Browser hacker that takes me to random sites

September 15, 2010 at 14:09:32
Specs: Microsoft Windows XP Professional, 996 MHz / 127 MB

I think it also records keystrokes, and it redirects Google searches to random places and theclickcheck.com.


#1
September 16, 2010 at 04:03:54

Don't type your passwords.

#2
September 16, 2010 at 04:19:27

I had this too, but it redirected to a different site.
This redirect virus only works on main browsers like IE, Firefox, Chrome, Opera and Safari. Download some non-popular browsers from here.

#3
September 16, 2010 at 04:48:29

Download Malwarebytes Anti-Malware and Spybot Search and Destroy. Rename their files when downloading to something like downup and zbot, install them, and create a limited user account if you are in an administrator account; log into it and run them. If they find any viruses, delete/quarantine/destroy/eliminate them. Then reinstall the browsers. It should work now.

#4
September 17, 2010 at 20:04:46

Thanks, but what I really need is some in-depth advice. The virus is really well hidden, and I don't want to download 3 things.

#5
September 18, 2010 at 01:56:49

How can I get ahold of a gold member that can help me run a scan and tell me how to delete infected files? I know it's a virus for sure, and I have run several virus removers and Malwarebytes, but they all don't work. If you've had this problem and had it fixed, please tell me how you did it. Thanks.

#6
September 18, 2010 at 02:03:34

Is it a redirect virus?

#7
September 18, 2010 at 02:15:42

I found this for a redirect virus; it might help, no downloads needed: http://en.kioskea.net/forum/affich-...

#8
September 18, 2010 at 05:50:02

Hi cameo, I got your PM.
Please tell me which cleaners you have tried. That will help to get you on the right track. Thanks.

Some HELP in posting on Computing.net plus free progs and instructions Cheers

#9
September 18, 2010 at 11:31:33

For some reason I can't seem to download Malwarebytes, but I've used a program called RegCure. It doesn't give you a log, though. What would you recommend using?

#10
September 18, 2010 at 17:25:29

You can use CCleaner Slim:
http://www.piriform.com/ccleaner/bu...
Run it and then click on the registry icon. Delete all it finds; no need to make a backup, as they are all missing files.

Now, try Safe Mode with Networking and download these other cleaners:
Malwarebytes
http://www.filehippo.com/download_m...
Trojan Remover
http://www.simplysup.com/tremover/d...
Hitman Pro
http://www.surfright.nl/en
and run them till they are clean.
See if that makes an improvement for you.

#11
September 18, 2010 at 21:38:29

Well, my computer got reset during the full scan, but I did another quick scan, and here's the log after running Hitman a few times and also the Trojan Remover.
- still having redirect problems

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

9/18/2010 4:06:22 PM
mbam-log-2010-09-18 (16-06-22).txt

Scan type: Quick scan
Objects scanned: 126149
Time elapsed: 21 minute(s), 13 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINNT\msa.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\F5JMWNZTHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.203,93.188.161.15 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{57343c3b-1036-4da5-9a2b-507aab4e4b7a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.203,93.188.161.15 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\spool\prtprocs\w32x86\000013f2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


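As an added example that is not from the thread: a small Python triage script for the Malwarebytes 1.x log format shown above. The sample lines are constructed from post #11; the script counts detections per threat family and pulls out the resolver addresses a Trojan.DNSChanger entry wrote into the NameServer values, which is the kind of change that sends searches to the wrong place.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x text log.

Added example, not code from the thread. It parses the "<Section> Infected:"
blocks, counts findings per family, lists entries that were not remediated,
and extracts the DNS servers a DNSChanger detection had written to NameServer.
"""
import re
from collections import Counter

# Constructed sample, trimmed from the log posted above.
SAMPLE_LOG = """\
Memory Processes Infected:
C:\\WINNT\\msa.exe (Trojan.Agent) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\F5JMWNZTHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\\CLSID\\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.203,93.188.161.15 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\WINNT\\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: "<object> (<family>) -> <action ...>"
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# The value a registry-data detection reported: "Data: a,b ->"
DATA_RE = re.compile(r"Data: (?P<data>[^ ]+) ->")


def parse_mbam_log(text):
    """Return a list of (section, object, family, action) tuples."""
    findings = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("(No malicious"):
            continue
        # Detail-section headers end in "Infected:"; the summary counts
        # at the top of a real log end in a number and are skipped here.
        if line.endswith("Infected:"):
            section = line[: -len(" Infected:")]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            findings.append((section, m.group("obj"), m.group("family"), m.group("rest")))
    return findings


def family_counts(findings):
    """Number of findings per threat family, e.g. Trojan.DNSChanger."""
    return Counter(f[2] for f in findings)


def rogue_nameservers(findings):
    """DNS server IPs that a DNSChanger entry had placed in a NameServer value."""
    servers = set()
    for _section, obj, family, rest in findings:
        if family == "Trojan.DNSChanger" and obj.endswith("\\NameServer"):
            m = DATA_RE.search(rest)
            if m:
                servers.update(m.group("data").split(","))
    return sorted(servers)


def not_remediated(findings):
    """Findings whose action line does not report success; these need follow-up."""
    return [f for f in findings if "successfully" not in f[3]]
```

Anything returned by `rogue_nameservers` is worth checking against the DNS settings still in effect after the clean-up, since a resolver the scanner only quarantined the registry entry for may have been re-set by a component it missed.
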
#12
September 19, 2010 at 07:59:46

Did Trojan Remover and Hitman Pro start running clean? If not, keep running until they are. If not, go to the next step.

OK, ComboFix is probably your answer:
http://www.bleepingcomputer.com/com...
Follow the guide carefully on that website, and download ComboFix from it as well.
That way you can easily uninstall it when it finishes.

#13
September 19, 2010 at 14:18:48

OK, I'll try that next.
Now, the log I posted was the only one in the log tab on Malwarebytes, and it was created after the first scan I did, so either it was updating that log or it doesn't record them after each scan.
Also, I ran TJR till it's clean, and Hitman keeps finding atapi.sys in winnt\system32\drivers\ and won't get rid of it.

#14
September 19, 2010 at 14:23:02

Also, thanks for the help.

#15
September 19, 2010 at 19:26:56

Hey, how do I remove Trojan Remover and Hitman Pro now?

#16
September 19, 2010 at 20:37:42

Just remove them from All Programs using their uninstallers, NOT from Add/Remove, as that will not do it.

#17
September 27, 2010 at 21:25:42

OK, here's the log after running ComboFix. The problem seems to be gone for the moment.

ComboFix 10-09-27.04 - travis 09/27/2010 19:35:03.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.127.16 [GMT -7:00]
Running from: c:\documents and settings\travis\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\drivers\etc\lmhosts
c:\winnt\system32\pthreadVC.dll
c:\winnt\Web\default.htt

Infected copy of c:\winnt\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_IAS


((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-28 )))))))))))))))))))))))))))))))
.

2010-09-20 04:56 . 2010-09-20 04:56 -------- d-----w- c:\program files\Sun
2010-09-20 04:51 . 2010-09-28 02:54 -------- d-----w- c:\documents and settings\travis\Local Settings\Application Data\TSVNCache
2010-09-20 04:50 . 2010-09-20 04:50 -------- d-----w- c:\documents and settings\travis\Application Data\TortoiseSVN
2010-09-20 04:50 . 2010-09-20 04:50 -------- d-----w- c:\documents and settings\travis\Application Data\Subversion
2010-09-20 04:49 . 2010-09-20 05:20 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2010-09-20 04:49 . 2010-09-20 05:20 -------- d-----w- c:\program files\TortoiseSVN
2010-09-19 07:36 . 2010-09-19 07:36 -------- d-----w- c:\documents and settings\travis\Local Settings\Application Data\jagexlauncher
2010-09-19 02:20 . 2006-06-19 20:01 69632 ----a-w- c:\winnt\system32\ztvcabinet.dll
2010-09-19 02:20 . 2006-05-25 22:52 162304 ----a-w- c:\winnt\system32\ztvunrar36.dll
2010-09-19 02:20 . 2005-08-26 08:50 77312 ----a-w- c:\winnt\system32\ztvunace26.dll
2010-09-19 02:20 . 2002-03-06 08:00 75264 ----a-w- c:\winnt\system32\unacev2.dll
2010-09-19 02:20 . 2003-02-03 03:06 153088 ----a-w- c:\winnt\system32\UNRAR3.dll
2010-09-19 02:19 . 2010-09-19 02:19 -------- d-----w- c:\documents and settings\travis\Application Data\Simply Super Software
2010-09-19 02:19 . 2010-09-19 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-09-19 00:55 . 2010-09-20 02:20 16968 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys
2010-09-19 00:54 . 2010-09-19 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-09-19 00:54 . 2010-09-19 00:54 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-18 22:03 . 2010-09-18 22:03 -------- d-----w- c:\documents and settings\travis\Application Data\Malwarebytes
2010-09-18 22:01 . 2010-04-29 22:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-09-18 22:01 . 2010-09-18 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-18 22:01 . 2010-04-29 22:39 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-09-11 03:20 . 2010-09-11 03:20 -------- d-----w- c:\winnt\system32\wbem\Repository
2010-09-11 03:17 . 2010-09-11 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Guitar Pro 6
2010-09-07 03:29 . 2010-09-07 03:29 -------- d-----w- c:\documents and settings\travis\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 01:12 . 2009-09-07 16:44 99 ----a-w- c:\documents and settings\travis\jagex_runescape_preferences2.dat
2010-09-28 01:09 . 2009-07-26 04:38 46 ----a-w- c:\documents and settings\travis\jagex_runescape_preferences.dat
2010-09-26 03:30 . 2009-09-03 20:02 -------- d-----w- c:\program files\PokerStars
2010-09-20 18:53 . 2010-02-12 17:35 -------- d-----w- c:\program files\RegCure
2010-09-20 04:54 . 2009-07-26 04:32 -------- d-----w- c:\program files\Java
2010-09-19 20:58 . 2010-02-14 06:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-19 14:36 . 2010-04-27 07:18 -------- d-----w- c:\program files\Google
2010-09-19 07:37 . 2010-09-19 07:37 33982 ----a-r- c:\documents and settings\travis\Application Data\Microsoft\Installer\{5D87C09F-512F-474A-A306-0FE3B89C396F}\runescape.exe
2010-09-15 21:04 . 2010-09-15 21:04 195584 ----a-w- c:\documents and settings\travis\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-39c04d59-n\WMINative.dll
2010-09-15 21:04 . 2010-09-15 21:04 195584 ----a-w- c:\documents and settings\travis\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-1b67b38e-n\WMINative.dll
2010-09-15 21:04 . 2010-09-15 21:04 195584 ----a-w- c:\documents and settings\travis\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-4c03c8ef-n\WMINative.dll
2010-09-12 19:40 . 2010-02-26 22:37 -------- d-----w- c:\documents and settings\travis\Application Data\uTorrent
2010-09-11 03:17 . 2010-07-13 23:13 -------- d-----w- c:\documents and settings\travis\Application Data\Guitar Pro 6
2010-09-11 03:17 . 2010-07-13 22:57 -------- d-----w- c:\program files\Guitar Pro 6
2010-09-11 02:55 . 2010-08-24 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-11 02:55 . 2010-08-24 03:27 -------- d-----w- c:\program files\stop
2010-08-24 03:27 . 2010-08-24 03:27 -------- d-----w- c:\program files\Common Files\iS3
2010-08-03 09:28 . 2010-08-03 09:28 503808 ----a-w- c:\documents and settings\travis\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-59f85f78-n\msvcp71.dll
2010-08-03 09:28 . 2010-08-03 09:28 499712 ----a-w- c:\documents and settings\travis\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-59f85f78-n\jmc.dll
2010-08-03 09:28 . 2010-08-03 09:28 348160 ----a-w- c:\documents and settings\travis\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-59f85f78-n\msvcr71.dll
2010-08-03 09:28 . 2010-08-03 09:28 61440 ----a-w- c:\documents and settings\travis\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4fcc68ad-n\decora-sse.dll
2010-08-03 09:28 . 2010-08-03 09:28 12800 ----a-w- c:\documents and settings\travis\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4fcc68ad-n\decora-d3d.dll
2010-07-27 02:13 . 2010-09-19 20:49 3683248 ----a-w- c:\documents and settings\travis\Application Data\Simply Super Software\Trojan Remover\kjn1.exe
2010-07-17 12:00 . 2010-08-18 19:47 423656 ----a-w- c:\winnt\system32\deployJava1.dll
2009-07-20 03:04 . 2009-07-20 02:01 21952 ---h--w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\winnt\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe

[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\winnt\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll

c:\winnt\System32\wscntfy.exe ... is missing !!
c:\winnt\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-05 00:50 1197448 -c--a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrojanScanner"="c:\documents and settings\travis\Desktop\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2002-08-29 208896]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2002-08-29 40960]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 1 (0x1)
"DisableChangePassword"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ROUA3O12PW

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LinkZilla]
2000-11-08 16:27 270336 ----a-w- c:\program files\DVLink\DVSYNC.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-11-15 23:18 1670144 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2001-08-23 12:00 135680 ----a-w- c:\winnt\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-02-26 22:37 319280 ----a-w- c:\program files\uTorrent\uTorrent.exe

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\winnt\system32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2010 12:19 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\winnt\system32\drivers\mbamswissarmy.sys [9/18/2010 3:01 PM 38224]
.
Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 07:18]

2010-09-28 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 07:18]

2010-09-28 c:\winnt\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-09-28 c:\winnt\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-09-19 c:\winnt\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-03-27 c:\winnt\Tasks\System Restore.job
- c:\winnt\system32\Restore\rstrui.exe [2009-07-26 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.yahoo.com/?fr=fp-yma2
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-sglfb.sys
SafeBoot-tga.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 19:57
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\winnt\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(536)
c:\winnt\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(356)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\System32\ibmpmsvc.exe
c:\winnt\System32\WgaTray.exe
c:\winnt\System32\atievxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2010-09-27 20:07:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-28 03:07

Pre-Run: 12,292,145,152 bytes free
Post-Run: 13,818,363,904 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 4499093C4BFE9637245511DC2F7589B8
