Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: browser hijacked

  1. #1
    Junior Member
    Join Date
    Mar 2009
    Posts
    6

    Default browser hijacked

    When I use search engines and click links I am diverted to pay sites, store search sites and all sorts of other locations. I click back and click the link again and get diverted to a different site. After clicking back several times I will eventually get to the site i want to go to.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:49:56 PM, on 3/24/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\ehome\RMSvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/mpfplus/en...kq1b1&langid=1
    R3 - URLSearchHook: (no name) - - (no file)
    O1 - Hosts: 221.135.111.121 Download.McAfee.com
    O1 - Hosts: 221.135.111.121 Download.McAfee.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: Digital Line Detect.lnk.disabled
    O4 - Global Startup: Extender Resource Monitor.lnk.disabled
    O4 - Global Startup: Service Manager.lnk.disabled
    O4 - Global Startup: Status Monitor.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O20 - AppInit_DLLs: karna.dat
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: byXrppQH - C:\WINDOWS\
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7566 bytes

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello and welcome to the Forums
    You're infected.

    At first you need to disable a few realtime protections. These may interfere with our cleaning process.
    We'll enable these when you're clean...

    Disable Spybot S&D Teatimer.
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu select "Advanced Mode"
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck "Resident TeaTimer" and OK any prompts.
    • Restart your computer





    We will begin with ComboFix.

    Please download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  3. #3
    Junior Member
    Join Date
    Mar 2009
    Posts
    6

    Default

    I disabled spybot and turned off mcafee. downloaded combofix on to the desktop and ran it. A message popped up saying "errors encountered while performing the operation. Look at the information window for more details." However no such window came up. the combofix progress bar stayed on screen but the program never opened. What should I do?

    Thanks

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi

    Okay. Please check if a file C:\ComboFix.txt exists and post that to here.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  5. #5
    Junior Member
    Join Date
    Mar 2009
    Posts
    6

    Default

    I could not find a combofix.txt file even with search function. I don't think it was able to run for some reason. should i try running it in safe mode?

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi

    Ok let's try safe mode.

    Restart your computer to the safe mode:
    • Restart your computer
    • Start tapping the F8 key when the computer restarts.
    • When the start menu opens, choose Safe mode
    • Press Enter. The computer then begins to start in Safe mode.


    Run ComboFix.

    Restart to normal mode and post the log to here
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  7. #7
    Junior Member
    Join Date
    Mar 2009
    Posts
    6

    Default

    I was able to run combofix in safe mode. Was not able to install windows recovery console due to lack of internet connection. Also when combofix restarted the computer it booted back up in normal mode and mcafee came on. Just wanted you to be aware in case this influences anything. Here are the logs:

    ComboFix 09-04-01.01 - Administrator 2009-04-02 11:21:05.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.801 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *enabled*

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Michael Thoerig\Application Data\inst.exe
    c:\documents and settings\Mike 2\Cookies\ekihisasa.bin
    c:\documents and settings\Mike 2\Local Settings\Temporary Internet Files\ebacazicev._sy
    c:\documents and settings\Mike 2\Local Settings\Temporary Internet Files\inulefobah.dll
    c:\program files\SelectRebates
    c:\program files\SelectRebates\SelectRebatesDownload.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV
    -------\Service_TDSSserv


    ((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
    .

    2009-03-26 09:57 . 2009-03-26 09:57 <DIR> d-------- c:\program files\ERUNT
    2009-03-24 12:49 . 2009-03-24 12:49 <DIR> d-------- c:\program files\Trend Micro
    2009-03-23 12:31 . 2009-03-26 11:33 54,156 --ah----- c:\windows\QTFont.qfn
    2009-03-23 12:31 . 2009-03-23 12:31 1,409 --a------ c:\windows\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-01 00:20 --------- d--h--w c:\documents and settings\Michael Thoerig\Application Data\Move Networks
    2009-03-26 14:22 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-03-26 14:21 --------- d-----w c:\program files\SpywareBlaster
    2009-03-26 13:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-17 01:30 --------- d-----w c:\program files\Common Files\Adobe
    2009-02-28 23:43 --------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-02-28 20:47 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-02-24 16:46 --------- d-----w c:\program files\SUPERAntiSpyware
    2009-02-24 16:46 --------- d-----w c:\documents and settings\Michael Thoerig\Application Data\SUPERAntiSpyware.com
    2009-02-24 16:46 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-02-24 16:45 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-02-24 16:44 --------- d-----w c:\program files\CCleaner
    2009-02-19 02:12 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-18 21:24 17,210 -c--a-w c:\documents and settings\Mike 2\Application Data\evaj.sys
    2008-10-18 21:24 13,302 -c--a-w c:\documents and settings\Mike 2\Application Data\xejybefesa.exe
    2008-10-18 21:24 12,435 -c--a-w c:\documents and settings\Mike 2\Application Data\yqivyd.vbs
    2008-10-18 21:24 12,257 -c--a-w c:\program files\Common Files\vupufuze._dl
    2008-10-18 21:24 12,236 -c--a-w c:\documents and settings\Mike 2\Application Data\imicipevex.bat
    2008-10-18 21:24 10,807 -c--a-w c:\documents and settings\All Users\Application Data\fotinavuxu.sys
    2008-10-18 21:24 10,727 -c--a-w c:\documents and settings\Mike 2\Application Data\inopyw.exe
    2008-10-18 21:24 10,512 -c--a-w c:\documents and settings\Mike 2\Application Data\ahelygono.com
    2008-01-31 23:21 47,360 -c--a-w c:\documents and settings\Michael Thoerig\Application Data\pcouffin.sys
    2006-10-03 19:14 56 -csh--r c:\windows\system32\759A8646EC.sys
    2006-10-05 17:08 88 -csh--r c:\windows\system32\EC46869A75.sys
    2006-10-05 17:08 6,580 -csha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk.disabled
    backup=c:\windows\pss\Digital Line Detect.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk.disabled
    backup=c:\windows\pss\Extender Resource Monitor.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk.disabled
    backup=c:\windows\pss\Service Manager.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk.disabled
    backup=c:\windows\pss\Status Monitor.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
    --a------ 2008-08-13 18:32 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
    --a------ 2007-11-15 10:24 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-04-27 11:25 257088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    --a------ 2009-01-15 17:17 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
    "ModemOnHold"=c:\program files\NetWaiting\netWaiting.exe
    "Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe"
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    "Aim6"=
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Broadcom Wireless Manager UI"=c:\windows\system32\WLTRAY.exe
    "CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" /r
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
    "igfxhkcmd"=c:\windows\system32\hkcmd.exe
    "igfxpers"=c:\windows\system32\igfxpers.exe
    "InstantBurn"=c:\progra~1\NOVADE~1\MEDIAN~1\INSTAN~1\Win2K\IBurn.exe
    "mcagent_exe"=c:\program files\McAfee.com\Agent\mcagent.exe /runkey
    "igfxtray"=c:\windows\system32\igfxtray.exe
    "PaperPort PTD"=c:\program files\ScanSoft\PaperPort\pptd40nt.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "SetDefPrt"=c:\program files\Brother\Brmfl04b\BrStDvPt.exe
    "SigmatelSysTrayApp"=stsystra.exe
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    "SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_05\bin\jusched.exe
    "SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
    "DLA"=c:\windows\System32\DLA\DLACTRLW.EXE
    "DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
    "ControlCenter2.0"=c:\program files\Brother\ControlCenter2\brctrcen.exe /autorun
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"=c:\program files\Google\Gmail Notifier\gnotify.exe
    "ehTray"=c:\windows\ehome\ehtray.exe
    "IndexSearch"=c:\program files\ScanSoft\PaperPort\IndexSearch.exe
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msncall.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3776:UDP"= 3776:UDP:Media Center Extender Service
    "3390:TCP"= 3390:TCP:Remote Media Center Experience

