Please help! Redirect virus etc.

MikeSmeltz (New Member, joined Nov 2008)
Posted 11-21-2008 5:35 (GMT +1)

I think I have multiple problems. I have the redirect thing going on, but also have Procleaner2009 or something to that effect that keeps popping up. My Malwarebytes usually does the job but keeps coming back with nothing. So here is my HijackThis log. I hope someone can help guide me through this.

Logfile of HijackThis v1.99.1
Scan saved at 11:20:31 PM, on 11/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {09F2FA2B-6F70-45EB-A202-C5C4DE0AE85E} - C:\WINDOWS\system32\framebufn.dll
O2 - BHO: (no name) - {31D747CD-D62B-46D0-AA6E-C7026180E4E3} - C:\WINDOWS\system32\framebufn.dll
O2 - BHO: (no name) - {350153A1-CBBE-4997-BBC8-0C902436DA5F} - C:\WINDOWS\system32\framebufn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {99EADCAA-987B-4E63-B5BD-9B2D6456C47D} - C:\WINDOWS\system32\framebufn.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Internet Connection Wizard Configuration Tool] C:\Program Files\Internet Explorer\Connection Wizard\icwconfig.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200782324661
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown

Touch (Forum Moderator, joined Jun 2004)
Posted 11-21-2008 5:48 (GMT +1)
Hello

An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free antivirus programs are AVG or Avast. Install, update, and run a complete system scan.
 
Reboot.
 
and save it on the desktop. Then double-click on it (Fix_download.exe).
You may have to allow the program to download files from the web!

The program downloads the necessary cleaning programs. Once the program is downloaded, there will be a folder on your desktop named Fix. If the instructions do not open automatically, double-click "FIX_manual.htm" in the Fix folder.

Please follow the instructions and copy the logs here, in this Topic.
 
Note: Fix_download.exe is detected by some antivirus programs as a "RiskTool"/infection; it is not a virus. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.


MikeSmeltz (New Member)
Posted 11-21-2008 7:02 (GMT +1)
Here they are, I think I did it right...
Logfile of HijackThis v1.99.1
Scan saved at 12:28:45 AM, on 11/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {09F2FA2B-6F70-45EB-A202-C5C4DE0AE85E} - C:\WINDOWS\system32\framebufn.dll
O2 - BHO: (no name) - {31D747CD-D62B-46D0-AA6E-C7026180E4E3} - C:\WINDOWS\system32\framebufn.dll
O2 - BHO: (no name) - {350153A1-CBBE-4997-BBC8-0C902436DA5F} - C:\WINDOWS\system32\framebufn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {99EADCAA-987B-4E63-B5BD-9B2D6456C47D} - C:\WINDOWS\system32\framebufn.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Internet Connection Wizard Configuration Tool] C:\Program Files\Internet Explorer\Connection Wizard\icwconfig.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200782324661
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


