Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or start a new topic of your own. Joining allows you to enjoy all this forum has to offer. Learn more in our 
Hi.
I'm using Firefox 3.0.4. Today I clicked a link on a Google search for capcan.org and was apparently redirected. There was a black screen, on top of which was a window with the following (sorry, it is incomplete) message:
"System Warning
There were errors during security setting restore!...System has detected spyware infection!...Click OK to download antispyware tool."
I noticed the url I was now on was a site with the address lvhook.biz.
I clicked Firefox's "Go back one page button" and ran a Malwarebytes scan, which found nothing. My HJT log also looked the same as it did a couple weeks ago when I last checked it, so I don't think anything nasty made its way on my computer, but wouldn't mind some reassurance.
I was hoping someone would check the HJT log. I posted one a couple weeks ago about the 020 line without a response, but I didn't feel worried enough about it to repost in The Waiting Room.
Another poster in the software/browsers section tried the capcan.org site with no problem.
Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:38 PM, on 3/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [DadApp] "C:\Program Files\Dell\AccessDirect\dadapp.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet
O4 - HKLM\..\Run: [WorksFUD] "C:\Program Files\Microsoft Works\wkfud.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235488204989
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O20 - AppInit_DLLs:
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 4103 bytes
Page 1 of 1
- Join to reply or start a new topic
-
This topic is locked
Firefox redirected to lvhook.biz [Solved] tried to trick me into clicking OK for an antispyware scan
#1
- Member
-
- Group: Member
- Posts: 21
- Joined: 15-March 06
- Operating System:XP
Posted 20 March 2009 - 05:43 PM
#2
- Malware Expert
-
- Group: Moderator
- Posts: 16,560
- Joined: 24-April 05
- Location:New York
- Operating System:Windows 98, XP, Vista, Mac OS X
Posted 20 March 2009 - 07:25 PM
Is this problem just affecting Firefox or is it happening to Internet Explorer also (test it out if unsure)?
Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
Download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
Download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
#3
- Member
-
- Group: Member
- Posts: 21
- Joined: 15-March 06
- Operating System:XP
Posted 21 March 2009 - 06:45 AM
Hi greyknight17,
I just tried clicking the link in IE and Firefox, and didn't get any redirection with either.
Do you still want me to perform those two other procedures? If so, is it OK to skip the Recovery Console installation? For one thing, I don't like the idea of being connected to the internet for the installation while AV and FW are disabled, and also, this computer is pretty old - it originally had WindowsMe and was upgraded to XP - not sure if that would pose a conflict to the Windows Recovery install.
Was there anything in the log that makes you think I need combofix?
Thanks.
I just tried clicking the link in IE and Firefox, and didn't get any redirection with either.
Do you still want me to perform those two other procedures? If so, is it OK to skip the Recovery Console installation? For one thing, I don't like the idea of being connected to the internet for the installation while AV and FW are disabled, and also, this computer is pretty old - it originally had WindowsMe and was upgraded to XP - not sure if that would pose a conflict to the Windows Recovery install.
Was there anything in the log that makes you think I need combofix?
Thanks.
#4
- Malware Expert
-
- Group: Moderator
- Posts: 16,560
- Joined: 24-April 05
- Location:New York
- Operating System:Windows 98, XP, Vista, Mac OS X
Posted 21 March 2009 - 09:52 AM
It's running XP now so it should not have problems installing the recovery console. To make things easier, go back to that bleepingcomputer site and skip the part where it asks you for the CD. Go down a little and click on the link to go to the Microsoft site instead to download the recovery console. Then just drag and drop that file into ComboFix.
I suggest performing the steps as it may seem like it's ok now, but it will probably return later on, especially if you didn't do anything to remove it in the first place. They usually don't just go away
I suggest performing the steps as it may seem like it's ok now, but it will probably return later on, especially if you didn't do anything to remove it in the first place. They usually don't just go away
#5
- Member
-
- Group: Member
- Posts: 21
- Joined: 15-March 06
- Operating System:XP
Posted 21 March 2009 - 11:13 AM
Hi greyknight17,
The only glitches I encountered were the Message "Error - Win32 only -- Incompatible OS. Combofix only works for workstations with Windows 2000 and XP" The program ran despite the warning. Everything went well from then until the log.txt window opened. The desktop icons and taskbar had disappeared (not the background though) and never reappeared after the scan. The mouse pointer was still there, but I couldn't figure out how to get anything back, so I rebooted.
