
REDIRECTION TO ADVERTISING SITES


Perun


Hello,

I came into trouble about 30 days ago while using "hydemyass.com" (an anonymous proxy surfing service). Since then, I get redirected every time I try to type "hyde" to "secredir.com/?sov=hydemyass.com" and then to the advertising site "http://videorewardspace.com/?sov=124991", some kind of fake advertising. This happens in Firefox, Chrome and IE6.

I tried to get help from a site similar to this one, but they gave up after 2-3 weeks of effort. This is the reason I have so many tools (like Combofix, OTL, etc.) installed, since I am in a position where, if I cannot find the cure, I'll have to do a clean WinXP install (but I'm not sure that even this will help, regarding TDL, rootkit and similar malware).

With the help of experts from this other forum, I tried all possible scans, but nothing could be found for sure.

Since this started, I have been getting Windows Explorer crashes relatively often, which didn't happen before, and the redirection in all browsers remains.

Not to forget the PC data: desktop, dual Intel processors 2932, Win PRO 5.1.2600, service pack 2600, IE 6 (I don't use it, never updated), 2 HDDs of 500 GB each.

I ran a free MBAM quick scan and everything is clean (so it says).

Enclosed I send DDS logs for the beginning.

Thanks in advance for any help you can offer.

dds.txt

attach.txt


Hello,

since I'm new to the forum and I received no answer for 5 days (I know you guys have a lot of work),

I enclose my HJT log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 15:24:01, on 11/12/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Emsisoft Anti-Malware\a2service.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Emsisoft\Online Armor\OAcat.exe

C:\Program Files\Emsisoft\Online Armor\oasrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Prevx\prevx.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ThreatFire\TFService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Prevx\prevx.exe

C:\WINDOWS\VMSnap3.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Emsisoft\Online Armor\oaui.exe

C:\Program Files\ThreatFire\TFTray.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Emsisoft\Online Armor\OAhlp.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com

O1 - Hosts: ÿþ127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\system32\PxSecure.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.exe

O4 - HKLM\..\Run: [MultiScreen] C:\Program Files\MultiScreen\MultiScreen.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\oaui.exe"

O4 - HKLM\..\Run: [ASUS Update Checker] C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe

O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe

O15 - Trusted IP range: http://192.168.1.1

O15 - ESC Trusted IP range: http://192.168.1.1

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1322556089828

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Emsisoft Anti-Malware 6.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\OAcat.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\oasrv.exe

O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--

End of file - 7925 bytes

==

What I can see myself is that I have wrong entries in my hosts file:

O1 - Hosts: ÿþ127.0.0.1 localhost

O1 - Hosts: ::1 localhost

I forgot to mention that this happened before: after I fix the "hosts" file, it appears again after 7-10 days.

Now I hadn't checked it for some time, and it happened again; the file was modified today at 00:38 AM.

Thanks again for any help you can provide


Hello and :welcome:

Could you please link me to your original topic (that way I can get an idea of what steps were already done).

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:
    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.


Hello Ms Lisa,

thanks for the quick reaction.

First, here's the link of the previous forum trying to help me: http://www.bleepingcomputer.com/forums/topic427280.html

As you can see, a lot of things were tried, including getxpud but in a different way.

Second, I have a lot of tools that remained installed, and maybe something changed (except the redirection coming back).

Third, I don't have a clean machine at my disposal; I'll need 1-2 days to get one where I can do the Getxpud CD burning. If you think it's necessary, please inform me; for now I did everything on the infected PC.

Fourth, strange things happened as I booted from the CD. As I mentioned, I have 2 HDDs; the first one has C: and a logical D: partition, and the second HDD is F:.

As I booted, the situation was as follows:

- sda1 - it was my C:

- sda2 - empty; I thought it was my USB, but when trying to write nothing happened, so I finally had to save the file on my E:

- this drive also had no size in properties

- sda5 - it was my D:

- sdb1 - it was my E: - the second HDD, to which I saved the bin file that I am sending

As you can see, especially from the previous attempts on the other forum, I had success finding my USB after booting from the ISO CD, but now things look more strange.

I am at your disposal for further advice, and promise a prompt reaction, since I am getting tired of 1 month of trying to clean this thing(s).

Thanks again and best regards,

Perun

mbr.zip


Thanks again for the quick reaction,

one new thing happened, my USB appeared as sdc1!

Anyway, fdisk.txt:

Disk /dev/sda: 640.1 GB, 640135028736 bytes
255 heads, 63 sectors/track, 77825 cylinders, total 1250263728 sectors
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63   410010929   205005433+   7  HPFS/NTFS
/dev/sda2       410010930  1250242559   420115815    f  Win95 Ext'd (LBA)
/dev/sda5       410010993  1250242559   420115783+   7  HPFS/NTFS

Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1              63   976751999   488375968+   7  HPFS/NTFS

Disk /dev/sdc: 261 MB, 261750784 bytes
16 heads, 32 sectors/track, 998 cylinders, total 511232 sectors
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *          32      510974      255471+   6  FAT16
Partition 1 has different physical/logical endings:
     phys=(996, 15, 32) logical=(997, 15, 31)

= = = = =

Expecting your further instructions and best regards.

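The dd step in the earlier instructions captures exactly the 512 bytes this fdisk table was read from. As an added example (not code from the thread or from xPUD/fdisk), the Python script below parses such an mbr.bin into the same Device/Boot/Start/End/Blocks/Id rows and runs the checks a helper would before calling the MBR clean, including the physical/logical CHS comparison behind the warning fdisk printed for /dev/sdc; its two sample sectors are constructed from the posted fdisk numbers, and the bootstrap hash it computes assumes you have a known-good dump of the same disk to compare against.

```python
"""MBR partition-table parser and sanity checker for a 512-byte dump such as the
one `dd if=/dev/sda of=mbr.bin bs=512 count=1` produces. It reproduces the table
fdisk printed and runs the checks a helper would: boot signature, boot flags,
overlaps, and the physical/logical CHS comparison behind fdisk's "different
endings" warning. The sample sectors are constructed from the posted fdisk numbers
(example code, not from the thread); their bootstrap code is all zeros."""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte entries follow the bootstrap code
BOOT_SIGNATURE = b"\x55\xaa"
EXTENDED_TYPES = {0x05, 0x0F}

def decode_chs(raw):
    """Unpack a 3-byte CHS field into (cylinder, head, sector); sector is 1-based."""
    return ((raw[1] & 0xC0) << 2) | raw[2], raw[0], raw[1] & 0x3F

def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; cylinders above 1023 cannot be represented."""
    return bytes([head, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])

def lba_to_chs(lba, heads, sectors_per_track):
    """Logical CHS that fdisk derives for an LBA under the reported geometry."""
    cylinder, rem = divmod(lba, heads * sectors_per_track)
    head, sector = divmod(rem, sectors_per_track)
    return cylinder, head, sector + 1

def parse_mbr(data):
    """Return the four partition entries as dicts (type 0 means unused)."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = data[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        start, count = struct.unpack("<II", raw[8:16])
        entries.append({"index": i + 1, "boot": raw[0], "type": raw[4],
                        "chs_start": decode_chs(raw[1:4]), "chs_end": decode_chs(raw[5:8]),
                        "start": start, "sectors": count, "end": start + count - 1})
    return entries

def fdisk_rows(data, device="/dev/sda"):
    """Render used entries in the 'Device Boot Start End Blocks Id' layout fdisk uses."""
    rows = []
    for p in parse_mbr(data):
        if p["type"] == 0:
            continue
        blocks = f"{p['sectors'] // 2}{'+' if p['sectors'] % 2 else ''}"   # '+' = half a KB
        flag = "*" if p["boot"] == 0x80 else " "
        rows.append(f"{device}{p['index']:<4}{flag:>2}{p['start']:>12}{p['end']:>12}"
                    f"{blocks:>12}{p['type']:>5x}")
    return rows

def check_mbr(data, heads=255, sectors_per_track=63):
    """Return a list of findings; an empty list means the table looks consistent."""
    findings = []
    if data[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    used = [p for p in parse_mbr(data) if p["type"] != 0]
    if sum(1 for p in used if p["boot"] == 0x80) > 1:
        findings.append("more than one partition is flagged active")
    for p in used:
        if p["boot"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid boot flag 0x{p['boot']:02x}")
        for label, lba, stored in (("beginnings", p["start"], p["chs_start"]),
                                   ("endings", p["end"], p["chs_end"])):
            logical = lba_to_chs(lba, heads, sectors_per_track)
            # Above cylinder 1023 the CHS field saturates, so only compare below that.
            if logical[0] < 1024 and logical != stored:
                findings.append(f"partition {p['index']} has different physical/logical "
                                f"{label}: phys={stored} logical={logical}")
    # Logical partitions live inside the extended container; skip it when checking overlap.
    spans = sorted((p["start"], p["end"], p["index"]) for p in used
                   if p["type"] not in EXTENDED_TYPES)
    for (_, end_a, idx_a), (start_b, _, idx_b) in zip(spans, spans[1:]):
        if start_b <= end_a:
            findings.append(f"partitions {idx_a} and {idx_b} overlap")
    return findings

def bootstrap_sha256(data):
    """Hash of the 440-byte bootstrap code, to diff against a known-good dump."""
    return hashlib.sha256(data[:440]).hexdigest()

def make_entry(boot, type_id, start, count, chs_start, chs_end):
    """Build one 16-byte table entry (used only to construct the samples)."""
    return (bytes([boot]) + encode_chs(*chs_start) + bytes([type_id])
            + encode_chs(*chs_end) + struct.pack("<II", start, count))

# Constructed sample: /dev/sda as posted (255 heads, 63 sectors/track); CHS saturated.
SDA_MBR = (b"\x00" * TABLE_OFFSET
           + make_entry(0x80, 0x07, 63, 410010867, (0, 1, 1), (1023, 254, 63))
           + make_entry(0x00, 0x0F, 410010930, 840231630, (1023, 254, 63), (1023, 254, 63))
           + b"\x00" * 32 + BOOT_SIGNATURE)

# Constructed sample: the USB stick /dev/sdc (16 heads, 32 sectors/track) whose stored
# end CHS (996, 15, 32) disagrees with the geometry-derived (997, 15, 31), as fdisk reported.
SDC_MBR = (b"\x00" * TABLE_OFFSET
           + make_entry(0x80, 0x06, 32, 510943, (0, 1, 1), (996, 15, 32))
           + b"\x00" * 48 + BOOT_SIGNATURE)
```

For a real dump, call check_mbr(open("mbr.bin", "rb").read(), heads, sectors_per_track) with the geometry fdisk reports for that disk, and compare bootstrap_sha256 against a dump taken from a known-clean install of the same OS.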

I have reviewed your other topic and I am pretty sure that your router/switch is the culprit here.

Your ISP usually provides you with these details in the internet contract (I live in Romania, and I think I have a fairly similar setup, also with a Huawei DSL switch).

If you can explain to me exactly how things are set up and what devices these are, maybe we can manage to flush the DNS by accessing the devices without losing the password settings. Everything points towards a router infection, so ignoring this issue is not an option. You also cannot bypass the DSL switch.


Hi again Ms Elise,

we are neighbors in a way - I am in Serbia, with a very poor ISP provider.

They don't even give the password to enter the setup of my Huawei HG520c modem, but I picked it up from local forums, therefore I can access it through the browser.

Unfortunately it is pre-programmed with parameters which are password protected (these I don't know) and I cannot do a factory reset or I will lose these parameters.

Actually, I don't have a separate router, only a splitter between the phone jack and the modem, and then it goes directly to the PC.

From the modem I have only 1 other output which I used when I had another PC in a different room, but no VPN or similar.

I'm not an expert in these things; I only accessed it through the browser (http://192.168.1.1) and did a reset with the programmed features (or something like this) without any visible effect.

If I put a pin in that "reset hole" I'm sure to lose all the pre-programmed things, and the ISP will not give them for sure (poor chance to change provider) - result: no connection.

I tried my best to explain; I can send you screenshots from the Huawei firmware, but I think that's most of it.

Waiting for your advice and thank you very much for such quick reactions, I remain online with best regards.


They even don't give the password to enter setup of my Huawei HG520c modem, but I picked it up from local forums, therefore, I can access it through browser.
There are two things: the password you need for the browser interface (which is the default when you get the device and is put there by the manufacturer, not the ISP) and the login details from your ISP that you need to access your connection.

In the interface (192.168.1.1), click on the left tab on Basic, then on WAN settings. Do you see data specified under Login Information (in the right panel)?

Next click DHCP in the left panel. Look in the right panel under DHCP settings what is listed next to Primary and Secondary WAN DNS Server and post me the addresses there.


And one additional thing, which I mentioned in previous forum,

I found something - on C: in the System Restore folder I found a *.bat file of around 2 MB! Inside are very strange commands, some mentioning "porn, sex" etc.

I renamed it to .txt, but before that I sent it packed as *.bat for analysis to virustotal.com, and 4 AV programs detected it as a virus:

-AntiVir 7.11.18.13 2011.11.30 HIDDENEXT/Worm.Gen

-Comodo 10794 2011.11.30 Heur.Dual.Extensions

-Emsisoft 5.1.0.11 2011.11.30 Virus.Win32.HTML!IK

-Ikarus T3.1.1.109.0 2011.11.30 Virus.Win32.HTML

Since I can not send you this as attachment, I uploaded it to

http://www.filefactory.com/file/c0be52f/n/A0000022.zip

First, I found it strange that such a big .bat file exists, and I deleted it from System Restore a week ago, but it reappeared again yesterday.

Best regards,

Perun


Sorry,

haven't seen your reply.

Yes, I see following:

"Service Name" - Empty

"Username" - "somewords@name and address of my ISP provider" - guess it wouldn't be wise to write it in public

"Password" - cannot read it, set by ISP provider

"PPP Authentication" - AUTO

Next,

"DHCP Settings"

Both Primary and Secondary WAN DNS Server are "0.0.0.0"

Looking forward to your reply.


"Username" - "somewords@name and address of my ISP provider" - guess it wouldn't be wise to write it in public

"Password" - cannot read it, set by ISP provider

This username and password should have been given to you by your ISP, typically when you received your contract.

What you can do is the following. In the HUAWEI interface click Tools and then Restore & Backup. In the right panel click the Backup button. That will save your current configuration to a file. Remember where you save it (for example in My documents, give it a name you'll recognize, for example Routerconfig). The file will download automatically, you can also right click the Backup button to directly save the file.

If you want to restore this configuration, you can do that in the same place, by using the Upload button and specifying the location of the backup.

Next, where you now see 0.0.0.0 for the primary and secondary WAN DNS servers, change them to 8.8.8.8 and 8.8.8.4. These are Google's DNS Servers.

When done, see if you still get redirected.


I took some time to reset the machine, which is very slow now.

The modem is working, but the redirection remains in all 3 browsers (IE6 - never use it, Firefox 8 and Chrome, where I got the virus around the end of October)!!!!

I really don't know; even before I was on the edge of a clean WinXP install, but reading about all the TDL & rootkit viruses and router poisoning, I wonder if this can help.

Do you have any ideas?

PS: should I return the WAN addresses to 0.0.0.0?


One more additional thing,

in the "Qoobox" folder of Combofix (which I ran later), in the quarantine, I found a file named "secredir[1].htm.URL.vir" and inside it was

"[internetShortcut]

URL=file:///C:/secredir%5B1%5D.htm"

Obviously, this was created during the redirection through the cloaking "secredir.com" site.

Just one more info.

Best regards,

Perun


The MBR is not infected and the object from System Restore is not active anyway. Let's see some updated information though.

I also want you to reset the router using the Reset button (turn off the router, press the reset button for approx. 10 seconds until the lights come on). If you cannot find login details or if your ISP doesn't want to give them to you, you can always restore the backup file you created. The redirects are not caused by anything on your computer.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Dear Elise,

I don't have a reset switch, but a small hole where I can maybe insert a pin.

Honestly, it's almost midnight now, and I'm afraid to do this - during the day I can call support if I cannot restore the settings.

So, can we skip this just for now, till tomorrow? I'm afraid to lose the connection, and maybe I can find these passwords on domestic forums tonight; then I'll be sure that I can do a factory reset without troubles and f... ISP provider support.

Here is the DDS log

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_29

Run by Milan at 23:14:27 on 2011-12-11

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.506 [GMT 1:00]

.

AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Online Armor Firewall *Disabled*

FW: Norton Internet Security *Enabled*

.

============== Running Processes ===============

.

C:\Program Files\Emsisoft Anti-Malware\a2service.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\Program Files\Emsisoft\Online Armor\OAcat.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Prevx\prevx.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\ThreatFire\TFService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Prevx\prevx.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\VMSnap3.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\ThreatFire\TFTray.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://google.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [VMSnap3] c:\windows\VMSnap3.exe

mRun: [MultiScreen] c:\program files\multiscreen\MultiScreen.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [@OnlineArmor GUI] "c:\program files\emsisoft\online armor\oaui.exe"

mRun: [ASUS Update Checker] c:\program files\asus\asusupdate\updatechecker\UpdateChecker.exe

mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1322556089828

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: AtiExtEvent - Ati2evxx.dll

SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\emsisoft\online~1\oaevent.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\milan\application data\mozilla\firefox\profiles\xq163d71.default\

FF - prefs.js: browser.search.defaulturl -

FF - prefs.js: browser.startup.homepage - hxxp://google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\milan\application data\mozilla\firefox\profiles\xq163d71.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-3-16 32008]

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-11-2 51984]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-11-2 69392]

R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2011-11-8 17904]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-11 11608]

R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2011-9-2 22312]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-7-24 202064]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-7-24 25000]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-7-24 29272]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]

R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-11-8 2996784]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-11 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-11 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-11 66616]

R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-3-16 6416120]

R2 OAcat;Online Armor Helper Service;c:\program files\emsisoft\online armor\oacat.exe [2010-7-24 380784]

R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-3-16 76696]

R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]

R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-3-16 26096]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-11-2 33552]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-2-15 2134256]

R3 vvftav303;vvftav303;c:\windows\system32\drivers\vvftav303.sys [2010-3-6 480128]

R3 ZSMC0303;A4 TECH PC Camera H;c:\windows\system32\drivers\usbVM303.sys [2010-3-6 1472768]

S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]

S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2010-11-19 38856]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-4 136176]

S2 SvcOnlineArmor;Online Armor;c:\program files\emsisoft\online armor\oasrv.exe [2010-7-24 3652696]

S3 avisfltr;avisfltr;c:\windows\system32\drivers\avisfltr.sys [2011-11-11 327368]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-4 136176]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-10-31 23624]

S3 IOCTLfuzzer;IOCTLfuzzer;\??\c:\windows\system32\drivers\ioctlfuzzer.sys --> c:\windows\system32\drivers\IOCTLfuzzer.sys [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7a.tmp --> c:\windows\system32\7A.tmp [?]

S3 Normandy;Normandy SR2; [x]

S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2011-11-6 53248]

.

=============== Created Last 30 ================

.

2011-12-10 20:45:23 -------- d-----w- c:\program files\Toolbar Cleaner

2011-12-10 20:44:34 -------- d-----w- c:\documents and settings\milan\application data\Panda Security

2011-12-10 20:42:37 -------- d-----w- c:\program files\Panda Security

2011-12-10 20:42:37 -------- d-----w- c:\documents and settings\all users\application data\Panda Security

2011-12-10 20:42:00 -------- d-----w- C:\temp

2011-12-03 23:24:16 28672 ------w- c:\windows\system32\verclsid.exe

2011-12-03 22:57:17 27648 -c----w- c:\windows\system32\dllcache\jgpl400.dll

2011-12-03 22:57:17 163840 -c----w- c:\windows\system32\dllcache\jgdw400.dll

2011-12-03 20:38:38 -------- d-----w- c:\documents and settings\milan\SecurityScans

2011-12-03 20:37:58 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2

2011-12-01 12:01:06 -------- d-----w- c:\documents and settings\milan\application data\f-secure

2011-12-01 12:00:45 -------- d-----w- c:\documents and settings\all users\application data\F-Secure

2011-11-29 15:44:46 221184 ----a-w- c:\windows\system32\wmpns.dll

2011-11-29 15:42:34 -------- d-----w- c:\program files\MSXML 4.0

2011-11-29 14:52:05 -------- d-----w- C:\___AAAA

2011-11-29 10:31:21 -------- d-----w- C:\ComboFix

2011-11-29 10:20:56 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2011-11-29 10:20:56 272128 ------w- c:\windows\system32\drivers\bthport.sys

2011-11-29 10:19:47 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2011-11-29 10:13:55 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2011-11-29 10:13:55 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2011-11-29 10:13:55 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2011-11-29 10:13:54 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2011-11-29 08:57:48 -------- d-----w- c:\windows\system32\PreInstall

2011-11-29 08:57:45 -------- d--h--w- c:\windows\$hf_mig$

2011-11-29 08:41:47 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-11-29 08:41:47 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2011-11-29 08:38:43 -------- d-----w- c:\windows\system32\SoftwareDistribution

2011-11-29 08:38:21 -------- d-----w- c:\windows\system32\CatRoot2

2011-11-24 10:51:33 -------- d-----w- C:\_OTL

2011-11-16 17:58:12 98816 ----a-w- c:\windows\sed.exe

2011-11-16 17:58:12 518144 ----a-w- c:\windows\SWREG.exe

2011-11-16 17:58:12 256000 ----a-w- c:\windows\PEV.exe

2011-11-16 17:58:12 208896 ----a-w- c:\windows\MBR.exe

2011-11-16 01:56:04 -------- d-----w- c:\documents and settings\milan\application data\fltk.org

.

==================== Find3M ====================

.

2011-12-06 16:30:01 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys

2011-11-17 18:09:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-11 01:19:23 327368 ----a-w- c:\windows\system32\drivers\avisfltr.sys

2011-11-09 22:02:41 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-09 22:02:40 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-09 20:54:03 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-11-09 20:51:29 134464 ----a-w- c:\windows\system32\LnkProtect.dll

2011-11-05 23:10:10 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys

2011-11-04 13:15:13 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-10-28 21:59:10 154 ---ha-w- C:\aaw7boot.cmd

2011-10-28 20:34:36 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-10-28 14:43:08 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-09-13 09:49:36 71880 ----a-w- c:\windows\system32\PxSecure.dll

2011-09-13 09:49:34 32008 ----a-w- c:\windows\system32\drivers\pxscan.sys

2011-09-13 09:49:33 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys

2011-09-13 09:49:32 26096 ----a-w- c:\windows\system32\drivers\pxkbf.sys

.

============= FINISH: 23:15:47.15 ===============

If you insist, I will reset the modem tonight, but I don't know what is so tiny to put in that hole (a pin?).

Thanks and best regards,

Perun


I don't have reset switch, but a small hole where I maybe can insert paper.
Yes, you can use a paperclip or pen.

The password is a unique one, not something you can find on a forum. Your ISP really should be able to provide it to you. Also check out their website.

However, if you created the backup as instructed you have nothing to worry about; if somehow you can't find the password/username, you can just restore the backup and all will be as it was.


Hello Ms Elise,

I finally did a factory reset of the modem as per your instructions (first I called ISP support, just to see if it was working); the lights blinked, then turned off and on after some time.

I shut down the PC and modem (I think I haven't mentioned that I have ADSL, not DSL), restarted again and the REDIRECTION REMAINS IN ALL BROWSERS!!!

Now it's really too much for me; I hope you will have the patience to continue.

Best regards,

Perun

PS: In the modem system log, I noticed yesterday a lot of errors that I don't understand; now there is only one, since I just reset it:

"12/12/2011 11:30:22> Firewall: Filter no port UDP packet!"


Just as an example, now I have more of these messages in the modem log:

12/12/2011 11:30:22> Firewall: Filter no port UDP packet!

12/12/2011 11:33:14> Firewall: Filter no port UDP packet!

12/12/2011 11:33:19> Last errorlog repeat 1 Times

12/12/2011 11:33:57> Firewall: Filter port scan attack!

12/12/2011 11:34:42> Firewall: Filter port scan attack!

12/12/2011 11:35:1> Firewall: Filter port scan attack!

12/12/2011 11:35:40> Firewall: Filter port scan attack!

12/12/2011 11:36:10> Firewall: Filter no port UDP packet!

Best regards,

Perun
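As an added triage example (not code from the thread or from the modem vendor), the following Python parses log lines in the format the modem prints above, expands the "Last errorlog repeat N Times" entries into the message they repeat, tolerates the single-digit seconds field seen in "11:35:1", and summarizes how many of each firewall message occurred over what time span. The day/month order of the date is an assumption, and the sample lines are copied from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Sample constructed from the modem log lines quoted in the thread.
SAMPLE_LOG = """\
12/12/2011 11:30:22> Firewall: Filter no port UDP packet!
12/12/2011 11:33:14> Firewall: Filter no port UDP packet!
12/12/2011 11:33:19> Last errorlog repeat 1 Times
12/12/2011 11:33:57> Firewall: Filter port scan attack!
12/12/2011 11:34:42> Firewall: Filter port scan attack!
12/12/2011 11:35:1> Firewall: Filter port scan attack!
12/12/2011 11:35:40> Firewall: Filter port scan attack!
12/12/2011 11:36:10> Firewall: Filter no port UDP packet!
"""

# Timestamp fields may be one or two digits (the log shows "11:35:1").
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2})> (.*)$")
REPEAT_RE = re.compile(r"^Last errorlog repeat (\d+) Times$")


def parse_modem_log(text):
    """Return a list of (timestamp, message), with repeat lines expanded."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore anything not in the modem's line format
        # Assumption: the modem writes dates as day/month/year.
        ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")
        msg = m.group(2)
        rep = REPEAT_RE.match(msg)
        if rep:
            # The repeat line stands for N more occurrences of the previous entry.
            if events:
                events.extend([(ts, events[-1][1])] * int(rep.group(1)))
            continue
        events.append((ts, msg))
    return events


def summarize(events):
    """Count each distinct message and return the span in seconds."""
    counts = Counter(msg for _, msg in events)
    span = (events[-1][0] - events[0][0]).total_seconds() if events else 0
    return counts, span


if __name__ == "__main__":
    counts, span = summarize(parse_modem_log(SAMPLE_LOG))
    for msg, n in counts.most_common():
        print(f"{n:3d}  {msg}")
    print(f"span: {span:.0f} s")
```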