ComboFix 08-11-19.08 - Rachelle 2008-11-21  0:20:09.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.288 [GMT -5:00]
Running from: c:\documents and settings\Rachelle\Desktop\FIX\ComboFix.exe
 * Created a new restore point
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\TDSSosvd.dat
D:\Autorun.inf
.
(((((((((((((((((((((((((   Files Created from 2008-10-21 to 2008-11-21  )))))))))))))))))))))))))))))))
.
2008-11-20 23:54 . 2008-11-20 23:54 <DIR> d-------- c:\program files\CCleaner
2008-11-15 00:46 . 2008-11-15 01:02 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-11-13 11:23 . 2008-11-20 23:20 <DIR> d-------- C:\HJT
2008-11-11 23:46 . 2008-11-11 23:46 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-11 21:32 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-11 21:32 . 2008-06-13 08:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-11 21:31 . 2008-08-14 05:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-11 21:31 . 2008-08-14 04:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-11 21:31 . 2008-08-14 04:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-11 21:31 . 2008-08-14 04:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-11 21:31 . 2008-10-24 06:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-08 18:55 . 2008-11-12 13:44 120,576 --a------ c:\windows\system32\framebufn.dll
2008-10-31 09:46 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-31 06:59 . 2008-10-31 06:59 <DIR> d-------- c:\program files\Enigma Software Group
2008-10-30 23:07 . 2008-10-30 23:07 <DIR> d-------- c:\windows\Sun
2008-10-30 23:06 . 2008-10-30 23:06 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-30 22:34 . 2008-10-31 09:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-30 22:34 . 2008-10-30 22:34 <DIR> d-------- c:\documents and settings\Rachelle\Application Data\Malwarebytes
2008-10-30 22:34 . 2008-10-30 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-30 22:34 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-30 22:34 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-29 14:00 . 2008-11-20 12:46 <DIR> d-------- c:\documents and settings\Rachelle\Application Data\FrostWire
2008-10-29 13:59 . 2008-10-31 09:46 <DIR> d-------- c:\program files\Java
2008-10-29 13:59 . 2008-10-29 13:59 <DIR> d-------- c:\program files\Common Files\Java
2008-10-29 13:58 . 2008-10-31 09:46 <DIR> d-------- c:\program files\FrostWire
2008-10-24 18:04 . 2008-10-24 18:04 <DIR> d-------- c:\program files\InterActual
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-01 01:16 --------- d-----w c:\documents and settings\Rachelle\Application Data\HP
2008-10-31 13:49 --------- d-----w c:\program files\Coupons
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09F2FA2B-6F70-45EB-A202-C5C4DE0AE85E}]
2008-11-12 13:44 120576 --a------ c:\windows\system32\framebufn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31D747CD-D62B-46D0-AA6E-C7026180E4E3}]
2008-11-12 13:44 120576 --a------ c:\windows\system32\framebufn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{350153A1-CBBE-4997-BBC8-0C902436DA5F}]
2008-11-12 13:44 120576 --a------ c:\windows\system32\framebufn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99EADCAA-987B-4E63-B5BD-9B2D6456C47D}]
2008-11-12 13:44 120576 --a------ c:\windows\system32\framebufn.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-03-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-03-22 126976]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-12 1282048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Internet Connection Wizard Configuration Tool"="c:\program files\Internet Explorer\Connection Wizard\icwconfig.exe" [2005-03-18 17408]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
R0 gsjdynca;gsjdynca;c:\windows\system32\drivers\gsjdynca.sys [2004-08-04 23424]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-ID - (no file)


**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 00:23:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-11-21  0:24:35 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-21 05:24:30
Pre-Run: 17,345,265,664 bytes free
Post-Run: 17,341,333,504 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\ = "Unidentified operating system on drive D."
126 --- E O F --- 2008-11-13 05:02:09
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2
11/21/2008 12:48:19 AM
mbam-log-2008-11-21 (00-48-19).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 65711
Time elapsed: 11 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)



Touch (Forum Moderator)
Posted 11-21-2008 7:14 (GMT +1)
It looks right.

1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it. Name the file CFScript and save it on the desktop.

QUOTE:
Killall::
 
Snapshot::
 
File::
c:\windows\system32\framebufn.dll
c:\windows\system32\drivers\gsjdynca.sys

Folder::
c:\documents and settings\Rachelle\Application Data\FrostWire
c:\program files\FrostWire
 
Driver::
Gsjdynca
 
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09F2FA2B-6F70-45EB-A202-C5C4DE0AE85E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31D747CD-D62B-46D0-AA6E-C7026180E4E3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{350153A1-CBBE-4997-BBC8-0C902436DA5F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99EADCAA-987B-4E63-B5BD-9B2D6456C47D}]


 
 
Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe, and post back the resulting report, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



