Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Google searches redirected, Virus Scan disabled at startup

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Google searches redirected, Virus Scan disabled at startup

Unread postby epb » January 5th, 2009, 4:31 pm

Hello,

I seem to have downloaded virus or trojan that's caused a few problems for me. Originally, I had a program named Spyware Protect 2009 running in my system tray. I was also getting a number of Internet Explorer popups (and a couple links saved to my desktop) even though I was running Firefox. After running Malwarebytes Anti-Malware, I removed a number of Trojans (Agent, Vundo, Vundo.h, FakeAlert and Downloader). That seemed to clear up those issues, but I still have a couple problems. First off, even though Virus Scan is loaded at startup, the On-Access scan is disabled. I can turn it back on, but it occasionally, I'll find it turned off again on its own. The other issue is, when I do a Google search and click on a link, I'll be redirected to info.com, shopica or some other advertisement site. This happens about once every ten times.

In addition to running Anti-Malware, I've also run Ad-Aware with updated definitions, but that didin't find anything. My HijackThis logs are below. let me know if you'd like the Anti-Malware logs as well:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:02 PM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\SolarWinds\ipMonitor\ipm9watchdog.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.5.0_11\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040} (CEMAClassLoaderCtl Object) - http://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.unh.edu/dana-cached/setup/J ... tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: ipMonitorRpt - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
O23 - Service: ipMonitorSrv - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmservice9.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies Inc. - C:\Documents and Settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe
O23 - Service: SolarWinds Discovery Service - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: ZyrOSS Data Collector for Polycom Products (zyross_dc) - Unknown owner - C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe

--
End of file - 8972 bytes



Thanks in advance.
epb
Active Member
 
Posts: 10
Joined: January 5th, 2009, 4:11 pm
Advertisement
Register to Remove

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby peku006 » January 10th, 2009, 8:45 am

Hello and welcome to Malware Removal.

My name is peku006and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - Scan With ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus

Please include the C:\ComboFix.txt in your next reply for further review.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby epb » January 12th, 2009, 10:09 am

Below is my ComboFix log. I noticed a couple of odd things along the way. The first of which was when i ran it, it said it had detected a root kit and needed to reboot the computer. No problem, I allowed it to do this and ComboFix ran at startup. There was one problem, though, since it said VirusScan was running. I couldn't do anything about it since nothing else had booted up and all I had on my screen was the ComboFix window. So, I killed ComboFix, let everything else startup, disabled VirusScan and SpyBot S&D and ran ComboFix again. It still told me VirusScan was running even though i had disabled it so I let it run anyway. Below are the results:

