[Resolved] Browser Hijacked
#1
Posted 15 December 2009 - 08:38 PM
#2
Posted 16 December 2009 - 01:36 AM
Please do the following:
Download ComboFix from HERE
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
- Click on Yes, to continue scanning for malware.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
#3
Posted 16 December 2009 - 11:50 AM
Thanks
ComboFix 09-12-16.01 - alex 12/16/2009 9:36.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2560 [GMT -8:00]
Running from: c:\documents and settings\alex\Desktop\KittyFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\alex\Application Data\inst.exe
.
((((((((((((((((((((((((( Files Created from 2009-11-16 to 2009-12-16 )))))))))))))))))))))))))))))))
.
2009-12-16 02:18 . 2009-12-16 02:18 -------- d-----w- c:\program files\ERUNT
2009-12-16 01:47 . 2009-12-16 01:47 56532 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-16 01:47 . 2009-12-16 01:47 -------- d-----w- c:\program files\Safari
2009-12-16 00:03 . 2009-12-16 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-15 22:59 . 2009-12-15 22:59 -------- d-----w- c:\program files\Trend Micro
2009-12-15 22:25 . 2009-12-15 22:25 -------- d-----w- c:\program files\MSSOAP
2009-12-15 22:25 . 2009-12-15 22:25 -------- d-----w- c:\program files\Webroot
2009-12-15 22:24 . 2009-12-15 22:24 164 ----a-w- c:\windows\install.dat
2009-12-15 22:01 . 2009-12-15 22:01 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Threat Expert
2009-12-15 21:44 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-15 21:43 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-15 21:43 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-15 21:43 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-15 21:43 . 2009-12-15 21:49 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-15 21:43 . 2009-12-16 02:24 -------- d-----w- c:\program files\Spyware Doctor
2009-12-15 21:43 . 2009-12-15 21:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-12-15 21:43 . 2009-12-15 21:43 -------- d-----w- c:\documents and settings\alex\Application Data\PC Tools
2009-12-15 21:42 . 2009-12-16 02:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-14 18:52 . 2009-12-14 18:52 -------- d-----w- c:\documents and settings\alex\Packet Tracer 5.2
2009-12-12 21:02 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-12 21:02 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-12 21:02 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-12-12 21:02 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-12-12 21:02 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-12-12 21:02 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-12-12 21:02 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-12-12 21:02 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-12-12 19:47 . 2009-12-12 19:47 -------- d-----w- c:\documents and settings\alex\Application Data\Malwarebytes
2009-12-12 19:47 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 19:47 . 2009-12-12 19:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 19:47 . 2009-12-12 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-12 19:47 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 19:38 . 2009-12-12 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-12 18:27 . 2009-12-13 03:34 -------- d-----w- c:\program files\Visual CertExam Suite
2009-12-12 18:06 . 2009-12-12 18:06 132096 --sha-r- c:\windows\system32\nvwrsptby.dll
2009-12-12 16:42 . 2003-06-23 10:44 1415680 ----a-w- c:\windows\system32\WMV9VCM.DLL
2009-12-12 16:42 . 1999-12-16 08:01 49152 ----a-w- c:\windows\system32\TSCCVID.DLL
2009-12-12 16:41 . 2009-12-12 17:26 -------- d-----w- c:\program files\TESTOUT
2009-12-11 17:04 . 2009-11-20 21:07 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2009-12-09 19:32 . 2009-12-09 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Boson Software
2009-12-08 03:46 . 2009-12-08 03:46 -------- d-----w- c:\program files\gs
2009-12-08 03:45 . 2009-12-08 03:45 -------- d-----w- c:\program files\PlotSoft
2009-12-08 03:45 . 2009-12-08 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PlotSoft
2009-12-07 17:51 . 2009-12-07 17:51 -------- d-----w- c:\documents and settings\alex\Application Data\Foxit Software
2009-12-02 00:33 . 2009-12-02 00:33 -------- d-----w- c:\documents and settings\alex\Application Data\dvdcss
2009-11-30 18:42 . 2009-11-30 19:46 -------- d-----w- c:\documents and settings\alex\Application Data\TeamViewer
2009-11-30 18:42 . 2009-11-30 18:42 -------- d-----w- c:\program files\TeamViewer
2009-11-30 18:41 . 2009-11-30 18:41 -------- d-----w- c:\documents and settings\alex\temp
2009-11-29 21:36 . 2009-11-29 21:36 -------- d-----w- c:\documents and settings\alex\Application Data\UltraVNC
2009-11-29 21:33 . 2009-11-29 21:33 20672 ----a-w- c:\windows\system32\mv2.dll
2009-11-29 21:33 . 2009-11-29 21:33 10688 ----a-w- c:\windows\system32\drivers\mv2.sys
2009-11-29 21:33 . 2009-11-30 18:38 -------- d-----w- c:\program files\UltraVNC
2009-11-28 19:22 . 2009-11-28 19:22 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-28 19:22 . 2009-11-28 19:21 -------- d-----w- c:\program files\Windows Live
2009-11-28 19:22 . 2009-12-06 18:05 -------- d-----w- c:\documents and settings\alex\Tracing
2009-11-28 19:21 . 2009-11-28 19:21 -------- d-----w- c:\program files\Microsoft
2009-11-28 19:19 . 2009-11-28 19:19 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-24 19:15 . 2009-11-24 19:16 -------- d-----w- c:\program files\Packet Tracer 5.2
2009-11-24 19:04 . 2009-11-24 19:04 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-24 19:04 . 2009-11-24 19:04 -------- d-----w- c:\program files\Reference Assemblies
2009-11-24 19:03 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-11-24 19:03 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-24 19:03 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-24 19:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-24 19:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-24 19:03 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-24 19:03 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-11-24 19:03 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-24 19:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-24 18:52 . 2009-11-24 18:52 127 ----a-w- c:\documents and settings\alex\Local Settings\Application Data\fusioncache.dat
2009-11-24 18:51 . 2009-11-24 18:51 69632 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{12F69331-DCBB-46D5-B475-6BFD0F9048B3}\NewShortcut2_12F69331DCBB46D5B4756BFD0F9048B3.exe
2009-11-24 18:51 . 2009-11-24 18:51 69632 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{12F69331-DCBB-46D5-B475-6BFD0F9048B3}\NewShortcut1_12F69331DCBB46D5B4756BFD0F9048B3.exe
2009-11-24 18:51 . 2009-11-24 18:51 26694 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{12F69331-DCBB-46D5-B475-6BFD0F9048B3}\ARPPRODUCTICON.exe
2009-11-24 18:51 . 2009-11-24 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Boson
2009-11-24 18:51 . 2009-11-24 18:51 -------- d-----w- c:\program files\Boson Software
2009-11-24 18:50 . 2009-11-24 18:50 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\{92E7999A-2CF5-4C21-B2CA-43A2607C9436}
2009-11-24 18:47 . 2009-12-12 16:32 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\ApplicationHistory
2009-11-24 18:46 . 2009-11-24 18:46 -------- d-----w- c:\windows\system32\URTTemp
2009-11-24 06:26 . 2009-11-24 06:26 0 ----a-w- c:\windows\nsreg.dat
2009-11-24 06:25 . 2009-11-24 06:25 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Mozilla
2009-11-24 05:03 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-24 05:03 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-24 05:03 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-24 05:03 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-24 04:23 . 2009-12-16 01:47 -------- d-----w- c:\documents and settings\alex\Application Data\Apple Computer
2009-11-24 04:23 . 2009-03-20 00:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-24 04:23 . 2008-04-17 20:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-24 04:23 . 2009-11-24 04:23 -------- d-----w- c:\program files\iPod
2009-11-24 04:23 . 2009-11-24 04:23 -------- d-----w- c:\program files\iTunes
2009-11-24 04:23 . 2009-11-24 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-11-24 04:23 . 2009-11-24 04:23 -------- d-----w- c:\program files\Bonjour
2009-11-24 04:22 . 2009-11-24 04:22 -------- d-----w- c:\program files\QuickTime
2009-11-24 04:22 . 2009-11-24 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-24 04:22 . 2009-11-24 04:22 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Apple
2009-11-24 04:22 . 2009-11-24 04:22 -------- d-----w- c:\program files\Apple Software Update
2009-11-24 04:22 . 2009-05-29 21:36 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-11-24 04:22 . 2009-05-29 21:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-11-24 04:21 . 2009-12-16 01:46 -------- d-----w- c:\program files\Common Files\Apple
2009-11-24 04:21 . 2009-11-24 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-24 04:21 . 2009-12-16 01:47 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Apple Computer
2009-11-24 04:17 . 2009-11-24 06:33 -------- d-----w- C:\iPhone 3.0
2009-11-23 21:39 . 2009-11-23 21:39 8854 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{EFBD6F61-53E8-4F5F-8B30-1BB65BAD3EE6}\readme_DC5EDBF7D08241849400BC64FF8DD4BE.exe
2009-11-23 21:39 . 2009-11-23 21:39 40960 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{EFBD6F61-53E8-4F5F-8B30-1BB65BAD3EE6}\NewShortcut1_DC5EDBF7D08241849400BC64FF8DD4BE.exe
2009-11-23 21:39 . 2009-11-23 21:39 1078 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{EFBD6F61-53E8-4F5F-8B30-1BB65BAD3EE6}\ARPPRODUCTICON.exe
2009-11-23 21:39 . 2009-11-23 21:39 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-22 17:44 . 2009-11-22 17:44 3963160 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-22 17:44 . 2009-11-20 21:07 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-22 17:44 . 2009-11-22 17:44 844056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-22 17:44 . 2009-11-22 17:44 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-22 08:57 . 2009-11-22 08:57 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-11-22 08:54 . 2009-11-22 08:54 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-11-21 23:08 . 2009-11-21 23:08 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Ahead
2009-11-21 22:11 . 2009-11-21 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-11-21 18:29 . 2009-11-21 18:29 -------- d-----w- c:\documents and settings\alex\Application Data\Vso
2009-11-21 18:29 . 2009-11-21 18:29 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-21 18:29 . 2009-11-21 18:29 47360 ----a-w- c:\documents and settings\alex\Application Data\pcouffin.sys
2009-11-21 18:29 . 2009-11-21 22:24 -------- d-----w- c:\program files\DVDFab 6
2009-11-21 17:57 . 2004-03-03 01:37 125184 ------w- c:\windows\system32\drivers\imagesrv.sys
2009-11-21 17:57 . 2004-03-03 01:37 5504 ------w- c:\windows\system32\drivers\imagedrv.sys
2009-11-21 17:57 . 2000-06-26 19:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-11-21 17:57 . 2009-11-21 17:57 -------- d-----w- c:\program files\Common Files\Ahead
2009-11-21 17:57 . 2004-07-27 01:16 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-11-21 17:57 . 2004-07-27 01:16 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-11-21 17:57 . 2004-07-27 01:16 262144 ------w- c:\windows\system32\ImagXR7.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 18:27 . 2009-11-20 17:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-20 19:10 . 2009-11-20 17:43 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-20 18:02 . 2009-11-20 17:52 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-20 17:56 . 2009-11-20 17:56 -------- d-----w- c:\program files\Realtek
2009-11-20 17:44 . 2009-11-20 17:44 -------- d-----w- c:\program files\microsoft frontpage
2009-11-20 17:39 . 2009-11-20 17:39 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-09 03:21 . 2009-11-09 03:21 59388 ----a-w- c:\windows\system32\drivers\scdemu.sys
2009-11-06 05:16 . 2009-11-06 05:16 73728 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-10-29 07:45 . 2004-08-04 07:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 07:56 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 07:56 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 07:56 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 07:07 . 2009-11-28 19:28 38208 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7585792]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-13 16264192]
"FuncKey"="c:\program files\Hotkey Management\FuncKey.exe" [2006-10-09 139264]
"PowerManager"="c:\program files\Power Manager\PM.exe" [2006-10-09 151552]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-10-02 151552]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-20 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-11 2033432]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
c:\documents and settings\alex\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-20 21:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 02:04 2879488 ----a-w- c:\windows\SkyTel.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\TESTOUT\\Cmi\\Navigator.exe"=
"c:\\Documents and Settings\\alex\\Desktop\\age\\MYTH-age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\alex\\Desktop\\age\\Age2_x1\\age2_x1.exe"=
"c:\\Program Files\\Packet Tracer 5.2\\bin\\PacketTracer5.exe"=
"c:\\Program Files\\age\\Age2_x1\\age2_x1.exe"=
"c:\\Program Files\\age\\MYTH-age2_x1.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/15/2009 1:43 PM 207792]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/20/2009 1:07 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/20/2009 1:07 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/20/2009 1:07 PM 285392]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [11/29/2009 1:33 PM 10688]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/15/2009 1:43 PM 359624]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {5048E9BC-F63A-4C43-B7B9-21D77E636A5D} = 68.87.85.102
FF - ProfilePath - c:\documents and settings\alex\Application Data\Mozilla\Firefox\Profiles\8smgit17.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SpySweeper - c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-16 09:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-12-16 09:43:22
ComboFix-quarantined-files.txt 2009-12-16 17:43
Pre-Run: 3,160,289,280 bytes free
Post-Run: 3,487,698,944 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /noguiboot /sos
- - End Of File - - F454DB1F479F8036AF40788D6D3BA7A0
#4
Posted 16 December 2009 - 12:17 PM
Please do the following:
Download GMER Rootkit Scanner from here or here.
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and post it in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
#5
Posted 17 December 2009 - 12:40 PM
#6
Posted 17 December 2009 - 01:00 PM
Please rename the GMER program to svchost.exe and run it in safe mode.
Reboot - tap F8 repeatedly on startup till an option menu appears...arrow up to safe mode. Log on with your usual account.
#7
Posted 17 December 2009 - 02:46 PM
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-17 12:39:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\alex\LOCALS~1\Temp\fxtoraow.sys
---- System - GMER 1.0.15 ----
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA6CAE52]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA6ABCDE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA6ABED0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA6CB640]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA6CB8F4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA6C9B44]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA6CBD60]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA6CB112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBA6AB984]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----
#8
Posted 17 December 2009 - 03:03 PM
#9
Posted 17 December 2009 - 04:38 PM
Please do the following:
Flush DNS
- Go to Start > Run > type: cmd
- Press OK or Hit Enter.
- At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between “..g /f…”; it needs to be there)
- Hit Enter.
- You will get a confirmation that the flush was successful.
- Close the command box.
In I.E.
- Check internet options settings.
- Tools > Internet Options > Connections
- LAN settings
- Choose "automatically detect settings"
- uncheck both proxy settings boxes
In FireFox
- Click on Advanced -> Network -> Settings…
- the No Proxy option should be selected
NEXT
Please download ATF Cleaner by Atribune.
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
- If you use Firefox browser
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
Click Exit on the Main menu to close the program.
It's normal after running ATF cleaner that the PC will be slower to boot the first time.
NEXT
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
- Ensure all Firefox windows are closed.
- To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
- When prompted to run the scan, click Yes.
- GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
NEXT
- Please open your MalwareBytes AntiMalware Program
- Click the Update Tab and search for updates
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected. <-- very important
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
NEXT
Run an on-line scan with Kaspersky
Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
- Close any open programs
- Turn off the real time scanner of any existing antivirus program while performing the online scan
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
- Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
- Click View scan report at the bottom.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
In your next reply please include
- Goored log
- MBAM Log
- Kaspersky report
#10
Posted 19 December 2009 - 10:50 AM
#11
Posted 19 December 2009 - 11:03 AM
#12
Posted 19 December 2009 - 12:07 PM
#13
Posted 19 December 2009 - 12:51 PM
Your profile in FF may be corrupted. Try creating a new profile in Firefox and see if that makes a difference:
- Close Firefox. Click 'File' and then 'Exit' to make sure the program is completely closed.
- Click 'Start' from the desktop and then 'Run.'
- Type 'firefox.exe -ProfileManager' (without the quotes) in the 'Open' text field.
- Click 'OK' to launch the Profile Manager.
- Click the 'Create Profile' button to begin using the profile creation wizard.
- Click 'Next' after reading the welcome message.
- Type a profile name in the space provided. Consider using something descriptive to help you remember what is saved in the profile.
- Click the 'Finish' button to complete the wizard.
Use Your New Profile in Firefox
- Open the Profile Manager following the instructions above.
- Browse through the list of profiles that you have created.
- Click the profile you want to use.
- Click the 'Start Firefox' button to use the selected profile.
Then Try resetting IE back to default:
http://support.microsoft.com/kb/923737
use the "Fix-It" button
#14
Posted 27 December 2009 - 01:10 PM
I've been looking over your logs again and think I have found the culprit.
Please do the following:
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
- They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:
Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')
http://forums.whatthetech.com/Browser_Hijacked_t108908.html
Collect::
c:\windows\system32\nvwrsptby.dll
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')
Save this file to your desktop, Save this as "CFScript"
Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you.
- Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
- Ensure you are connected to the internet and click OK on the message box.
#15
Posted 27 December 2009 - 10:04 PM
Please open a command window:
Go to Start > Run type cmd into the run box
now copy/paste the following into the open command window > hit enter
@echo off
schtasks /query /fo list /v | findstr /i /c:"Task To Run">log.txt
start notepad log.txt
exit
cls
Please post back the content of log.txt
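Editor's note: the batch above pulls only the "Task To Run" lines out of the verbose scheduled-task listing, because a scheduled task is a common way for a browser hijacker to re-launch itself after ComboFix has removed its run key. The script below is an added example, not the helper's code: it parses the full `schtasks /query /fo list /v` record layout and flags tasks whose command runs from a user-writable location (profile, Application Data, Temp, Recycler), which is where a dropped executable usually lives and where a legitimate vendor task rarely does. The sample output is constructed for this example; the host name, task names, paths and times are made up, and only the field names follow the Windows XP layout.

```python
import re
from typing import Dict, List

# Constructed sample of `schtasks /query /fo list /v` output. Field names
# follow the Windows XP layout; host name, task names, paths and times are
# made up for this example.
SAMPLE_SCHTASKS = r"""
HostName:                             EXAMPLE-PC
TaskName:                             VendorUpdateCheck
Next Run Time:                        10:00:00, 12/28/2009
Status:
Last Run Time:                        10:00:00, 12/27/2009
Last Result:                          0
Creator:                              alex
Schedule:                             At 10:00 AM every day
Task To Run:                          "C:\Program Files\Example Vendor\Updater.exe" /check
Start In:                             N/A
Comment:                              N/A
Run As User:                          EXAMPLE-PC\alex

HostName:                             EXAMPLE-PC
TaskName:                             At1
Next Run Time:                        14:30:00, 12/27/2009
Status:
Last Run Time:                        Never
Last Result:                          1
Creator:                              alex
Schedule:                             At 2:30 PM every day
Task To Run:                          C:\DOCUME~1\alex\APPLIC~1\updsvc.exe
Start In:                             N/A
Comment:                              N/A
Run As User:                          NT AUTHORITY\SYSTEM

HostName:                             EXAMPLE-PC
TaskName:                             At2
Next Run Time:                        15:00:00, 12/27/2009
Status:
Last Run Time:                        Never
Last Result:                          1
Creator:                              alex
Schedule:                             At 3:00 PM every day
Task To Run:                          cmd.exe /c C:\DOCUME~1\alex\LOCALS~1\Temp\run.bat
Start In:                             N/A
Comment:                              N/A
Run As User:                          EXAMPLE-PC\alex
"""

# Path fragments (long and 8.3 short forms) that point into user-writable
# directories, where a scheduled task's program rarely belongs.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\", "\\docume~1\\",
    "\\application data\\", "\\applic~1\\",
    "\\local settings\\", "\\locals~1\\",
    "\\temp\\", "%temp%", "\\recycler\\",
)


def parse_schtasks_list(text: str) -> List[Dict[str, str]]:
    """One dict per task. Records are separated by blank lines; each field is
    `Name:` followed by padding and the value (split on the first colon only,
    so times like 10:00:00 and drive letters in values survive intact)."""
    tasks: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        if "TaskName" in fields:
            tasks.append(fields)
    return tasks


def suspicious_tasks(text: str) -> List[str]:
    """Names of tasks whose command line runs something from a user-writable
    location, the persistence pattern the helper's findstr filter surfaces."""
    flagged = []
    for task in parse_schtasks_list(text):
        command = task.get("Task To Run", "").lower()
        if any(marker in command for marker in USER_WRITABLE_MARKERS):
            flagged.append(task["TaskName"])
    return flagged


if __name__ == "__main__":
    for task in parse_schtasks_list(SAMPLE_SCHTASKS):
        mark = "REVIEW" if task["TaskName"] in suspicious_tasks(SAMPLE_SCHTASKS) else "ok"
        print(f"{mark:6} {task['TaskName']:20} {task.get('Run As User', '')}: {task.get('Task To Run', '')}")
```

The second record shows why the "Run As User" field is worth reading alongside the command: a task launched from a user's Application Data but running as SYSTEM is the combination a defender would want explained before the machine is declared clean. On a live XP box the same parser can be pointed at the real output by saving `schtasks /query /fo list /v > tasks.txt` and reading that file.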