MikeSmeltz (New Member)
Posted 11-21-2008 3:22 (GMT +1)
Okay here are the new logs:
ComboFix 08-11-19.08 - Rachelle 2008-11-21  9:09:39.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.286 [GMT -5:00]
Running from: c:\documents and settings\Rachelle\Desktop\FIX\ComboFix.exe
Command switches used :: c:\documents and settings\Rachelle\Desktop\CFScript.txt
 * Created a new restore point
FILE ::
c:\windows\system32\drivers\gsjdynca.sys
c:\windows\system32\framebufn.dll
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Rachelle\Application Data\FrostWire
c:\documents and settings\Rachelle\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
c:\documents and settings\Rachelle\Application Data\FrostWire\checkandupdate.txt
c:\documents and settings\Rachelle\Application Data\FrostWire\createtimes.cache
c:\documents and settings\Rachelle\Application Data\FrostWire\downloads.dat
c:\documents and settings\Rachelle\Application Data\FrostWire\fileurns.bak
c:\documents and settings\Rachelle\Application Data\FrostWire\fileurns.cache
c:\documents and settings\Rachelle\Application Data\FrostWire\filters.props
c:\documents and settings\Rachelle\Application Data\FrostWire\frostwire.props
c:\documents and settings\Rachelle\Application Data\FrostWire\gnutella.net
c:\documents and settings\Rachelle\Application Data\FrostWire\installation.props
c:\documents and settings\Rachelle\Application Data\FrostWire\intent.props
c:\documents and settings\Rachelle\Application Data\FrostWire\library.dat
c:\documents and settings\Rachelle\Application Data\FrostWire\mojito.props
c:\documents and settings\Rachelle\Application Data\FrostWire\questions.props
c:\documents and settings\Rachelle\Application Data\FrostWire\simpp.xml
c:\documents and settings\Rachelle\Application Data\FrostWire\tables.props
c:\documents and settings\Rachelle\Application Data\FrostWire\themes\frostwirePro_theme.fwtp
c:\documents and settings\Rachelle\Application Data\FrostWire\themes\frostwirePro_theme\theme.txt
c:\documents and settings\Rachelle\Application Data\FrostWire\themes\frostwirePro_theme\version.txt
c:\documents and settings\Rachelle\Application Data\FrostWire\version.xml
c:\documents and settings\Rachelle\Application Data\FrostWire\xml\data\audio.sxml2
c:\documents and settings\Rachelle\Application Data\FrostWire\xml\data\video.sxml2
c:\program files\FrostWire
c:\program files\FrostWire\aopalliance.jar
c:\program files\FrostWire\clink.jar
c:\program files\FrostWire\commons-codec-1.3.jar
c:\program files\FrostWire\commons-logging.jar
c:\program files\FrostWire\daap.jar
c:\program files\FrostWire\EULA.txt
c:\program files\FrostWire\forms.jar
c:\program files\FrostWire\foxtrot.jar
c:\program files\FrostWire\FrostWire.exe
c:\program files\FrostWire\FrostWire.ico
c:\program files\FrostWire\FrostWire.jar
c:\program files\FrostWire\gettext-commons.jar
c:\program files\FrostWire\GPL2.txt
c:\program files\FrostWire\guice-1.0.jar
c:\program files\FrostWire\hashes
c:\program files\FrostWire\httpclient-4.0-alpha3.jar
c:\program files\FrostWire\httpcore-4.0-beta2.jar
c:\program files\FrostWire\httpcore-nio-4.0-beta2.jar
c:\program files\FrostWire\httpcore-niossl-4.0-alpha7.jar
c:\program files\FrostWire\icu4j.jar
c:\program files\FrostWire\inspection.props
c:\program files\FrostWire\jaudiotagger.jar
c:\program files\FrostWire\jcraft.jar
c:\program files\FrostWire\jdic.dll
c:\program files\FrostWire\jdic.jar
c:\program files\FrostWire\jdic_stub.jar
c:\program files\FrostWire\jflac.jar
c:\program files\FrostWire\jl.jar
c:\program files\FrostWire\jmdns.jar
c:\program files\FrostWire\jogg.jar
c:\program files\FrostWire\jorbis.jar
c:\program files\FrostWire\jython.jar
c:\program files\FrostWire\launch.properties
c:\program files\FrostWire\log.txt
c:\program files\FrostWire\log4j.jar
c:\program files\FrostWire\log4j.properties
c:\program files\FrostWire\looks.jar
c:\program files\FrostWire\lw-all.jar
c:\program files\FrostWire\messages.jar
c:\program files\FrostWire\mp3spi.jar
c:\program files\FrostWire\onion-common.jar
c:\program files\FrostWire\onion-fec.jar
c:\program files\FrostWire\pmf.ico
c:\program files\FrostWire\ProgressTabs.jar
c:\program files\FrostWire\seenMessages.dat
c:\program files\FrostWire\swt.jar
c:\program files\FrostWire\SystemUtilities.dll
c:\program files\FrostWire\SystemUtilitiesA.dll
c:\program files\FrostWire\themes.jar
c:\program files\FrostWire\tray.dll
c:\program files\FrostWire\tritonus.jar
c:\program files\FrostWire\Uninstall.exe
c:\program files\FrostWire\vorbisspi.jar
c:\windows\system32\drivers\gsjdynca.sys
c:\windows\system32\framebufn.dll
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GSJDYNCA
-------\Service_gsjdynca