ComboFix 09-01-11.03 - epb3 2009-01-12 8:34:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1579 [GMT -5:00]
Running from: c:\documents and settings\epb3\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\struct~.ini
c:\windows\system32\0527F69C39.dll
c:\windows\system32\Cache
c:\windows\system32\cfx32.ocx
c:\windows\system32\D7856F98E5.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekapqjnkdad.sys
c:\windows\system32\F3D8B8A343.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaebwiyrwl.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekauhhbowba.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-07 13:11 . 2009-01-07 13:11 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-06 09:55 . 2009-01-06 11:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 09:55 . 2009-01-06 11:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 08:54 . 2009-01-06 08:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-06 08:51 . 2007-10-25 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2009-01-06 08:51 . 2008-01-24 20:50 171,400 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-06 08:51 . 2008-01-24 20:50 72,936 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-06 08:51 . 2008-01-24 20:50 64,232 --a------ c:\windows\system32\drivers\mfeapfk.sys
2009-01-06 08:51 . 2008-01-24 20:50 52,104 --a------ c:\windows\system32\drivers\mfetdik.sys
2009-01-06 08:51 . 2008-01-24 20:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-06 08:51 . 2007-10-25 15:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2009-01-06 08:48 . 2009-01-06 08:48 <DIR> d-------- c:\program files\McAfee
2009-01-06 08:48 . 2009-01-06 08:48 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-05 14:41 . 2009-01-05 14:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 12:53 . 2006-10-04 09:06 1,197,294 --------- c:\windows\system32\dllcache\sysmain.sdb
2009-01-05 12:53 . 2006-10-04 09:06 764,868 --------- c:\windows\system32\dllcache\apph_sp.sdb
2009-01-05 12:53 . 2006-10-04 09:06 217,118 --------- c:\windows\system32\dllcache\apphelp.sdb
2009-01-05 12:52 . 2009-01-05 12:52 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\documents and settings\epb3\Application Data\Malwarebytes
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-05 11:49 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 11:49 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-05 11:39 . 2009-01-05 11:38 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-05 11:37 . 2009-01-05 11:39 <DIR> d-------- c:\documents and settings\epb3\.housecall6.6
2009-01-05 11:28 . 2009-01-05 11:28 <DIR> d-------- c:\documents and settings\epb3\Application Data\HouseCall 6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 16:02 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-01-06 16:02 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-01-06 13:55 --------- d-----w c:\program files\Network Associates
2009-01-06 13:50 --------- d-----w c:\program files\Common Files\Network Associates
2009-01-05 19:02 --------- d-----w c:\program files\Lavasoft
2009-01-05 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-05 19:01 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 20:55 --------- d-----w c:\program files\Sonic
2008-12-05 20:55 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-05 20:44 --------- d-----w c:\program files\Common Files\Intuit
2008-12-05 20:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 20:40 --------- d-----w c:\program files\Nortel Networks
2008-12-05 20:36 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-05 20:30 --------- d-----w c:\program files\Juniper Networks
2008-12-05 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-12-05 20:26 --------- d-----w c:\program files\Ethereal
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 9.0
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 7.5
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 7.0
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 6.12
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 6.0
2008-12-05 14:53 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-12-05 14:52 --------- d-----w c:\documents and settings\epb3\Application Data\TuneUp Software
2008-12-05 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-24 14:28 --------- d-----w c:\program files\ClearSight
2008-11-20 20:19 --------- d-----w c:\program files\GnuWin32
2008-11-17 13:23 --------- d-----w c:\documents and settings\epb3\Application Data\SSH
2008-11-14 20:14 --------- d-----w c:\documents and settings\epb3\Application Data\Elluminate
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-05-16 19:34 23,510,720 ----a-w c:\documents and settings\epb3\Application Data\dotnetfx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.CODAU"= codian_video_decoder.dll
"VIDC.CODV"= codian_video_decoder.dll
"msacm.PLCMg722"= PLCMg722.acm
"msacm.PLCMg728"= PLCMg728.acm
"msacm.PLCMg729A"= PLCMg729A.acm
"msacm.PLCMsiren"= PLCMsiren.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-1107\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-21444\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-21667\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 11:26 606208 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-01-12 20:48 275800 c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-20 12:06 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-11 07:01 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2006-12-05 18:38 707360 c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Google Update"="c:\documents and settings\epb3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\iperf.exe"=
"c:\\Program Files\\Solarwinds\\Free Tools\\TFTP-Server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Polycom\\PVX\\vvsys.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Documents and Settings\\epb3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\epb3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys [2008-02-19 2432]
R3 SolarWinds Discovery Service;SolarWinds Discovery Service;c:\program files\Solarwinds\ipMonitor\SWDiscoveryEngine12.exe [2007-10-02 122880]
R4 ipMonitorRpt;ipMonitorRpt;c:\program files\Solarwinds\ipMonitor\ipmrptsrv9.exe [2007-10-19 475136]
R4 ipMonitorSrv;ipMonitorSrv;c:\program files\Solarwinds\ipMonitor\ipmservice9.exe [2008-01-04 990720]
R4 Sniffer;SNIFFER Protocol Driver;c:\windows\system32\drivers\sniffer.sys [2005-10-27 607216]
R4 zyross_dc;ZyrOSS Data Collector for Polycom Products;c:\program files\zyross\zyross_ec_an\bin\wrapper.exe [2007-03-09 204800]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-28 42512]
S3 PGNPF;PG Netgroup Packet Filter;c:\windows\system32\PGdrivers\npf.sys --> c:\windows\system32\PGdrivers\npf.sys [?]
S4 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;c:\documents and settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe [2008-02-19 135680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]

2009-01-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\epb3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:30]

2008-12-05 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-01-12 20:48]

2008-12-05 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
- c:\windows\vVX3000.exe [2006-12-05 18:38]

