
Hi

A few days ago I foolishly ran an innocent-looking file called university challenge questions, after which my browser now redirects Google or Yahoo search results to thealltimes.com or get-answers-fast.com.

I installed Malwarebytes and HijackThis - here's the output:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 12:05:38, on 02/01/2012

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.19170)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe

C:\Program Files\Trend Micro\Browser Guard\BGUI.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\STOPzilla!\STOPzilla.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Trend Micro\Browser Guard\tmiegsrv.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll

O2 - BHO: GomPicker - {F0181C6E-9218-4792-9F3C-E8DF52B2F1AC} - C:\Program Files\GRETECH\GomPicker\GomPickerBHO.dll

O2 - BHO: TMIEGBHO - {F1AD4A42-BA52-47BC-89DF-3F68F24C017F} - C:\Program Files\Trend Micro\Browser Guard\TMAMS.dll

O3 - Toolbar: TMBGBAR TOOLBAR - {C8137A8D-415D-450C-A1B1-D0C519D45296} - C:\Program Files\Trend Micro\Browser Guard\tmieg.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe

O4 - HKLM\..\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe

O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe

O4 - HKLM\..\Run: [Trend Micro Browser Guard] "C:\Program Files\Trend Micro\Browser Guard\BGUI.EXE"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105

O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.2.0.cab

O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = holovis.local

O17 - HKLM\Software\..\Telephony: DomainName = holovis.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{FEA20FED-107C-4DAB-841B-787F0A736224}: NameServer = 192.168.0.148

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = holovis.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = holovis.local

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe

O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c3f58890\STacSV.exe

O23 - Service: Sophos Web Intelligence Service (swi_service) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe

O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

--

End of file - 9176 bytes

Any help would be appreciated thank you,


@user59

Have you done the preliminaries we ask be done first? Follow the http://forums.malwarebytes.org/index.php?showtopic=9573

Why did you run the HijackThis?? Stop and advise IF you are asking for or getting Help elsewhere.

Edited by Maurice Naggar

Hi

Thanks for the reply.

I ran the Malwarebytes scan, which did not find anything, then I ran HijackThis as it seemed to be one of the first diagnostic steps for this type of issue.

I have now run the DDS script:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.19170 BrowserJavaVersion: 1.6.0_29

Run by Kev at 12:41:16 on 2012-01-02

Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.2047.484 [GMT 0:00]

.

AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}

SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: STOPzilla Anti-Spyware *Disabled/Updated* {B2E69928-50DC-94CA-6A80-AAB054008761}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c3f58890\STacSV.exe

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\taskeng.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe

C:\Program Files\Trend Micro\Browser Guard\BGUI.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\STOPzilla!\STOPzilla.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Trend Micro\Browser Guard\tmiegsrv.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://search.myheritage.com

BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll

BHO: GretechBHO Class: {f0181c6e-9218-4792-9f3c-e8df52b2f1ac} - c:\program files\gretech\gompicker\GomPickerBHO.dll

BHO: TMIEGBHO Class: {f1ad4a42-ba52-47bc-89df-3f68f24c017f} - c:\program files\trend micro\browser guard\TMAMS.dll

TB: TMBGBAR TOOLBAR: {c8137a8d-415d-450c-a1b1-d0c519d45296} - c:\program files\trend micro\browser guard\tmieg.dll

TB: {37483B40-C254-4A72-BDA4-22EE90182C1E} - No File

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe

mRun: [sysTrayApp] c:\program files\idt\wdm\sttray.exe

mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe

mRun: [Trend Micro Browser Guard] "c:\program files\trend micro\browser guard\BGUI.EXE"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.2.0.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

TCP: DhcpNameServer = 194.168.4.100 194.168.8.100

TCP: Interfaces\{370DC991-BA72-4B43-B9B4-0BE0C1C6E998} : DhcpNameServer = 194.168.4.100 194.168.8.100

TCP: Interfaces\{FEA20FED-107C-4DAB-841B-787F0A736224} : NameServer = 192.168.0.148

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\sophos\sophos~1\sophos_detoured.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\kev.holovis\appdata\roaming\mozilla\firefox\profiles\u20cei44.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.info.co.uk/

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2801948&q=

FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npqtplugin.dll

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npqtplugin2.dll

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npqtplugin3.dll

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npqtplugin4.dll

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npqtplugin5.dll

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npqtplugin6.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

.

============= SERVICES / DRIVERS ===============

.

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]

R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-16 65584]

R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2011-6-29 122360]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-2 652872]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2012-1-1 439632]

R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2011-6-29 163056]

R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2011-6-29 97520]

R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2011-6-29 282624]

R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-9-30 230640]

R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2011-6-29 806912]

R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2011-6-29 1541360]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2011-6-29 2062872]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2011-6-28 223432]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2011-6-29 127488]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-2 20464]

R3 NETwNv32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETwNv32.sys [2011-8-3 7341568]

R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-3-6 133632]

R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-3-8 280096]

S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-6-28 29736]

S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-6-29 101120]

S3 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2010-11-9 132464]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-8-7 21520]

S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2011-6-29 23928]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-10-20 121064]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-10-20 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-10-20 136808]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_c3f58890\AEstSrv.exe [2011-6-29 81920]

S4 avediaChannelListener;avediaChannelListener;c:\program files\exterity\avedia channel listener\avediaChannelListener.exe [2007-4-12 90112]

S4 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2011-6-29 1737464]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2011-6-29 22536]

S4 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-10-25 2358656]

S4 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2011-12-2 2923392]

.

=============== Created Last 30 ================

.

2012-01-02 10:06:48 -------- d-sh--w- C:\$RECYCLE.BIN

2012-01-02 10:06:44 -------- d-----w- c:\users\kev.holovis\appdata\local\temp

2012-01-02 09:54:43 98816 ----a-w- c:\windows\sed.exe

2012-01-02 09:54:43 208896 ----a-w- c:\windows\MBR.exe

2012-01-02 00:21:03 -------- d-----w- c:\users\kev.holovis\appdata\roaming\Malwarebytes

2012-01-02 00:20:56 -------- d-----w- c:\programdata\Malwarebytes

2012-01-02 00:20:53 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-01-02 00:20:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-01-01 22:24:08 388096 ----a-r- c:\users\kev.holovis\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2012-01-01 22:06:58 -------- d-----w- c:\programdata\Trend Micro

2012-01-01 22:01:46 -------- d-----w- c:\users\kev.holovis\appdata\local\Browser Guard

2012-01-01 21:56:41 -------- d-----w- c:\program files\WinPcap

2012-01-01 21:56:12 -------- d-----w- c:\program files\Trend Micro

2011-12-28 10:51:28 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-12-28 10:51:00 -------- d-----w- c:\programdata\Hitman Pro

2011-12-28 10:49:22 6480192 ----a-w- C:\HitmanPro35.exe

2011-12-27 23:46:09 163840 --sha-r- c:\windows\system32\bcryptu.dll

2011-12-27 20:59:51 -------- d-----w- c:\program files\DCoder Image Source

2011-12-27 20:59:46 -------- d-----w- c:\program files\FFMPEG Core Files

2011-12-27 20:59:38 -------- d-----w- c:\program files\CD Audio Reader Filter

2011-12-27 20:59:37 -------- d-----w- c:\program files\OpenSource AVI Splitter

2011-12-27 20:59:36 -------- d-----w- c:\program files\OpenSource DTSAC3DD+ Source Filter

2011-12-27 20:59:36 -------- d-----w- c:\program files\Gabest MPEG Splitter

2011-12-27 20:59:31 -------- d-----w- c:\program files\RealMedia

2011-12-27 20:59:18 -------- d-----w- c:\program files\DScaler5

2011-12-27 20:59:07 -------- d-----w- c:\program files\OpenSource Flash Video Splitter

2011-12-27 20:59:04 -------- d-----w- c:\program files\DirectVobSub

2011-12-27 20:59:01 -------- d-----w- c:\program files\LAV Filters

2011-12-27 20:58:50 -------- d-----w- c:\program files\Haali

2011-12-27 20:58:46 -------- d-----w- c:\program files\Bass Audio Decoder

2011-12-27 20:58:41 74752 ----a-w- c:\windows\system32\ff_vfw.dll

2011-12-27 20:58:39 -------- d-----w- c:\program files\ffdshow

2011-12-27 20:57:35 -------- d-----w- c:\programdata\Zoom Player

2011-12-27 20:57:35 -------- d-----w- c:\program files\Zoom Player

2011-12-27 20:40:17 -------- d-----w- c:\program files\GNU

2011-12-27 20:40:10 -------- d-----w- c:\program files\CoreAAC

2011-12-27 20:39:48 -------- d-----w- c:\programdata\GRETECH

2011-12-27 20:38:33 -------- d-----w- c:\program files\GRETECH

2011-12-27 19:26:36 -------- d-----w- c:\users\kev.holovis\appdata\roaming\Softplicity

2011-12-27 19:13:16 -------- d-----w- c:\program files\Conduit

2011-12-27 19:13:00 -------- d-----w- c:\users\kev.holovis\appdata\local\Conduit

2011-12-27 11:07:52 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c35025a1-180d-452a-b65d-e0523b295105}\mpengine.dll

2011-12-26 22:50:19 -------- d-----w- C:\FACEBOOK

2011-12-16 08:31:50 88576 -c--a-w- c:\windows\system32\tlntsess.exe

2011-12-16 08:31:50 71168 -c--a-w- c:\windows\system32\telnet.exe

2011-12-16 08:31:41 3602816 -c--a-w- c:\windows\system32\ntkrnlpa.exe

2011-12-16 08:31:40 905088 -c--a-w- c:\windows\system32\drivers\tcpip.sys

2011-12-16 08:31:40 3550080 -c--a-w- c:\windows\system32\ntoskrnl.exe

2011-12-16 08:31:39 707584 -c--a-w- c:\program files\common files\system\wab32.dll

2011-12-16 08:31:39 429056 -c--a-w- c:\windows\system32\EncDec.dll

2011-12-16 08:31:13 2048 -c--a-w- c:\windows\system32\tzres.dll

2011-12-16 08:31:10 2043904 -c--a-w- c:\windows\system32\win32k.sys

2011-12-16 08:31:09 49152 -c--a-w- c:\windows\system32\csrsrv.dll

2011-12-15 14:12:18 -------- d-----w- c:\program files\common files\Juniper Networks

2011-12-15 13:59:06 -------- d-----w- c:\users\kev.holovis\appdata\roaming\Juniper Networks

2011-12-14 08:36:26 -------- d-----w- c:\users\kev.holovis\appdata\roaming\Windows Small Business Server

2011-12-13 23:32:55 -------- d-----w- c:\users\kev.holovis\Roaming

2011-12-13 23:31:26 -------- d-----w- c:\program files\Cisco

2011-12-13 23:27:17 -------- d-----w- c:\program files\SystemRequirementsLab

2011-12-07 14:27:46 -------- d-----w- c:\users\kev.holovis\appdata\roaming\TeamViewer

2011-12-06 11:19:17 -------- d-----w- c:\users\kev.holovis\appdata\local\Broadcom

2011-12-03 16:02:31 -------- d-----w- c:\program files\Veetle

.

==================== Find3M ====================

.

2011-12-03 14:49:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-15 14:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-11-03 06:22:04 916992 -c--a-w- c:\windows\system32\wininet.dll

2011-11-03 06:17:38 43520 -c--a-w- c:\windows\system32\licmgr10.dll

2011-11-03 06:17:23 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl

2011-11-03 06:17:08 71680 -c--a-w- c:\windows\system32\iesetup.dll

2011-11-03 06:17:08 109056 -c--a-w- c:\windows\system32\iesysprep.dll

2011-11-03 05:22:43 385024 -c--a-w- c:\windows\system32\html.iec

2011-11-03 04:45:39 133632 -c--a-w- c:\windows\system32\ieUnatt.exe

2011-11-03 04:43:59 1638912 -c--a-w- c:\windows\system32\mshtml.tlb

.

============= FINISH: 12:43:05.49 ===============

I have attached the zip file.

Thanks

Attach.zip
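Both logs the poster pasted (HijackThis above, DDS here) are plain text, and the entries that usually carry a search or homepage redirect have a fixed shape: HijackThis R0/R1 start and search pages, O1 hosts entries, O2/O3 BHOs and toolbars, O17 DNS servers and O20 AppInit_DLLs, plus the DDS Start Page and Firefox keyword.URL lines. The triage script below is an added editor's example, not a tool from this thread, from Malwarebytes or from the log authors; the baseline allowlist it compares against is an assumption (marked in the code), and its sample input is a few lines copied from the HijackThis log above.

```python
"""Triage helper for HijackThis and DDS log lines (editor's example).
"review" only means "a human should look"; nothing here declares an entry malicious."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed baseline (editor's assumption, not taken from the thread): hosts a
# stock Internet Explorer or Firefox start/search page normally points at.
BASELINE_HOSTS = {"go.microsoft.com", "www.google.com", "www.bing.com"}
BASELINE_HOSTS_FILE = {"127.0.0.1 localhost", "::1 localhost"}

# HijackThis v2 lines: "R0 - <body>", "O17 - <body>", ...
HJT_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# DDS "Pseudo HJT Report" and FIREFOX sections: "mStart Page = ...",
# "FF - prefs.js: keyword.URL - ..."
DDS_RE = re.compile(
    r"^(?:(?P<dkey>[um](?:Start Page|Default_Page_URL|Default_Search_URL)) = "
    r"|FF - prefs\.js: (?P<fkey>browser\.startup\.homepage|keyword\.URL) - )"
    r"(?P<val>.+)$"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: a few lines copied from the thread's HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
O1 - Hosts: ::1 localhost
O2 - BHO: GomPicker - {F0181C6E-9218-4792-9F3C-E8DF52B2F1AC} - C:\Program Files\GRETECH\GomPicker\GomPickerBHO.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEA20FED-107C-4DAB-841B-787F0A736224}: NameServer = 192.168.0.148
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll
"""


@dataclass
class Finding:
    kind: str      # log section: "R0", "O17", ... or "DDS"
    severity: str  # "review" = needs a human look; "info" = inventory only
    detail: str


def _url_host(value: str) -> str:
    # DDS defangs links as hxxp://; undo that so urlparse sees a scheme.
    return urlparse(value.strip().replace("hxxp", "http", 1)).hostname or ""


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        d = DDS_RE.match(line)
        if d:  # start/search page settings as reported by DDS
            key = d.group("dkey") or d.group("fkey")
            host = _url_host(d.group("val"))
            if host not in BASELINE_HOSTS:
                findings.append(Finding("DDS", "review", f"{key} -> {host}"))
            continue
        m = HJT_RE.match(line)
        if not m:
            continue  # process list, headers, "End of file" line
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            # "HKLM\...\Main,Start Page = http://..."; the part after " = " is the URL
            key, _, value = body.partition(" = ")
            host = _url_host(value)
            if value.strip() and host not in BASELINE_HOSTS:
                findings.append(Finding(kind, "review", f"{key.split(',')[-1]} -> {host}"))
        elif kind == "O1" and body.startswith("Hosts:"):
            entry = " ".join(body[len("Hosts:"):].split())
            if entry not in BASELINE_HOSTS_FILE:
                findings.append(Finding(kind, "review", f"hosts override: {entry}"))
        elif kind in ("O2", "O3"):
            # BHOs/toolbars load into every IE process; "(no file)" is an orphan entry.
            sev = "review" if "(no file)" in body.lower() else "info"
            findings.append(Finding(kind, sev, body))
        elif kind == "O4":
            # Autostarts living in temp or profile directories deserve a second look.
            low = body.lower()
            sev = "review" if ("\\temp\\" in low or "\\appdata\\" in low) else "info"
            findings.append(Finding(kind, sev, body))
        elif kind == "O17" and "NameServer" in body:
            for ip in IPV4_RE.findall(body):
                if not ipaddress.ip_address(ip).is_private:
                    findings.append(Finding(kind, "review", f"non-private DNS server {ip}"))
        elif kind == "O20":
            # AppInit_DLLs is injected into every user32-linked process: always review.
            findings.append(Finding(kind, "review", body))
    return findings


def reviewable(log_text: str) -> list[str]:
    """Only the entries a helper would ask about, as 'KIND: detail' strings."""
    return [f"{f.kind}: {f.detail}" for f in triage(log_text) if f.severity == "review"]
```

Running `reviewable(SAMPLE_LOG)` on the sample leaves two items to ask about (the non-baseline Start Page and the AppInit_DLLs entry); the private-range NameServer and the stock hosts line are not raised.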


Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with copy of the latest MBAM scan log for my review.

Edited by Maurice Naggar

Hi Maurice

I ran the scan; here is the logfile:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.04.04

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 8.0.6001.19170

Kev :: KEV-LAPTOP [administrator]

Protection: Enabled

04/01/2012 19:51:51

mbam-log-2012-01-04 (19-51-51).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 346637

Time elapsed: 48 minute(s), 38 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

Next, start Hijackthis. Do a Scan and Save log.

Reply as to whether the browser redirects are not happening, and put copies of Checkup.txt and the HijackThis log in your next reply.


The HijackThis log and the Checkup text are good. You are good to go, after a small cleanup.

I see that you are clear of your original issues.

The following few steps will remove tools we used.

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

We are finished here. Best regards.



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
