Jump to content

Explorer and firefox hijacked - log files - HELP !!!


Recommended Posts

Hey guys,

Theres a client PC Ive been trying to clean with Malwarebytes, Spybot, AVG and all the available online scanners. Ive also disabled a couple of strange things with HJT.

Some things were cleaned but IE and firefox keep redirecting and making it impossible to work.

Im attaching malwarebytes quick scan log, Attach.txt from DDS and bellow the contents of DDS.txt . I tried running GMER twice but the PC hanged.

Hope someone could help me, Im desperate. Thanks so much. Diego

DDS (Ver_10-03-17.01) - NTFSx86

Run by yessi at 19:11:22.52 on Mon 07/12/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1993.862 [GMT -4:00]

============== Running Processes ===============

C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe

C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Kaspersky Lab\NetworkAgent 8\klnagent.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\WINDOWS\LTSVC\LTSVC.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\WINDOWS\LTSvc\LTSvcMon.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\WINDOWS\LTSvc\LTTray.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\ltsvc\labvnc.exe

C:\WINDOWS\ltsvc\labvnc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

\\ABC1\Users\yessi\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\hewlett-packard\hp protecttools security manager\bin\DPAgent.exe,

BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll

BHO: HP ProtectTools Security Manager Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\hewlett-packard\hp protecttools security manager\bin\DpOtsPluginIe8.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe

mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"

mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"

mRun: [LabTech Tray Icon] c:\windows\ltsvc\LTTray.exe

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\networ~1.lnk - c:\windows\ltsvc\LTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-explorer: NoWindowsUpdate = 0 (0x0)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: ackpbsc - c:\program files\actividentity\activclient\ackpbsc.dll

Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll

Notify: igfxcui - igfxdev.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Notification Packages = DPPassFilter scecli

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yessi\applic~1\mozilla\firefox\profiles\t3ai36sm.default\

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\yessi\application data\mozilla\firefox\profiles\t3ai36sm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - component: c:\program files\hewlett-packard\hp protecttools security manager\bin\firefoxext\components\dpffcli.dll

FF - plugin: c:\documents and settings\yessi\application data\mozilla\firefox\profiles\t3ai36sm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2010-1-26 110520]

R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2010-1-26 51800]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2010-1-26 13256]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-29 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-29 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-29 242896]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-24 214024]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2010-1-26 40088]

R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-29 308064]

R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\2009 password filter for hp protecttools\PTChangeFilterService.exe [2010-1-12 36864]

R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2010-1-26 281192]

R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2009-12-11 297984]

R2 klnagent;Kaspersky Lab Network Agent;c:\program files\kaspersky lab\networkagent 8\klnagent.exe [2010-3-10 136352]

R2 labvnc;labvnc;c:\windows\ltsvc\labvnc.exe [2010-5-19 971776]

R2 LTService;LabTech Monitoring Service;c:\windows\ltsvc\LTSVC.exe [2010-5-19 3088384]

R2 LTSvcMon;LabTech Monitoring Service CheckUp Util;c:\windows\ltsvc\LTSvcMon.exe [2010-5-19 98304]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-4-24 635416]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-4-24 2066968]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-4-24 160424]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]

S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2009-10-21 32312]

S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2009-12-7 362040]

S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2010-4-24 79816]

S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2010-4-24 35272]

S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-4-24 34248]

=============== Created Last 30 ================

2010-07-02 01:23:52 0 d-----w- c:\windows\McAfee.com

2010-07-02 00:24:24 0 d-----w- c:\docume~1\yessi\applic~1\QuickScan

2010-06-29 18:00:08 0 d--h--w- C:\$AVG

2010-06-29 16:57:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-06-29 16:57:08 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-29 16:57:05 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-06-29 16:57:01 0 d-----w- c:\windows\system32\drivers\Avg

2010-06-29 16:55:28 0 d-----w- c:\program files\AVG

2010-06-29 16:55:18 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-06-28 21:57:42 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-28 21:57:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-06-28 20:42:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-28 20:42:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-28 20:42:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-28 20:18:12 0 d-----w- c:\docume~1\yessi\applic~1\Malwarebytes

2010-06-28 20:18:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-28 20:05:48 0 d-----w- c:\windows\pss

2010-06-28 19:14:52 0 d-----w- c:\program files\Kaspersky Lab

2010-06-28 19:14:52 0 d-----w- c:\program files\common files\Kaspersky Lab

2010-06-28 19:14:52 0 d-----w- c:\program files\common files\Cisco Systems

2010-06-28 18:56:46 0 d-----w- c:\program files\webserver

==================== Find3M ====================

2010-05-20 15:08:07 45056 ----a-w- c:\windows\NCUNINST.EXE

2010-04-24 08:09:12 156160 ----a-w- c:\windows\system32\imapihp.exe

============= FINISH: 19:12:14.56 ===============

Attach.zip

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.