Don't touch anything while we're in the middle of the cleaning process.
It's better to paste all logs into your reply.
ComboFix 09-07-09.08 - DAD 2009-07-10 11:08.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.790 [GMT -4:00]
Running from: c:\documents and settings\DAD\Desktop\ComboFix.exe
AV: Charter Security Suite 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Charter Security Suite 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\desktop.ini
c:\documents and settings\All Users\Application Data\15305154
c:\documents and settings\All Users\Application Data\15305154\15305154
c:\documents and settings\All Users\Application Data\15305154\15305154.exe
C:\njabm.exe
C:\p2hhr.bat
c:\program files\IEToolbar
C:\recp.exe
c:\recycler\S-1-5-21-0542021250-6048155995-856127392-2980
c:\recycler\S-1-5-21-4007816999-2439052494-62277440-1003
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Installer\2e5ace5.msi
c:\windows\Installer\563c6a.msp
c:\windows\Installer\682c4.msi
c:\windows\Installer\7bc6b4.msp
c:\windows\Installer\9bf25d.msi
c:\windows\rimmm21281.exe
c:\windows\system32\ayxHRqru.ini
c:\windows\system32\ayxHRqru.ini2
c:\windows\system32\BddcMUtv.ini
c:\windows\system32\BddcMUtv.ini2
c:\windows\system32\config\systemprofile\Desktop\System Security 2009.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security
c:\windows\system32\Data
c:\windows\system32\DgQqrBeg.ini
c:\windows\system32\DgQqrBeg.ini2
c:\windows\system32\drivers\hjgruiuncuroty.sys
c:\windows\system32\HiiPoUvw.ini
c:\windows\system32\HiiPoUvw.ini2
c:\windows\system32\hjgruifyntjljk.dat
c:\windows\system32\hjgruipmtamhnq.dll
c:\windows\system32\hjgruirkqaqxnp.dll
c:\windows\system32\hjgruitsgbjuvw.dat
c:\windows\system32\JQpVuBeg.ini
c:\windows\system32\JQpVuBeg.ini2
c:\windows\system32\KQAKnnnn.ini
c:\windows\system32\KQAKnnnn.ini2
c:\windows\system32\KRBJPXyb.ini
c:\windows\system32\KRBJPXyb.ini2
c:\windows\system32\msssc.dll
c:\windows\system32\RqYHjkkj.ini
c:\windows\system32\RqYHjkkj.ini2
c:\windows\system32\rrAHOqru.ini
c:\windows\system32\rrAHOqru.ini2
c:\windows\system32\Rssuwyay.ini
c:\windows\system32\Rssuwyay.ini2
c:\windows\system32\vxaHgfii.ini
c:\windows\system32\vxaHgfii.ini2
c:\windows\system32\xHgfOXyb.ini
c:\windows\system32\xHgfOXyb.ini2
C:\xxqkc.exe
C:\yiuvab.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hjgruicxleplrv
((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.
2009-07-10 02:08 . 2009-07-10 02:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-08 15:49 . 2009-07-08 15:49 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-08 03:01 . 2009-07-08 03:01 4116 ----a-w- c:\windows\vhtp71375.exe
2009-07-08 02:59 . 2009-07-08 02:59 93696 ----a-w- c:\windows\enlw7870.exe
2009-07-08 01:47 . 2004-08-18 01:34 442368 ----a-w- c:\windows\system32\vp6vfw.dll
2009-06-29 15:27 . 2009-06-29 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-07-10 14:25 . 2008-09-06 20:18 -------- d-----w- c:\program files\Charter High-Speed Security Suite
2009-07-09 17:09 . 2008-08-13 19:52 26 ----a-w- c:\windows\popcinfo.dat
2009-07-09 00:51 . 2008-08-10 00:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-09 00:30 . 2008-09-10 18:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-09 00:21 . 2008-09-10 23:49 -------- d-----w- c:\docume~1\DAD\APPLIC~1\FrostWire
2009-07-08 15:50 . 2009-03-31 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 12:14 . 2009-02-14 19:07 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-06-29 15:45 . 2008-08-02 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-17 15:27 . 2009-03-31 15:56 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-03-31 15:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 21:57 . 2009-06-03 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2009-05-30 14:31 . 2008-11-15 03:22 -------- d-----w- c:\docume~1\DAD\APPLIC~1\Yahoo!
2009-05-30 14:08 . 2008-08-02 04:22 -------- d-----w- c:\program files\Yahoo!