2009-01-12 c:\windows\Tasks\smvqsfzk.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]

2009-01-12 c:\windows\Tasks\User_Feed_Synchronization-{E39D2DB4-ADFF-4A46-A393-BF76567CDA61}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\EMA.ClassLoader.dll - O16 -: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040}
hxxp://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
FF - ProfilePath - c:\documents and settings\epb3\Application Data\Mozilla\Firefox\Profiles\jluf5fbo.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\epb3\Application Data\Mozilla\Firefox\Profiles\jluf5fbo.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\epb3\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkapanga.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 08:36:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-12 8:38:06
ComboFix-quarantined-files.txt 2009-01-12 13:38:04

Pre-Run: 76,927,639,552 bytes free
Post-Run: 76,988,973,056 bytes free

253 --- E O F --- 2008-12-22 21:30:50


Immediately after running this, SpyBot S&D popped up telling me that some changes had been made to my registry and asked me if I should allow the changes. I assumed I had forgot to disable Spybot and that all these changes were from ComboFix so I allowed them. I disabled Spybot again and decided to run ComboFix again with it disabled. It still thought VirusScan was running, but I ran it once again. The new log didn't say it had deleted anything else, but here it is anyway:

ComboFix 09-01-11.03 - epb3 2009-01-12 8:42:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1500 [GMT -5:00]
Running from: c:\documents and settings\epb3\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-07 13:11 . 2009-01-07 13:11 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-06 09:55 . 2009-01-06 11:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 09:55 . 2009-01-06 11:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 08:54 . 2009-01-06 08:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-06 08:51 . 2007-10-25 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2009-01-06 08:51 . 2008-01-24 20:50 171,400 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-06 08:51 . 2008-01-24 20:50 72,936 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-06 08:51 . 2008-01-24 20:50 64,232 --a------ c:\windows\system32\drivers\mfeapfk.sys
2009-01-06 08:51 . 2008-01-24 20:50 52,104 --a------ c:\windows\system32\drivers\mfetdik.sys
2009-01-06 08:51 . 2008-01-24 20:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-06 08:51 . 2007-10-25 15:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2009-01-06 08:48 . 2009-01-06 08:48 <DIR> d-------- c:\program files\McAfee
2009-01-06 08:48 . 2009-01-06 08:48 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-05 14:41 . 2009-01-05 14:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 12:53 . 2006-10-04 09:06 1,197,294 --------- c:\windows\system32\dllcache\sysmain.sdb
2009-01-05 12:53 . 2006-10-04 09:06 764,868 --------- c:\windows\system32\dllcache\apph_sp.sdb
2009-01-05 12:53 . 2006-10-04 09:06 217,118 --------- c:\windows\system32\dllcache\apphelp.sdb
2009-01-05 12:52 . 2009-01-05 12:52 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\documents and settings\epb3\Application Data\Malwarebytes
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-05 11:49 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 11:49 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-05 11:39 . 2009-01-05 11:38 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-05 11:37 . 2009-01-05 11:39 <DIR> d-------- c:\documents and settings\epb3\.housecall6.6
2009-01-05 11:28 . 2009-01-05 11:28 <DIR> d-------- c:\documents and settings\epb3\Application Data\HouseCall 6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 16:02 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-01-06 16:02 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-01-06 13:55 --------- d-----w c:\program files\Network Associates
2009-01-06 13:50 --------- d-----w c:\program files\Common Files\Network Associates
2009-01-05 19:02 --------- d-----w c:\program files\Lavasoft
2009-01-05 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-05 19:01 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 20:55 --------- d-----w c:\program files\Sonic
2008-12-05 20:55 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-05 20:44 --------- d-----w c:\program files\Common Files\Intuit
2008-12-05 20:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 20:40 --------- d-----w c:\program files\Nortel Networks
2008-12-05 20:36 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-05 20:30 --------- d-----w c:\program files\Juniper Networks
2008-12-05 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-12-05 20:26 --------- d-----w c:\program files\Ethereal
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 9.0
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 7.5
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 7.0
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 6.12
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 6.0
2008-12-05 14:53 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-12-05 14:52 --------- d-----w c:\documents and settings\epb3\Application Data\TuneUp Software
2008-12-05 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-24 14:28 --------- d-----w c:\program files\ClearSight
2008-11-20 20:19 --------- d-----w c:\program files\GnuWin32
2008-11-17 13:23 --------- d-----w c:\documents and settings\epb3\Application Data\SSH
2008-11-14 20:14 --------- d-----w c:\documents and settings\epb3\Application Data\Elluminate
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-05-16 19:34 23,510,720 ----a-w c:\documents and settings\epb3\Application Data\dotnetfx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.CODAU"= codian_video_decoder.dll
"VIDC.CODV"= codian_video_decoder.dll
"msacm.PLCMg722"= PLCMg722.acm
"msacm.PLCMg728"= PLCMg728.acm
"msacm.PLCMg729A"= PLCMg729A.acm
"msacm.PLCMsiren"= PLCMsiren.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-1107\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-21444\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-21667\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 11:26 606208 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-01-12 20:48 275800 c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-20 12:06 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-11 07:01 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2006-12-05 18:38 707360 c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Google Update"="c:\documents and settings\epb3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\iperf.exe"=
"c:\\Program Files\\Solarwinds\\Free Tools\\TFTP-Server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Polycom\\PVX\\vvsys.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Documents and Settings\\epb3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\epb3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys [2008-02-19 2432]
R3 SolarWinds Discovery Service;SolarWinds Discovery Service;c:\program files\Solarwinds\ipMonitor\SWDiscoveryEngine12.exe [2007-10-02 122880]
R4 ipMonitorRpt;ipMonitorRpt;c:\program files\Solarwinds\ipMonitor\ipmrptsrv9.exe [2007-10-19 475136]
R4 ipMonitorSrv;ipMonitorSrv;c:\program files\Solarwinds\ipMonitor\ipmservice9.exe [2008-01-04 990720]
R4 Sniffer;SNIFFER Protocol Driver;c:\windows\system32\drivers\sniffer.sys [2005-10-27 607216]
R4 zyross_dc;ZyrOSS Data Collector for Polycom Products;c:\program files\zyross\zyross_ec_an\bin\wrapper.exe [2007-03-09 204800]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-28 42512]
S3 PGNPF;PG Netgroup Packet Filter;c:\windows\system32\PGdrivers\npf.sys --> c:\windows\system32\PGdrivers\npf.sys [?]
S4 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;c:\documents and settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe [2008-02-19 135680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]

2009-01-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\epb3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:30]

2008-12-05 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-01-12 20:48]

2008-12-05 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
- c:\windows\vVX3000.exe [2006-12-05 18:38]

2009-01-12 c:\windows\Tasks\smvqsfzk.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]

2009-01-12 c:\windows\Tasks\User_Feed_Synchronization-{E39D2DB4-ADFF-4A46-A393-BF76567CDA61}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\EMA.ClassLoader.dll - O16 -: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040}
hxxp://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
FF - ProfilePath - c:\documents and settings\epb3\Application Data\Mozilla\Firefox\Profiles\jluf5fbo.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\epb3\Application Data\Mozilla\Firefox\Profiles\jluf5fbo.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\epb3\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkapanga.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 08:43:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-12 8:44:33
ComboFix-quarantined-files.txt 2009-01-12 13:44:31
ComboFix2.txt 2009-01-12 13:38:07

Pre-Run: 77,007,757,312 bytes free
Post-Run: 76,989,079,552 bytes free

234 --- E O F --- 2008-12-22 21:30:50

After this ran again, I noticed that Spybot had restarted once again, but I didn't see VirusScan in my system try any longer. Also, I noticed Firefox was no longer my default browser. Anyway, I decided to reboot to see if VirusScan would come back. As I was doing this, I noticed an M in my system tray. Ordinarilly, my VirusScan console is represented by a V, by I remember reading about how to disable VirusScan before running ComboFix and it said the icon was an M. Anyway, my computer restarted and VirusScan was back, this time with the familar V in the system tray.

All that aside, here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:39, on 2009-01-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\SolarWinds\ipMonitor\ipm9watchdog.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe
C:\Program Files\Java\jre1.5.0_11\bin\java.exe
C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040} (CEMAClassLoaderCtl Object) - http://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.unh.edu/dana-cached/setup/J ... tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: ipMonitorRpt - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
O23 - Service: ipMonitorSrv - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmservice9.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies Inc. - C:\Documents and Settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe
O23 - Service: SolarWinds Discovery Service - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: ZyrOSS Data Collector for Polycom Products (zyross_dc) - Unknown owner - C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe

--
End of file - 8983 bytes

Thanks for your help.
epb
Active Member
 
Posts: 10
Joined: January 5th, 2009, 4:11 pm

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby peku006 » January 12th, 2009, 11:00 am

Hi epb

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\ffkuz.dll
c:\windows\system32\drivers\logiflt.iad



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Run Malwarebytes' Anti-Malware

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
On the Scanner tab:
  • Make sure the "Perform full scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found here:

    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


3 - Status Check
Please reply with

1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
How is the computer running now?

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby epb » January 12th, 2009, 12:30 pm

First off, here are the logs. First, ComboFix:

ComboFix 09-01-11.03 - epb3 2009-01-12 10:12:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1498 [GMT -5:00]
Running from: c:\documents and settings\epb3\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\epb3\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\ffkuz.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\ffkuz.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-06 09:55 . 2009-01-06 11:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 09:55 . 2009-01-06 11:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 08:54 . 2009-01-06 08:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-06 08:51 . 2007-10-25 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2009-01-06 08:51 . 2008-01-24 20:50 171,400 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-06 08:51 . 2008-01-24 20:50 72,936 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-06 08:51 . 2008-01-24 20:50 64,232 --a------ c:\windows\system32\drivers\mfeapfk.sys
2009-01-06 08:51 . 2008-01-24 20:50 52,104 --a------ c:\windows\system32\drivers\mfetdik.sys
2009-01-06 08:51 . 2008-01-24 20:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-06 08:51 . 2007-10-25 15:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2009-01-06 08:48 . 2009-01-06 08:48 <DIR> d-------- c:\program files\McAfee
2009-01-06 08:48 . 2009-01-06 08:48 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-05 14:41 . 2009-01-05 14:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 12:53 . 2006-10-04 09:06 1,197,294 --------- c:\windows\system32\dllcache\sysmain.sdb
2009-01-05 12:53 . 2006-10-04 09:06 764,868 --------- c:\windows\system32\dllcache\apph_sp.sdb
2009-01-05 12:53 . 2006-10-04 09:06 217,118 --------- c:\windows\system32\dllcache\apphelp.sdb
2009-01-05 12:52 . 2009-01-05 12:52 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\documents and settings\epb3\Application Data\Malwarebytes
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-05 11:49 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 11:49 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-05 11:39 . 2009-01-05 11:38 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-05 11:37 . 2009-01-05 11:39 <DIR> d-------- c:\documents and settings\epb3\.housecall6.6
2009-01-05 11:28 . 2009-01-05 11:28 <DIR> d-------- c:\documents and settings\epb3\Application Data\HouseCall 6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 16:02 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-01-06 13:55 --------- d-----w c:\program files\Network Associates
2009-01-06 13:50 --------- d-----w c:\program files\Common Files\Network Associates
2009-01-05 19:02 --------- d-----w c:\program files\Lavasoft
2009-01-05 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-05 19:01 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 20:55 --------- d-----w c:\program files\Sonic
2008-12-05 20:55 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-05 20:44 --------- d-----w c:\program files\Common Files\Intuit
2008-12-05 20:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 20:40 --------- d-----w c:\program files\Nortel Networks
2008-12-05 20:36 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-05 20:30 --------- d-----w c:\program files\Juniper Networks
2008-12-05 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-12-05 20:26 --------- d-----w c:\program files\Ethereal
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 9.0
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 7.5
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 7.0
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 6.12
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 6.0
2008-12-05 14:53 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-12-05 14:52 --------- d-----w c:\documents and settings\epb3\Application Data\TuneUp Software
2008-12-05 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-24 14:28 --------- d-----w c:\program files\ClearSight
2008-11-20 20:19 --------- d-----w c:\program files\GnuWin32
2008-11-17 13:23 --------- d-----w c:\documents and settings\epb3\Application Data\SSH
2008-11-14 20:14 --------- d-----w c:\documents and settings\epb3\Application Data\Elluminate
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-05-16 19:34 23,510,720 ----a-w c:\documents and settings\epb3\Application Data\dotnetfx.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-12_ 8.37.18.88 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-12 13:30:40 212,568 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-12 15:06:12 212,572 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-07-26 12:25:24 109,080 ----a-w c:\windows\Temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.CODAU"= codian_video_decoder.dll
"VIDC.CODV"= codian_video_decoder.dll
"msacm.PLCMg722"= PLCMg722.acm
"msacm.PLCMg728"= PLCMg728.acm
"msacm.PLCMg729A"= PLCMg729A.acm
"msacm.PLCMsiren"= PLCMsiren.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-1107\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-21444\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-21667\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 11:26 606208 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-01-12 20:48 275800 c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-20 12:06 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-11 07:01 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2006-12-05 18:38 707360 c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Google Update"="c:\documents and settings\epb3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\iperf.exe"=
"c:\\Program Files\\Solarwinds\\Free Tools\\TFTP-Server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Polycom\\PVX\\vvsys.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Documents and Settings\\epb3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\epb3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys [2008-02-19 2432]
R3 SolarWinds Discovery Service;SolarWinds Discovery Service;c:\program files\Solarwinds\ipMonitor\SWDiscoveryEngine12.exe [2007-10-02 122880]
R4 ipMonitorRpt;ipMonitorRpt;c:\program files\Solarwinds\ipMonitor\ipmrptsrv9.exe [2007-10-19 475136]
R4 ipMonitorSrv;ipMonitorSrv;c:\program files\Solarwinds\ipMonitor\ipmservice9.exe [2008-01-04 990720]
R4 Sniffer;SNIFFER Protocol Driver;c:\windows\system32\drivers\sniffer.sys [2005-10-27 607216]
R4 zyross_dc;ZyrOSS Data Collector for Polycom Products;c:\program files\zyross\zyross_ec_an\bin\wrapper.exe [2007-03-09 204800]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-28 42512]
S3 PGNPF;PG Netgroup Packet Filter;c:\windows\system32\PGdrivers\npf.sys --> c:\windows\system32\PGdrivers\npf.sys [?]
S4 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;c:\documents and settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe [2008-02-19 135680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]

2009-01-12 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\epb3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:30]

2008-12-05 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-01-12 20:48]

2008-12-05 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
- c:\windows\vVX3000.exe [2006-12-05 18:38]

2009-01-12 c:\windows\Tasks\smvqsfzk.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]

2009-01-12 c:\windows\Tasks\User_Feed_Synchronization-{E39D2DB4-ADFF-4A46-A393-BF76567CDA61}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\EMA.ClassLoader.dll - O16 -: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040}
hxxp://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
FF - ProfilePath - c:\documents and settings\epb3\Application Data\Mozilla\Firefox\Profiles\jluf5fbo.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\epb3\Application Data\Mozilla\Firefox\Profiles\jluf5fbo.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\epb3\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkapanga.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 10:13:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-12 10:15:05
ComboFix-quarantined-files.txt 2009-01-12 15:15:01
ComboFix2.txt 2009-01-12 13:44:35
ComboFix3.txt 2009-01-12 13:38:07

Pre-Run: 76,902,309,888 bytes free
Post-Run: 76,885,356,544 bytes free

249 --- E O F --- 2008-12-22 21:30:50


And Anti-Malware:

Malwarebytes' Anti-Malware 1.32
Database version: 1645
Windows 5.1.2600 Service Pack 2

2009-01-12 11:02:15
mbam-log-2009-01-12 (11-02-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 112160
Time elapsed: 30 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\seneka.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekapqjnkdad.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000001.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000127.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


I did a little browsing and am not sure if I have a problem. I did a Google search and I was redirected to another page. However, it threw ad2.doubleclicker.net before the URL. I know a little about doubleclicker and my understanding is it's not malicious. However, the fact that I'm going to another URL, have to hit back and then click on the link again is disturbing. I'm no longer being sent to sites like info.com or shopica anymore, though, so I suppose that's a plus. Of course, I don't remember anything like this happening pre-infection.

I just tried to reproduce the problem. I did a Google search in Firefox for "spyware". The first link was to Wikipedia and went straight there, but I did see ad2.doublclicker.net being loaded. The next link was for Ad-aware. I clicked it, and it sent me to the following URL:

http://www.stopzilla.com/products/stopz ... mart_55326

Again, I clicked back and then on the link again and went to Lavasoft's site.

Thanks for your help. I look forward to any further suggestions.
epb
Active Member
 
Posts: 10
Joined: January 5th, 2009, 4:11 pm

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby peku006 » January 12th, 2009, 1:04 pm

Hi epb

1 - Download and Run GooredFix

Download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1
and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Note: Do not run Option #2 yet.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the report from Goored
2. a fresh HijackThis log

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby epb » January 12th, 2009, 1:42 pm

OK, here's my GooredFix log:

GooredFix v1.81 by jpshortstuff
Log created at 12:40 on 12/01/2009 running Option #1 (epb3)
Firefox version 3.0.5 (en-US)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{24E4398D-B58B-424B-8D9D-02D6A5F4156F}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{24E4398D-B58B-424B-8D9D-02D6A5F4156F}\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{07E86107-B02E-45FE-9984-7A5ED6E9E8AE}"="C:\Documents and Settings\epb3\Local Settings\Application Data\{07E86107-B02E-45FE-9984-7A5ED6E9E8AE}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{24E4398D-B58B-424B-8D9D-02D6A5F4156F}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{24E4398D-B58B-424B-8D9D-02D6A5F4156F}\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{07E86107-B02E-45FE-9984-7A5ED6E9E8AE}"="C:\Documents and Settings\epb3\Local Settings\Application Data\{07E86107-B02E-45FE-9984-7A5ED6E9E8AE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

And HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41, on 2009-01-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\SolarWinds\ipMonitor\ipm9watchdog.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe
C:\Program Files\Java\jre1.5.0_11\bin\java.exe
C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\epb3\Desktop\GooredFix.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040} (CEMAClassLoaderCtl Object) - http://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.unh.edu/dana-cached/setup/J ... tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: ipMonitorRpt - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
O23 - Service: ipMonitorSrv - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmservice9.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies Inc. - C:\Documents and Settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe
O23 - Service: SolarWinds Discovery Service - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: ZyrOSS Data Collector for Polycom Products (zyross_dc) - Unknown owner - C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe

--
End of file - 9081 bytes
epb
Active Member
 
Posts: 10
Joined: January 5th, 2009, 4:11 pm

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby peku006 » January 12th, 2009, 2:20 pm

Hi epb

GooredFix-Option 2
Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, post the contents of that log in your next reply along with a new HijackThis log (it can also be found on your desktop, called GooredLog.txt).

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby epb » January 12th, 2009, 2:33 pm

OK, ran it, asked me to reboot so I did. GooredFix said there was an input error when it ran at startup. At that point, I checked the log:

GooredFix v1.81 by jpshortstuff
Log created at 13:22 on 12/01/2009 running Option #2 (epb3)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{24E4398D-B58B-424B-8D9D-02D6A5F4156F}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{24E4398D-B58B-424B-8D9D-02D6A5F4156F}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{24E4398D-B58B-424B-8D9D-02D6A5F4156F}\
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Failed.
->Delete on reboot... Set.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{07E86107-B02E-45FE-9984-7A5ED6E9E8AE}"="C:\Documents and Settings\epb3\Local Settings\Application Data\{07E86107-B02E-45FE-9984-7A5ED6E9E8AE}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\epb3\Local Settings\Application Data\{07E86107-B02E-45FE-9984-7A5ED6E9E8AE}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

=====Reboot=====


I noticed it failed to delete one folder and it didn't look like anything happened after reboot so I ran it once more to be safe and it didn't delete anything new:

GooredFix v1.81 by jpshortstuff
Log created at 13:29 on 12/01/2009 running Option #2 (epb3)
Firefox version 3.0.5 (en-US)
(Subsequent Run)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"
epb
Active Member
 
Posts: 10
Joined: January 5th, 2009, 4:11 pm

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby peku006 » January 12th, 2009, 3:08 pm

Hi epb

Looking good :)

1 - Update Java

Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.
  • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a log file has been produced. Click OK.
  • A log file will pop up. Please save it to a convenient location.

Download the latest version of Java Runtime Environment (JRE) 6 Update 11.

  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.

2 - Clean temp files

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.

    Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    if you use Firefox:
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    if you use Opera:
      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

3 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

5 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby epb » January 12th, 2009, 3:58 pm

OK, ran everything except the Kaspersky scan. Everytime I run it, I get following error:

(Edit: Guess I can't post images, but here's the link to it)

http://img72.imageshack.us/my.php?image ... skyed5.png

I tried with both Firefox and IE. Rebooted my comp and same error everytime. Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53 PM, on 2009-01-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\SolarWinds\ipMonitor\ipm9watchdog.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre1.5.0_11\bin\java.exe
C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040} (CEMAClassLoaderCtl Object) - http://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.unh.edu/dana-cached/setup/J ... tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: ipMonitorRpt - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
O23 - Service: ipMonitorSrv - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmservice9.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies Inc. - C:\Documents and Settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe
O23 - Service: SolarWinds Discovery Service - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: ZyrOSS Data Collector for Polycom Products (zyross_dc) - Unknown owner - C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe

--
End of file - 9211 bytes
epb
Active Member
 
Posts: 10
Joined: January 5th, 2009, 4:11 pm

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby peku006 » January 12th, 2009, 4:15 pm

Hi epb
OK don't worry about kaspersky, we'll try a different online scanner

  1. Please go to F-Secure website to perform an online scan. Click on Start scanning at the bottom of the page.
  2. You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
  3. Click on Accept to accept the License Agreement.
  4. Click on Custom Scan.
    • Under Virus Scan Options, select the Scan whole system option.
    • Under Other Scan Options, select these options:
      • Scan all files
      • Scan whole system for rootkits
      • Scan whole system for spyware
      • Scan inside archives
      • Use advanced heuristics
  5. Click Start.
  6. It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
  7. Click on I want decide item by item.
  8. Under Actions, select None for all infections found.
  9. Click Next.
  10. Click on Show Report.
  11. Please copy and paste this report in your next reply.
  12. Click Finish.

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby epb » January 13th, 2009, 12:53 pm

Any idea how long the scan should take? I let this run overnight and when i came back, the IE window had somehow been killed. No one else had access to the computer so it must have crashed after running the scan. I've run it again this morning for about four hours and it's not quite done. It's scanned about 280000 files, skipped 36 and found 2 viruses. I'm going to have to leave in a few hours so I'm just worried that it'll still be running and will have crashed agin by the time i get back.
epb
Active Member
 
Posts: 10
Joined: January 5th, 2009, 4:11 pm

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby epb » January 13th, 2009, 1:44 pm

Ignore my last post. Got it working. Here's my F-Secure log:

Scanning Report
Tuesday, January 13, 2009 08:10:17 - 12:41:27

Computer name: DBVJVM81
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 2 malware found
Trojan-Downloader.Win32.Murlo.vn (virus)

* C:\Qoobox\Quarantine\C\WINDOWS\system32\ffkuz.dll.vir (Submitted)

Trojan.Win32.Small.brl (virus)

* C:\Qoobox\Quarantine\C\WINDOWS\system32\senekauhhbowba.dll.vir (Submitted)

Statistics
Scanned:

* Files: 293346
* System: 3835
* Not scanned: 59

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 2

Files not scanned:

x�

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2009-01-13
* F-Secure AVP: 7.0.171, 2009-01-13
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.



And HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43 PM, on 2009-01-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\SolarWinds\ipMonitor\ipm9watchdog.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre1.5.0_11\bin\java.exe
C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\epb3\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\epb3\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040} (CEMAClassLoaderCtl Object) - http://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.unh.edu/dana-cached/setup/J ... tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: ipMonitorRpt - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
O23 - Service: ipMonitorSrv - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmservice9.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies Inc. - C:\Documents and Settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe
O23 - Service: SolarWinds Discovery Service - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: ZyrOSS Data Collector for Polycom Products (zyross_dc) - Unknown owner - C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe

--
End of file - 9792 bytes
epb
Active Member
 
Posts: 10
Joined: January 5th, 2009, 4:11 pm

Re: Google searches redirected, Virus Scan disabled at startup

Unread postby peku006 » January 13th, 2009, 2:25 pm

Hi epb

Run GooredFix

Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1
and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Note: Do not run Option #2 yet.

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 62 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware