BullGuard Antivirus Forum - Virus Questions

Redirection of URL Virus

Pectabyte (New Member, joined Aug 2008, 5 posts) - Posted 8-28-2008 7:29 (GMT +1)
Ugh... So I have a virus that redirects me to random websites when I click on a search result in Google. Additionally, it prevents me from sending e-mail and AIM messages. I've run antivirus scans with NOD32 and Antivir and neither of them finds anything. I've scoured the internet and don't have any decent leads on how to fix it. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:44 PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Function Key Controller\FKC.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AIM\aim.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [FunctionKeyCtrl] C:\Program Files\Function Key Controller\FKC.exe
O4 - HKLM\..\Run: [BisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6283 bytes
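As an added illustration (not code from this thread or from any of the tools it mentions), the following Python script performs the triage that points at the tell in the log above: a copy of svchost.exe running from system32\drivers and registered under a HKCU Run key. The excerpted log lines are copied from the post; the allow-list of core system binaries and their expected directory are assumptions of the example.

```python
import ntpath
import re

# Core Windows binaries that only ever run from %SystemRoot%\system32 and are
# started by the kernel or the service control manager, never from a Run key.
# Constructed allow-list for this example; extend it for real triage.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
EXPECTED_DIR = r"c:\windows\system32"

# HijackThis O4 autostart line:  O4 - HKCU\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable of a command line: optionally quoted, ends in .exe, then a space or end of line.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?=\s|$)', re.IGNORECASE)


def first_exe(cmd):
    """Return the executable a Run entry launches, or None for non-.exe commands."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def check_binary(path, where, from_run_key=False):
    """Flag a protected system binary that runs from the wrong directory or from a Run key."""
    base = ntpath.basename(path).lower()
    if base not in SYSTEM_BINARIES:
        return None
    reasons = []
    directory = ntpath.dirname(path).lower()
    if directory != EXPECTED_DIR:
        reasons.append(f"{base} found in {directory or '(no directory)'}, expected {EXPECTED_DIR}")
    if from_run_key:
        reasons.append(f"{base} registered as a Run autostart")
    if not reasons:
        return None
    return {"where": where, "path": path, "reasons": reasons}


def triage(log_text):
    """Scan a HijackThis log and return a list of findings (empty if nothing stands out)."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line closes the process list
                in_processes = False
                continue
            finding = check_binary(line, "running process")
            if finding:
                findings.append(finding)
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = first_exe(m.group("cmd"))
        if exe is None:
            continue
        where = f"{m.group('hive')} Run entry [{m.group('name')}]"
        finding = check_binary(exe, where, from_run_key=True)
        if finding:
            findings.append(finding)
    return findings


# Constructed excerpt of the first HijackThis log posted in this thread.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Eset\nod32kui.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
"""
# Constructed stand-in for the post-cleanup log: the rogue process and its Run entry are gone.
LOG_AFTER = "\n".join(ln for ln in LOG_BEFORE.splitlines() if "drivers\\svchost.exe" not in ln) + "\n"

if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f["where"], "->", f["path"])
        for r in f["reasons"]:
            print("   ", r)
    print("after cleanup:", triage(LOG_AFTER) or "no findings")
```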

Touch (Forum Moderator, joined Jun 2004, 13642 posts) - Posted 8-28-2008 8:13 (GMT +1)

Hello
 
Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

Copy and paste that log into your next reply, along with a fresh HijackThis log.

NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Do NOT post your problem in someone else's thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted.


Pectabyte (New Member, joined Aug 2008, 5 posts) - Posted 8-28-2008 8:32 (GMT +1)
Okay, here are the results for MBAM and HijackThis:

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

12:25:19 PM 8/28/2008
mbam-log-08-28-2008 (12-25-19).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 166675
Time elapsed: 45 minute(s), 32 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

_____________________________________________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:25 PM, on 8/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Function Key Controller\FKC.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AIM\aim.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [FunctionKeyCtrl] C:\Program Files\Function Key Controller\FKC.exe
O4 - HKLM\..\Run: [BisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6041 bytes

Touch (Forum Moderator, joined Jun 2004, 13642 posts) - Posted 8-29-2008 3:26 (GMT +1)
Please download Combofix and save it to the desktop.

Close all other browser windows.

Important: Temporarily disable your anti-virus real-time protection before performing a scan. It can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run ComboFix.

Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.

NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed, as this can cause reinfection during your cleaning.




Pectabyte (New Member, joined Aug 2008, 5 posts) - Posted 8-29-2008 7:15 (GMT +1)
Here is ComboFix's log:

ComboFix 08-08-28.04 - Pectabyte 2008-08-28 23:02:31.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1579 [GMT -7:00]

Running from: C:\Documents and Settings\Pectabyte\Desktop\ComboFix.exe

Command switches used :: / snapshot

* Created a new restore point

* Resident AV is active





WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



C:\Documents and Settings\Pectabyte\Application Data\macromedia\Flash Player\#SharedObjects\F4DYUCX7\interclick.com

C:\Documents and Settings\Pectabyte\Application Data\macromedia\Flash Player\#SharedObjects\F4DYUCX7\interclick.com\ud.sol

C:\Documents and Settings\Pectabyte\Application Data\macromedia\Flash Player\#SharedObjects\F4DYUCX7\static.youku.com

C:\Documents and Settings\Pectabyte\Application Data\macromedia\Flash Player\#SharedObjects\F4DYUCX7\static.youku.com\v1.0.0296\v\swf\qplayer.swf\qplayer.sol

C:\Documents and Settings\Pectabyte\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com

C:\Documents and Settings\Pectabyte\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

C:\Documents and Settings\Pectabyte\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com

C:\Documents and Settings\Pectabyte\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol



.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.



-------\Legacy_TDSSSERV

-------\Service_tdssserv





((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))

.



2008-08-28 11:38 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-28 11:37 . 2008-08-28 11:37 <DIR> d-------- C:\Documents and Settings\Pectabyte\Application Data\Malwarebytes

2008-08-28 11:37 . 2008-08-28 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-08-28 11:37 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-28 11:36 . 2008-08-28 11:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-08-27 14:02 . 2008-08-27 14:02 <DIR> d-------- C:\Program Files\Trend Micro

2008-08-27 13:55 . 2008-08-27 13:55 <DIR> d-------- C:\Documents and Settings\Administrator

2008-08-25 00:43 . 2008-08-26 17:03 <DIR> d-------- C:\Documents and Settings\Pectabyte\Application Data\SPORE Creature Creator

2008-08-25 00:43 . 2008-08-25 00:43 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2008-08-23 15:22 . 2008-08-23 15:22 <DIR> d-------- C:\Program Files\Penumbra

2008-08-21 16:04 . 2008-08-21 16:04 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

2008-08-18 14:00 . 2008-08-18 14:33 <DIR> d-------- C:\Documents and Settings\Pectabyte\Application Data\PSPDocMaker

2008-08-14 21:49 . 2007-01-03 17:36 1,875,110 --a------ C:\WINDOWS\system\cygwin1.dll

2008-08-14 21:49 . 2007-01-03 17:46 66,048 --a------ C:\WINDOWS\system\cygz.dll

2008-08-13 19:49 . 2008-08-13 19:49 <DIR> d--h----- C:\WINDOWS\PIF

2008-08-13 19:09 . 2008-08-13 19:09 <DIR> d-------- C:\Documents and Settings\Pectabyte\Application Data\vlc

2008-08-13 19:08 . 2008-08-13 19:08 <DIR> d-------- C:\Program Files\VideoLAN

2008-08-13 19:00 . 2008-08-13 19:01 <DIR> d-------- C:\Documents and Settings\Pectabyte\Application Data\Media Player Classic

2008-08-13 16:04 . 2008-08-13 16:04 3,932,214 --a------ C:\WINDOWS\InvaderDark1280.bmp

2008-08-13 15:06 . 2008-08-13 15:07 8,646,494 --a------ C:\Documents and Settings\Pectabytevlc-0.8.6e-win32.7z

2008-08-11 09:55 . 2008-08-11 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk

2008-08-11 09:52 . 2008-08-11 09:57 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared

2008-08-11 09:52 . 2008-08-11 09:57 <DIR> d-------- C:\Program Files\Autodesk

2008-08-07 16:51 . 2008-08-07 16:51 <DIR> d-------- C:\Program Files\uTorrent

2008-08-07 16:51 . 2008-08-28 23:06 <DIR> d-------- C:\Documents and Settings\Pectabyte\Application Data\uTorrent

2008-07-31 16:38 . 2008-07-31 16:38 <DIR> d-------- C:\Program Files\support.com

2008-07-31 16:38 . 2008-07-31 16:38 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

2008-07-31 16:38 . 2008-07-31 16:41 1,145 --a------ C:\net_save.dna

2008-07-29 03:00 . 2008-07-29 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-29 06:07 --------- d-----w C:\Program Files\Steam

2008-08-27 19:49 --------- d-----w C:\Program Files\ESET

2008-08-25 07:42 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-08-25 07:42 --------- d-----w C:\Program Files\Electronic Arts

2008-08-22 07:53 --------- d-----w C:\Documents and Settings\Pectabyte\Application Data\dvdcss

2008-08-21 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\licensecb

2008-08-21 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\CrazyBump

2008-08-13 23:04 --------- d-----w C:\Program Files\AlienGUIse

2008-07-28 06:22 --------- d-----w C:\Program Files\HP

2008-07-28 06:22 --------- d-----w C:\Program Files\Hewlett-Packard

2008-07-15 17:29 --------- d-----w C:\Program Files\iTunes

2008-07-15 17:29 --------- d-----w C:\Documents and Settings\Pectabyte\Application Data\Apple Computer

2008-07-15 17:28 --------- d-----w C:\Program Files\QuickTime

2008-07-15 17:28 --------- d-----w C:\Program Files\iPod

2008-07-15 17:28 --------- d-----w C:\Program Files\Bonjour

2008-07-15 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer

2008-07-15 17:27 --------- d-----w C:\Program Files\Common Files\Apple

2008-07-15 17:27 --------- d-----w C:\Program Files\Apple Software Update

2008-07-15 17:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple

2008-07-12 20:31 --------- d-----w C:\Program Files\AGEIA Technologies

2008-07-12 20:29 --------- d-----w C:\Program Files\OpenAL

2008-07-12 20:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-07-10 16:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys

2008-06-30 05:48 --------- d-----w C:\Documents and Settings\Pectabyte\Application Data\AdobeUM

2008-06-29 21:25 --------- d-----w C:\Program Files\FlashFXP

2008-06-29 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\FlashFXP

2008-06-29 01:38 --------- d-----w C:\Program Files\wings3d_0.99.00b

2008-06-05 03:23 22,328 ----a-w C:\Documents and Settings\Pectabyte\Application Data\PnkBstrK.sys

.



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AIM"="C:\PROGRA~1\AIM\aim.exe" [2003-08-01 08:31 61440]

"Steam"="c:\program files\steam\steam.exe" [2008-06-02 16:10 1271032]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"FunctionKeyCtrl"="C:\Program Files\Function Key Controller\FKC.exe" [2006-05-25 16:49 49152]

"BisonTrayIcon"="C:\WINDOWS\BisonCam\BisonTrayIcon.exe" [2005-10-06 18:49 40960]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-06-02 23:23 921600]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-11 13:06 8527872]

"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]

"HPHUPD05"="C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-07 21:55 49152]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]

"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 15:41 49152]

"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2005-07-07 21:55 491520]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-07 21:55 176128]



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=wbsys.dll



[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll



[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup



[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Quake III Arena\\quake3.exe"=

"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

"C:\\WINDOWS\\system32\\PnkBstrA.exe"=

"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=

"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=

"C:\\Program Files\\GtkRadiant 1.5.0\\GtkRadiant.exe"=

"C:\\Program Files\\Steam\\steamapps\\pectabyte\\counter-strike source\\hl2.exe"=

"D:\\Instalation Programs and Games\\Games\\DUKE3D\\duke3d.exe"=

"C:\\Program Files\\AIM\\aim.exe"=

"C:\\Program Files\\FlashFXP\\FlashFXP.exe"=

"C:\\Program Files\\Steam\\steamapps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Quake\\glquake.exe"=

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

"C:\\Program Files\\Steam\\steamapps\\pectabyte\\opposing force\\hl.exe"=

"C:\\Program Files\\Steam\\steamapps\\pectabyte\\deathmatch classic\\hl.exe"=

"C:\\Program Files\\Steam\\steamapps\\pectabyte\\half-life\\hl.exe"=

"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=

"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=

"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=

"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Steam\\steamapps\\pectabyte\\half-life blue shift\\hl.exe"=





[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5710e1a-30f6-11dd-9e7d-806d6172696f}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\setup\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-28 C:\WINDOWS\Tasks\HP Usg Daily.job
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2005-07-07 21:55]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Pectabyte\Application Data\Mozilla\Firefox\Profiles\5hcdoz3w.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 23:07:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-28 23:12:29 - machine was rebooted [Pectabyte]
ComboFix-quarantined-files.txt 2008-08-29 06:11:54

Pre-Run: 35,296,522,240 bytes free
Post-Run: 37,821,177,856 bytes free

201 --- E O F --- 2008-08-14 10:02:13
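The tail of the log above carries the three sections a helper reads first when deciding whether a ComboFix run "looks clean": the per-volume MountPoints2 autorun commands (the registry record of an autorun.inf on a CD or USB stick, and the hook autorun worms abuse), the Scheduled Tasks folder (a persistence location), and the catchme hidden-object counts. As an added example for this thread (not ComboFix's own code and not anything the helper ran), the Python script below parses those sections out of such a log and separates context from things that deserve a second look. The line layout it assumes, the trusted-path heuristic for task targets, the `hidden <kind>: <n>` form for catchme counts other than files, and the second, constructed "suspect" log are all my assumptions, not taken from the post.

```python
"""Triage the MountPoints2, Scheduled Tasks and catchme sections of a
ComboFix-style log.  Added example; not ComboFix's code.  Assumes the layout
in the post above: a bracketed MountPoints2 key followed by
"\Shell\<verb>\command - <path>" lines, a dated "<file>.job" line followed by
"- <target> [<timestamp>]", and catchme lines "hidden <kind>: <n>"."""
import re
from dataclasses import dataclass, field

# Excerpt of the log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5710e1a-30f6-11dd-9e7d-806d6172696f}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\setup\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-08-28 C:\WINDOWS\Tasks\HP Usg Daily.job
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2005-07-07 21:55]
.
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
hidden files: 0
"""

# Constructed counter-example (not from the thread): an autorun hook on the
# fixed disk, a task firing from a temp directory, and hidden objects found.
SUSPECT_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
\Shell\AutoRun\command - C:\update.exe
Contents of the 'Scheduled Tasks' folder
2008-08-28 C:\WINDOWS\Tasks\At1.job
- C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe [2008-08-27 02:13]
hidden files: 2
hidden processes: 1
"""

SYSTEM_DRIVE = "C:"
# Heuristic of my own: task targets outside these trees get a second look.
TRUSTED_TASK_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

MP_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
                    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
MP_CMD = re.compile(r"^\\Shell\\([^\\]+)\\command - (.+)$", re.I)
TASK_JOB = re.compile(r"^\d{4}-\d{2}-\d{2} (.+\.job)$", re.I)
TASK_TARGET = re.compile(r"^- (.+?) \[[^\]]*\]$")
HIDDEN = re.compile(r"^hidden (\w+): (\d+)$", re.I)

@dataclass
class Triage:
    mountpoints: dict = field(default_factory=dict)  # volume GUID -> [(verb, command)]
    tasks: list = field(default_factory=list)        # [(job file, target)]
    hidden: dict = field(default_factory=dict)       # catchme kind -> count

def parse(log_text):
    t = Triage()
    guid = job = None  # current MountPoints2 key / .job file awaiting its target line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ".":  # ComboFix section separator
            guid = job = None
            continue
        if m := MP_KEY.match(line):
            guid = m.group(1)
            t.mountpoints.setdefault(guid, [])
        elif (m := MP_CMD.match(line)) and guid:
            t.mountpoints[guid].append((m.group(1), m.group(2)))
        elif m := TASK_JOB.match(line):
            job = m.group(1)
        elif (m := TASK_TARGET.match(line)) and job:
            t.tasks.append((job, m.group(1)))
            job = None
        elif m := HIDDEN.match(line):
            t.hidden[m.group(1).lower()] = int(m.group(2))
    return t

def findings(t):
    """Return (level, message) pairs: 'warn' needs a second look, 'info' is context."""
    out = []
    for guid, cmds in t.mountpoints.items():
        for verb, cmd in cmds:
            if cmd[:2].upper() == SYSTEM_DRIVE:
                out.append(("warn", f"MountPoints2 {guid}: {verb} runs {cmd} from the system drive"))
            else:
                out.append(("info", f"MountPoints2 {guid}: {verb} runs {cmd} "
                                    "(autorun.inf hook for a removable/optical volume; check which one)"))
    for job, target in t.tasks:
        if not target.lower().startswith(TRUSTED_TASK_PREFIXES):
            out.append(("warn", f"Scheduled task {job} runs {target} from an unusual location"))
    for kind, n in t.hidden.items():
        if n:
            out.append(("warn", f"catchme reported {n} hidden {kind}"))
    return out

if __name__ == "__main__":
    for level, msg in findings(parse(SAMPLE_LOG)) + findings(parse(SUSPECT_LOG)):
        print(f"[{level}] {msg}")
```

On the posted excerpt the script raises no warnings and only notes the two E: autorun commands as context, which is consistent with the moderator's verdict; the remaining manual step is to confirm which disc or stick volume {b5710e1a-30f6-11dd-9e7d-806d6172696f} belongs to. On the constructed suspect log every item comes back as a warning, which is the shape of a log that should not be called clean.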

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13642
 
   Posted 8-29-2008 7:19 (GMT +1)
Looks clean. How are things running now?


Do NOT post your problem in someone else's thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted


Pectabyte
New Member


Date Joined Aug 2008
Total Posts : 5
 
   Posted 8-29-2008 7:35 (GMT +1)
Fine. I guess I am just a little bewildered how I got the virus. I don't even know how to prevent it from happening again. Did I really wipe it out or did I just get rid of the symptoms? Thank you. Thank you so much.

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13642
 
   Posted 8-30-2008 5:53 (GMT +1)
Malwarebytes' Anti-Malware got rid of it.


 
To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
System Restore
 
 
Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will:
Uninstall ComboFix. Delete its related folders and files.
Reset your clock settings. Hide file extensions.
Hide the system/hidden files. And reset System Restore again.
 
Please read Tony Klein's excellent article: How I got Infected in the First Place





cescyfootie
New Member


Date Joined Aug 2008
Total Posts : 1
 
   Posted 8-30-2008 9:46 (GMT +1)
Is this a general guide for everyone who has the same type of virus (redirect virus), or is this specific to the HijackThis log the user has posted? I have downloaded HijackThis and the malware software as directed by this thread, and stopped there before proceeding with the rest of the directions.

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13642
 
   Posted 8-31-2008 4:55 (GMT +1)
Hello cescyfootie
 
 
I'll suggest you ->
 
 
Click here - >> Before posting a log 
 
 
 After You have run the scan tools -
 
Reboot normally
 
Post your HijackThis log along with the SuperAntiSpyware log and the C: combofix TXT in your own topic
 
Please copy and paste your log. DO NOT add it as an attachment
Kindly do not annotate or format the log with color or font changes.
NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.
 
 
Since this issue appears resolved ... this Topic is closed.



 