(((((((((((((((((((((((((   Files Created from 2008-10-21 to 2008-11-21  )))))))))))))))))))))))))))))))
.
2008-11-20 23:54 . 2008-11-20 23:54 <DIR> d-------- c:\program files\CCleaner
2008-11-15 00:46 . 2008-11-15 01:02 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-11-13 11:23 . 2008-11-21 00:28 <DIR> d-------- C:\HJT
2008-11-11 23:46 . 2008-11-11 23:46 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-11 21:32 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-11 21:32 . 2008-06-13 08:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-11 21:31 . 2008-08-14 05:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-11 21:31 . 2008-08-14 04:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-11 21:31 . 2008-08-14 04:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-11 21:31 . 2008-08-14 04:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-11 21:31 . 2008-10-24 06:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-31 09:46 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-31 06:59 . 2008-10-31 06:59 <DIR> d-------- c:\program files\Enigma Software Group
2008-10-30 23:07 . 2008-10-30 23:07 <DIR> d-------- c:\windows\Sun
2008-10-30 23:06 . 2008-10-30 23:06 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-30 22:34 . 2008-11-21 00:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-30 22:34 . 2008-10-30 22:34 <DIR> d-------- c:\documents and settings\Rachelle\Application Data\Malwarebytes
2008-10-30 22:34 . 2008-10-30 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-30 22:34 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-30 22:34 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-29 13:59 . 2008-10-31 09:46 <DIR> d-------- c:\program files\Java
2008-10-29 13:59 . 2008-10-29 13:59 <DIR> d-------- c:\program files\Common Files\Java
2008-10-24 18:04 . 2008-10-24 18:04 <DIR> d-------- c:\program files\InterActual
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-01 01:16 --------- d-----w c:\documents and settings\Rachelle\Application Data\HP
2008-10-31 13:49 --------- d-----w c:\program files\Coupons
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-03-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-03-22 126976]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-12 1282048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Internet Connection Wizard Configuration Tool"="c:\program files\Internet Explorer\Connection Wizard\icwconfig.exe" [2005-03-18 17408]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

*Newly Created Service* - GSJDYNCA
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 09:12:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-11-21  9:13:43 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-21 14:13:39
ComboFix2.txt  2008-11-21 05:24:36
Pre-Run: 17,332,748,288 bytes free
Post-Run: 17,323,864,064 bytes free
179 --- E O F --- 2008-11-13 05:02:09
Logfile of HijackThis v1.99.1
Scan saved at 9:17:14 AM, on 11/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Internet Connection Wizard Configuration Tool] C:\Program Files\Internet Explorer\Connection Wizard\icwconfig.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200782324661
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
I'm guessing it needs updates?

MikeSmeltz
New Member


Date Joined Nov 2008
Total Posts : 4
 
Posted 11-21-2008 3:51 (GMT +1)
Seems to be working great. No redirects or pop-ups anymore. I installed the suggested AVG Anti-Virus also. Thank you so much. Please let me know if there's anything in my logs you think needs fixing. Thanks again.

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14307
 
Posted 11-21-2008 5:44 (GMT +1)
Looks clean - good job
 
 
If your computer problems are solved, it is time for the clean-up procedure. Download this file and save it on desktop as FIX_removal.exe

http://www.ctrlaltdel.dk/FIX_removal.exe

Double click FIX_removal.exe and follow the instructions - this will remove the programs that you have used during the cleaning process. Once the program is finished, reboot your computer to finalise the clean-up procedure.


I also suggest you read Tony Klein's article:
So_how_did_I_get_infected_in_the_first_place.html


Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.