2009-05-30 01:26 . 2009-05-30 01:26 262144 ----a-w- C:\ntuser.dat
2009-05-26 20:21 . 2008-08-09 20:59 -------- d-----w- c:\program files\FrostWire
2009-05-07 15:32 . 2008-08-03 20:36 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-06-23 18:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2009-03-23 21:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2008-08-03 20:36 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-07-04 07:15 . 2009-07-04 07:15 410624 ----a-w- c:\program files\mozilla firefox\components\hspnlgtgsbkm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-03-24 1488112]
"Google Update"="c:\documents and settings\DAD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-30 133104]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2002-10-16 1622016]
"UC_Start"="c:\ibmtools\Updater\ucstartup.exe" [2003-03-17 32768]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-05-05 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-12 86016]
"F-Secure TNB"="c:\program files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" [2008-09-23 957024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2008-04-14 380416]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\DAD\Start Menu\Programs\Startup\
My On Target Forecast - Desktop.lnk - c:\program files\My On Target Forecast - Desktop\liveonline_2803147.exe [2008-9-14 450560]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-05 16:18 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe"
"lxdpamon"="c:\program files\Lexmark Z2300 Series\lxdpamon.exe"
"lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe"
"F-Secure Manager"="c:\program files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-02-14 3:07 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-02-14 2:56 PM 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Charter High-Speed Security Suite\HIPS\drivers\fshs.sys [2009-02-14 2:56 PM 66720]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 3:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 3:07 PM 55024]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Charter High-Speed Security Suite\Anti-Virus\minifilter\fsgk.sys [2009-02-14 2:55 PM 99960]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Charter High-Speed Security Suite\ORSP Client\fsorsp.exe [2009-02-14 2:56 PM 55904]
S0 pxark;pxark;c:\windows\system32\drivers\pxark.sys --> c:\windows\system32\drivers\pxark.sys [?]
S2 CSIScanner;CSIScanner;"c:\program files\PrevxCSI\prevxcsi.exe" /service --> c:\program files\PrevxCSI\prevxcsi.exe [?]
S3 EraserUtilDrv10820;EraserUtilDrv10820;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 3:07 PM 7408]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Charter High-Speed Security Suite\Anti-Virus\win2k\fsfilter.sys [2009-02-14 2:55 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Charter High-Speed Security Suite\Anti-Virus\win2k\fsrec.sys [2009-02-14 2:55 PM 25184]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder
2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-461431683-1972036021-255455817-1007Core.job
- c:\documents and settings\DAD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-30 16:13]
2009-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-461431683-1972036021-255455817-1007UA.job
- c:\documents and settings\DAD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-30 16:13]
2009-07-10 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\CHARTE~1\ANTI-V~1\fsav.exe [2009-02-14 13:35]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MzRamBooster - c:\program files\MZ U.T\MzRamBooster.exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-15305154 - c:\documents and settings\All Users\Application Data\15305154\15305154.exe
HKLM-Run-CTHelper - CTHELPER.EXE
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*
Yahoo! SearchBar Home Page
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*
Yahoo!
LSP: c:\program files\Charter High-Speed Security Suite\FSPS\program\fslsp.dll
FF - ProfilePath - c:\docume~1\DAD\APPLIC~1\Mozilla\Firefox\Profiles\bkjsbhte.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Mozilla Firefox\components\hspnlgtgsbkm.dll
FF - plugin: c:\documents and settings\DAD\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: google.toolbar.linkdoctor.enabled - false
.
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-10 11:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
- - - - - - - > 'lsass.exe'(692)
c:\program files\Charter High-Speed Security Suite\FSPS\program\fslsp.dll
- - - - - - - > 'explorer.exe'(3604)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
c:\program files\Charter High-Speed Security Suite\Common\FSMA32.EXE
c:\program files\Charter High-Speed Security Suite\Anti-Virus\fsgk32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Charter High-Speed Security Suite\Common\FSMB32.EXE
c:\windows\system32\lxdpcoms.exe
c:\windows\system32\pctspk.exe
c:\program files\Charter High-Speed Security Suite\Common\FCH32.EXE
c:\program files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
c:\program files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
c:\program files\Charter High-Speed Security Suite\FSPC\fspc.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
c:\program files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
c:\program files\Charter High-Speed Security Suite\FWES\program\fsdfwd.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\CHARTE~1\ANTI-V~1\fsav32.exe
.
************************************************** ************************
.
Completion time: 2009-07-10 11:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 15:29
Pre-Run: 58,566,725,632 bytes free
Post-Run: 58,730,561,536 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect /NoExecute=OptIn
249 --- E O F --- 2009-07-10 14:24