    R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2007-06-05 10368]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
    R2 CLBUDF;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2007-06-05 182272]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-05-22 24652]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    QWAVE REG_MULTI_SZ QWAVE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73bb32f9-f28b-11da-8681-806d6172696f}]
    \Shell\AutoRun\command - D:\arun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc8a2bb0-f13b-11db-86c8-00038a000015}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

    2009-03-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2009-04-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-byXrppQH - (no file)
    SafeBoot-TDSSpqlt.sys


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://news.bbc.co.uk/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/mpfplus/en-us/mpfplus7/default.asp?affid=105-72&dtag=hfkq1b1&langid=1
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: musicmatch.com\online
    FF - ProfilePath - c:\documents and settings\Michael Thoerig\Application Data\Mozilla\Firefox\Profiles\jugeaafs.default\
    FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
    FF - plugin: c:\documents and settings\Michael Thoerig\Application Data\Mozilla\Firefox\Profiles\jugeaafs.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJPI142_05.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPOJI610.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-02 11:26:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(852)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WLTRYSVC.EXE
    c:\windows\system32\BCMWLTRY.EXE
    c:\windows\system32\brss01a.exe
    c:\windows\system32\Brmfrmps.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\program files\McAfee\VirusScan\Mcshield.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    c:\program files\Dell\QuickSet\NicConfigSvc.exe
    c:\windows\ehome\RMSvc.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\ehome\McrdSvc.exe
    c:\program files\McAfee.com\Agent\mcagent.exe
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\progra~1\McAfee\MSC\mcuimgr.exe
    c:\windows\system32\wscntfy.exe
    c:\progra~1\McAfee\MSC\mcsvrcnt.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-02 11:32:03 - machine was rebooted [Michael Thoerig]
    ComboFix-quarantined-files.txt 2009-04-02 15:31:35

    Pre-Run: 12,016,656,384 bytes free
    Post-Run: 11,005,648,896 bytes free

    239 --- E O F --- 2009-03-13 07:03:48


    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:33, on 2009-04-02
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\ehome\RMSvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/mpfplus/en...kq1b1&langid=1
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 6316 bytes


    Thanks again

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi again

    I must warn that one or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

    Should you have any questions, please feel free to ask.

    Please let us know what you have decided to do in your next post
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  9. #9
    Junior Member
    Join Date
    Mar 2009
    Posts
    6

    Default

    I think it's in my best interest to go ahead and reformat. I have a few questions for you:

    1. Should we attempt to clean the system before the reformat?

    2. I need to get certain document off of the computer before the reformat. Is this safe, or could it potentially bring the trojan with them?

    3. In a similar vein, I used a jump drive to get log files from hjt and combofix off of the computer. Is the usb flash drive compromised now? is there anything I can do about it?

    Thanks again.

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi

    1. Should we attempt to clean the system before the reformat?
    Sure we can but I can't promise that it will be 100% clean.

    2. I need to get certain document off of the computer before the reformat. Is this safe, or could it potentially bring the trojan with them?
    Text, images, sound should be safe to backup. Don't take any system/program files like exes or dlls. And scan the backups with an antivirus before restoring those.

    3. In a similar vein, I used a jump drive to get log files from hjt and combofix off of the computer. Is the usb flash drive compromised now? is there anything I can do about it?
    Well you should scan the drive with and up-to-date antivirus before using it again.

    Let me know that do you want to clean it or format it
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •