Weird links open at startup

chibicitiberiu

New Member
I have Windows 7, recently installed on my laptop... and for some time, some weird links open up at startup, to a redirect website that sends to some torrent sites, porn and so on...
AVG and MalwareBytes came up empty.

Here is attached the hijack this log.

View attachment hijackthis.txt
 

johnb35

Administrator
Staff member
You have an entry I'm curious about.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 

chibicitiberiu

New Member
Thanks for the help.
The links still launch at startup after running combofix...

Here are the two logs:

Combofix log:

ComboFix 10-06-20.03 - Tiberiu 06/21/2010 8:27.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2073 [GMT 3:00]
Running from: c:\users\Tiberiu\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\7Loader.TAG

.
((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-06-21 05:32 . 2010-06-21 05:33 -------- d-----w- c:\users\Tiberiu\AppData\Local\temp
2010-06-21 05:32 . 2010-06-21 05:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-21 05:24 . 2010-06-21 05:24 -------- d-----w- C:\32788R22FWJFW
2010-06-20 17:44 . 2010-06-20 17:44 -------- d-----w- c:\program files\MSXML 4.0
2010-06-20 13:33 . 2007-11-03 01:46 7991296 ----a-w- c:\programdata\MAGIX\MusicMaker16Premium_Download_Version\Synth\Vita\Vita.dll
2010-06-20 13:33 . 2007-11-16 16:33 2330624 ----a-w- c:\programdata\MAGIX\MusicMaker16Premium_Download_Version\Synth\Revolta 2\Revolta 2.dll
2010-06-19 18:37 . 2010-06-19 18:37 -------- d-----w- c:\users\Tiberiu\AppData\Roaming\MAGIX
2010-06-19 18:35 . 2003-04-18 13:29 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-06-19 18:35 . 2003-04-18 13:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-06-19 18:35 . 2007-09-04 13:34 806912 ----a-w- c:\programdata\MAGIX\MusicMaker16Premium_Download_Version\Synth\am-track_SE.dll
2010-06-19 18:35 . 2010-06-19 18:36 -------- d-----w- c:\programdata\MAGIX
2010-06-19 18:34 . 2010-06-19 18:36 -------- d-----w- c:\program files\MAGIX
2010-06-19 18:34 . 2007-04-27 07:43 120200 ----a-w- c:\windows\system32\DLLDEV32i.dll
2010-06-19 18:33 . 2010-06-19 18:36 -------- d-----w- c:\program files\Common Files\MAGIX Services
2010-06-19 18:32 . 2010-06-19 18:32 4286 ----a-r- c:\users\Tiberiu\AppData\Roaming\Microsoft\Installer\{271A659B-A7D3-405E-AE31-3086133BE0B7}\ARPPRODUCTICON.exe
2010-06-19 18:32 . 2010-06-19 18:32 -------- d-----w- c:\program files\Yamaha
2010-06-19 18:30 . 2010-06-19 18:30 -------- d-----w- c:\users\Tiberiu\AppData\Local\Downloaded Installations
2010-06-19 18:22 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-06-19 18:12 . 2010-06-19 18:12 -------- dc----w- c:\windows\system32\DRVSTORE
2010-06-19 18:12 . 2010-04-28 04:44 54632 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-06-19 18:12 . 2010-06-19 18:12 -------- d-----w- c:\program files\Microsoft
2010-06-19 18:12 . 2010-06-19 18:12 -------- d-----w- c:\program files\Windows Live
2010-06-19 18:12 . 2010-06-19 18:12 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-06-19 18:10 . 2010-06-19 18:10 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-18 20:13 . 2010-06-18 20:13 -------- d-----w- c:\programdata\Codemasters
2010-06-18 20:12 . 2010-06-18 20:12 -------- d-----w- c:\users\Tiberiu\AppData\Roaming\Ubisoft
2010-06-18 20:06 . 2010-06-18 20:06 -------- d-----w- c:\programdata\Ubisoft
2010-06-18 18:05 . 2010-06-18 18:05 -------- d-----w- c:\windows\Options
2010-06-18 18:05 . 2010-06-18 18:05 -------- d-----w- c:\program files\Atheros
2010-06-18 18:05 . 2009-09-21 07:58 1218048 ----a-w- c:\windows\system32\athr.sys
2010-06-18 18:04 . 2010-06-18 18:04 -------- d-----w- c:\programdata\Atheros
2010-06-18 18:02 . 2010-06-18 18:02 -------- d-----w- c:\users\Tiberiu\AppData\Local\ElevatedDiagnostics
2010-06-18 15:38 . 2009-09-04 14:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-06-18 14:23 . 2010-06-18 14:23 -------- d-----w- c:\users\Tiberiu\AppData\Local\FlatOut Ultimate Carnage
2010-06-18 12:14 . 2010-06-18 12:14 -------- d-----w- c:\users\Tiberiu\AppData\Local\Activision
2010-06-18 07:27 . 2010-06-18 07:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-18 07:13 . 2010-06-18 07:13 -------- d-----w- c:\users\Tiberiu\AppData\Local\Adobe
2010-06-18 07:12 . 2010-06-18 07:12 -------- d-----w- c:\program files\Rockstar Games
2010-06-18 07:11 . 2010-06-18 07:12 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-18 05:47 . 2010-05-07 16:06 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2010-06-18 05:47 . 2010-05-07 16:01 21320 ----a-w- c:\windows\system32\authuitu.dll
2010-06-18 05:47 . 2010-05-07 16:01 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-06-18 05:47 . 2010-06-18 05:47 -------- d-----w- c:\users\Tiberiu\AppData\Roaming\TuneUp Software
2010-06-18 05:47 . 2010-06-18 05:49 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-06-18 05:46 . 2010-06-18 05:47 -------- d-----w- c:\programdata\TuneUp Software
2010-06-18 05:46 . 2010-06-18 05:46 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-06-18 05:46 . 2010-06-18 05:46 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2010-06-18 05:45 . 2010-06-18 05:45 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2010-06-18 05:41 . 2010-06-18 05:41 -------- d-----w- c:\programdata\Martau
2010-06-18 05:40 . 2010-06-18 05:40 -------- d-----w- c:\program files\Total Uninstall 5
2010-06-18 04:43 . 2010-06-18 04:43 -------- d-----w- c:\users\Tiberiu\AppData\Local\Thunderbird
2010-06-18 04:43 . 2010-06-18 04:43 -------- d-----w- c:\users\Tiberiu\AppData\Roaming\Thunderbird
2010-06-17 15:25 . 2010-06-17 15:25 -------- d-----w- c:\windows\system32\xlive
2010-06-17 15:25 . 2010-06-18 15:39 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Ubisoft
2010-06-17 14:08 . 2010-06-17 14:08 10134 ----a-r- c:\users\Tiberiu\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-06-17 14:08 . 2010-06-17 14:08 -------- d-----w- c:\program files\Microsoft WSE
2010-06-17 13:35 . 2010-06-17 13:35 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-06-17 13:35 . 2010-06-17 13:35 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2010-06-17 13:35 . 2010-06-17 13:35 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2010-06-17 13:35 . 2010-06-17 13:35 588096 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-06-17 13:28 . 2010-06-17 13:28 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-17 13:26 . 2010-06-17 13:26 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-06-17 13:26 . 2010-06-18 09:33 -------- d-----w- c:\users\Tiberiu\AppData\Roaming\Winamp
2010-06-17 13:26 . 2010-06-17 13:27 -------- d-----w- c:\program files\Winamp
2010-06-17 12:57 . 2010-06-17 12:57 -------- d-----w- c:\windows\system32\Wat
2010-06-17 11:14 . 2007-07-19 21:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-06-17 11:14 . 2007-07-19 15:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-06-17 11:14 . 2007-07-19 15:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2010-06-17 11:14 . 2007-07-19 15:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-06-17 11:14 . 2007-06-20 17:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-06-17 11:06 . 2010-06-17 11:06 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-17 11:06 . 2010-06-17 11:06 -------- d-----w- c:\windows\system32\AGEIA
2010-06-17 11:06 . 2010-06-17 11:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-17 10:10 . 2010-06-16 18:23 -------- d-----w- c:\windows\Panther
2010-06-17 10:10 . 2010-06-17 10:10 -------- d-----w- C:\Boot
2010-06-17 09:37 . 2010-06-20 19:59 -------- d-----w- c:\users\Tiberiu\AppData\Roaming\vlc
2010-06-17 09:12 . 2010-06-17 09:12 0 ----a-w- c:\windows\ativpsrm.bin
2010-06-17 06:41 . 2010-06-17 06:41 175 ----a-w- c:\windows\system32\AvgScan.bat
2010-06-17 06:25 . 2010-06-17 06:25 -------- d-----w- c:\program files\VideoLAN
2010-06-17 05:06 . 2010-06-17 05:06 -------- d-----w- c:\program files\ATI
2010-06-17 05:06 . 2010-06-17 05:06 -------- d-----w- c:\program files\ATI Technologies
2010-06-17 04:48 . 2009-09-04 14:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-06-17 04:48 . 2007-04-04 15:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-06-17 04:44 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-17 04:42 . 2010-03-04 21:00 632832 ----a-w- c:\windows\system32\Notepad2.exe
2010-06-17 04:40 . 2010-06-17 04:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-17 04:37 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-06-17 04:35 . 2010-06-17 04:35 356616 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-06-17 04:35 . 2010-06-17 04:35 28424 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-06-17 04:35 . 2010-06-17 04:35 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-06-17 04:35 . 2010-06-17 04:35 161672 ----a-w- c:\programdata\avg9\update\backup\avgrkx86.sys
2010-06-17 04:34 . 2010-06-17 04:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-17 04:32 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-06-17 04:32 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-06-17 04:32 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
2010-06-17 04:32 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-06-17 04:32 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-06-17 04:32 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-06-17 04:32 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-06-17 04:32 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-06-17 04:32 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-06-17 04:32 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-17 04:32 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-17 04:32 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-17 04:27 . 2010-06-17 04:27 -------- d-----r- C:\MSOCache
2010-06-17 04:15 . 2010-06-18 07:12 -------- d-----w- c:\users\Tiberiu\AppData\Local\Rockstar Games
2010-06-17 03:57 . 2010-06-17 03:57 -------- d-----w- c:\program files\Synaptics
2010-06-17 03:56 . 2009-06-18 12:12 212400 ----a-w- c:\windows\system32\drivers\SynTP.sys
2010-06-17 03:56 . 2009-06-18 12:11 120104 ----a-w- c:\windows\system32\SynTPCo4.dll
2010-06-17 03:56 . 2009-06-18 12:11 161064 ----a-w- c:\windows\system32\SynTPAPI.dll
2010-06-17 03:56 . 2009-06-18 12:11 206120 ----a-w- c:\windows\system32\SynCtrl.dll
2010-06-17 03:56 . 2009-05-21 01:43 1176312 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-06-17 03:48 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-17 03:47 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-06-16 20:00 . 2010-06-16 19:57 875288 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-06-16 20:00 . 2010-06-16 19:57 798488 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-06-16 20:00 . 2010-06-16 19:57 610072 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-06-16 20:00 . 2010-06-16 19:57 1656088 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-06-16 20:00 . 2010-06-16 20:00 -------- d-----w- c:\users\Tiberiu\AppData\Roaming\AVG9
2010-06-16 19:57 . 2010-06-17 05:10 -------- d-----w- C:\$AVG
2010-06-16 19:57 . 2010-06-17 04:34 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-16 19:57 . 2010-06-17 04:34 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-06-16 19:57 . 2010-06-17 04:34 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-16 19:57 . 2010-06-21 05:10 -------- d-----w- c:\windows\system32\drivers\Avg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-18 15:39 . 2010-06-18 15:39 -------- d-----w- c:\program files\BRS
2010-06-18 15:39 . 2010-06-18 15:39 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-06-18 15:39 . 2010-06-18 15:39 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-06-18 15:39 . 2010-06-18 15:39 -------- d-----w- c:\program files\OpenAL
2010-06-17 14:40 . 2010-06-17 14:40 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-17 05:08 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-06-17 04:32 . 2010-06-17 04:28 -------- d-----w- c:\programdata\Microsoft Help
2010-06-17 04:29 . 2010-06-17 04:29 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-06-17 04:29 . 2010-06-17 04:29 -------- d-----w- c:\program files\Microsoft.NET
2010-06-17 04:29 . 2010-06-17 04:29 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-17 04:28 . 2010-06-17 04:28 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-06-17 03:58 . 2010-06-17 03:58 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-06-16 18:28 . 2010-06-16 18:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-05-27 16:54 . 2009-07-13 22:09 3668480 ----a-w- c:\windows\system32\atidxx32.dll
2010-05-27 07:24 . 2010-06-17 04:31 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-17 04:31 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 05:18 . 2010-06-17 04:33 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-01 14:49 . 2010-06-17 04:33 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 15:37 . 2010-04-29 15:37 2137 ----a-w- c:\windows\system32\atipblag.dat
2010-04-06 17:54 . 2010-04-06 17:54 203336 ----a-w- c:\windows\system32\atiicdxx.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-01-16 05:59 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-06-16 322352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-17 2065248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-18 1537320]
"AvgScan"="c:\windows\system32\AvgScan.bat" [2010-06-17 175]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2010-04-28 647528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 14:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-01-21 14:22 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 07:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PLFSetI"=c:\windows\PLFSetI.exe

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-16 691696]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-17 1343400]
R3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2009-08-04 33736]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-06-17 52872]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-06-17 216200]
S1 AvgTdiX;AVG Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-17 242896]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-27 176128]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-06-17 308064]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-05-07 1051976]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-05-27 5586432]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-05-27 209920]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-13 50688]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2010-02-25 10064]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\users\Tiberiu\AppData\Roaming\Mozilla\Firefox\Profiles\xvng6ov3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\progra~1\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~2\Office14\NPSPWRAP.DLL

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-21 08:35:23
ComboFix-quarantined-files.txt 2010-06-21 05:35

Pre-Run: 51,421,450,240 bytes free
Post-Run: 51,860,516,864 bytes free

- - End Of File - - 197786DC162124382396AF5DE7D12342




Hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:03 AM, on 6/21/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\explorer.exe
C:\Users\Tiberiu\Downloads\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AvgScan] C:\Windows\system32\AvgScan.bat
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: FABS - Helping agent for MAGIX media database (Fabs) - MAGIX AG - C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\Common Files\MAGIX Services\Database\bin\fbserver.exe
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 3663 bytes
 

johnb35

Administrator
Staff member
Do you know what this entry is for?

O4 - HKLM\..\Run: [AvgScan] C:\Windows\system32\AvgScan.bat

A batch file is user created. If not, have hijackthis fix this entry and then delete the file.

I will get back to you later on in the day after I go through the combofix log.
 

chibicitiberiu

New Member
Do you know what this entry is for?

O4 - HKLM\..\Run: [AvgScan] C:\Windows\system32\AvgScan.bat

A batch file is user created. If not, have hijackthis fix this entry and then delete the file.

I will get back to you later on in the day after I go through the combofix log.

I think that is what was causing the trouble
Opened it with notepad and this is what it contained:
Code:
@echo off
@break off
start http://3d23a8d0.linkbucks.com/
start http://e83ae95c.linkbucks.com/
start http://2d20ad52.linkbucks.com/
start http://9b147b70.linkbucks.com/
so I guess deleting this with hijack this will fix it
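An added example, not part of the thread or of HijackThis/ComboFix, showing how the triage done by hand above can be automated from a defender's side: it parses the O4 Run entries of a HijackThis log, flags any whose target is a script file rather than an executable (the AvgScan.bat-in-system32 pattern), and lists the URLs a batch file would open with `start`. The sample log lines and batch content are copied from this thread; the function names (`parse_o4`, `triage`, `extract_started_urls`) are my own.

```python
# Triage of HijackThis O4 autorun entries and of a batch launcher's contents.
import ntpath
import re
from typing import Dict, List

# Constructed sample: the O4 lines from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AvgScan] C:\Windows\system32\AvgScan.bat
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
"""

# Constructed copy of the AvgScan.bat content posted in the thread.
SAMPLE_BAT = """\
@echo off
@break off
start http://3d23a8d0.linkbucks.com/
start http://e83ae95c.linkbucks.com/
start http://2d20ad52.linkbucks.com/
start http://9b147b70.linkbucks.com/
"""

# A Run value pointing at one of these is only a launcher: the real payload
# is the file's text, so the file itself must be read.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# `start` treats a first quoted argument as the window title, so skip it.
START_URL_RE = re.compile(r'^\s*start\s+(?:"[^"]*"\s+)?(https?://\S+)',
                          re.IGNORECASE | re.MULTILINE)


def split_command(cmd: str):
    """(target_path, arguments): quoted path ends at its closing quote, unquoted at first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(log_text: str) -> List[Dict[str, str]]:
    """Parse every O4 line of a HijackThis log into a dict."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            target, args = split_command(cmd)
            entries.append({"hive": hive, "key": key, "name": name,
                            "target": target, "args": args})
    return entries


def reasons_for(entry: Dict[str, str]) -> List[str]:
    """Why an autorun entry deserves manual review (empty = nothing odd)."""
    reasons = []
    ext = ntpath.splitext(entry["target"])[1].lower()
    if ext in SCRIPT_EXTS:
        reasons.append(f"launches a script ({ext}) instead of an executable")
        # Vendors ship scheduled scans as signed EXEs under their own
        # Program Files directory, not as hand-written scripts in system32.
        if "\\system32\\" in entry["target"].lower():
            reasons.append("script stored under system32")
    return reasons


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed O4 entries that have at least one review reason."""
    return [{**e, "reasons": "; ".join(r)}
            for e in parse_o4(log_text) if (r := reasons_for(e))]


def extract_started_urls(bat_text: str) -> List[str]:
    """URLs a batch file would open with `start`, in file order."""
    return START_URL_RE.findall(bat_text)
```

Running `triage(SAMPLE_HJT_LOG)` flags only the AvgScan entry, and `extract_started_urls(SAMPLE_BAT)` returns the four linkbucks URLs, which is the evidence the thread reached by opening the file in Notepad.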
 

johnb35

Administrator
Staff member
Yes, have hijackthis fix that entry and then delete the file avgscan.bat and you should be set to go.
 

tiby

New Member
Thanx

I think that is what was causing the trouble
Opened it with notepad and this is what it contained:
Code:
@echo off
@break off
start http://3d23a8d0.linkbucks.com/
start http://e83ae95c.linkbucks.com/
start http://2d20ad52.linkbucks.com/
start http://9b147b70.linkbucks.com/
so I guess deleting this with hijack this will fix it
Hi! Many many thanx to you! I've got the same problem, and with your help, I could fix it. Greetings from Hungary!:)
 