetContextThread
    SSDT 868C9718 ZwSetInformationProcess
    SSDT 8697E150 ZwSetInformationThread
    SSDT 8697DAB0 ZwSuspendProcess
    SSDT 8696DD68 ZwSuspendThread
    SSDT 8696D290 ZwTerminateProcess
    SSDT 8697E070 ZwTerminateThread
    SSDT 868C9808 ZwUnmapViewOfSection
    SSDT 8696B600 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 11D 81EF1880 8 Bytes [40, DB, 96, 86, 20, DC, 96, ...]
    .text ntkrnlpa.exe!KeSetEvent + 131 81EF1894 4 Bytes [F8, D2, 97, 86]
    .text ntkrnlpa.exe!KeSetEvent + 13D 81EF18A0 4 Bytes [78, 60, 90, 86]
    .text ntkrnlpa.exe!KeSetEvent + 1F5 81EF1958 4 Bytes [C8, C0, 97, 86] {ENTER 0x97c0, 0x86}
    .text ntkrnlpa.exe!KeSetEvent + 221 81EF1984 4 Bytes CALL FD75B15C
    .text ...
    .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x87B4E480, 0x3C939, 0xE8000020]
    .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x87B8F900, 0x3CA, 0x48000040]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] ntdll.dll!NtQueryInformationProcess 76F84E54 5 Bytes JMP 00FB0DED
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!closesocket 756C330C 5 Bytes JMP 00F9C549
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!recv 756C343A 5 Bytes JMP 00F9C300
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!GetAddrInfoW 756C3D12 5 Bytes JMP 00F9B90E
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!getaddrinfo 756C418A 5 Bytes JMP 00F9B833
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!WSASend 756C4496 5 Bytes JMP 00F9C3A7
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!send 756C659B 5 Bytes JMP 00F9C25D
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!WSARecv 756C8400 5 Bytes JMP 00F9C465
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!WSAAsyncGetHostByName 756D5FB9 5 Bytes JMP 00F9BBA6
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!gethostbyname 756D62D4 5 Bytes JMP 00F9B779
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!DrawTextExW 76C791CE 5 Bytes JMP 00F9CB0A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!DrawTextW 76C797D3 5 Bytes JMP 00F9C94C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!DrawTextA 76C8558D 5 Bytes JMP 00F9C873
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!DrawTextExA 76C855C4 5 Bytes JMP 00F9CA25
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!DialogBoxParamW 76C910B0 5 Bytes JMP 00F9BC7E
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!SetClipboardData 76CA6410 5 Bytes JMP 00F9C5D4
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!ExtTextOutW 7567872B 5 Bytes JMP 00F9CCD1
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!GetGlyphIndicesW 7567B765 5 Bytes JMP 00F9D143
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!ExtTextOutA 756800A5 5 Bytes JMP 00F9CBEF
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!TextOutA 75680BAB 5 Bytes JMP 00F9C6DF
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!TextOutW 75680D6D 5 Bytes JMP 00F9C7A9
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!GetGlyphIndicesA 75699DC0 5 Bytes JMP 00F9D07C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----
     

  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    ====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. chiby

    chiby TS Rookie Topic Starter

    Thank you once again. Here's the log from ComboFix.


    ComboFix 10-06-30.02 - Lillian 06/30/2010 21:29:30.1.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1224 [GMT -4:00]
    Running from: c:\users\Lillian\Desktop\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
    .

    2010-07-01 01:40 . 2010-07-01 01:41 -------- d-----w- c:\users\Lillian\AppData\Local\temp
    2010-07-01 01:40 . 2010-07-01 01:40 -------- d-----w- c:\users\s\AppData\Local\temp
    2010-07-01 01:40 . 2010-07-01 01:40 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2010-07-01 01:40 . 2010-07-01 01:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-06-29 16:02 . 2010-06-29 16:02 -------- d-----w- c:\program files\Trend Micro
    2010-06-28 04:00 . 2010-06-28 04:00 -------- d-----w- C:\7d5341a17ef6849de81c9abb1dd5
    2010-06-27 07:00 . 2010-06-27 07:00 -------- d-----w- C:\55b67a2855b21e3ee9b56f709adc
    2010-06-27 03:12 . 2010-06-27 03:12 52224 --sha-r- c:\users\Lillian\AppData\Roaming\msxml3J.dll
    2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-06-26 22:57 . 2010-06-26 22:57 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-06-26 22:57 . 2010-06-26 22:57 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-06-26 22:57 . 2010-06-26 22:57 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-06-26 22:57 . 2010-06-26 22:57 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-06-26 22:57 . 2010-06-26 22:57 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-06-26 22:54 . 2010-06-26 22:54 -------- d-----w- c:\program files\Common Files\xing shared
    2010-06-26 22:51 . 2010-06-26 22:51 348160 ----a-w- c:\windows\system32\pnup0.dll
    2010-06-23 21:39 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 21:39 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 21:39 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 21:39 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 21:39 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-06-23 16:10 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-06-23 16:10 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-06-18 01:37 . 2010-06-18 01:37 -------- d-----w- c:\programdata\AIM
    2010-06-18 01:36 . 2010-06-18 01:37 -------- d-----w- c:\program files\AIM
    2010-06-18 01:36 . 2010-06-18 01:36 -------- d-----w- c:\program files\Common Files\Software Update Utility
    2010-06-14 05:28 . 2010-06-14 05:28 -------- d-----w- c:\programdata\Adobe Systems
    2010-06-14 05:12 . 2010-06-14 05:12 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
    2010-06-10 21:38 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2010-06-10 21:34 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-06-10 21:34 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-06-10 21:34 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-06-10 15:57 . 2010-06-10 15:57 -------- d-----w- c:\users\Lillian\New Folder
    2010-06-04 04:23 . 2010-06-04 04:23 -------- d-----w- c:\windows\system32\Adobe
    2010-06-03 23:41 . 2010-06-03 23:41 50354 ----a-w- c:\users\Lillian\AppData\Roaming\Facebook\uninstall.exe
    2010-06-03 23:41 . 2010-06-03 23:41 -------- d-----w- c:\users\Lillian\AppData\Roaming\Facebook

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-01 01:16 . 2009-09-12 12:20 -------- d-----w- c:\programdata\Viewpoint
    2010-06-30 01:46 . 2010-02-10 22:24 -------- d-----w- c:\users\Lillian\AppData\Roaming\vlc
    2010-06-28 22:53 . 2010-02-14 04:23 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-06-28 22:50 . 2009-08-28 16:15 -------- d-----w- c:\program files\Microsoft.NET
    2010-06-28 01:21 . 2010-02-13 04:07 -------- d-----w- c:\program files\Spyware Doctor
    2010-06-27 19:42 . 2010-04-19 00:01 -------- d-----w- c:\programdata\PC Tools
    2010-06-26 22:56 . 2009-09-14 03:20 -------- d-----w- c:\program files\Common Files\Real
    2010-06-26 22:55 . 2009-09-14 03:20 -------- d-----w- c:\program files\Real
    2010-06-26 06:06 . 2010-02-14 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-26 05:50 . 2009-12-04 00:50 1 ----a-w- c:\users\Lillian\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-06-24 02:21 . 2010-03-07 02:34 439816 ----a-w- c:\users\Lillian\AppData\Roaming\Real\Update\setup3.10\setup.exe
    2010-06-14 21:41 . 2009-09-11 21:13 121392 ----a-w- c:\users\Lillian\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-06-14 05:13 . 2010-04-22 22:52 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-12 11:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-06-12 03:06 . 2009-08-28 16:14 -------- d-----w- c:\programdata\Microsoft Help
    2010-06-06 15:27 . 2009-09-12 06:14 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-01 17:37 . 2009-10-03 12:27 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-31 17:38 . 2010-01-15 00:30 -------- d-----w- c:\users\Lillian\AppData\Roaming\Corel
    2010-05-31 17:02 . 2010-05-31 17:02 -------- d-----w- c:\users\Lillian\AppData\Roaming\PC-FAX TX
    2010-05-29 18:55 . 2010-05-29 18:55 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
    2010-05-29 18:54 . 2010-05-29 18:54 -------- d-----w- c:\users\Guest\AppData\Roaming\Symantec
    2010-05-29 18:54 . 2010-05-29 18:54 121392 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-29 02:17 . 2010-04-01 14:59 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
    2010-05-19 03:49 . 2010-02-14 04:21 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-05-09 02:43 . 2010-05-09 02:43 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-05-09 02:34 . 2010-05-09 02:34 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-05-05 05:36 . 2010-05-05 05:36 -------- d-----w- c:\users\Lillian\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2010-05-04 05:59 . 2010-06-10 21:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 05:55 . 2010-06-10 21:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-05-04 05:55 . 2010-06-10 21:33 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-05-04 04:31 . 2010-06-10 21:33 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-05-04 01:41 . 2009-10-14 23:44 50 ----a-w- c:\windows\system32\bridf08b.dat
    2010-05-04 01:40 . 2009-09-19 02:02 -------- d-----w- c:\program files\Brother
    2010-05-04 01:38 . 2008-09-30 18:58 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-05-04 01:28 . 2010-05-04 01:26 -------- d-----w- c:\program files\Canon
    2010-05-04 01:26 . 2010-05-04 01:26 -------- d-----w- c:\programdata\ZoomBrowser
    2010-05-04 01:24 . 2010-05-04 01:24 -------- d-----w- c:\program files\Common Files\Canon
    2010-04-29 19:39 . 2010-02-14 00:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 19:39 . 2010-02-14 00:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-23 14:13 . 2010-05-26 00:21 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-04-19 06:49 . 2010-04-19 06:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-16 16:43 . 2010-06-23 16:10 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-04-16 16:43 . 2010-06-23 16:10 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2010-04-16 16:43 . 2010-06-23 16:10 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-04-16 16:43 . 2010-06-23 16:10 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2008-06-30 17:44 . 2009-09-12 13:02 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
    2009-09-11 21:12 . 2009-09-11 21:12 13 --sh--r- c:\windows\System32\drivers\fbd.sys
    2009-09-11 21:12 . 2009-09-11 21:12 4 --sh--r- c:\windows\System32\drivers\taishop.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim"="c:\program files\AIM\aim.exe" [2010-05-21 3824472]
    "SLFHVNU"="c:\users\Lillian\AppData\Roaming\msxml3J.dll" [2010-06-27 52224]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\TSS.exe" [2008-08-04 1242424]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-26 202256]

    c:\users\Lillian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2008-07-10 03:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):8c,13,25,d0,d5,34,ca,01

    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
    R1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2010-02-13 24856]
    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
    R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
    R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
    S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20091105.001\IDSvix86.sys [2009-08-26 272432]
    S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
    S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
    S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
    S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-06-10 347648]
    S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Lillian\AppData\Roaming\Mozilla\Firefox\Profiles\sug9qjae.default\
    FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
    FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\Lillian\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false

    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
    HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
    HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
    MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-30 21:41
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(4368)
    c:\program files\Common Files\Symantec Shared\AppCore\AppMgr32.dll
    c:\windows\System32\netshell.dll
    .
    Completion time: 2010-06-30 21:46:26
    ComboFix-quarantined-files.txt 2010-07-01 01:46

    Pre-Run: 95,250,165,760 bytes free
    Post-Run: 95,215,603,712 bytes free

    - - End Of File - - 93E7B68A7C8B9A262D5E9CAB75109731
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You have Norton's leftovers.
    Please, run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

    =================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\users\Lillian\AppData\Roaming\msxml3J.dll
    
    
    Folder::
    c:\programdata\Viewpoint
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SLFHVNU"=-
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
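The CFScript above targets exactly the two findings that stand out in the ComboFix log: a Run value with a machine-looking name (SLFHVNU) that loads a DLL from the user's AppData\Roaming directory, and a user-level ProxyServer setting pointing at 127.0.0.1:5555, which routes the browser's HTTP traffic through a process listening on the local machine and lets that process rewrite what the browser receives. The Python below is an added example, not part of this thread or of ComboFix: it runs those checks as heuristics over constructed sample lines modelled on the "Reg Loading Points" and "Supplementary Scan" sections of the log, and renders the hits in the File::, Registry:: and DDS:: directive forms Broni used (the Folder:: directive is not derived, since the log alone does not justify it). The sample text, the functions `audit`, `looks_random`, `loopback_proxy` and `suggest_cfscript`, and the thresholds they use are my own assumptions.

```python
"""Added example (not from the TechSpot thread or ComboFix): flag the kinds of
ComboFix-log entries that the CFScript in the thread removes, and render the
hits in the same directive forms."""
import re

# Constructed sample, modelled on the ComboFix log posted earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-05-21 3824472]
"SLFHVNU"="c:\users\Lillian\AppData\Roaming\msxml3J.dll" [2010-06-27 52224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\Run)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"')
PROXY_RE = re.compile(r"^(?P<scope>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")


def looks_random(name):
    """Heuristic (assumption): long all-caps value names with few vowels are usually generated."""
    if len(name) < 6 or not name.isalpha() or not name.isupper():
        return False
    vowels = sum(c in "AEIOU" for c in name)
    return vowels / len(name) < 0.3


def user_writable(path):
    """True when the autostart target lives somewhere an unprivileged user can write."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p


def loopback_proxy(value):
    """Return the host:port if any entry of a ProxyServer value points at the local machine."""
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1].strip()      # "http=127.0.0.1:5555" -> "127.0.0.1:5555"
        host = hostport.rsplit(":", 1)[0]
        if host == "localhost" or host.startswith("127."):
            return hostport
    return None


def audit(log_text):
    """Walk the log once; return a list of finding dicts for Run values and proxy settings."""
    findings, current_key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:                      # blank line ends a registry section
            current_key = None
            continue
        if line.startswith("["):          # only Run keys are of interest here
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None
            continue
        if current_key:
            m = VALUE_RE.match(line)
            if m:
                name, target = m.group("name"), m.group("target")
                reasons = []
                if user_writable(target):
                    reasons.append("target lives in a user-writable profile directory")
                if target.lower().endswith(".dll"):
                    reasons.append("Run entry points at a DLL rather than an executable")
                if looks_random(name):
                    reasons.append("value name looks machine-generated")
                if reasons:
                    findings.append({"kind": "run", "key": current_key, "name": name,
                                     "target": target, "reasons": reasons})
                continue
        m = PROXY_RE.match(line)
        if m:
            hostport = loopback_proxy(m.group("value"))
            if hostport:
                findings.append({"kind": "proxy", "line": line, "proxy": hostport,
                                 "scope": "user" if m.group("scope") == "u" else "machine",
                                 "reasons": ["browser traffic is routed through a proxy on the local machine"]})
    return findings


def suggest_cfscript(findings):
    """Render findings in the directive forms shown in the thread: File::, Registry::, DDS::."""
    files, registry, dds = [], [], []
    for f in findings:
        if f["kind"] == "run":
            files.append(f["target"])
            registry.append('[%s]\n"%s"=-' % (f["key"], f["name"]))
        elif f["kind"] == "proxy":
            dds.append(f["line"])
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if registry:
        sections.append("Registry::\n" + "\n".join(registry))
    if dds:
        sections.append("DDS::\n" + "\n".join(dds))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["kind"], f.get("name") or f["proxy"], "->", "; ".join(f["reasons"]))
    print(suggest_cfscript(audit(SAMPLE_LOG)))
```

Run against a real ComboFix.txt by passing its contents to `audit`; the value-name heuristic is deliberately loose, so treat each hit as something to look up rather than as a verdict, and only the user-scope ("u") proxy line here corresponds to the entry the thread removed.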
     
  7. chiby

    chiby TS Rookie Topic Starter

    ComboFix 10-06-30.02 - Lillian 06/30/2010 23:18:58.2.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1085 [GMT -4:00]
    Running from: c:\users\Lillian\Desktop\ComboFix.exe
    Command switches used :: c:\users\Lillian\Desktop\CFScript.txt
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "c:\users\Lillian\AppData\Roaming\msxml3J.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\Viewpoint
    c:\users\Lillian\AppData\Roaming\msxml3J.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
    .

    2010-07-01 03:33 . 2010-07-01 03:33 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-07-01 03:33 . 2010-07-01 03:33 -------- d-----w- c:\users\Lillian\AppData\Local\temp
    2010-07-01 03:33 . 2010-07-01 03:33 -------- d-----w- c:\users\s\AppData\Local\temp
    2010-07-01 03:33 . 2010-07-01 03:33 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2010-07-01 03:33 . 2010-07-01 03:33 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-07-01 02:57 . 2010-07-01 02:57 -------- d-----w- c:\program files\QS
    2010-07-01 02:57 . 2010-07-01 02:57 -------- d-----w- c:\users\Lillian\AppData\Roaming\TeamViewer
    2010-06-29 16:02 . 2010-06-29 16:02 -------- d-----w- c:\program files\Trend Micro
    2010-06-28 04:00 . 2010-06-28 04:00 -------- d-----w- C:\7d5341a17ef6849de81c9abb1dd5
    2010-06-27 07:00 . 2010-06-27 07:00 -------- d-----w- C:\55b67a2855b21e3ee9b56f709adc
    2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-06-26 22:57 . 2010-06-26 22:57 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-06-26 22:57 . 2010-06-26 22:57 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-06-26 22:57 . 2010-06-26 22:57 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-06-26 22:57 . 2010-06-26 22:57 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-06-26 22:57 . 2010-06-26 22:57 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-06-26 22:54 . 2010-06-26 22:54 -------- d-----w- c:\program files\Common Files\xing shared
    2010-06-26 22:51 . 2010-06-26 22:51 348160 ----a-w- c:\windows\system32\pnup0.dll
    2010-06-23 21:39 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 21:39 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 21:39 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 21:39 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 21:39 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-06-23 16:10 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-06-23 16:10 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-06-18 01:37 . 2010-06-18 01:37 -------- d-----w- c:\programdata\AIM
    2010-06-18 01:36 . 2010-06-18 01:37 -------- d-----w- c:\program files\AIM
    2010-06-18 01:36 . 2010-06-18 01:36 -------- d-----w- c:\program files\Common Files\Software Update Utility
    2010-06-14 05:28 . 2010-06-14 05:28 -------- d-----w- c:\programdata\Adobe Systems
    2010-06-14 05:12 . 2010-06-14 05:12 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
    2010-06-10 21:38 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2010-06-10 21:34 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-06-10 21:34 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-06-10 21:34 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-06-10 15:57 . 2010-06-10 15:57 -------- d-----w- c:\users\Lillian\New Folder
    2010-06-04 04:23 . 2010-06-04 04:23 -------- d-----w- c:\windows\system32\Adobe
    2010-06-03 23:41 . 2010-06-03 23:41 50354 ----a-w- c:\users\Lillian\AppData\Roaming\Facebook\uninstall.exe
    2010-06-03 23:41 . 2010-06-03 23:41 -------- d-----w- c:\users\Lillian\AppData\Roaming\Facebook

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-01 02:05 . 2008-09-30 19:43 -------- d-----w- c:\programdata\Symantec
    2010-07-01 02:05 . 2008-09-30 19:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-06-30 01:46 . 2010-02-10 22:24 -------- d-----w- c:\users\Lillian\AppData\Roaming\vlc
    2010-06-28 22:53 . 2010-02-14 04:23 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-06-28 22:50 . 2009-08-28 16:15 -------- d-----w- c:\program files\Microsoft.NET
    2010-06-28 01:21 . 2010-02-13 04:07 -------- d-----w- c:\program files\Spyware Doctor
    2010-06-27 19:42 . 2010-04-19 00:01 -------- d-----w- c:\programdata\PC Tools
    2010-06-26 22:56 . 2009-09-14 03:20 -------- d-----w- c:\program files\Common Files\Real
    2010-06-26 22:55 . 2009-09-14 03:20 -------- d-----w- c:\program files\Real
    2010-06-26 06:06 . 2010-02-14 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-26 05:50 . 2009-12-04 00:50 1 ----a-w- c:\users\Lillian\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-06-24 02:21 . 2010-03-07 02:34 439816 ----a-w- c:\users\Lillian\AppData\Roaming\Real\Update\setup3.10\setup.exe
    2010-06-14 21:41 . 2009-09-11 21:13 121392 ----a-w- c:\users\Lillian\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-06-14 05:13 . 2010-04-22 22:52 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-12 11:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-06-12 03:06 . 2009-08-28 16:14 -------- d-----w- c:\programdata\Microsoft Help
    2010-06-06 15:27 . 2009-09-12 06:14 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-01 17:37 . 2009-10-03 12:27 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-31 17:38 . 2010-01-15 00:30 -------- d-----w- c:\users\Lillian\AppData\Roaming\Corel
    2010-05-31 17:02 . 2010-05-31 17:02 -------- d-----w- c:\users\Lillian\AppData\Roaming\PC-FAX TX
    2010-05-29 18:55 . 2010-05-29 18:55 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
    2010-05-29 18:54 . 2010-05-29 18:54 -------- d-----w- c:\users\Guest\AppData\Roaming\Symantec
    2010-05-29 18:54 . 2010-05-29 18:54 121392 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-29 02:17 . 2010-04-01 14:59 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
    2010-05-19 03:49 . 2010-02-14 04:21 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-05-09 02:43 . 2010-05-09 02:43 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-05-09 02:34 . 2010-05-09 02:34 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-05-05 05:36 . 2010-05-05 05:36 -------- d-----w- c:\users\Lillian\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2010-05-04 05:59 . 2010-06-10 21:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 05:55 . 2010-06-10 21:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-05-04 05:55 . 2010-06-10 21:33 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-05-04 04:31 . 2010-06-10 21:33 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-05-04 01:41 . 2009-10-14 23:44 50 ----a-w- c:\windows\system32\bridf08b.dat
    2010-05-04 01:40 . 2009-09-19 02:02 -------- d-----w- c:\program files\Brother
    2010-05-04 01:38 . 2008-09-30 18:58 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-05-04 01:28 . 2010-05-04 01:26 -------- d-----w- c:\program files\Canon
    2010-05-04 01:26 . 2010-05-04 01:26 -------- d-----w- c:\programdata\ZoomBrowser
    2010-05-04 01:24 . 2010-05-04 01:24 -------- d-----w- c:\program files\Common Files\Canon
    2010-04-29 19:39 . 2010-02-14 00:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 19:39 . 2010-02-14 00:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-23 14:13 . 2010-05-26 00:21 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-04-19 06:49 . 2010-04-19 06:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-16 16:43 . 2010-06-23 16:10 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-04-16 16:43 . 2010-06-23 16:10 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2010-04-16 16:43 . 2010-06-23 16:10 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-04-16 16:43 . 2010-06-23 16:10 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2009-09-11 21:12 . 2009-09-11 21:12 13 --sh--r- c:\windows\System32\drivers\fbd.sys
    2009-09-11 21:12 . 2009-09-11 21:12 4 --sh--r- c:\windows\System32\drivers\taishop.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim"="c:\program files\AIM\aim.exe" [2010-05-21 3824472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\TSS.exe" [2008-08-04 1242424]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-26 202256]

    c:\users\Lillian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2008-07-10 03:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):8c,13,25,d0,d5,34,ca,01

    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
    R1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2010-02-13 24856]
    R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
    R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
    S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
    S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
    S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-06-10 347648]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Lillian\AppData\Roaming\Mozilla\Firefox\Profiles\sug9qjae.default\
    FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\Lillian\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-30 23:33
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-06-30 23:38:25
    ComboFix-quarantined-files.txt 2010-07-01 03:38
    ComboFix2.txt 2010-07-01 01:46

    Pre-Run: 96,804,270,080 bytes free
    Post-Run: 96,826,617,856 bytes free

    - - End Of File - - CEC6A5C9825460FFBD2760DFF409EEED
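    As an added example (not part of this thread and not ComboFix's own code), a small Python triage helper for the "Files Created" / "Find3M" listing format in the log above; it runs over four lines copied from that log and flags the two tiny hidden/system .sys files in the drivers folder. The meaning of the attribute letters and the size threshold are assumptions.

```python
"""Triage helper for the ComboFix file-listing format (added example).

Parses lines of the form

    YYYY-MM-DD HH:MM . YYYY-MM-DD HH:MM SIZE ATTRS path

and returns the entries a responder would want to inspect by hand. The
attribute letters are read as d directory, s system, h hidden, a archive,
r read-only, w writable; that mapping is inferred from the log and is an
assumption, not ComboFix documentation.
"""
import re
from dataclasses import dataclass
from typing import List

LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Constructed sample: four lines copied from the ComboFix log in this thread
# (two ordinary entries for contrast, two tiny system+hidden .sys files).
SAMPLE_LOG = """\
2010-06-26 22:51 . 2010-06-26 22:51 348160 ----a-w- c:\\windows\\system32\\pnup0.dll
2010-05-04 01:38 . 2008-09-30 18:58 -------- d--h--w- c:\\program files\\InstallShield Installation Information
2009-09-11 21:12 . 2009-09-11 21:12 13 --sh--r- c:\\windows\\System32\\drivers\\fbd.sys
2009-09-11 21:12 . 2009-09-11 21:12 4 --sh--r- c:\\windows\\System32\\drivers\\taishop.sys
"""

# A kernel driver is a PE image and cannot be a handful of bytes; anything
# this small in the drivers folder is a marker or stub file, not a driver.
# The exact threshold is a rule of thumb chosen for this example.
MIN_DRIVER_BYTES = 1024


@dataclass
class Entry:
    modified: str
    created: str
    size: int          # -1 for directories (ComboFix prints "--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    def has(self, flag: str) -> bool:
        return flag in self.attrs


@dataclass
class Finding:
    path: str
    reasons: List[str]


def parse(log: str) -> List[Entry]:
    """Parse every well-formed listing line; headers and blank lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = -1 if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["modified"], m["created"], size, m["attrs"], m["path"]))
    return entries


def triage(log: str) -> List[Finding]:
    """Return entries worth a manual look, each with the rule(s) that fired."""
    findings = []
    for e in parse(log):
        reasons = []
        # Rule 1: a plain file marked both system and hidden is how persistence
        # components hide from Explorer and casual listings.
        if not e.is_dir and e.has("s") and e.has("h"):
            reasons.append("file carries system+hidden attributes")
        # Rule 2: a .sys in the drivers folder far too small to be a PE image.
        low = e.path.lower()
        if (not e.is_dir and "\\drivers\\" in low and low.endswith(".sys")
                and 0 <= e.size < MIN_DRIVER_BYTES):
            reasons.append(f"{e.size}-byte .sys in drivers folder cannot be a PE driver")
        if reasons:
            findings.append(Finding(e.path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

    Flagged entries are leads for manual review, not verdicts; the InstallShield folder is hidden but is a directory without the system flag, so it is correctly left alone.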
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    How is the redirection issue?

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
     
  9. chiby

    chiby TS Rookie Topic Starter

    Well I can't say for sure that the problem is fixed as it occurs at random times. Attached is the log:
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Keep me updated on this.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Restart computer.

    =====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  11. chiby

    chiby TS Rookie Topic Starter

    Attached are the two logs:
     

    Attached Files:

  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - [2010/02/13 19:47:03 | 000,024,856 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
      O4 - HKLM..\Run: [NDSTray.exe]  File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [2010/04/18 09:36:52 | 000,000,000 | ---D | C] -- C:\Users\Lillian\AppData\Local\pmyyqvrfi
      [2010/04/03 03:32:03 | 000,009,314 | -HS- | M] () -- C:\Users\Lillian\AppData\Local\Wv7V1mEL4UH
      [2010/04/03 03:32:03 | 000,009,314 | -HS- | M] () -- C:\ProgramData\Wv7V1mEL4UH
      @Alternate Data Stream - 154 bytes -> C:\ProgramData\TEMP:DFC5A2B2
      @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  13. chiby

    chiby TS Rookie Topic Starter

    Still doesn't seem like I'm being redirected anywhere. Here's the log after the fix; I'll get to the quick scan log in a second.

    All processes killed
    ========== OTL ==========
    Service Avgfwfd stopped successfully!
    Service Avgfwfd deleted successfully!
    C:\Windows\System32\drivers\avgfwd6x.sys moved successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NDSTray.exe deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    C:\Users\Lillian\AppData\Local\pmyyqvrfi folder moved successfully.
    C:\Users\Lillian\AppData\Local\Wv7V1mEL4UH moved successfully.
    C:\ProgramData\Wv7V1mEL4UH moved successfully.
    ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
    ADS C:\ProgramData\TEMP:A8ADE5D8 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes

    User: Lillian
    ->Temp folder emptied: 45904 bytes
    ->Temporary Internet Files folder emptied: 6950827 bytes
    ->Java cache emptied: 3879 bytes
    ->FireFox cache emptied: 87348127 bytes
    ->Flash cache emptied: 4918 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: s
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3154 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 90.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Guest

    User: Lillian
    ->Flash cache emptied: 0 bytes

    User: Public

    User: s

    Total Flash Files Cleaned = 0.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.7.0 log created on 07012010_013657

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Very good :)

    After you post Quick Scan....

    Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    ========================================================

    Disable your antivirus program.
    Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  15. chiby

    chiby TS Rookie Topic Starter

    Quickscan Log:
     

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Go ahead with steps from my reply #14.
     
  17. chiby

    chiby TS Rookie Topic Starter

    About that report, I accidentally closed it and it's not under the REPORTS tab. The scan came up clean though. Umm...should I re-run the scan to get the report again?
     
  18. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    That's fine :)

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ====================================================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  19. chiby

    chiby TS Rookie Topic Starter

    Alright, thank you so much once again! Have a good evening :)
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Same to you :)
    Good luck and stay safe :)
     