Hi Gerbil,

I have the same problem as nmslagle: I keep having the address redirected to a fake address. Can you help to check my log? Below is my log.
I use Firefox as my browser.

Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31:21, on 10/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Navision\Client\INSTAL~1.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\FSantoso4859\Desktop\12549\imaBunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\svchost.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Waiting1690] C:\Windows\stid1690.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TecturaCorp.net
O17 - HKLM\Software\..\Telephony: DomainName = TecturaCorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TecturaCorp.net
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\Navision\Client\INSTAL~1.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service dmadminHKHKG-SXF4859N1-SQL (dmadminHKHKG-SXF4859N1-SQL) - Unknown owner - C:\WINDOWS\system32\1033u.exe (file missing)
O23 - Service: Logical Disk Manager dmserverHKHKG-SXF4859N1-SQL (dmserverHKHKG-SXF4859N1-SQL) - Unknown owner - C:\WINDOWS\system32\ahuiu.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager RDSessMgrlanmanworkstation (RDSessMgrlanmanworkstation) - Unknown owner - C:\WINDOWS\system32\1037sb.exe (file missing)
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

--
End of file - 12549 bytes
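A responder reading the log above would zero in on four things: the F2 UserInit value carrying a second executable (C:\Program Files\Common Files\svchost.exe, outside system32), the Run entry [Waiting1690] pointing at C:\Windows\stid1690.exe, imaBunny.exe running from the user's Desktop, and O23 services whose display names are real Windows service names (Logical Disk Manager, Print Spooler, Remote Desktop Help Session Manager) with a host-specific suffix bolted on and binaries such as 1033u.exe and ahuiu.exe in system32. The script below is an added example, not part of the thread and not HijackThis' own logic: it parses those HJT line types and applies the checks to a constructed subset of the posted lines. The heuristics (what a clean Userinit looks like, which directories are odd for an autostart, which XP service short names are being mimicked) are my assumptions, not rules from the page.

```python
"""Triage a HijackThis 2.0.2 log for the persistence tricks seen in the posted
log. Added example; the heuristics are the author's assumptions."""
import re

# XP service short names the posted log shows being impersonated
# (real display name + host-specific suffix). Assumed table, not from HJT.
WINDOWS_SERVICES = {
    "dmadmin": "Logical Disk Manager Administrative Service",
    "dmserver": "Logical Disk Manager",
    "Spooler": "Print Spooler",
    "RDSessMgr": "Remote Desktop Help Session Manager",
}

# Constructed subset of the posted log lines (copied verbatim from it).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\FSantoso4859\Desktop\12549\imaBunny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\svchost.exe,
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Waiting1690] C:\Windows\stid1690.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service dmadminHKHKG-SXF4859N1-SQL (dmadminHKHKG-SXF4859N1-SQL) - Unknown owner - C:\WINDOWS\system32\1033u.exe (file missing)
O23 - Service: Logical Disk Manager dmserverHKHKG-SXF4859N1-SQL (dmserverHKHKG-SXF4859N1-SQL) - Unknown owner - C:\WINDOWS\system32\ahuiu.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.*?) - (?P<path>.*)$"
)


def image_path(cmd):
    """Pull the executable out of a Run value (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def suspicious_location(path):
    """Places where a legitimate XP autostart binary is unusual (assumed list)."""
    p = path.lower()
    if "\\" not in p:            # bare name, resolved via PATH: not judged here
        return None
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", p):
        return "executable directly in the Windows directory"
    for marker in ("\\desktop\\", "\\temp\\", "\\local settings\\", "\\application data\\"):
        if marker in p:
            return "executable in a user-writable profile location"
    return None


def check_userinit(value):
    """Userinit should be exactly <system32>\\userinit.exe; every extra entry runs at logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    for entry in entries:
        if not re.fullmatch(r"(?i)[a-z]:\\windows\\system32\\userinit\.exe", entry):
            findings.append(("Userinit", f"extra logon executable: {entry}"))
    return findings


def check_service(display, short, owner, path):
    findings = []
    if "(file missing)" in path:
        findings.append(("Service", f"{short}: binary missing ({path})"))
    for real_short, real_display in WINDOWS_SERVICES.items():
        if short and short != real_short and short.startswith(real_short) \
                and display.startswith(real_display):
            findings.append(("Service", f"{short}: impersonates Windows service '{real_short}'"))
    if owner == "Unknown owner" and "\\system32\\" in path.lower():
        findings.append(("Service", f"{short}: unknown-owner binary in system32: {path}"))
    return findings


def triage(log_text):
    """Return (category, detail) findings for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"^[A-Za-z]:\\", line):              # "Running processes" block
            why = suspicious_location(line)
            if why:
                findings.append(("Process", f"{why}: {line}"))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            findings += check_userinit(line.split("UserInit=", 1)[1])
        elif (m := O4_RE.match(line)):
            why = suspicious_location(image_path(m["cmd"]))
            if why:
                findings.append(("Run", f"[{m['name']}] {why}: {m['cmd']}"))
        elif (m := O23_RE.match(line)):
            findings += check_service(m["display"], m["short"] or "", m["owner"], m["path"])
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:8} {detail}")
```

Run the file directly to print the findings for the constructed lines. The Userinit finding is the same value MBAM later reports as Hijack.Userinit with Good: (Userinit.exe); a bare filename such as tp4mon.exe is resolved via PATH and is deliberately not judged; and the impersonation table only knows the four service names seen in this log, so extend it before using the script on another machine.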

Please do the following:

Download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT and then:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Please post the MBAM and DDS logs for us. One of the regular volunteers should check back as time permits.

Cheers :)
PP

commented: Thanks for your help to solve the redirected Firefox :) +1

Thanks for your response.
I did what you said; I used MBAM and DDS. Attached is my log.

Please help me to check it.

Thanks a lot, guys.


Malwarebytes' Anti-Malware 1.41
Database version: 3059
Windows 5.1.2600 Service Pack 2

10/30/2009 17:22:16
mbam-log-2009-10-30 (17-22-16).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 237286
Time elapsed: 56 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{y101y238-s37i-3bv5-f7i2-r5o5yr7rpe2w} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\svchost.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\FSantoso4859\Local Settings\Temp\a.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

Happy to help :)

-- I need to see the DDS.txt
Run it again and copy and paste that into your reply.
I don't need another attach.txt. Just the DDS.txt.

I will check back as time permits over the weekend.

PP :)

Please just paste your logs into your reply (do not attach) unless requested to do otherwise.

Ah, sorry, here we go, the DDS.txt.
Thanks...

DDS (Ver_09-10-26.01) - NTFSx86
Run by FSantoso4859 at 8:40:31.51 on Sat 10/31/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2006.1190 [GMT 8:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Navision\Client\INSTAL~1.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\msiexec.exe
svchost.exe "C:\WINDOWS\system32\ahuiu.exe"
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\FSantoso4859\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\progra~1\flashget\jccatch.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [P2kAutostart]
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [TrackPointSrv] tp4mon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\fsanto~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
mPolicies-system: EnableLUA = 0 (0x0)
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\mbs
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fsanto~1\applic~1\mozilla\firefox\profiles\papnscwi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://hk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: keyword.enabled - false
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-3-18 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-3-18 38528]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-3-18 4442]
R2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\navision\client\INSTAL~1.EXE [2007-4-3 217215]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-6-3 80936]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-14 11152]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-10-21 28672]
S2 dmadminHKHKG-SXF4859N1-SQL;Logical Disk Manager Administrative Service dmadminHKHKG-SXF4859N1-SQL;c:\windows\system32\1033u.exe srv --> c:\windows\system32\1033u.exe srv [?]
S2 dmserverHKHKG-SXF4859N1-SQL;Logical Disk Manager dmserverHKHKG-SXF4859N1-SQL;c:\windows\system32\ahuiu.exe srv --> c:\windows\system32\ahuiu.exe srv [?]
S2 RDSessMgrlanmanworkstation;Remote Desktop Help Session Manager RDSessMgrlanmanworkstation;c:\windows\system32\1037sb.exe srv --> c:\windows\system32\1037sb.exe srv [?]
S2 RDSessMgrW3SVC;Remote Desktop Help Session Manager RDSessMgrW3SVC;c:\windows\system32\1037su.exe srv --> c:\windows\system32\1037su.exe srv [?]
S2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
S2 SpoolerHKHKG-SXF4859N1-CLASSIC;Print Spooler SpoolerHKHKG-SXF4859N1-CLASSIC;c:\windows\system32\ac3acmq.exe srv --> c:\windows\system32\ac3acmq.exe srv [?]
S3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [2007-8-29 153344]
S3 HeathDev;Application Server for Microsoft Dynamics NAV HeathDev;c:\navision\application server\nassql.exe [2009-8-28 1930360]
S3 HeathDev_2;Application Server for Microsoft Dynamics NAV HeathDev_2;c:\navision\application server 2\nassql.exe [2009-8-28 1930360]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-3-11 42112]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-3-3 202096]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ZSMC302;PLEOMAX PWC-3800;c:\windows\system32\drivers\usbvm302.sys --> c:\windows\system32\drivers\usbvm302.sys [?]
S4 HKHKG-SXF4859N1-CLASSIC;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-CLASSIC;c:\program files\microsoft dynamics nav\application server\nas.exe [2008-2-14 1860728]
S4 HKHKG-SXF4859N1-SQL;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-SQL;c:\program files\microsoft dynamics nav\application server\nassql.exe [2008-2-14 1930360]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-1-13 14976]

=============== Created Last 30 ================

2009-10-27 11:11:08 32256 ----a-w- C:\Item Create 01.xls
2009-10-27 11:11:08 100864 ----a-w- C:\Item Amend Test Case.xls
2009-10-26 15:31:30 121344 ----a-w- C:\Outstanding Task List.xls
2009-10-23 12:57:38 0 d-----w- c:\program files\WinSCP
2009-10-21 14:33:39 43520 ----a-w- c:\windows\system32\libusb0.dll
2009-10-21 14:33:39 28672 ----a-w- c:\windows\system32\drivers\libusb0.sys
2009-10-21 14:33:39 0 d-----w- c:\program files\LibUSB-Win32
2009-10-21 14:29:00 933888 ----a-w- c:\windows\system32\SENXPCTL.OCX
2009-10-21 14:29:00 212240 ----a-w- c:\windows\system32\RICHTX32.OCX
2009-10-21 14:28:59 65536 ----a-w- c:\windows\system32\device.OCX
2009-10-21 14:28:59 32768 ----a-w- c:\windows\system32\Bar.OCX
2009-10-21 14:28:59 224016 ----a-w- c:\windows\system32\tabctl32.OCX
2009-10-21 14:28:59 140096 ----a-w- c:\windows\system32\COMDLG32.OCX
2009-10-21 14:28:59 0 d-----w- c:\program files\QuickFreedom
2009-10-21 14:26:12 0 d-----w- c:\docume~1\alluse~1\applic~1\iPodtoComputer
2009-10-21 14:25:49 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-10-21 14:25:48 6144 ----a-w- c:\windows\system32\ff_acm.acm
2009-10-21 14:25:44 499712 ----a-w- c:\windows\system32\MSVCP71.DLL
2009-10-21 14:25:44 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2009-10-21 14:25:41 0 d-----w- c:\program files\Cucusoft
2009-10-21 14:23:35 0 d-----w- c:\docume~1\fsanto~1\applic~1\GetRightToGo
2009-10-21 13:53:13 0 d-----w- c:\windows\system32\XPSViewer
2009-10-21 13:51:57 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-21 13:51:56 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-21 13:51:56 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-21 13:51:56 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-21 13:51:56 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-21 13:51:56 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-21 13:51:56 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-21 13:51:56 0 d-----w- C:\36300c4706e967932a170e731a941f
2009-10-21 13:51:14 0 d-----w- c:\windows\SxsCaPendDel
2009-10-17 14:00:02 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2009-10-16 08:53:49 104 --s-a-w- c:\windows\system32\440199740.dat
2009-10-15 01:57:45 9254180 ----a-w- C:\Item Master Templates_20091008_Item - Some Fields + 1500 error records.xlsx
2009-10-12 03:23:35 0 d-----w- c:\program files\Millennium Trader 4
2009-10-09 02:36:29 0 d-----w- c:\docume~1\fsanto~1\applic~1\Malwarebytes
2009-10-09 02:36:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 02:36:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 02:36:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-09 02:36:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 15:39:57 0 d-----w- c:\program files\common files\Deterministic Networks
2009-10-02 12:24:05 0 d-----w- c:\program files\Microsoft Office Outlook Connector
2009-10-02 12:23:06 0 d-----w- c:\program files\Microsoft

==================== Find3M ====================

2009-09-13 14:44:22 64796 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-28 11:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-06 11:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 11:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2006-02-28 12:00:00 61952 --sh--r- c:\windows\system32\1037su.exe
2006-02-28 12:00:00 61952 --sh--r- c:\windows\system32\ac3acmq.exe
2006-02-28 12:00:00 61952 --sh--r- c:\windows\system32\ahuiu.exe

============= FINISH: 8:41:34.43 ===============

Ah, sorry, here we go, the DDS.txt.
Thanks...

Sorry for the late reply - busy weekend.

I do not see much there - a few things I do not recognize, but that doesn't make them baddies...

-- You do need to update your Java and Adobe Reader and remove the old versions.

How are things running now? Are you still being redirected?

PP :)

Thanks for the reply.

I just tried my Firefox. It still redirected. I don't know about the common symptoms for this spyware, but I will get redirected if I search using the Google toolbar and right-click on a result to open it in a new tab. It will get redirected to another site...

thanks.

OK - Let's do this before breaking out the big guns:

Please download jpshortstuff's GooredFix.exe to your Desktop.
-- Make sure all browsers are Closed and then DoubleClick GooredFix.exe to run it.
A dialog box should pop up:
"GooredFix will automatically check for and remove infection. Click Yes to continue or No to exit."
-- Click Yes and allow the tool to run. It should go pretty quickly.
-- Look for GooredFix.txt on your Desktop and post that log for me.

See if you are still being redirected and we'll go from there.

PP :)

I ran the program you mentioned.
Wow, seems it's fixed.... but let me test further with the Google toolbar search engine. ...
After a few tests searching in my Firefox... it seems it's already fixed... it didn't redirect to the fake web...

Err... I'm not so sure what the tool did to my system. Did it remove something?

Thanks very much!!!

Below is the log FYI :

GooredFix by jpshortstuff (24.09.09.1)
Log created at 00:13 on 04/11/2009 (myuserID)
Firefox version 3.5.4 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:34 18/03/2008]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [13:07 26/04/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [13:54 21/10/2009]

-=E.O.F=-

I do not think so - that log is clean.... This is the first time I've seen the new version of GooredFix, so maybe I'm misreading it.

I had been leaning toward a rootkitted malware being responsible for the issues - Just wanted to cover all bases, hence GooredFix. Frankly, I'd still like to have a further look.

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

PP :)

Seems you're correct.. now it's still redirecting my web...
I will do as you said tonight, and will get back to you when I've finished scanning.

Thanks for your help.

Happy to try to help!

There seem to be a lot of different variations of this redirecting malware going around these days. Usually MBAM will detect and remove some of the rootkit components, but I didn't see any in your log. Perhaps it is something new?

Let's see what the GMER scanlog has to say.

PP :)

Hi Hi, below is my log for GMER. I ran it with no internet connection, and my antivirus was disabled.
Please help to check.
Thanks.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 04:57:21
Windows 5.1.2600 Service Pack 2
Running: 2pe32u84.exe; Driver: C:\DOCUME~1\FSANTO~1\LOCALS~1\Temp\kfryypoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

Device \Driver\iaStor \Device\Ide\iaStor0 [B9EAAD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9EAAD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \FileSystem\Fastfat \Fat savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

That log looks OK other than the above. Let's look at this one further:

Please go here ---> and use the Browse Button at the top of the page to navigate to C:\WINDOWS\system32\drivers\iaStor.sys and Upload it for analysis.
Let me know what you find.

This seems familiar to me - I think I've seen it before.....

PP :)
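
Added here as an editor's example, not PP's instructions or any tool from the thread: the check behind GMER's "suspicious modification" finding, done by hand on the driver PP asked about. It hashes the live C:\WINDOWS\system32\drivers\iaStor.sys against the dllcache copy, if one exists there (iaStor is an OEM driver, so the dllcache path is an assumption and may be absent), and reads the embedded Authenticode signature; the paths are the ones named in the thread.

```powershell
# Editor's example, not from the thread. Compares a live driver with the
# dllcache copy Windows keeps for restores, then checks its signature.
param(
    [string]$Driver = 'C:\WINDOWS\system32\drivers\iaStor.sys',
    [string]$Backup = 'C:\WINDOWS\system32\dllcache\iaStor.sys'   # assumed location
)

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also runs on PowerShell 2.0, which has no Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Clear() }
}

foreach ($p in $Driver, $Backup) {
    if (-not (Test-Path $p)) { Write-Warning "missing: $p" }
}

if ((Test-Path $Driver) -and (Test-Path $Backup)) {
    $live = Get-Sha256Hex $Driver
    $ref  = Get-Sha256Hex $Backup
    "live     : $live"
    "dllcache : $ref"
    if ($live -ne $ref) {
        # A byte-level difference from the reference copy is the same signal
        # GMER reported as 'suspicious modification'.
        Write-Warning "Live driver differs from the dllcache copy."
    } else {
        "Hashes match: the live driver is byte-identical to the dllcache copy."
    }
    # Size and timestamps, the way the DDS and ComboFix listings show them.
    Get-Item $Driver, $Backup | Select-Object FullName, Length, LastWriteTime
}

# Embedded Authenticode signature. Caveat: most XP-era WHQL drivers are signed
# through a catalog (.cat) rather than embedded, so 'NotSigned' here is not by
# itself proof of tampering; a mismatch against dllcache is the stronger signal.
Get-AuthenticodeSignature $Driver |
    Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

A clean hash match does not clear a driver whose dllcache copy was itself replaced; when both copies are suspect, the hash has to be compared against a copy from known-good media or the vendor's package, which is what ComboFix's restore does.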

I'm fairly certain that this is infected. It may not show in the scan, but if it has been modified, the latest Combofix should catch and replace it.


Let's go ahead and do this:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix to your Desktop and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me and let me know if you are still being redirected. Also, I'd be interested in the Jotti results from my previous post.

Cheers :)
PP

Wow, you really know a lot 'bout this :D
I scanned using Jotti's malware scan, and all of the scanners found nothing on the file.

Will try using this combofix. And let you know the result.
Thanks.

Well . . . I don't know as much as I'd like to - these baddies are constantly changing. I think I've seen this file modified before and I know combofix will address it if that is the case, so we might as well give it a try.
Please post me the entire combofix log when it finishes its run.

PP :)

Seems that iaStor.sys is the bad guy.
Now it looks like it's not redirecting, but let me test a bit more later on. Below is the ComboFix log.
Thanks :)


ComboFix 09-11-04.05 - FSantoso4859 11/06/2009 0:03.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2006.1551 [GMT 8:00]
Running from: c:\documents and settings\FSantoso4859\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-790525478-1958367476-682003330-1003
c:\recycler\S-1-5-21-790525478-1958367476-682003330-500
c:\windows\run.log
c:\windows\system32\1028x.exe
c:\windows\system32\3937169366.dat
c:\windows\system32\440199740.dat
c:\windows\system32\ac3acmq.exe
c:\windows\system32\accesshw.exe
c:\windows\system32\ahuiu.exe
c:\windows\system32\Cache
c:\windows\Temp\1185792423.exe
c:\windows\Temp\181391922.exe
c:\windows\Temp\2741779961.exe

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DMADMINHKHKG-SXF4859N1-SQL
-------\Legacy_DMSERVERHKHKG-SXF4859N1-SQL
-------\Legacy_LANMANSERVERCOMSYSAPP
-------\Legacy_RDSESSMGRLANMANWORKSTATION
-------\Legacy_SPOOLERHKHKG-SXF4859N1-CLASSIC
-------\Legacy_UPSSAMSS
-------\Service_dmadminHKHKG-SXF4859N1-SQL
-------\Service_dmserverHKHKG-SXF4859N1-SQL
-------\Service_lanmanserverCOMSysApp
-------\Service_RDSessMgrlanmanworkstation
-------\Service_SpoolerHKHKG-SXF4859N1-CLASSIC
-------\Service_UPSSamSs


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 16:15 . 2009-11-05 16:15 32 ------w- c:\windows\system32\440199740.dat
2009-11-05 15:58 . 2006-02-28 12:00 13952 -c--a-w- c:\windows\system32\dllcache\cbidf2k.sys
2009-11-05 15:58 . 2006-02-28 12:00 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2009-11-05 15:58 . 2004-08-03 14:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-05 15:58 . 2004-08-03 14:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-05 12:33 . 2004-08-11 04:01 119864 ------w- c:\windows\system32\drivers\IpSecDrv.sys
2009-11-05 12:33 . 2004-08-11 05:22 61492 ------w- c:\windows\system32\cmondll.dll
2009-11-05 12:33 . 2004-08-11 05:22 28726 ------w- c:\windows\system32\SnPolicy.dll
2009-11-05 12:33 . 2004-08-11 05:22 188470 ------w- c:\windows\system32\IreComn.dll
2009-11-05 12:33 . 2004-07-30 05:20 521786 ------w- c:\windows\system32\drivers\Crypto.sys
2009-11-05 12:33 . 2004-07-30 05:20 90166 ------w- c:\windows\system32\IreSC.dll
2009-11-05 12:33 . 2004-07-30 05:19 335930 ------w- c:\windows\system32\IreCGX.dll
2009-11-05 12:33 . 2004-07-30 05:19 151612 ------w- c:\windows\system32\IreBase.dll
2009-11-05 12:33 . 2002-12-06 07:42 207120 ------r- c:\windows\system32\Msoss.dll
2009-11-05 12:32 . 2009-11-05 12:32 -------- d-----w- c:\program files\Juniper
2009-11-05 12:32 . 2004-08-11 05:22 323636 ------w- c:\windows\system32\IreMgmt.dll
2009-11-05 12:32 . 2002-12-06 07:42 78848 ------r- c:\windows\system32\soedber.dll
2009-11-05 12:32 . 2002-12-06 07:42 46080 ------r- c:\windows\system32\soedapi.dll
2009-11-05 12:32 . 2002-12-06 07:42 23552 ------r- c:\windows\system32\ossapi.dll
2009-11-05 12:32 . 2002-12-06 07:42 16896 ------r- c:\windows\system32\ossdmem.dll
2009-11-05 12:32 . 2002-12-06 07:42 11264 ------r- c:\windows\system32\soedoid.dll
2009-11-05 12:32 . 2002-12-06 07:42 28160 ------r- c:\windows\system32\cstrain.dll
2009-11-05 12:32 . 2001-11-07 03:48 143360 ------w- c:\windows\system32\nsldap32v50.dll
2009-11-03 14:45 . 2009-11-03 14:45 21504 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-23 12:57 . 2009-10-23 12:57 -------- d-----w- c:\program files\WinSCP
2009-10-21 14:33 . 2009-10-21 14:33 -------- d-----w- c:\program files\LibUSB-Win32
2009-10-21 14:33 . 2007-03-20 03:33 28672 ----a-w- c:\windows\system32\drivers\libusb0.sys
2009-10-21 14:33 . 2007-03-20 03:33 43520 ----a-w- c:\windows\system32\libusb0.dll
2009-10-21 14:28 . 2009-10-21 14:30 -------- d-----w- c:\program files\QuickFreedom
2009-10-21 14:26 . 2009-10-21 14:26 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2009-10-21 14:26 . 2009-10-21 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\iPodtoComputer
2009-10-21 14:25 . 2008-06-15 02:01 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-10-21 14:25 . 2003-03-18 14:20 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2009-10-21 14:25 . 2003-03-18 13:14 499712 ----a-w- c:\windows\system32\MSVCP71.DLL
2009-10-21 14:25 . 2009-10-21 14:25 -------- d-----w- c:\program files\Cucusoft
2009-10-21 14:25 . 2009-10-21 14:25 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-10-21 14:23 . 2009-10-21 14:25 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\GetRightToGo
2009-10-21 14:22 . 2009-10-21 14:24 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-10-21 14:21 . 2009-10-21 14:21 -------- d-----w- c:\program files\Microsoft SDKs
2009-10-21 13:53 . 2009-10-21 13:53 175752 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-21 13:53 . 2009-10-21 13:53 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-21 13:52 . 2009-10-21 13:52 -------- d-----w- c:\program files\Reference Assemblies
2009-10-21 13:51 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-21 13:51 . 2009-10-21 13:52 -------- d-----w- C:\36300c4706e967932a170e731a941f
2009-10-21 13:51 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-21 13:51 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-21 13:51 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-21 13:51 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-21 13:51 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-21 13:51 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-21 13:51 . 2009-10-21 13:57 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-17 14:00 . 2009-10-17 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-10-17 13:59 . 2009-10-17 13:59 836464 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2009-10-17 13:59 . 2009-10-17 13:59 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-17 13:59 . 2009-10-18 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-14 02:47 . 2007-02-12 09:46 3096576 ---ha-w- c:\documents and settings\FSantoso4859\Application Data\U3\temp\Launchpad Removal.exe
2009-10-12 03:23 . 2009-10-16 15:25 -------- d-----w- c:\program files\Millennium Trader 4
2009-10-09 02:36 . 2009-10-09 02:36 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\Malwarebytes
2009-10-09 02:36 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 02:36 . 2009-10-09 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-09 02:36 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 02:36 . 2009-10-30 08:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 15:49 . 2008-03-20 05:16 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\uTorrent
2009-11-05 12:32 . 2009-10-05 15:39 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-11-05 03:42 . 2009-06-12 02:03 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\webex
2009-10-21 14:27 . 2008-03-18 09:37 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-21 14:27 . 2008-03-18 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:23 . 2008-03-18 10:30 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-10-21 14:03 . 2008-03-18 10:25 80120 ----a-w- c:\documents and settings\FSantoso4859\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 13:28 . 2008-03-18 10:45 -------- d-----w- c:\program files\FlashGet
2009-10-14 06:00 . 2008-04-29 04:37 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\U3
2009-10-14 02:18 . 2008-03-18 07:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-02 12:24 . 2009-10-02 12:23 -------- d-----w- c:\program files\Microsoft
2009-10-02 12:24 . 2009-10-02 12:24 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-09-13 14:44 . 2009-09-13 14:44 64796 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-12 02:20 . 2008-11-02 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-12 02:18 . 2008-11-02 12:13 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\Apple Computer
2009-09-11 15:13 . 2009-09-11 15:12 -------- d-----w- c:\program files\iTunes
2009-09-11 15:13 . 2009-09-11 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 15:12 . 2009-09-11 15:12 -------- d-----w- c:\program files\iPod
2009-09-11 15:12 . 2008-11-02 12:10 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 15:10 . 2009-09-11 15:09 -------- d-----w- c:\program files\QuickTime
2009-09-11 14:41 . 2009-09-11 14:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-08-28 11:42 . 2009-03-15 16:09 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 11:42 . 2008-11-02 12:22 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 03:04 . 2008-03-18 03:36 87643 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-08-16 09:42 . 2008-08-16 09:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 09:42 . 2008-08-16 09:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 09:42 . 2008-08-16 09:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 09:42 . 2008-08-16 09:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 09:43 . 2008-08-16 09:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 09:42 . 2008-08-16 09:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 09:42 . 2008-08-16 09:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 00:41 . 2008-05-21 00:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 00:41 . 2008-05-21 00:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 00:41 . 2008-05-21 00:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 05:58 . 2008-06-05 05:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 09:42 . 2008-08-16 09:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2006-02-28 12:00 . 2006-02-28 12:00 61952 --sh--r- c:\windows\system32\1037su.exe
.

------- Sigcheck -------

[7] 2006-02-28 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2007-03-14 49168]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 1044480]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-10 294912]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-10 208896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TrackPointSrv"="tp4mon.exe" - c:\windows\system32\tp4mon.exe [2004-08-04 82432]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-02-28 53760]

c:\documents and settings\FSantoso4859\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-8 245760]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 576104]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-18 50688]
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-11-5 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-14 14:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Dynamics NAV\\CSIDE Client\\AtDebug.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Navision\\Client\\Parsons\\Nav. Client 3.7b\\AtDebug.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 DataModem HSDPA.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Navision\\Installer\\NAV5SP1\\CSIDE Client\\AtDebug.exe"=
"c:\\Navision\\Installer\\5.0 SP1 NA\\DVD_Signed\\CsideClient\\program files\\Microsoft Dynamics NAV\\CSIDE Client\\AtDebug.exe"=
"c:\\Navision\\Installer\\NAV4\\AtDebug.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16272:TCP"= 16272:TCP:BitCometLite 16272 TCP
"16272:UDP"= 16272:UDP:BitCometLite 16272 UDP

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 18:32 19504]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/18/2008 17:11 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/18/2008 17:11 38528]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [11/5/2009 20:33 521786]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [6/3/2009 17:06 80936]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/14/2007 22:10 11152]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [8/15/2008 11:11 36188]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [10/21/2009 22:33 28672]
S2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [11/5/2009 20:33 119864]
S2 RDSessMgrW3SVC;Remote Desktop Help Session Manager RDSessMgrW3SVC;c:\windows\system32\1037su.exe srv --> c:\windows\system32\1037su.exe srv [?]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [8/21/2008 20:04 98304]
S3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [8/29/2007 12:01 153344]
S3 HeathDev;Application Server for Microsoft Dynamics NAV HeathDev;c:\navision\Application Server\nassql.exe [8/28/2009 10:17 1930360]
S3 HeathDev_2;Application Server for Microsoft Dynamics NAV HeathDev_2;c:\navision\Application Server 2\nassql.exe [8/28/2009 14:04 1930360]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [3/11/2009 23:24 42112]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/3/2007 23:12 202096]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ZSMC302;PLEOMAX PWC-3800;c:\windows\system32\Drivers\usbvm302.sys --> c:\windows\system32\Drivers\usbvm302.sys [?]
S4 HKHKG-SXF4859N1-CLASSIC;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-CLASSIC;c:\program files\Microsoft Dynamics NAV\Application Server\nas.exe [2/14/2008 16:50 1860728]
S4 HKHKG-SXF4859N1-SQL;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-SQL;c:\program files\Microsoft Dynamics NAV\Application Server\nassql.exe [2/14/2008 16:51 1930360]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 07:01 2799808]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [1/13/2009 01:10 14976]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-03-18 17:30]

2009-10-30 c:\windows\Tasks\Weekly Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-01-22 16:45]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: microsoft.com\mbs
FF - ProfilePath - c:\documents and settings\FSantoso4859\Application Data\Mozilla\Firefox\Profiles\papnscwi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://hk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: keyword.enabled - false
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-P2kAutostart - (no file)
AddRemove-HDMI - c:\windows\system32\igxpun.exe
AddRemove-HijackThis - c:\documents and settings\FSantoso4859\Desktop\xxxxx\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 00:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll

- - - - - - - > 'lsass.exe'(540)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll

- - - - - - - > 'explorer.exe'(2640)
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Juniper\NetScreen-Remote\IPSecMon.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-05 0:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 16:30

Pre-Run: 18,721,177,600 bytes free
Post-Run: 19,121,467,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Seems that iastor.sys is the bad guy.
Now it looks like it's not redirected, but let me test a bit more later on. Below is the ComboFix log.
Thanks :)

Happy to help :)

Let me know if you are still being redirected.

-- Looks to me as though you tried to clean this (or another infection) before posting here? Another typically infected file is missing....


Please do the following:

1) Click START > RUN > type cmd ENTER
At the command prompt, type ipconfig /flushdns and hit ENTER
-- Note there is a space between g <space> /

2) With the command prompt still open, type:
copy c:\windows\system32\dllcache\eventlog.dll c:\windows\system32\ and hit ENTER
You should get a message stating "1 file(s) copied."
-- Note there are spaces between copy <space> c:\ and .dll <space> c:\

3) Please Download ATF-Cleaner.exe by Atribune to the Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

Click Exit on the Main menu to close the program.


Let me know how things are working and we can wrap this up.

Cheers :)
PP

I did the ATF Cleaner.
Looks like I'm not being redirected anymore, so it's solved.
Thanks a lot :)

Hi hi, after I did the ATF on Firefox, it seems something is wrong with my Firefox: when I open DaniWeb, all the text is in the middle and the appearance looks weird...
Although not all websites are like this, only some. I already tried to reinstall Firefox. Do you know why? Has it blocked some of the plug-ins?

thanks

I do not know - This is the first time I've heard of that. I use ATFCleaner a lot and have never had an issue with Firefox.
Have a look at this thread: ATFCleaner and Firefox
Does that help?


Since the redirect is gone, let's remove Combofix and the files/folders it created:

-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

-- Let me know if you are still having problems with Firefox and we'll see what we can do.

PP :)

Hi, I went to the forum you mentioned; it said I need to clear the cookies/cache of Firefox, and it worked, Firefox is back to normal.
And now Firefox is not being redirected anymore.
Thanks a lot!

Excellent!

You're Welcome - Glad I could help :)

PP

I have the same problem. I have had the McAfee virus removal team working on it for two days and they could not remove the virus in the thread. I ran Malwarebytes and DDS; this did not remove the problem. Can you help? I ran both tools in safe mode and Malwarebytes states that it removed all viruses. Here is my dds.txt

.
DDS (Ver_2011-06-03.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Run by HP_Administrator at 23:25:00 on 2011-06-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.641 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.

Thank you for the help