Here are the two logs you've requested.
And thanks for helping me out with this stuff
ComboFix 09-03-19.02 - Dee and Frank 2009-03-21 12:30:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.95 [GMT -4:00]
Running from: c:\documents and settings\Dee and Frank\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dee and Frank\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\patch.exe
.
((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.
2009-03-08 10:48 . 2009-03-08 10:47 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-08 10:48 . 2009-03-08 10:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-08 10:47 . 2009-03-08 10:47 <DIR> d-------- c:\program files\Java
2009-03-08 10:43 . 2009-03-08 10:43 0 --a------ c:\windows\system32\REN7.tmp
2009-03-08 10:43 . 2009-03-08 10:43 0 --a------ c:\windows\system32\REN6.tmp
2009-03-04 18:03 . 2007-10-17 08:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-04 11:26 . 2009-03-04 11:26 <DIR> d-------- c:\documents and settings\Dee and Frank\Application Data\OpenOffice.org
2009-03-04 11:18 . 2009-03-04 11:18 <DIR> d-------- c:\program files\JRE
2009-03-04 11:17 . 2009-03-04 11:18 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-02-22 19:25 . 2009-02-22 20:12 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-02-21 20:02 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 13:40 --------- d-----w c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2009-03-20 18:37 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-20 18:37 --------- d-----w c:\program files\SpywareBlaster
2009-03-04 22:00 --------- d-----w c:\program files\Dell
2009-03-02 15:33 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2009-03-02 15:27 24,336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-03-02 15:22 155,384 ----a-w c:\windows\system32\guard32.dll
2009-03-02 15:22 110,992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-24 00:20 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-24 00:20 --------- d-----w c:\documents and settings\Dee and Frank\Application Data\SUPERAntiSpyware.com
2009-02-21 15:21 --------- d-----w c:\program files\Trend Micro
2009-02-21 13:47 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-21 01:36 --------- d-----w c:\program files\ERUNT
2009-02-20 21:23 --------- d-----w c:\program files\Google
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-24 00:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2002-11-01 208560]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-17 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-17 569344]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"nwiz"="c:\windows\system32\nwiz.exe" [2003-06-24 323584]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-11 196608]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-22 266497]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-02 1851128]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-02 1851128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-08-08 16:00 311350 c:\program files\Microsoft Works\wkssb.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-06-30 17:02 77824 c:\program files\QuickTime\qttask.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-21 28544]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-11-20 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-11-20 24336]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [2003-12-12 174464]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;c:\windows\system32\drivers\rtl8180.sys [2003-10-01 184832]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Dee and Frank\Application Data\Mozilla\Firefox\Profiles\mugxqruy.Default User\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Dee and Frank\Application Data\Mozilla\Firefox\Profiles\mugxqruy.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 12:33:15
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1409082233-492894223-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\guard32.dll
- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\guard32.dll
.
Completion time: 2009-03-21 12:38:17
ComboFix-quarantined-files.txt 2009-03-21 16:38:08
Pre-Run: 12,263,014,400 bytes free
Post-Run: 12,250,730,496 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
137
Now the goored:
GooredFix v1.92 by jpshortstuff
Log created at 13:04 on 21/03/2009 running Option #1 (Dee and Frank)
Firefox version 3.0.4 (en-US)
=====Suspect Goored Entries=====
=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
The only glitches I encountered were the Message "Error - Win32 only -- Incompatible OS. Combofix only works for workstations with Windows 2000 and XP" The program ran despite the warning. Everything went well from then until the log.txt window opened. The desktop icons and taskbar had disappeared (not the background though) and never reappeared after the scan. The mouse pointer was still there, but I couldn't figure out how to get anything back, so I rebooted.
Here are the two logs you've requested.
And thanks for helping me out with this stuff
ComboFix 09-03-19.02 - Dee and Frank 2009-03-21 12:30:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.95 [GMT -4:00]
Running from: c:\documents and settings\Dee and Frank\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dee and Frank\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\patch.exe
.
((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.
