google redirects

Post by justabout1 » January 4th, 2009, 7:02 am

I have a problem in that each time I do a Google search and click on a link, it redirects me to an ad site.
Does anyone know what the problem is and, more importantly, the solution?
Your help is much appreciated, and the HijackThis log is attached.
Thank you, Justin

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:55 PM, on 4/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Athlon64\LOCALS~1\Temp\Rar$EX18.125\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspace.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25EBFA7E-A624-487D-AD62-BD7EE060B2D7} (NetworkTen Class) - http://supernatural.ten.com.au/entriq/c ... _5_0_7.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1296267218
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/ ... 586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://supernatural.ten.com.au/entriq/c ... Silent.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\system32\winload.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11977 bytes
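The log above contains the kinds of entries a helper scans for before anything else: a Winlogon Shell value (the F2 line) with a second executable appended after Explorer.exe, browser add-ons listed as "(no file)", a SharedTaskScheduler entry whose DLL is "(file missing)", and a DPF entry with no download source. The script below is an added example written for this page, not HijackThis code and not part of the original thread. It encodes those checks as rules and runs them over lines copied from the posted log; the rule names, severities and the list of core binaries expected only under system32 are this editor's choices.

```python
"""Rule-based triage of HijackThis log lines.

Added example (the editor's own, not HijackThis or MalwareRemoval.com
code). The rules encode this editor's assumptions about what a helper
checks first; SAMPLE is copied from the log posted above.
"""
import re

# XP runs these session/service binaries only from system32; a copy
# anywhere else (or an extra one chained into the Shell value) is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe"}

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.I)
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$", re.I)
DPF_EMPTY_RE = re.compile(r"^O16 - DPF: \{[0-9A-F-]+\}\s*-\s*$", re.I)
PATH_RE = re.compile(r"[a-z]:\\[^\s\"']+", re.I)
SEVERITY = {"high": 0, "medium": 1, "low": 2}

# Lines copied verbatim from the HijackThis log in the thread.
SAMPLE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\system32\winload.dll (file missing)
"""


def check_line(line):
    """Return a list of (severity, rule, detail) findings for one log line."""
    findings = []
    m = SHELL_RE.match(line)
    if m:
        # The Shell value must be exactly Explorer.exe; anything else
        # appended to it is started in every interactive logon.
        tokens = m.group(1).split()
        if [t.lower() for t in tokens] != ["explorer.exe"]:
            extra = " ".join(t for t in tokens if t.lower() != "explorer.exe")
            findings.append(("high", "winlogon-shell", extra))
    if ORPHAN_RE.search(line):
        # Registration whose file is gone: leftover to clean, rarely active.
        findings.append(("low", "orphan-entry", line))
    if DPF_EMPTY_RE.match(line):
        # ActiveX download entry with no source URL to verify against.
        findings.append(("medium", "dpf-no-source", line))
    for path in PATH_RE.findall(line):
        name = path.lower().rsplit("\\", 1)[-1]
        if name in CORE_NAMES and not path.lower().startswith(SYSTEM_DIRS):
            findings.append(("high", "core-name-outside-system32", path))
    return findings


def triage(log_text):
    """Run check_line over a whole log and return findings, highest severity first."""
    out = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            out.extend(check_line(line))
    return sorted(out, key=lambda f: SEVERITY[f[0]])


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE):
        print(f"{severity:6} {rule:28} {detail}")
```

Run against the six sample lines it reports two high findings on the same path (the Shell value carries it, and it is a core binary name outside system32), one medium for the source-less DPF entry, and two low orphan registrations; the ZoneAlarm Run entry and the Google toolbar BHO produce nothing. The point of the severity ordering is the one the helper's replies follow: the persistence entry that runs at every logon is dealt with before the cosmetic leftovers.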

Re: google redirects

Post by davis » January 4th, 2009, 1:13 pm

Hi justabout1,

Welcome to MRU. My name is davis, and I will be helping you to fix your malware problems.
If your issues have been resolved or you have already received help elsewhere, please let us know. If not, and you still need help, please follow the instructions below.


Step 1

In accordance with Malware Removal's P2P Programs Policy, please uninstall the following program before we continue:

  1. Click on Start > Control Panel and double click on Add/Remove Programs.
  2. Locate eMule and click on the Change/Remove button to uninstall it.
  3. Close Add/Remove Programs and Control Panel when done.
Note: All P2P programs should be removed as soon as possible. Thank you for your understanding.



Step 2

Please close all browsers and other windows while running GooredFix.

  • Please download GooredFix and save it to your Desktop.
  • Double-click Goored.exe to run it. Select "1. Find Goored (no fix)" by typing 1 and pressing Enter.
  • A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Note: Do not run Option #2 yet.


Step 3

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text below into it:

@Echo off
REM Dump the multimedia driver mappings (wave, midi, codecs) to a text file for review
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32" >> C:\look.txt
REM Open the dump in the default .txt viewer (Notepad)
START C:\look.txt


Name the file check.bat, making sure "Save as type" is set to "All Files".
Double-click check.bat and allow it to run. Copy and paste the contents of the file that opens into your next reply (if the file does not open, look for it at C:\look.txt).


Step 4
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (which will be maximized) and info.txt (which will be minimized).



In your next reply, please post back:

1. Goored log
2. look.txt
3. RSIT log.txt and info.txt

Thanks.
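Step 3 above dumps the Drivers32 key because the multimedia subsystem loads the modules named there into any process that uses the wave, MIDI or codec APIs, which makes it a user-mode persistence point that HijackThis does not list. The most reliable way to read such a dump is to compare it with a known-good one rather than eyeball it. The script below is an added example written for this page, not a tool from the thread: it parses the `reg query` output format that check.bat produces, diffs it against a baseline, and flags entries that are new, changed, carry an unusual extension, or resolve to an absolute path outside system32. BASELINE is a subset of the values posted later in the thread; SUSPECT is a constructed dump with one hypothetical added entry (midi9 pointing at example_hook.dll) and one redirected value (wave); neither file name is a real sample.

```python
"""Baseline comparison for the Drivers32 dump produced by check.bat.

Added example (the editor's own, not a tool from the thread). BASELINE is
a subset of the values posted in the thread; SUSPECT is constructed, with
one hypothetical added mapping (midi9) and one changed value (wave).
"""
import re
from pathlib import PureWindowsPath

# reg.exe prints "<name>  REG_SZ  <value>" value lines under a key header.
ENTRY_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
KNOWN_EXT = {".dll", ".drv", ".acm", ".ax"}
SYSTEM32 = "c:\\windows\\system32\\"

BASELINE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
vidc.cvid REG_SZ iccvid.dll
vidc.iv41 REG_SZ ir41_32.ax
wavemapper REG_SZ msacm32.drv
msacm.iac2 REG_SZ C:\WINDOWS\system32\iac25_32.ax
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32\Terminal Server
"""

# Constructed "later" dump: hypothetical extra mapping plus a redirected
# 'wave' entry pointing into the user's Temp folder.
SUSPECT = BASELINE.replace(
    "wave REG_SZ wdmaud.drv",
    "wave REG_SZ C:\\DOCUME~1\\Athlon64\\LOCALS~1\\Temp\\wdmaud.drv\n"
    "midi9 REG_SZ C:\\WINDOWS\\system32\\example_hook.dll",
)


def parse_dump(text):
    """Return {name: value} for the value lines of a reg query dump."""
    entries = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("!", "HKEY_")):
            continue  # banner, key headers and blank lines
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(3)
    return entries


def review(current, baseline):
    """Compare a dump with a known-good one; return (severity, name, reason) list."""
    findings = []
    for name, value in current.items():
        if name not in baseline:
            findings.append(("high", name, f"not in baseline: {value}"))
        elif baseline[name].lower() != value.lower():
            findings.append(("high", name, f"changed from {baseline[name]} to {value}"))
        p = PureWindowsPath(value)
        if p.suffix.lower() not in KNOWN_EXT:
            findings.append(("medium", name, f"unusual extension: {value}"))
        # Bare file names resolve from system32; an absolute path elsewhere
        # is the pattern that redirects loads to an attacker-controlled DLL.
        if p.anchor and not value.lower().startswith(SYSTEM32):
            findings.append(("high", name, f"absolute path outside system32: {value}"))
    for name in baseline.keys() - current.keys():
        findings.append(("low", name, "present in baseline but missing now"))
    return findings


if __name__ == "__main__":
    for severity, name, reason in review(parse_dump(SUSPECT), parse_dump(BASELINE)):
        print(f"{severity:6} {name:16} {reason}")
```

Comparing a dump with itself yields nothing, which is the sanity check to run first. The constructed dump yields three findings: midi9 is absent from the baseline, and wave is both changed and pointing outside system32. A baseline from a clean install of the same service pack is the ideal reference; failing that, the posted dump is what the helper compares against their own experience of what XP SP3 installs.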

Re: google redirects

Post by justabout1 » January 4th, 2009, 6:23 pm

Dear Davis,
Thank you for your help.
I have removed eMule.

Goored log text is as follows:
GooredFix v1.6 by jpshortstuff
Log created at 09:02 on 05/01/2009 running Option #1 (Athlon64)
Firefox version [Unable to determine]

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

Bat file contents are:
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.trspch REG_SZ tssoft32.acm
vidc.cvid REG_SZ iccvid.dll
VIDC.I420 REG_SZ msh263.drv
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
VIDC.IYUV REG_SZ iyuv_32.dll
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
VIDC.UYVY REG_SZ msyuv.dll
VIDC.YUY2 REG_SZ msyuv.dll
VIDC.YVU9 REG_SZ tsbyuv.dll
VIDC.YVYU REG_SZ msyuv.dll
wavemapper REG_SZ msacm32.drv
msacm.msg723 REG_SZ msg723.acm
vidc.M263 REG_SZ msh263.drv
vidc.M261 REG_SZ msh261.drv
msacm.msaudio1 REG_SZ msaud32.acm
msacm.sl_anet REG_SZ sl_anet.acm
msacm.iac2 REG_SZ C:\WINDOWS\system32\iac25_32.ax
vidc.iv50 REG_SZ ir50_32.dll
msacm.l3acm REG_SZ C:\WINDOWS\system32\l3codeca.acm
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv
MSVideo8 REG_SZ VfWWDM32.dll
msacm.siren REG_SZ sirenacm.dll
vidc.DIVX REG_SZ DivX.dll
vidc.yv12 REG_SZ DivX.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32\Terminal Server

But I have a problem running RSIT.exe, as my PC freezes EVERY time I try to run it.
Any other suggestions?
Cheers,
Justin

Re: google redirects

Post by davis » January 5th, 2009, 1:14 am

Please try this instead:

Step 1

Please download DDS and save it to your desktop.


  1. Double click dds.scr to run the tool.
  2. When done, DDS.txt will open.
  3. Click Yes at the next prompt for Optional Scan.
  4. Save both reports to your desktop.


Step 2

Please download GMER Rootkit Scanner from Here or Here.


  1. Extract the contents of the zipped file to desktop.
  2. Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  3. If it warns you about rootkit activity and asks if you want to run a scan, click NO.
  4. In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  5. Then click the Scan button and wait for it to finish. For more information, see here.
  6. Once done, click the [Save..] button and, in the File name box, type "GRS.txt"; otherwise it will save as a .log file, which cannot be uploaded to your post.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


In your next reply, please post back:

1. DDS.txt
2. GRS.txt
3. Attach.txt (attached to the post)

Re: google redirects

Post by justabout1 » January 5th, 2009, 2:13 am

Hi,
Your link to DDS is broken, but I found where to download it from.
Here is what you asked for.

DDS (Version 1.1.0) - NTFSx86
Run by Athlon64 at 17:01:01.31 on Mon 05/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.440 [GMT 11:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *enabled*
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Athlon64\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netspace.com.au/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Shell=Explorer.exe c:\windows\config\csrss.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: bho2gr Class: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\athlon64\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: COM+ Service: {3c49ddac-3da4-4743-af6c-5974feaf875c} - c:\windows\system32\winload.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-8-24 28544]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2009-1-1 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2009-1-1 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2009-1-1 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2009-1-1 10760]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-3-20 353680]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2009-1-1 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2009-1-1 49664]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-3-3 1174152]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 CTL518;Video Blaster WebCam (WDM);c:\windows\system32\drivers\wcvid.sys [2000-11-28 183589]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]

=============== Created Last 30 ================

2009-01-05 09:05 <DIR> --d----- c:\program files\trend micro
2009-01-02 00:28 <DIR> --d-hr-- C:\$VAULT$.AVG
2009-01-01 21:59 <DIR> --d----- c:\docume~1\athlon64\applic~1\AVG7
2008-12-26 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-26 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2008-12-23 20:04 <DIR> --d----- C:\spoolerlogs
2008-12-23 18:35 <DIR> --dshr-- C:\resycled
2008-12-23 18:35 255 ---shr-- C:\autorun.inf
2008-12-23 18:22 <DIR> --d----- c:\program files\Smart PDF Converter Pro
2008-12-21 19:05 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-21 19:05 1,409 a------- c:\windows\QTFont.for
2008-12-14 14:18 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-12-12 10:42 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 10:20 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2008-12-14 14:18 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-11-24 09:13 1,966,080 a------- c:\windows\system32\cdintf251.dll
2008-10-29 09:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-29 09:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-29 09:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-29 09:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-29 09:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-23 23:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-17 07:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-12-11 20:39 2 a------- c:\program files\common files\sure.bkk
2007-10-19 21:29 15,562 a------- c:\program files\common files\tracker.txt
2007-09-03 22:21 24 a------- c:\program files\common files\Emmcq3Dir.Dir
2006-07-24 23:17 2 a------- c:\program files\common files\emq.dll
2006-07-18 20:11 10 a------- c:\program files\common files\axs.oos
2006-07-18 20:11 2 a------- c:\program files\common files\win2.ziq
2006-07-18 20:11 2 a------- c:\program files\common files\dvd.xxx
2006-03-03 19:02 10 a------- c:\program files\common files\davd.fgh
2006-03-03 19:02 0 a------- c:\program files\common files\point.tyu
2006-03-03 19:02 0 a------- c:\program files\common files\ass.bvc
2006-03-03 19:02 2 a------- c:\program files\common files\weel.llk
2006-03-03 19:02 2 a------- c:\program files\common files\qwerty.jhh
2008-08-24 16:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 17:01:37.64 ===============

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-05 17:09:23
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA77FA8D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA77F76E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA7804490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA77FAE90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xA7801C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xA7801E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xA7805D50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA77FAF80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA77F7C70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA7804D10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA7804AC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xA7801600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA7805230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA78052B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA77F7AD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xA78034F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xA78032B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA7805970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA78053D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA77FA4F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA78057C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xA77FAAA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA77F7EA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA7804800]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xA7802580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xA7802400]

Code 8667D6D0 ZwEnumerateKey
Code 8642A828 ZwFlushInstructionCache
Code 86431828 ZwQueryValueKey
Code AAFB6E99 pIofCallDriver

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\msqpdxkkuyuida.sys (*** hidden *** ) AAFB5000-AAFE0000 (176128 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\msqpdxkkuyuida.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxkkuyuida.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxkkuyuida.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxplgrmtoj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxkkuyuida.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxkkuyuida.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxplgrmtoj.dll
Reg HKLM\SOFTWARE\Classes\msqpdxvx
Reg HKLM\SOFTWARE\Classes\msqpdxvx@msqpdxrun 71
Reg HKLM\SOFTWARE\Classes\msqpdxvx@msqpdxpff 8297
Reg HKLM\SOFTWARE\Classes\msqpdxvx@msqpdxaff 3293
Reg HKLM\SOFTWARE\Classes\msqpdxvx@msqpdxinfo ?}gx~yc?~f?cccnnbvkonrlomNYQc
Reg HKLM\SOFTWARE\Classes\msqpdxvx@msqpdxid rfx?~~?? ?h?j?efni?iil?ohTRVWTSPW+,
Reg HKLM\SOFTWARE\Classes\msqpdxvx@msqpdxsrv 1745024793
Reg HKLM\SOFTWARE\Classes\msqpdxvx@msqpdxpos 5}~p|z?vwp4biedfbakz
Reg HKCU\Software\Microsoft\Windows Live\Communications Clients\Shared\1259786443@StoreMemberReplicationStatus 1

---- EOF - GMER 1.0.14 ----


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/03/2006 2:04:46 PM
System Uptime: 1/05/2009 3:00:18 PM (-2782 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | GA-K8NF-9
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket 939 | 2211/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 186 GiB total, 172.863 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 9
Adobe Shockwave Player
ADOCEinstall
Advanced RAR Password Recovery (remove only)
Anatomy MCQs
ArcSoft PhotoStudio 5.5
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
AutoUpdate
AVG 7.5
Canon MP Navigator 2.0
Canon MP800
Canon Utilities Easy-PhotoPrint
CCleaner (remove only)
CD-LabelPrint
Compatibility Pack for the 2007 Office system
Cool MP3 Converter V1.86
Creative Video Blaster WebCam Driver
Creative WebCam Control
Creative WebCam Monitor
deskUNPDF 2
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Easy-WebPrint
Entriq MediaSphere 3.5.2.2
Eudora
Free PDF to Word Doc Converter v1.1
getPlus(R)_ocx
GetRight
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImageMixer VCD2
Invoice2go 4.0
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Japanese Fonts Support For Adobe Reader 9
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Macromedia Flash Player
Magic ISO Maker v5.4 (build 0256)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft ActiveSync 4.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.2
Microsoft IntelliType Pro 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MIMS on PDA for Pocket PC
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 7 Premium
Network Ten Media Manager 3.5.0.7
NVIDIA Drivers
OmniPage SE 2.0
OpenOffice.org Installer 1.0
Panda ActiveScan
Panda ActiveScan 2.0
PCPitstop Panda AntiVirus Scan (remove only)
Picture Package
PixScreen_CE
QuickTime
RealPlayer
Realtek AC'97 Audio
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Smart PDF Converter 4.2
Sony USB Driver
Spybot - Search & Destroy 1.5.2.20
SpywareGuard v2.2
Trial1-2-3FileConvert v3.0
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VC 9.0 Runtime
ViewSonic Monitor Drivers
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
ZoneAlarm
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

2/01/2009 8:33:14 AM, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 001485BDB192 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

Cheers
Justin
justabout1
Active Member
 
Posts: 5
Joined: January 4th, 2009, 6:55 am

Re: google redirects

Unread postby davis » January 7th, 2009, 3:59 am

Hi justabout1,


Step 1

Click Start > Settings > Control Panel.
In the Control Panel window, double-click Add/Remove Programs.

ZoneAlarm Spy Blocker

and click on Change/Remove to remove it.


Step 2

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofi ... e-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. You will see the below prompt when you first run ComboFix:


Image


The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once Recovery Console is installed, you should see a blue screen prompt like the one below:


Image

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.


In your next reply, please post back:

1. Combofix log
2. New DDS.txt

Thanks
davis
Regular Member
 
Posts: 910
Joined: February 3rd, 2008, 4:48 am

Re: google redirects

Unread postby justabout1 » January 7th, 2009, 3:25 pm

ComboFix 09-01-07.01 - Athlon64 2009-01-08 6:14:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.659 [GMT 11:00]
Running from: c:\documents and settings\Athlon64\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *enabled*
FW: ZoneAlarm Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - system32: deleted 75766 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\resycled
c:\windows\system32\drivers\msqpdxkkuyuida.sys
c:\windows\system32\gvaexnvb.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\msqpdxplgrmtoj.dll
c:\windows\system32\mt_32.dll
c:\windows\system32\pmcrt.dll
c:\windows\system32\qrqss.ini
c:\windows\system32\swqafbpu.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-08 00:01 . 2007-12-17 22:22 262,144 --a------ c:\program files\Uninstall Spy Blocker.dll
2009-01-05 17:03 . 2009-01-05 17:05 250 --a------ c:\windows\gmer.ini
2009-01-05 09:05 . 2009-01-05 09:05 <DIR> d-------- C:\rsit
2009-01-05 09:05 . 2009-01-05 09:05 <DIR> d-------- c:\program files\trend micro
2009-01-02 00:28 . 2009-01-02 00:28 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-01 21:59 . 2009-01-01 21:59 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AVG7
2009-01-01 21:59 . 2009-01-07 09:27 <DIR> d-------- c:\documents and settings\Athlon64\Application Data\AVG7
2009-01-01 21:59 . 2009-01-07 09:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg7
2008-12-26 23:27 . 2009-01-01 21:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-26 22:03 . 2008-12-26 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-26 20:27 . 2008-12-26 20:27 <DIR> d-------- c:\windows\BDOSCAN8
2008-12-23 20:04 . 2008-12-23 20:04 <DIR> d-------- C:\spoolerlogs
2008-12-23 18:22 . 2008-12-23 18:40 <DIR> d-------- c:\program files\Smart PDF Converter Pro
2008-12-21 19:05 . 2008-12-21 19:05 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-21 19:05 . 2008-12-21 19:05 1,409 --a------ c:\windows\QTFont.for
2008-12-14 14:18 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-12-12 10:42 . 2008-12-12 10:42 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-12 10:20 . 2008-12-12 10:20 <DIR> d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 22:00 --------- d-----w c:\program files\eMule
2009-01-02 03:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-02 03:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 10:59 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-12-26 09:34 --------- d-----w c:\program files\Panda Security
2008-12-23 07:50 --------- d-----w c:\documents and settings\Athlon64\Application Data\deskUNPDF
2008-12-23 07:22 --------- d-----w c:\program files\Common Files\Adobe
2008-12-23 07:19 --------- d-----w c:\program files\Trial123FileConvert
2008-12-23 06:14 --------- d-----w c:\documents and settings\Athlon64\Application Data\Canon
2008-12-21 21:52 --------- d-----w c:\documents and settings\Athlon64\Application Data\uTorrent
2008-12-18 20:59 --------- d-----w c:\program files\Google
2008-12-11 23:42 --------- d-----w c:\program files\Java
2008-11-23 22:13 1,966,080 ----a-w c:\windows\system32\cdintf251.dll
2008-11-10 10:32 --------- d-----w c:\documents and settings\Athlon64\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-11-07 09:14 --------- d-----w c:\program files\DivX
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-23 12:40 12,858,683 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 03:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 03:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 03:06 208,744 ----a-w c:\windows\system32\muweb.dll
2007-12-11 09:39 2 ----a-w c:\program files\Common Files\sure.bkk
2007-10-19 10:29 15,562 ----a-w c:\program files\Common Files\tracker.txt
2007-09-03 11:21 24 ----a-w c:\program files\Common Files\Emmcq3Dir.Dir
2006-07-24 12:17 2 ----a-w c:\program files\Common Files\emq.dll
2006-07-18 09:11 2 ----a-w c:\program files\Common Files\win2.ziq
2006-07-18 09:11 2 ----a-w c:\program files\Common Files\dvd.xxx
2006-07-18 09:11 10 ----a-w c:\program files\Common Files\axs.oos
2006-03-03 08:02 2 ----a-w c:\program files\Common Files\weel.llk
2006-03-03 08:02 2 ----a-w c:\program files\Common Files\qwerty.jhh
2006-03-03 08:02 10 ----a-w c:\program files\Common Files\davd.fgh
2006-03-03 08:02 0 ----a-w c:\program files\Common Files\point.tyu
2006-03-03 08:02 0 ----a-w c:\program files\Common Files\ass.bvc
2008-08-24 05:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-06-29 32768]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-14 282624]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-10 185872]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-01-02 590848]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2009-01-01 219136]

c:\documents and settings\Athlon64\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Athlon64^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Athlon64\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-03 15:18 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2005-11-15 19:44 1200128 c:\progra~1\MI3AA1~1\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetworkTen Media Manager Tray]
--a------ 2007-01-11 15:08 387152 c:\program files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-05-14 14:50 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-10 16:58 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 12:49 4670968 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\Athlon64\\Desktop\\utorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-24 28544]
S3 CTL518;Video Blaster WebCam (WDM);c:\windows\system32\drivers\wcvid.sys [2000-11-28 183589]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58f0075b-a9f2-11da-b2b2-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6E615E07-8CA2-BF63-4CB9-CD1A796988B3}]
c:\windows\system32:svchost.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - c:\windows\system32\winload.dll
MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
MSConfigStartUp-eMuleAutoStart - c:\program files\eMule\emule.exe
MSConfigStartUp-warez - c:\program files\Warez P2P Client\warez.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netspace.com.au/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

O16 -: {25EBFA7E-A624-487D-AD62-BD7EE060B2D7} - hxxp://supernatural.ten.com.au/entriq/c ... _5_0_7.cab
c:\windows\Downloaded Program Files\MediaSphere.inf

O16 -: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://supernatural.ten.com.au/entriq/c ... Silent.cab
c:\windows\Downloaded Program Files\MediaSphere.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 06:17:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-162531612-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-08 6:18:17
ComboFix-quarantined-files.txt 2009-01-07 19:18:15

Pre-Run: 186,983,575,552 bytes free
Post-Run: 186,980,880,384 bytes free

244 --- E O F --- 2008-12-18 21:01:22

DDS text


DDS (Version 1.1.0) - NTFSx86
Run by Athlon64 at 6:21:54.39 on Thu 08/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.550 [GMT 11:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *enabled*
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Athlon64\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netspace.com.au/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: bho2gr Class: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\athlon64\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-8-24 28544]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2009-1-1 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2009-1-1 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2009-1-1 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2009-1-1 10760]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-3-20 353680]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2009-1-1 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2009-1-1 49664]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-3-3 1174152]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 CTL518;Video Blaster WebCam (WDM);c:\windows\system32\drivers\wcvid.sys [2000-11-28 183589]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]

=============== Created Last 30 ================

2009-01-08 06:11 161,792 a------- c:\windows\SWREG.exe
2009-01-08 06:11 98,816 a------- c:\windows\sed.exe
2009-01-08 06:10 <DIR> --d----- C:\ComboFix
2009-01-08 00:01 262,144 a------- c:\program files\Uninstall Spy Blocker.dll
2009-01-05 17:03 250 a------- c:\windows\gmer.ini
2009-01-05 09:05 <DIR> --d----- c:\program files\trend micro
2009-01-02 00:28 <DIR> --d-hr-- C:\$VAULT$.AVG
2009-01-01 21:59 <DIR> --d----- c:\docume~1\athlon64\applic~1\AVG7
2008-12-26 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-26 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2008-12-23 20:04 <DIR> --d----- C:\spoolerlogs
2008-12-23 18:22 <DIR> --d----- c:\program files\Smart PDF Converter Pro
2008-12-21 19:05 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-21 19:05 1,409 a------- c:\windows\QTFont.for
2008-12-14 14:18 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-12-12 10:42 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 10:20 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2008-12-14 14:18 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-11-24 09:13 1,966,080 a------- c:\windows\system32\cdintf251.dll
2008-10-29 09:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-29 09:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-29 09:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-29 09:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-29 09:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-23 23:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-17 07:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-12-11 20:39 2 a------- c:\program files\common files\sure.bkk
2007-10-19 21:29 15,562 a------- c:\program files\common files\tracker.txt
2007-09-03 22:21 24 a------- c:\program files\common files\Emmcq3Dir.Dir
2006-07-24 23:17 2 a------- c:\program files\common files\emq.dll
2006-07-18 20:11 10 a------- c:\program files\common files\axs.oos
2006-07-18 20:11 2 a------- c:\program files\common files\win2.ziq
2006-07-18 20:11 2 a------- c:\program files\common files\dvd.xxx
2006-03-03 19:02 10 a------- c:\program files\common files\davd.fgh
2006-03-03 19:02 0 a------- c:\program files\common files\point.tyu
2006-03-03 19:02 0 a------- c:\program files\common files\ass.bvc
2006-03-03 19:02 2 a------- c:\program files\common files\weel.llk
2006-03-03 19:02 2 a------- c:\program files\common files\qwerty.jhh
2008-08-24 16:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 6:22:17.60 ===============
justabout1
Active Member
 
Posts: 5
Joined: January 4th, 2009, 6:55 am

Re: google redirects

Unread postby davis » January 8th, 2009, 3:52 am

Hi justabout1,


I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms".
It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove one of the following.

Norton AntiVirus 2005(outdated)
AVG 7.5.552

Since Norton AntiVirus 2005 is an outdated version, you are well advised to clean the leftovers with the Norton Removal Tool.
After that, please do the following:


Step1

Please click START, then RUN.
Now copy/paste Combofix /u into the Run box and click OK.
Note the space between the X and the U; it needs to be there.

After that, please re-download ComboFix to your desktop, since it updates frequently.

Please click "Yes" to install the Recovery Console.



  1. Close any open browsers
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
Code:
DDS::
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
File::
c:\program files\Uninstall Spy Blocker.dll
Folder::
c:\program files\eMule
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6E615E07-8CA2-BF63-4CB9-CD1A796988B3}]

Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Step3

Please do an online scan with Kaspersky Online Scanner.


  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click the Accept button on the "Requirements and limitations".
  3. When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  4. It will download and install the program and update the database.
  5. When the database update has finished, click on Settings.
  6. Make sure all boxes are checked, then click on the Save button.
  7. Click on My Computer under the Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, click on View Scan Report.
  9. You may see a list of infected items there. Click on Save Report As.
  10. Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  11. Please post the contents in your next reply.

You can refer to this animation




Please post back the logs in your next reply.

1. KAS Scan Report
2. Combofix log
3. New DDS.txt

Tell me how your pc is running now.
davis
Regular Member
 
Posts: 910
Joined: February 3rd, 2008, 4:48 am
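
The CFScript procedure in the post above, as an added example that is not part of the original thread or of the ComboFix/DDS tools themselves: a small Python script that parses DDS "Pseudo HJT Report" lines (the format quoted in the logs), picks out the CLSID entries DDS marks as "No File", and assembles the DDS::/File::/Folder::/Registry:: sections in the layout the helper's script uses. The sample lines are constructed for the example, the regular expressions are my assumption about the line shapes based only on the lines visible in this thread, and the function names are mine.

```python
"""Build a ComboFix CFScript skeleton from DDS pseudo-HJT lines.

Added example; not code from MalwareRemoval.com, DDS or ComboFix. The line
shapes matched below are assumed from the DDS output quoted in the thread.
"""
import re

# Constructed sample input in the "Pseudo HJT Report" format DDS prints.
# Paths and names are illustrative, not taken from a real machine.
SAMPLE_DDS = """\
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\\program files\\yahoo!\\companion\\installs\\cpn\\yt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\\program files\\google\\googletoolbar3.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\\program files\\google\\googletoolbar3.dll
mRun: [AVG7_CC] c:\\progra~1\\grisoft\\avg7\\avgcc.exe /STARTUP
"""

# Entry kinds that register a CLSID: "<kind>: [<name>:] {GUID} - <dll path | No File>".
CLSID_LINE = re.compile(
    r"^(?P<kind>BHO|TB|EB|uURLSearchHooks):\s*"
    r"(?:(?P<name>[^{]*?):\s*)?"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.+?)\s*$"
)
# Run-key entries: "<u|m|d>Run[Once]: [<value name>] <command line>"
# (u = HKCU, m = HKLM, d = HKU\.DEFAULT, following DDS's prefix convention).
RUN_LINE = re.compile(r"^(?P<kind>[umd]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_hjt_lines(text):
    """Turn DDS pseudo-HJT lines into dicts; line shapes we don't know are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CLSID_LINE.match(line)
        if m:
            entries.append({
                "line": line,
                "kind": m["kind"],
                "name": (m["name"] or "").strip(),
                "clsid": m["clsid"].upper(),
                "path": m["path"],
                # DDS prints "No File" when the DLL the CLSID points at is gone.
                "orphan": m["path"].lower() == "no file",
            })
            continue
        m = RUN_LINE.match(line)
        if m:
            entries.append({
                "line": line, "kind": m["kind"], "name": m["name"],
                "clsid": None, "path": m["cmd"], "orphan": False,
            })
    return entries


def orphaned_entries(entries):
    """CLSID entries whose DLL no longer exists: leftover registrations, safe to script."""
    return [e for e in entries if e["orphan"]]


def build_cfscript(dds_entries, files=(), folders=(), registry_keys=()):
    """Assemble the CFScript sections in the layout used in the thread.

    DDS::      DDS report lines, copied verbatim
    File::     full paths of files to delete
    Folder::   directories to delete (recursively)
    Registry:: .reg-style key lines; "[-KEY]" deletes the key
    """
    sections = []
    if dds_entries:
        sections.append("DDS::\n" + "\n".join(e["line"] for e in dds_entries))
    if files:
        sections.append("File::\n" + "\n".join(files))
    if folders:
        sections.append("Folder::\n" + "\n".join(folders))
    if registry_keys:
        sections.append("Registry::\n" + "\n".join(f"[-{k}]" for k in registry_keys))
    return "\n".join(sections) + "\n"


def cfscript_from_report(text, files=(), folders=(), registry_keys=()):
    """Parse a DDS report and script removal of its orphaned CLSID entries."""
    orphans = orphaned_entries(parse_hjt_lines(text))
    return build_cfscript(orphans, files, folders, registry_keys)


if __name__ == "__main__":
    # Hypothetical targets, chosen to mirror the shape of the helper's script.
    print(cfscript_from_report(
        SAMPLE_DDS,
        files=[r"c:\program files\Uninstall Spy Blocker.dll"],
        folders=[r"c:\program files\eMule"],
        registry_keys=[r"HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6E615E07-8CA2-BF63-4CB9-CD1A796988B3}"],
    ))
```

Only the "No File" orphans are selected automatically, because that is the one class of entry the log itself proves is dead weight. The File::, Folder:: and Registry:: targets still have to be chosen by someone reading the whole log: ComboFix deletes exactly what the script names, and the log posted later in this thread shows the Folder:: line removing the entire eMule directory, downloaded music included.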

Re: google redirects

Unread postby justabout1 » January 8th, 2009, 6:44 am

My PC is running very smoothly with your help.
The attachments you requested are:
ComboFix 09-01-07.02 - Athlon64 2009-01-08 19:56:28.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.541 [GMT 11:00]
Running from: c:\documents and settings\Athlon64\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Athlon64\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

FILE ::
c:\program files\Uninstall Spy Blocker.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\eMule
c:\program files\eMule\Incoming\ - Mika - Relax, Take It Easy.mp3
c:\program files\eMule\Incoming\Backstreet Boys - Larger Than Life.mp3
c:\program files\eMule\Incoming\Backstreet Boys - Show Me The Meaning Of Being Lonely.mp3
c:\program files\eMule\Incoming\Backstreet boys - Tell Me Why.mp3
c:\program files\eMule\Incoming\bear force one.mp3
c:\program files\eMule\Incoming\Boys 2 Men - Boyz Ii Men - I Ll Make Love To You.mp3
c:\program files\eMule\Incoming\Pet Shop Boys & Dusty Springfield - What Have I Done To Deserve This.mp3
c:\program files\eMule\Incoming\Phantom of the Opera - Theme.mp3
c:\program files\eMule\Incoming\Shirley Bassey - Where Do I Begin (Love Story).mp3
c:\program files\eMule\Temp\006.part
c:\program files\eMule\Temp\006.part.met
c:\program files\eMule\Temp\006.part.met.bak
c:\program files\Uninstall Spy Blocker.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-08 19:36 . 2009-01-08 19:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-05 17:03 . 2009-01-05 17:05 250 --a------ c:\windows\gmer.ini
2009-01-05 09:05 . 2009-01-05 09:05 <DIR> d-------- C:\rsit
2009-01-05 09:05 . 2009-01-05 09:05 <DIR> d-------- c:\program files\trend micro
2009-01-02 00:28 . 2009-01-08 08:26 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-01 21:59 . 2009-01-01 21:59 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AVG7
2009-01-01 21:59 . 2009-01-08 08:00 <DIR> d-------- c:\documents and settings\Athlon64\Application Data\AVG7
2009-01-01 21:59 . 2009-01-07 09:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg7
2008-12-26 23:27 . 2009-01-01 21:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-26 22:03 . 2008-12-26 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-26 20:27 . 2008-12-26 20:27 <DIR> d-------- c:\windows\BDOSCAN8
2008-12-23 20:04 . 2008-12-23 20:04 <DIR> d-------- C:\spoolerlogs
2008-12-23 18:22 . 2008-12-23 18:40 <DIR> d-------- c:\program files\Smart PDF Converter Pro
2008-12-21 19:05 . 2008-12-21 19:05 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-21 19:05 . 2008-12-21 19:05 1,409 --a------ c:\windows\QTFont.for
2008-12-14 14:18 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-12-12 10:42 . 2008-12-12 10:42 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-12 10:20 . 2008-12-12 10:20 <DIR> d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 08:37 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 08:37 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-02 03:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-02 03:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 10:59 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-12-26 09:34 --------- d-----w c:\program files\Panda Security
2008-12-23 07:50 --------- d-----w c:\documents and settings\Athlon64\Application Data\deskUNPDF
2008-12-23 07:22 --------- d-----w c:\program files\Common Files\Adobe
2008-12-23 07:19 --------- d-----w c:\program files\Trial123FileConvert
2008-12-23 06:14 --------- d-----w c:\documents and settings\Athlon64\Application Data\Canon
2008-12-21 21:52 --------- d-----w c:\documents and settings\Athlon64\Application Data\uTorrent
2008-12-18 20:59 --------- d-----w c:\program files\Google
2008-12-11 23:42 --------- d-----w c:\program files\Java
2008-11-23 22:13 1,966,080 ----a-w c:\windows\system32\cdintf251.dll
2008-11-10 10:32 --------- d-----w c:\documents and settings\Athlon64\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-23 12:40 12,858,683 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 03:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 03:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 03:06 208,744 ----a-w c:\windows\system32\muweb.dll
2007-12-11 09:39 2 ----a-w c:\program files\Common Files\sure.bkk
2007-10-19 10:29 15,562 ----a-w c:\program files\Common Files\tracker.txt
2007-09-03 11:21 24 ----a-w c:\program files\Common Files\Emmcq3Dir.Dir
2006-07-24 12:17 2 ----a-w c:\program files\Common Files\emq.dll
2006-07-18 09:11 2 ----a-w c:\program files\Common Files\win2.ziq
2006-07-18 09:11 2 ----a-w c:\program files\Common Files\dvd.xxx
2006-07-18 09:11 10 ----a-w c:\program files\Common Files\axs.oos
2006-03-03 08:02 2 ----a-w c:\program files\Common Files\weel.llk
2006-03-03 08:02 2 ----a-w c:\program files\Common Files\qwerty.jhh
2006-03-03 08:02 10 ----a-w c:\program files\Common Files\davd.fgh
2006-03-03 08:02 0 ----a-w c:\program files\Common Files\point.tyu
2006-03-03 08:02 0 ----a-w c:\program files\Common Files\ass.bvc
2008-08-24 05:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2008-10-15 633632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-06-29 32768]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-14 282624]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-10 185872]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-01-02 590848]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2009-01-01 219136]

c:\documents and settings\Athlon64\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Athlon64^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Athlon64\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-03 15:18 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2005-11-15 19:44 1200128 c:\progra~1\MI3AA1~1\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetworkTen Media Manager Tray]
--a------ 2007-01-11 15:08 387152 c:\program files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-05-14 14:50 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-10 16:58 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 12:49 4670968 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\Athlon64\\Desktop\\utorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-24 28544]
S3 CTL518;Video Blaster WebCam (WDM);c:\windows\system32\drivers\wcvid.sys [2000-11-28 183589]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58f0075b-a9f2-11da-b2b2-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netspace.com.au/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

O16 -: {25EBFA7E-A624-487D-AD62-BD7EE060B2D7} - hxxp://supernatural.ten.com.au/entriq/c ... _5_0_7.cab
c:\windows\Downloaded Program Files\MediaSphere.inf

O16 -: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://supernatural.ten.com.au/entriq/c ... Silent.cab
c:\windows\Downloaded Program Files\MediaSphere.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 19:57:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-162531612-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-08 19:58:25
ComboFix-quarantined-files.txt 2009-01-08 08:58:23
ComboFix2.txt 2009-01-08 08:52:15
ComboFix3.txt 2009-01-07 19:18:18

Pre-Run: 186,918,645,760 bytes free
Post-Run: 186,903,068,672 bytes free

241 --- E O F --- 2008-12-18 21:01:22


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, January 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 08, 2009 09:50:58
Records in database: 1586041
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 55601
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:58:47


File name / Threat name / Threats count
C:\Documents and Settings\Athlon64\My Documents\Downloads\Windows Vista Activator.rar Infected: Trojan.Win32.Midgare.npq 1

The selected area was scanned.


DDS (Version 1.1.0) - NTFSx86
Run by Athlon64 at 21:40:24.14 on Thu 08/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.342 [GMT 11:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Athlon64\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netspace.com.au/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: bho2gr Class: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [<NO NAME>] c:\program files\internet explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servle ... 6.000000b5
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\athlon64\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-8-24 28544]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2009-1-1 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2009-1-1 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2009-1-1 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2009-1-1 10760]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-3-20 353680]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2009-1-1 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2009-1-1 49664]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 CTL518;Video Blaster WebCam (WDM);c:\windows\system32\drivers\wcvid.sys [2000-11-28 183589]

=============== Created Last 30 ================

2009-01-08 19:56 <DIR> --d----- C:\ComboFix
2009-01-08 19:48 <DIR> a-dshr-- C:\cmdcons
2009-01-08 19:47 161,792 a------- c:\windows\SWREG.exe
2009-01-08 19:47 98,816 a------- c:\windows\sed.exe
2009-01-08 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-05 17:03 250 a------- c:\windows\gmer.ini
2009-01-05 09:05 <DIR> --d----- c:\program files\trend micro
2009-01-02 00:28 <DIR> --d-hr-- C:\$VAULT$.AVG
2009-01-01 21:59 <DIR> --d----- c:\docume~1\athlon64\applic~1\AVG7
2008-12-26 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-26 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2008-12-23 20:04 <DIR> --d----- C:\spoolerlogs
2008-12-23 18:22 <DIR> --d----- c:\program files\Smart PDF Converter Pro
2008-12-21 19:05 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-21 19:05 1,409 a------- c:\windows\QTFont.for
2008-12-14 14:18 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-12-12 10:42 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 10:20 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2008-12-14 14:18 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-11-24 09:13 1,966,080 a------- c:\windows\system32\cdintf251.dll
2008-10-29 09:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-29 09:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-29 09:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-29 09:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-29 09:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-23 23:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-17 07:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-12-11 20:39 2 a------- c:\program files\common files\sure.bkk
2007-10-19 21:29 15,562 a------- c:\program files\common files\tracker.txt
2007-09-03 22:21 24 a------- c:\program files\common files\Emmcq3Dir.Dir
2006-07-24 23:17 2 a------- c:\program files\common files\emq.dll
2006-07-18 20:11 10 a------- c:\program files\common files\axs.oos
2006-07-18 20:11 2 a------- c:\program files\common files\win2.ziq
2006-07-18 20:11 2 a------- c:\program files\common files\dvd.xxx
2006-03-03 19:02 10 a------- c:\program files\common files\davd.fgh
2006-03-03 19:02 0 a------- c:\program files\common files\point.tyu
2006-03-03 19:02 0 a------- c:\program files\common files\ass.bvc
2006-03-03 19:02 2 a------- c:\program files\common files\weel.llk
2006-03-03 19:02 2 a------- c:\program files\common files\qwerty.jhh
2008-08-24 16:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 21:40:50.00 ===============

Cheers
justin
justabout1
Active Member
 
Posts: 5
Joined: January 4th, 2009, 6:55 am

Re: google redirects

Unread postby davis » January 8th, 2009, 3:10 pm

Hi justabout1,

My pc is running very smoothly

That sounds good. :cheers: Please do the following:

Use Windows Explorer to find and delete this file:

C:\Documents and Settings\Athlon64\My Documents\Downloads\Windows Vista Activator.rar

Other than that, your logs look good. Any issues left? If not, let's do some housecleaning.

Step 1

Click START then RUN
Now copy/paste Combofix /u into the run box and click OK.
Note the space between the X and the U; it needs to be there.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
Remember to delete GooredFix, DDS, GMER Rootkit Scanner, bat file and all the logs we have used.


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:



  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Make your Internet Explorer more secure

    Please refer to this thread to configure Internet Explorer 7 properly.


  3. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  4. Install a-squared Free - a-squared Free is a product from Emsi Software, provided free for private use, that can detect and remove a variety of malicious software. If you have a dial-up internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium-rate dialers.

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free

  5. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here on how to prevent malware.


Glad to be of help. Safe surfing!!
davis
Regular Member
 
Posts: 910
Joined: February 3rd, 2008, 4:48 am

Re: google redirects

Unread postby Shaba » January 9th, 2009, 4:28 am

justabout1, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland