Page 2 of a multi-page discussion thread.
Nov 3rd, 2009
Re: Browser redirects [thread moved]
Quote originally posted by ferrysb:
Err... I'm not so sure what the tools did to my system. Did it remove something?
I do not think so - that log is clean.... This is the first time I've seen the new version of GooredFix, so maybe I'm misreading it.

I had been leaning toward a rootkitted malware being responsible for the issues - Just wanted to cover all bases, hence GooredFix. Frankly, I'd still like to have a further look.

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- Double-click the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

PP
PhilliePhan, Moderator
Nov 4th, 2009
Re: Browser redirects [thread moved]

Seems you're correct... now it still redirects my web...
I will do as you said tonight and will get back to you when finished scanning.

Thanks for your help.
ferrysb
Nov 4th, 2009
Re: Browser redirects [thread moved]
Happy to try to help!

There seem to be a lot of different variations of this redirecting malware going around these days. Usually MBAM will detect and remove some of the rootkit components, but I didn't see any in your log. Perhaps it is something new?

Let's see what the GMER scanlog has to say.

PP
PhilliePhan, Moderator
Nov 5th, 2009
Re: Browser redirects [thread moved]

Hi, below is my log for GMER. I ran it with no internet connection, and my antivirus disabled.
Please help to check.
Thanks.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 04:57:21
Windows 5.1.2600 Service Pack 2
Running: 2pe32u84.exe; Driver: C:\DOCUME~1\FSANTO~1\LOCALS~1\Temp\kfryypoc.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRectEx] [1002DE60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRect] [1002DED0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowLongA] [1002DEF0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetWindowLongA] [1002DEF0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

Device \Driver\iaStor \Device\Ide\iaStor0 [B9EAAD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9EAAD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \FileSystem\Fastfat \Fat savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
ferrysb
Nov 5th, 2009
Re: Browser redirects [thread moved]
Quote originally posted by ferrysb:
---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
That log looks OK other than the above. Let's look at this one further:

Please go here ---> http://virusscan.jotti.org/ and use the Browse Button at the top of the page to navigate to C:\WINDOWS\system32\drivers\iaStor.sys and Upload it for analysis.
Let me know what you find.

This seems familiar to me - I think I've seen it before.....

PP
PhilliePhan, Moderator
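One way to do the triage above in code, as an added example that is not from the thread or from GMER itself: it parses the IAT, Device and File entries of a GMER log, groups the hooks by the DLL that owns them, and cross-checks the "[unknown section]" device entries against the "suspicious modification" file entries. The sample log is a trimmed copy of the one posted above; the rule for which hooks deserve attention is my own heuristic, not GMER's.

```python
"""Triage helper for the GMER rootkit-scan log format seen in this thread.

Added example, not GMER's own code. It assumes the plain-text layout shown in
the post: 'IAT <process>[pid] @ <module> [<lib>!<func>] [<addr>] <hooking dll> (<desc>)',
'Device <driver> <device> [<addr>] <image>[<section>] {...}' and
'File <path> <verdict>' entries. The noteworthy-hook rule below is a heuristic.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a trimmed copy of the log posted above.
SAMPLE_LOG = r"""GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 04:57:21

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRectEx] [1002DE60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

Device \Driver\iaStor \Device\Ide\iaStor0 [B9EAAD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9EAAD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) "
    r"\[(?P<lib>[^!\]]+)!(?P<func>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] "
    r"(?P<hooker>.+?)(?: \((?P<desc>[^)]*)\))?$"
)
DEVICE_RE = re.compile(
    r"^Device (?P<driver>\S+) (?P<device>\S+) \[(?P<addr>[0-9A-Fa-f]+)\] "
    r"(?P<image>[^\[\s]+)\[(?P<section>[^\]]+)\]"
)
# The path runs up to the first '.ext ' so the verdict text may contain spaces.
FILE_RE = re.compile(r"^File (?P<path>.+?\.[A-Za-z0-9]+) (?P<verdict>.+)$")


def parse_gmer_log(text):
    """Return the IAT, Device and File records of a GMER log as dicts."""
    records = {"iat": [], "device": [], "file": []}
    for line in text.splitlines():
        for kind, pattern in (("iat", IAT_RE), ("device", DEVICE_RE), ("file", FILE_RE)):
            m = pattern.match(line)
            if m:
                records[kind].append(m.groupdict())
                break
    return records


def summarise_hooks(iat_records):
    """Group IAT entries by the DLL that owns the hook, across processes and APIs."""
    by_hooker = defaultdict(lambda: {"processes": set(), "apis": set(), "desc": None})
    for r in iat_records:
        entry = by_hooker[r["hooker"]]
        entry["processes"].add(r["process"])
        entry["apis"].add(f'{r["lib"]}!{r["func"]}')
        entry["desc"] = r["desc"]
    return dict(by_hooker)


def hooker_is_noteworthy(hooker, entry):
    """Heuristic: a described vendor DLL that sits next to the single executable it
    hooks (here NewUI.dll inside SEPCSuite.exe) is ordinary application behaviour;
    an undescribed DLL, or one hooking several processes, deserves a second look."""
    if not entry["desc"]:
        return True
    if len(entry["processes"]) > 1:
        return True
    (process,) = entry["processes"]
    return PureWindowsPath(hooker).parent != PureWindowsPath(process).parent


def triage(text):
    """Reduce a GMER log to the findings a helper would ask about."""
    rec = parse_gmer_log(text)
    hooks = summarise_hooks(rec["iat"])
    noteworthy_hooks = sorted(h for h, e in hooks.items() if hooker_is_noteworthy(h, e))
    # '[unknown section]' means GMER could not map the device's dispatch address
    # to any section of the driver image it names.
    odd_devices = sorted({d["image"] for d in rec["device"] if d["section"] == "unknown section"})
    odd_files = [f["path"] for f in rec["file"] if "suspicious" in f["verdict"]]
    # Two independent checks (device dispatch and on-disk file) naming the same
    # driver is the pattern that singled out iaStor.sys in the thread.
    corroborated = sorted(
        img for img in odd_devices
        if any(PureWindowsPath(p).name.lower() == img.lower() for p in odd_files)
    )
    return {
        "hooks": hooks,
        "noteworthy_hooks": noteworthy_hooks,
        "odd_devices": odd_devices,
        "odd_files": odd_files,
        "corroborated": corroborated,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for dll, e in result["hooks"].items():
        print(f"{dll}: {len(e['apis'])} APIs in {len(e['processes'])} process(es) [{e['desc']}]")
    print("noteworthy hooks:", result["noteworthy_hooks"])
    print("unknown-section drivers:", result["odd_devices"])
    print("suspicious files:", result["odd_files"])
    print("corroborated:", result["corroborated"])
```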
Nov 5th, 2009
Re: Browser redirects [thread moved]
I'm fairly certain that this is infected. It may not show in the scan, but if it has been modified, the latest Combofix should catch and replace it.


Let's go ahead and do this:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix to your Desktop and run it:
http://www.bleepingcomputer.com/comb...o-use-combofix

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me and let me know if you are still being redirected. Also, I'd be interested in the Jotti results from my previous post.

Cheers
PP
PhilliePhan, Moderator
Nov 5th, 2009
Re: Browser redirects [thread moved]
Wow, you really know a lot 'bout this.
I scanned using Jotti's malware scan, and all of the scans found nothing on the file.

Will try using this ComboFix and let you know the result.
Thanks.
ferrysb
Nov 5th, 2009
Re: Browser redirects [thread moved]
Well . . . I don't know as much as I'd like to - these baddies are constantly changing. I think I've seen this file modified before and I know combofix will address it if that is the case, so we might as well give it a try.
Please post me the entire combofix log when it finishes its run.

PP
PhilliePhan, Moderator
Nov 5th, 2009
Re: Browser redirects [thread moved]
Seems that iastor.sys is the bad guy.
Now it looks like it's not redirected, but let me test a bit more later on. Below is the ComboFix log.
Thanks


ComboFix 09-11-04.05 - FSantoso4859 11/06/2009 0:03.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2006.1551 [GMT 8:00]
Running from: c:\documents and settings\FSantoso4859\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-790525478-1958367476-682003330-1003
c:\recycler\S-1-5-21-790525478-1958367476-682003330-500
c:\windows\run.log
c:\windows\system32\1028x.exe
c:\windows\system32\3937169366.dat
c:\windows\system32\440199740.dat
c:\windows\system32\ac3acmq.exe
c:\windows\system32\accesshw.exe
c:\windows\system32\ahuiu.exe
c:\windows\system32\Cache
c:\windows\Temp\1185792423.exe
c:\windows\Temp\181391922.exe
c:\windows\Temp\2741779961.exe

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DMADMINHKHKG-SXF4859N1-SQL
-------\Legacy_DMSERVERHKHKG-SXF4859N1-SQL
-------\Legacy_LANMANSERVERCOMSYSAPP
-------\Legacy_RDSESSMGRLANMANWORKSTATION
-------\Legacy_SPOOLERHKHKG-SXF4859N1-CLASSIC
-------\Legacy_UPSSAMSS
-------\Service_dmadminHKHKG-SXF4859N1-SQL
-------\Service_dmserverHKHKG-SXF4859N1-SQL
-------\Service_lanmanserverCOMSysApp
-------\Service_RDSessMgrlanmanworkstation
-------\Service_SpoolerHKHKG-SXF4859N1-CLASSIC
-------\Service_UPSSamSs


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 16:15 . 2009-11-05 16:15 32 ------w- c:\windows\system32\440199740.dat
2009-11-05 15:58 . 2006-02-28 12:00 13952 -c--a-w- c:\windows\system32\dllcache\cbidf2k.sys
2009-11-05 15:58 . 2006-02-28 12:00 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2009-11-05 15:58 . 2004-08-03 14:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-05 15:58 . 2004-08-03 14:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-05 12:33 . 2004-08-11 04:01 119864 ------w- c:\windows\system32\drivers\IpSecDrv.sys
2009-11-05 12:33 . 2004-08-11 05:22 61492 ------w- c:\windows\system32\cmondll.dll
2009-11-05 12:33 . 2004-08-11 05:22 28726 ------w- c:\windows\system32\SnPolicy.dll
2009-11-05 12:33 . 2004-08-11 05:22 188470 ------w- c:\windows\system32\IreComn.dll
2009-11-05 12:33 . 2004-07-30 05:20 521786 ------w- c:\windows\system32\drivers\Crypto.sys
2009-11-05 12:33 . 2004-07-30 05:20 90166 ------w- c:\windows\system32\IreSC.dll
2009-11-05 12:33 . 2004-07-30 05:19 335930 ------w- c:\windows\system32\IreCGX.dll
2009-11-05 12:33 . 2004-07-30 05:19 151612 ------w- c:\windows\system32\IreBase.dll
2009-11-05 12:33 . 2002-12-06 07:42 207120 ------r- c:\windows\system32\Msoss.dll
2009-11-05 12:32 . 2009-11-05 12:32 -------- d-----w- c:\program files\Juniper
2009-11-05 12:32 . 2004-08-11 05:22 323636 ------w- c:\windows\system32\IreMgmt.dll
2009-11-05 12:32 . 2002-12-06 07:42 78848 ------r- c:\windows\system32\soedber.dll
2009-11-05 12:32 . 2002-12-06 07:42 46080 ------r- c:\windows\system32\soedapi.dll
2009-11-05 12:32 . 2002-12-06 07:42 23552 ------r- c:\windows\system32\ossapi.dll
2009-11-05 12:32 . 2002-12-06 07:42 16896 ------r- c:\windows\system32\ossdmem.dll
2009-11-05 12:32 . 2002-12-06 07:42 11264 ------r- c:\windows\system32\soedoid.dll
2009-11-05 12:32 . 2002-12-06 07:42 28160 ------r- c:\windows\system32\cstrain.dll
2009-11-05 12:32 . 2001-11-07 03:48 143360 ------w- c:\windows\system32\nsldap32v50.dll
2009-11-03 14:45 . 2009-11-03 14:45 21504 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-23 12:57 . 2009-10-23 12:57 -------- d-----w- c:\program files\WinSCP
2009-10-21 14:33 . 2009-10-21 14:33 -------- d-----w- c:\program files\LibUSB-Win32
2009-10-21 14:33 . 2007-03-20 03:33 28672 ----a-w- c:\windows\system32\drivers\libusb0.sys
2009-10-21 14:33 . 2007-03-20 03:33 43520 ----a-w- c:\windows\system32\libusb0.dll
2009-10-21 14:28 . 2009-10-21 14:30 -------- d-----w- c:\program files\QuickFreedom
2009-10-21 14:26 . 2009-10-21 14:26 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2009-10-21 14:26 . 2009-10-21 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\iPodtoComputer
2009-10-21 14:25 . 2008-06-15 02:01 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-10-21 14:25 . 2003-03-18 14:20 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2009-10-21 14:25 . 2003-03-18 13:14 499712 ----a-w- c:\windows\system32\MSVCP71.DLL
2009-10-21 14:25 . 2009-10-21 14:25 -------- d-----w- c:\program files\Cucusoft
2009-10-21 14:25 . 2009-10-21 14:25 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-10-21 14:23 . 2009-10-21 14:25 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\GetRightToGo
2009-10-21 14:22 . 2009-10-21 14:24 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-10-21 14:21 . 2009-10-21 14:21 -------- d-----w- c:\program files\Microsoft SDKs
2009-10-21 13:53 . 2009-10-21 13:53 175752 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-21 13:53 . 2009-10-21 13:53 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-21 13:52 . 2009-10-21 13:52 -------- d-----w- c:\program files\Reference Assemblies
2009-10-21 13:51 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-21 13:51 . 2009-10-21 13:52 -------- d-----w- C:\36300c4706e967932a170e731a941f
2009-10-21 13:51 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-21 13:51 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-21 13:51 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-21 13:51 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-21 13:51 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-21 13:51 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-21 13:51 . 2009-10-21 13:57 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-17 14:00 . 2009-10-17 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-10-17 13:59 . 2009-10-17 13:59 836464 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2009-10-17 13:59 . 2009-10-17 13:59 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-17 13:59 . 2009-10-18 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-14 02:47 . 2007-02-12 09:46 3096576 ---ha-w- c:\documents and settings\FSantoso4859\Application Data\U3\temp\Launchpad Removal.exe
2009-10-12 03:23 . 2009-10-16 15:25 -------- d-----w- c:\program files\Millennium Trader 4
2009-10-09 02:36 . 2009-10-09 02:36 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\Malwarebytes
2009-10-09 02:36 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 02:36 . 2009-10-09 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-09 02:36 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 02:36 . 2009-10-30 08:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 15:49 . 2008-03-20 05:16 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\uTorrent
2009-11-05 12:32 . 2009-10-05 15:39 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-11-05 03:42 . 2009-06-12 02:03 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\webex
2009-10-21 14:27 . 2008-03-18 09:37 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-21 14:27 . 2008-03-18 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:23 . 2008-03-18 10:30 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-10-21 14:03 . 2008-03-18 10:25 80120 ----a-w- c:\documents and settings\FSantoso4859\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 13:28 . 2008-03-18 10:45 -------- d-----w- c:\program files\FlashGet
2009-10-14 06:00 . 2008-04-29 04:37 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\U3
2009-10-14 02:18 . 2008-03-18 07:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-02 12:24 . 2009-10-02 12:23 -------- d-----w- c:\program files\Microsoft
2009-10-02 12:24 . 2009-10-02 12:24 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-09-13 14:44 . 2009-09-13 14:44 64796 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-12 02:20 . 2008-11-02 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-12 02:18 . 2008-11-02 12:13 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\Apple Computer
2009-09-11 15:13 . 2009-09-11 15:12 -------- d-----w- c:\program files\iTunes
2009-09-11 15:13 . 2009-09-11 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 15:12 . 2009-09-11 15:12 -------- d-----w- c:\program files\iPod
2009-09-11 15:12 . 2008-11-02 12:10 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 15:10 . 2009-09-11 15:09 -------- d-----w- c:\program files\QuickTime
2009-09-11 14:41 . 2009-09-11 14:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-08-28 11:42 . 2009-03-15 16:09 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 11:42 . 2008-11-02 12:22 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 03:04 . 2008-03-18 03:36 87643 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-08-16 09:42 . 2008-08-16 09:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 09:42 . 2008-08-16 09:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 09:42 . 2008-08-16 09:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 09:42 . 2008-08-16 09:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 09:43 . 2008-08-16 09:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 09:42 . 2008-08-16 09:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 09:42 . 2008-08-16 09:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 00:41 . 2008-05-21 00:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 00:41 . 2008-05-21 00:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 00:41 . 2008-05-21 00:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 05:58 . 2008-06-05 05:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 09:42 . 2008-08-16 09:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2006-02-28 12:00 . 2006-02-28 12:00 61952 --sh--r- c:\windows\system32\1037su.exe
.

------- Sigcheck -------

[7] 2006-02-28 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2007-03-14 49168]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 1044480]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-10 294912]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-10 208896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TrackPointSrv"="tp4mon.exe" - c:\windows\system32\tp4mon.exe [2004-08-04 82432]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-02-28 53760]

c:\documents and settings\FSantoso4859\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-8 245760]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 576104]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-18 50688]
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-11-5 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-14 14:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Dynamics NAV\\CSIDE Client\\AtDebug.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Navision\\Client\\Parsons\\Nav. Client 3.7b\\AtDebug.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 DataModem HSDPA.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Navision\\Installer\\NAV5SP1\\CSIDE Client\\AtDebug.exe"=
"c:\\Navision\\Installer\\5.0 SP1 NA\\DVD_Signed\\CsideClient\\program files\\Microsoft Dynamics NAV\\CSIDE Client\\AtDebug.exe"=
"c:\\Navision\\Installer\\NAV4\\AtDebug.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16272:TCP"= 16272:TCP:BitCometLite 16272 TCP
"16272:UDP"= 16272:UDP:BitCometLite 16272 UDP

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 18:32 19504]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/18/2008 17:11 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/18/2008 17:11 38528]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [11/5/2009 20:33 521786]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [6/3/2009 17:06 80936]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/14/2007 22:10 11152]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [8/15/2008 11:11 36188]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [10/21/2009 22:33 28672]
S2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [11/5/2009 20:33 119864]
S2 RDSessMgrW3SVC;Remote Desktop Help Session Manager RDSessMgrW3SVC;c:\windows\system32\1037su.exe srv --> c:\windows\system32\1037su.exe srv [?]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [8/21/2008 20:04 98304]
S3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [8/29/2007 12:01 153344]
S3 HeathDev;Application Server for Microsoft Dynamics NAV HeathDev;c:\navision\Application Server\nassql.exe [8/28/2009 10:17 1930360]
S3 HeathDev_2;Application Server for Microsoft Dynamics NAV HeathDev_2;c:\navision\Application Server 2\nassql.exe [8/28/2009 14:04 1930360]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [3/11/2009 23:24 42112]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/3/2007 23:12 202096]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ZSMC302;PLEOMAX PWC-3800;c:\windows\system32\Drivers\usbvm302.sys --> c:\windows\system32\Drivers\usbvm302.sys [?]
S4 HKHKG-SXF4859N1-CLASSIC;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-CLASSIC;c:\program files\Microsoft Dynamics NAV\Application Server\nas.exe [2/14/2008 16:50 1860728]
S4 HKHKG-SXF4859N1-SQL;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-SQL;c:\program files\Microsoft Dynamics NAV\Application Server\nassql.exe [2/14/2008 16:51 1930360]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 07:01 2799808]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [1/13/2009 01:10 14976]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-03-18 17:30]

2009-10-30 c:\windows\Tasks\Weekly Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-01-22 16:45]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: microsoft.com\mbs
FF - ProfilePath - c:\documents and settings\FSantoso4859\Application Data\Mozilla\Firefox\Profiles\papnscwi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://hk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: keyword.enabled - false
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-P2kAutostart - (no file)
AddRemove-HDMI - c:\windows\system32\igxpun.exe
AddRemove-HijackThis - c:\documents and settings\FSantoso4859\Desktop\xxxxx\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 00:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll

- - - - - - - > 'lsass.exe'(540)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll

- - - - - - - > 'explorer.exe'(2640)
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Juniper\NetScreen-Remote\IPSecMon.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-05 0:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 16:30

Pre-Run: 18,721,177,600 bytes free
Post-Run: 19,121,467,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
ferrysb (Newbie Poster, 12 posts, since Oct 2009)
Nov 5th, 2009
Re: Browser redirects [thread moved]
Quote originally posted by ferrysb:
Seems that iastor.sys is the bad guy.
Now it looks like it's not redirected, but let me test a bit more later on. Below is the ComboFix log.
Thanks
Happy to help

Let me know if you are still being redirected.

-- Looks to me as though you tried to clean this (or another infection) before posting here? Another typically infected file is missing....


Please do the following:

1) Click START > RUN > type cmd ENTER
At the command prompt, type ipconfig /flushdns and hit ENTER
-- Note there is a space between g <space> /

2) With the command prompt still open, type:
copy c:\windows\system32\dllcache\eventlog.dll c:\windows\system32\ and hit ENTER
You should get a message stating "1 file<s> copied."
-- Note there are spaces between copy <space> c:\ and .dll <space> c:\

3) Please Download ATF-Cleaner.exe by Atribune to the Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, click No at the prompt.
Click Exit on the Main menu to close the program.

Let me know how things are working and we can wrap this up.

Cheers
PP
Last edited by PhilliePhan; Nov 5th, 2009 at 11:42 pm. Reason: Added info....
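A scripted form of steps 1 and 2 in the reply above, added here as an example; it is not PhilliePhan's code and is not part of the thread. Rather than copying blindly, it restores eventlog.dll from the dllcache only when that cached copy's MD5 matches the value ComboFix listed in the Sigcheck section of the log, then flushes the DNS resolver cache. The two paths and the reference hash are taken from the log; the function name, messages and the use of .NET's MD5 class (so the script does not depend on Get-FileHash, which older PowerShell releases lack) are my assumptions.

```powershell
# Added example, not from the thread: restore a missing eventlog.dll from the
# Windows File Protection cache only after verifying the cached copy's MD5
# against the value ComboFix reported for it in the Sigcheck section.

$SystemDir = Join-Path $env:SystemRoot 'system32'
$Target    = Join-Path $SystemDir 'eventlog.dll'           # reported "is missing !!"
$CacheCopy = Join-Path $SystemDir 'dllcache\eventlog.dll'  # copy ComboFix hashed
# MD5 ComboFix listed for the dllcache copy ([5.1.2600.2180]); used as the reference value
$KnownGoodMd5 = '82B24CB70E5944E6E34662205A2A5B78'

function Get-Md5Hex {
    # Hypothetical helper: hex MD5 of a file via .NET, avoiding Get-FileHash
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

if (Test-Path $Target) {
    # Nothing to restore; still show the hash so it can be compared with the log
    Write-Host "eventlog.dll is present in system32; nothing to restore."
    Write-Host ("  MD5: " + (Get-Md5Hex $Target))
    return
}

Write-Host "eventlog.dll is missing from system32 (the Sigcheck finding in the log)."

if (-not (Test-Path $CacheCopy)) {
    Write-Warning "No copy in dllcache either; restore it from the Windows installation source instead."
    return
}

$cacheMd5 = Get-Md5Hex $CacheCopy
if ($cacheMd5 -ne $KnownGoodMd5) {
    # A cached copy that does not match the known-good hash is not trusted as a source
    Write-Warning "dllcache copy MD5 $cacheMd5 does not match reference $KnownGoodMd5; not restoring."
    return
}

# Hashes match: this is the same cached file the log verified, so copy it back (step 2)
Copy-Item -Path $CacheCopy -Destination $SystemDir
Write-Host "Restored eventlog.dll from dllcache (MD5 $cacheMd5 verified)."

# Step 1 of the reply: drop any stale resolver entries left by the redirector
ipconfig /flushdns | Out-Null
Write-Host "DNS resolver cache flushed. Reboot so the Event Log service can load the restored DLL."
```

Run it from an elevated PowerShell prompt; the checks are ordered so that the script exits early, with a message, whenever the DLL is already present, the cache copy is absent, or the cache copy's hash does not match, and the copy happens only on the last path.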

This thread is solved.

© 2011 DaniWeb® LLC