2009-03-08 10:48 . 2009-03-08 10:47 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-08 10:48 . 2009-03-08 10:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-08 10:47 . 2009-03-08 10:47 <DIR> d-------- c:\program files\Java
2009-03-08 10:43 . 2009-03-08 10:43 0 --a------ c:\windows\system32\REN7.tmp
2009-03-08 10:43 . 2009-03-08 10:43 0 --a------ c:\windows\system32\REN6.tmp
2009-03-04 18:03 . 2007-10-17 08:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-04 11:26 . 2009-03-04 11:26 <DIR> d-------- c:\documents and settings\Dee and Frank\Application Data\OpenOffice.org
2009-03-04 11:18 . 2009-03-04 11:18 <DIR> d-------- c:\program files\JRE
2009-03-04 11:17 . 2009-03-04 11:18 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-02-22 19:25 . 2009-02-22 20:12 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-02-21 20:02 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 13:40 --------- d-----w c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2009-03-20 18:37 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-20 18:37 --------- d-----w c:\program files\SpywareBlaster
2009-03-04 22:00 --------- d-----w c:\program files\Dell
2009-03-02 15:33 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2009-03-02 15:27 24,336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-03-02 15:22 155,384 ----a-w c:\windows\system32\guard32.dll
2009-03-02 15:22 110,992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-24 00:20 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-24 00:20 --------- d-----w c:\documents and settings\Dee and Frank\Application Data\SUPERAntiSpyware.com
2009-02-21 15:21 --------- d-----w c:\program files\Trend Micro
2009-02-21 13:47 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-21 01:36 --------- d-----w c:\program files\ERUNT
2009-02-20 21:23 --------- d-----w c:\program files\Google
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-24 00:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2002-11-01 208560]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-17 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-17 569344]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"nwiz"="c:\windows\system32\nwiz.exe" [2003-06-24 323584]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-11 196608]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-22 266497]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-02 1851128]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-02 1851128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-08-08 16:00 311350 c:\program files\Microsoft Works\wkssb.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-06-30 17:02 77824 c:\program files\QuickTime\qttask.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-21 28544]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-11-20 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-11-20 24336]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [2003-12-12 174464]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;c:\windows\system32\drivers\rtl8180.sys [2003-10-01 184832]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Dee and Frank\Application Data\Mozilla\Firefox\Profiles\mugxqruy.Default User\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Dee and Frank\Application Data\Mozilla\Firefox\Profiles\mugxqruy.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 12:33:15
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1409082233-492894223-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\guard32.dll
- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\guard32.dll
.
Completion time: 2009-03-21 12:38:17
ComboFix-quarantined-files.txt 2009-03-21 16:38:08
Pre-Run: 12,263,014,400 bytes free
Post-Run: 12,250,730,496 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
137
Now the goored:
GooredFix v1.92 by jpshortstuff
Log created at 13:04 on 21/03/2009 running Option #1 (Dee and Frank)
Firefox version 3.0.4 (en-US)
=====Suspect Goored Entries=====
=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
#6
- Malware Expert
-
- Group: Moderator
- Posts: 16,560
- Joined: 24-April 05
- Location:New York
- Operating System:Windows 98, XP, Vista, Mac OS X
Posted 21 March 2009 - 02:05 PM
Delete the following files:
c:\windows\system32\REN7.tmp
c:\windows\system32\REN6.tmp
Other than that, it looks ok so far. Test it out for a day or two and confirm that you don't get redirected anymore.
Good job. Your log is clean.
To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.
Go to Start->Run, copy/paste in combofix /u and hit OK to remove it.
c:\windows\system32\REN7.tmp
c:\windows\system32\REN6.tmp
Other than that, it looks ok so far. Test it out for a day or two and confirm that you don't get redirected anymore.
Good job. Your log is clean.
To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.
Go to Start->Run, copy/paste in combofix /u and hit OK to remove it.
#7
- Member
-
- Group: Member
- Posts: 21
- Joined: 15-March 06
- Operating System:XP
Posted 21 March 2009 - 02:34 PM
OK. I deleted the two .tmp files and uninstalled Combofix (I hope it uninstalled with no problem - my firewall interrupted it a few times).
One thing - Combofix seemed to reset IE as my default browser - is that normal?
Also, was that patch.exe which Combofix deleted the source of the trouble?
Thanks again. I'll try things out for a couple days and then let you know how it goes.
One thing - Combofix seemed to reset IE as my default browser - is that normal?
Also, was that patch.exe which Combofix deleted the source of the trouble?
Thanks again. I'll try things out for a couple days and then let you know how it goes.
#8
- Malware Expert
-
- Group: Moderator
- Posts: 16,560
- Joined: 24-April 05
- Location:New York
- Operating System:Windows 98, XP, Vista, Mac OS X
Posted 22 March 2009 - 10:16 AM
I'm not sure if that patch file was the cause, but I would have to say no in this case, especially if it's a legitimate patch file. It must have been something else that was removed earlier if everything is ok now. Otherwise, we will need to run additional scans to find the files responsible for the problem.
ComboFix will restore some system settings once it's removed. If it restored IE, just make Firefox your default browser again to fix the problem.
ComboFix will restore some system settings once it's removed. If it restored IE, just make Firefox your default browser again to fix the problem.
#9
- Member
-
- Group: Member
- Posts: 21
- Joined: 15-March 06
- Operating System:XP
Posted 23 March 2009 - 06:41 AM
Other than the single instance of browser redirection to lvhook. biz mentioned in the OP, I haven't been redirected. Neither in IE (which I don't usually use much) or Firefox.
I ran a Kaspersky online scan yesterday and it didn't detect anything.
Are there any other scans I ought to run, or do you think the problem's been demolished?
Thanks.
I ran a Kaspersky online scan yesterday and it didn't detect anything.
Are there any other scans I ought to run, or do you think the problem's been demolished?
Thanks.
#10
- Malware Expert
-
- Group: Moderator
- Posts: 16,560
- Joined: 24-April 05
- Location:New York
- Operating System:Windows 98, XP, Vista, Mac OS X
Posted 23 March 2009 - 09:08 PM
Can't find much on this right now, but if you want, run a Panda online scan to see if anything is found:
Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm
* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
We can perform a more thorough inspection if you follow the remaining instructions here. Skip any that you have already done.
Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm
* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
We can perform a more thorough inspection if you follow the remaining instructions here. Skip any that you have already done.
#11
- Member
-
- Group: Member
- Posts: 21
- Joined: 15-March 06
- Operating System:XP
Posted 24 March 2009 - 07:42 PM
Here's the Activescan report. "Congratulations! You have no infections today" or somesuch.
Still no other incidents of redirection. I've enabled NoScript in Firefox, which I'd had disabled for a while, just in case it happens again.
;***************************************************************************************************
********************************************************************************
ANALYSIS: 2009-03-24 11:07:47
PROTECTIONS: 1
MALWARE: 0
SUSPECTS: 0
;***************************************************************************************************
********************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================
================================================================================
Avira AntiVir PersonalEdition 8.0.1.30 No Yes
;===================================================================================================
================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================
================================================================================
;===================================================================================================
================================================================================
SUSPECTS
Sent Location
;===================================================================================================
================================================================================
;===================================================================================================
================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================
================================================================================
182048 HIGH MS07-069
;===================================================================================================
================================================================================
Still no other incidents of redirection. I've enabled NoScript in Firefox, which I'd had disabled for a while, just in case it happens again.
;***************************************************************************************************
********************************************************************************
ANALYSIS: 2009-03-24 11:07:47
PROTECTIONS: 1
MALWARE: 0
SUSPECTS: 0
;***************************************************************************************************
********************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================
================================================================================
Avira AntiVir PersonalEdition 8.0.1.30 No Yes
;===================================================================================================
================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================
================================================================================
;===================================================================================================
================================================================================
SUSPECTS
Sent Location
;===================================================================================================
================================================================================
;===================================================================================================
================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================
================================================================================
182048 HIGH MS07-069
;===================================================================================================
================================================================================
#12
- Malware Expert
-
- Group: Moderator
- Posts: 16,560
- Joined: 24-April 05
- Location:New York
- Operating System:Windows 98, XP, Vista, Mac OS X
Posted 24 March 2009 - 07:47 PM
We can close this topic if you feel everything is ok. Otherwise, you may run the further scans indicated in the sticky topic link I provided you.
#13
- Member
-
- Group: Member
- Posts: 21
- Joined: 15-March 06
- Operating System:XP
Posted 24 March 2009 - 08:21 PM
Go ahead and close it. If anything goes amiss in the next few days I'll ask to have it reopened.
Thanks for helping me, greyknight
Thanks for helping me, greyknight
#14
- Malware Expert
-
- Group: Moderator
- Posts: 16,560
- Joined: 24-April 05
- Location:New York
- Operating System:Windows 98, XP, Vista, Mac OS X
Posted 25 March 2009 - 06:16 PM
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
Share this topic:
Page 1 of 1
- Join to reply or start a new topic
-
This topic is locked
