
Google redirection virus

Unread postby will122k3 » June 17th, 2009, 10:03 pm

First, thanks in advance for your help. I picked up some type of virus/malware that redirects Google every time I run a search. Sometimes once I click on a link, it will go to a website that is blocked, sometimes it will try to run a scan on my computer, but generally it will redirect me to some random website.

I have already done some research on this, and I saw that the HijackThis log file is the best way to get this resolved. I have installed and scanned my computer with AVG Free 8.5, McAfee (which I have since uninstalled because it would constantly shut down for no reason) and Spyware Terminator. Both definitely found multiple threats, but none solved the problem. For some unknown reason Malwarebytes' Anti-Malware does not seem to even open; it once worked, but now when I click on the application, nothing happens. I tried uninstalling and reinstalling to no avail. I ran a scan with Spyware Terminator; it found multiple objects, and I didn't check the report closely enough because it found explorer.exe to be a threat, so it was quarantined. Of course, once rebooted, the computer looked like a blank screen, but I'm pretty computer literate so I was able to figure it out. That's my situation and I would definitely appreciate any help in removing this.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:05 PM, on 6/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN 3000 Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GameSpy\Comrade\Comrade.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - HKCU\..\Run: [Uninstall_CToolbar] "C:\DOCUME~1\ROOT~1.CHA\LOCALS~1\Temp\CUninst.exe" "/remove"
O4 - HKUS\S-1-5-19\..\Run: [rudayebono] Rundll32.exe "C:\WINDOWS\system32\rotirufe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rudayebono] Rundll32.exe "C:\WINDOWS\system32\rotirufe.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: office.exe
O4 - Global Startup: TIBCO Software Inc. VPN Client.lnk = C:\Program Files\Cisco Systems\VPN 3000 Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.tibco.com
O17 - HKLM\Software\..\Telephony: DomainName = na.tibco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.tibco.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\sukikori.dll,c:\progra~1\Manson\liser.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN 3000 Client\cvpnd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 10031 bytes
will122k3
Active Member
Posts: 11
Joined: June 17th, 2009, 9:49 pm
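One way to triage an autorun listing like the one above mechanically, as an added example (my own code, not HijackThis's and not part of the original post): the script applies a few defender-side heuristics to the O4 and O20 lines and reports the entries that merit a second look. The sample lines are copied from the log above; the rule set, the `SERVICE_SIDS` list and the function names are my own assumptions, and a hit is a lead to verify by hand, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed excerpt: six lines copied from the HijackThis log posted above,
# chosen so that each rule below fires at least once.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Uninstall_CToolbar] "C:\DOCUME~1\ROOT~1.CHA\LOCALS~1\Temp\CUninst.exe" "/remove"
O4 - HKUS\S-1-5-19\..\Run: [rudayebono] Rundll32.exe "C:\WINDOWS\system32\rotirufe.dll",s (User 'LOCAL SERVICE')
O4 - Global Startup: office.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\sukikori.dll,c:\progra~1\Manson\liser.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

# Well-known SIDs of the built-in service accounts (assumption: legitimate
# desktop software has no reason to register an autorun under these hives).
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
GLOBAL_RE = re.compile(r"^O4 - Global Startup: (?P<entry>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# rundll32 followed by an absolute .dll path (quoted or not).
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[A-Za-z]:\\[^",]+\.dll)', re.I)
SYSTEM32_ROOT_RE = re.compile(r"\\system32\\[^\\]+\.dll$", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)


def triage_hijackthis(log: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for autorun entries worth a closer look."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = GLOBAL_RE.match(line)
        if m:
            entry = m.group("entry")
            # Installers drop .lnk shortcuts here; a bare executable is unusual.
            if "=" not in entry and not entry.lower().endswith(".lnk"):
                findings.append((line, "bare executable in the Global Startup folder"))
            continue

        m = O20_RE.match(line)
        if m:
            # Every DLL in AppInit_DLLs is loaded into every process that links
            # user32.dll, so any entry here deserves a look.
            for dll in m.group("dlls").split(","):
                findings.append((line, f"AppInit_DLLs injects {dll.strip()} into every GUI process"))
            continue

        m = O4_RE.match(line)
        if m:
            hive, cmd = m.group("hive"), m.group("cmd")
            if any(sid in hive for sid in SERVICE_SIDS):
                findings.append((line, "autorun under a service-account hive"))
            dll = RUNDLL_RE.match(cmd)
            if dll and SYSTEM32_ROOT_RE.search(dll.group("dll")):
                findings.append((line, "rundll32 loading a DLL placed directly in system32"))
            if TEMP_RE.search(cmd):
                findings.append((line, "autorun launched from a Temp directory"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_hijackthis(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The rules deliberately stay simple: they key on where an autorun lives and what it launches, not on the file name, because names in logs like this one are generated per infection and are useless as signatures. The AVG and Winlogon Notify lines in the sample pass untouched, which is the point: the output is a short list of leads rather than the whole log.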

Re: Google redirection virus

Unread postby Shaba » June 20th, 2009, 6:06 am

Hi will122k3

Is this a personal computer?
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Google redirection virus

Unread postby will122k3 » June 20th, 2009, 10:14 am

It's actually a T42 IBM laptop.
will122k3
Active Member
Posts: 11
Joined: June 17th, 2009, 9:49 pm

Re: Google redirection virus

Unread postby Shaba » June 20th, 2009, 10:57 am

Yes, but is it a personal computer or a company computer?
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Google redirection virus

Unread postby will122k3 » June 21st, 2009, 1:19 am

It used to be a company computer, but my dad gave it to me about a year ago. I believe it is a program where the employee can opt to buy the computer after a while, after his was updated by the company.
will122k3
Active Member
Posts: 11
Joined: June 17th, 2009, 9:49 pm

Re: Google redirection virus

Unread postby Shaba » June 21st, 2009, 4:24 am

I see.

Download gmer.zip and save to your desktop.
alternate download site
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Google redirection virus

Unread postby will122k3 » June 23rd, 2009, 2:36 am

I correctly downloaded the file, then extracted it to a file. I click on the file, and get a message saying the publisher could not be verified, would you like to run this file? I hit run of course, and nothing happens. I've tried this several times. I've tried deleting the file and re-downloading, downloading from the alternate site, and running in safe mode to no avail.

By default, I have .zip files opening with WinZip, this obviously did not work, so I right clicked on the .zip file and chose to open it as a "Compressed (zipped) Folder". I did this method exactly as the tutorial said in the link, although it was redundant as I already know how to do it. I even tried executing the file with WinRAR archiver, obviously to no avail. I'm at a loss now. The only other time I can remember anything not opening once I clicked it is Malwarebyte's Anti-Malware, which continues not to run.

I've also come across another problem with my computer. I always open Firefox for the internet, but I have IE installed. I run the task manager and it shows iexplorer.exe is running at like 46,000 K of memory, even though I never ran Internet Explorer. I had just restarted, so there is no reason for it to open on its own. I hear a Lysol ad from my speakers, and I'm shocked because the only window I have up is Firefox, which is on this page as I was typing this reply. There is definitely something odd with my computer; I just heard the Internet Explorer clicking noise as I type this, and I see iexplorer.exe is running at about 20,000K even though I never opened it.
will122k3
Active Member
Posts: 11
Joined: June 17th, 2009, 9:49 pm

Re: Google redirection virus

Unread postby Shaba » June 23rd, 2009, 2:56 am

Please rename gmer.exe and tell me if that helped :)
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Google redirection virus

Unread postby will122k3 » June 24th, 2009, 12:28 am

Your solution worked perfectly; I am interested in why a file's name would make any difference to it opening. I did get an error message after the scan saying the system had been changed due to some type of rootkit activity. All of the files of type 'library' were in red as well.

The IE clicking noise continues, it even de-selects my current window, greying it out, out of nowhere. Here is the info:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-06-23 23:24:43
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.12 ----

Code 8A33689E ZwEnumerateKey
Code 8A54EE66 ZwFlushInstructionCache
Code 00000000 pIofCallDriver
Code 8A5D2E65 IofCallDriver
Code 8A55A89D IofCompleteRequest

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 8A5D2E6A
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 8A55A8A2
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 8A3368A2
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 8A54EE6A

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\AVG\AVG8\avgtray.exe[180] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04D4000A
.text C:\Program Files\AVG\AVG8\avgtray.exe[180] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04D5000A
.text C:\WINDOWS\system32\rundll32.exe[208] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00AE000A
.text C:\WINDOWS\system32\rundll32.exe[208] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00AF000A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[268] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00CF000A
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[320] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04B7000A
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[320] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B8000A
.text C:\WINDOWS\system32\rundll32.exe[328] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00AE000A
.text C:\WINDOWS\system32\rundll32.exe[328] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00AF000A
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[400] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04B6000A
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[400] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B7000A
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[488] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04B6000A
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[488] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B7000A
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\FSRremoS.EXE[636] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04A1000A
.text C:\WINDOWS\system32\FSRremoS.EXE[636] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B3000A
.text C:\WINDOWS\system32\ati2evxx.exe[672] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04A7000A
.text C:\WINDOWS\system32\ati2evxx.exe[672] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B9000A
.text C:\WINDOWS\system32\S24EvMon.exe[696] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\S24EvMon.exe[696] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00B9000A
.text C:\Program Files\GameSpy\Comrade\Comrade.exe[744] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04BA000A
.text C:\Program Files\GameSpy\Comrade\Comrade.exe[744] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 07C21BB0 c:\program files\gamespy\comrade\154\DetectLib.dll
.text C:\Program Files\GameSpy\Comrade\Comrade.exe[744] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 07C21BF0 c:\program files\gamespy\comrade\154\DetectLib.dll
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[808] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04A1000A
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[808] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B3000A
.text C:\WINDOWS\Explorer.EXE[836] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00B1000A
.text C:\WINDOWS\Explorer.EXE[836] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00B2000A
.text C:\Program Files\Messenger\msmsgs.exe[880] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A9000A
.text C:\Program Files\Messenger\msmsgs.exe[880] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00AA000A
.text C:\WINDOWS\system32\services.exe[1080] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0073000A
.text C:\WINDOWS\system32\services.exe[1080] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\lsass.exe[1092] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0089000A
.text C:\WINDOWS\system32\ibmpmsvc.exe[1260] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\ibmpmsvc.exe[1260] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\ati2evxx.exe[1284] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\ati2evxx.exe[1284] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00A9000A
.text C:\WINDOWS\system32\LEXBCES.EXE[1568] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\LEXBCES.EXE[1568] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\LEXPPS.EXE[1612] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00AA000A
.text C:\WINDOWS\system32\spoolsv.exe[1620] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00AF000A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1744] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04A2000A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1744] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B4000A
.text C:\WINDOWS\AGRSMMSG.exe[1752] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04B6000A
.text C:\WINDOWS\AGRSMMSG.exe[1752] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B7000A
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1764] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04BB000A
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1764] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04BC000A
.text C:\WINDOWS\system32\TpShocks.exe[1776] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04A4000A
.text C:\WINDOWS\system32\TpShocks.exe[1776] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B6000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1796] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04AF000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1796] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04C1000A
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[1816] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04A6000A
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[1816] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B8000A
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[1824] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04BC000A
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[1824] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04BD000A
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[1828] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04B6000A
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[1828] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B7000A
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1856] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04B2000A
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1856] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B3000A
.text C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[1916] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04B5000A
.text C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[1916] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B6000A
.text C:\Program Files\Network Associates\Common Framework\Mctray.exe[1944] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04B7000A
.text C:\Program Files\Network Associates\Common Framework\Mctray.exe[1944] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B8000A
.text C:\Program Files\a-squared Free\a2service.exe[1996] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A5000A
.text C:\Program Files\a-squared Free\a2service.exe[1996] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00A7000A
.text C:\Program Files\a-squared Free\a2service.exe[1996] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes [ 4F, 42, C4, 83 ]
.text C:\WINDOWS\system32\rundll32.exe[2020] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00AE000A
.text C:\WINDOWS\system32\rundll32.exe[2020] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\ico.exe[2036] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04A1000A
.text C:\WINDOWS\system32\ico.exe[2036] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B3000A
.text C:\Program Files\Palm\Hotsync.exe[2084] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00C8000A
.text C:\Program Files\Palm\Hotsync.exe[2084] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00C9000A
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2116] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00BA000A
.text C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe[2160] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04CB000A
.text C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe[2160] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04CC000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2364] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 008E000A
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2580] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0096000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2608] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes JMP 0092000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2608] ntdll.dll!LdrUnloadDll + 4 7C91736F 1 Byte [ 84 ]
.text C:\WINDOWS\system32\svchost.exe[2672] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 006B000A
.text C:\Program Files\Cisco Systems\VPN 3000 Client\cvpnd.exe[2764] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04C7000A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[2848] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 008D000A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3144] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04B9000A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3144] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04BA000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\alg.exe[3268] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0087000A
.text C:\WINDOWS\system32\alg.exe[3268] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\QCONSVC.EXE[3388] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04A2000A
.text C:\WINDOWS\system32\QCONSVC.EXE[3388] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B4000A
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[3500] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0095000A
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[3500] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0096000A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[3632] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[3728] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\wdfmgr.exe[3836] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 006C000A
.text C:\WINDOWS\system32\wdfmgr.exe[3836] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 007E000A
.text C:\Documents and Settings\root.CHANGEME\Desktop\gmer\gamer.exe[3856] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 04AB000A
.text C:\Documents and Settings\root.CHANGEME\Desktop\gmer\gamer.exe[3856] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04BD000A

---- Devices - GMER 1.0.12 ----

Device \Driver\BTHUSB \Device\000000c4 IRP_MJ_CREATE [B5AE7BB0] bthport.sys
Device \Driver\BTHUSB \Device\000000c4 IRP_MJ_CLOSE [B5B13590] bthport.sys
Device \Driver\BTHUSB \Device\000000c4 IRP_MJ_DEVICE_CONTROL [B5AE5F00] bthport.sys
Device \Driver\BTHUSB \Device\000000c4 IRP_MJ_INTERNAL_DEVICE_CONTROL [B5AE6A70] bthport.sys
Device \Driver\BTHUSB \Device\000000c4 IRP_MJ_CLEANUP [B5AE7920] bthport.sys
Device \Driver\BTHUSB \Device\000000c4 IRP_MJ_POWER [B5B14AE0] bthport.sys
Device \Driver\BTHUSB \Device\000000c4 IRP_MJ_SYSTEM_CONTROL [B5B153A0] bthport.sys
Device \Driver\BTHUSB \Device\000000c4 IRP_MJ_PNP [B5B13FB0] bthport.sys
Device \Driver\BTHUSB \Device\000000c6 IRP_MJ_CREATE [B5AE7BB0] bthport.sys
Device \Driver\BTHUSB \Device\000000c6 IRP_MJ_CLOSE [B5B13590] bthport.sys
Device \Driver\BTHUSB \Device\000000c6 IRP_MJ_DEVICE_CONTROL [B5AE5F00] bthport.sys
Device \Driver\BTHUSB \Device\000000c6 IRP_MJ_INTERNAL_DEVICE_CONTROL [B5AE6A70] bthport.sys
Device \Driver\BTHUSB \Device\000000c6 IRP_MJ_CLEANUP [B5AE7920] bthport.sys
Device \Driver\BTHUSB \Device\000000c6 IRP_MJ_POWER [B5B14AE0] bthport.sys
Device \Driver\BTHUSB \Device\000000c6 IRP_MJ_SYSTEM_CONTROL [B5B153A0] bthport.sys
Device \Driver\BTHUSB \Device\000000c6 IRP_MJ_PNP [B5B13FB0] bthport.sys

---- Processes - GMER 1.0.12 ----

Library \\?\globalroot\systemroot\system32\UACexgendsxfsajtlg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [360] 0x00930000
Library \\?\globalroot\systemroot\system32\UACjmoxwcnfeahtjdb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [360] 0x009E0000
Library \\?\globalroot\systemroot\system32\UACexgendsxfsajtlg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [604] 0x00930000
Library \\?\globalroot\systemroot\system32\UACjmoxwcnfeahtjdb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [604] 0x009E0000
Library \\?\globalroot\systemroot\system32\UACexgendsxfsajtlg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [768] 0x00930000
Library \\?\globalroot\systemroot\system32\UACjmoxwcnfeahtjdb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [768] 0x009E0000
Library \\?\globalroot\systemroot\system32\UACexgendsxfsajtlg.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [836] 0x00C10000
Library \\?\globalroot\systemroot\system32\UACexgendsxfsajtlg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1056] 0x00930000
Library \\?\globalroot\systemroot\system32\UACjmoxwcnfeahtjdb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1056] 0x009E0000
Library \\?\globalroot\systemroot\system32\UACexgendsxfsajtlg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1296] 0x03360000
Library \\?\globalroot\systemroot\system32\UACexgendsxfsajtlg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2672] 0x00940000
Library \\?\globalroot\systemroot\system32\UACjmoxwcnfeahtjdb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2672] 0x009F0000
Library \\?\globalroot\systemroot\system32\UACexgendsxfsajtlg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3728] 0x00940000
Library \\?\globalroot\systemroot\system32\UACjmoxwcnfeahtjdb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3728] 0x009F0000

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
File C:\WINDOWS\system32\drivers\SKYNETudnwqgot.sys
File C:\WINDOWS\system32\drivers\UACmoybyxyfrmtdwtt.sys
File C:\WINDOWS\system32\SKYNETemaqnlth.dat
File C:\WINDOWS\system32\SKYNETgkxbcpmn.dll
File C:\WINDOWS\system32\SKYNETpordwssf.dll
File C:\WINDOWS\system32\SKYNETsmuyqoxt.dat
File C:\WINDOWS\system32\UACcyirvpuoeustfoh.log
File C:\WINDOWS\system32\UACevpskaihjdnwjfr.db
File C:\WINDOWS\system32\UACexgendsxfsajtlg.dll
File C:\WINDOWS\system32\uacinit.dll
File C:\WINDOWS\system32\UACjmoxwcnfeahtjdb.dll
File C:\WINDOWS\system32\UACljgxeofbvrmnqun.dll
File C:\WINDOWS\system32\UACmlkyguqcvbpvujy.dll
File C:\WINDOWS\system32\UACnskbgssdxumrxqd.dat
File C:\WINDOWS\system32\uactmp.db
File C:\WINDOWS\system32\UACuocgkcvjdnjetvk.dll
File C:\WINDOWS\system32\UACwuvhejnrcpaxbox.dll
File C:\WINDOWS\Temp\SKYNETaehjxtfbfk.tmp
File C:\WINDOWS\Temp\SKYNETcjoismwlnn.tmp
File C:\WINDOWS\Temp\SKYNETcnvevivist.tmp
File C:\WINDOWS\Temp\SKYNETcxbdsecvsb.tmp
File C:\WINDOWS\Temp\SKYNETcxnsesmntu.tmp
File C:\WINDOWS\Temp\SKYNETcxprjeneey.tmp
File C:\WINDOWS\Temp\SKYNETdutiynbvtn.tmp
File C:\WINDOWS\Temp\SKYNETdwtphxflys.tmp
File C:\WINDOWS\Temp\SKYNETebgawuipmj.tmp
File C:\WINDOWS\Temp\SKYNETfauklhcvxv.tmp
File C:\WINDOWS\Temp\SKYNETguchxwncym.tmp
File C:\WINDOWS\Temp\SKYNEThtsetnthoi.tmp
File C:\WINDOWS\Temp\SKYNEThwvsnihqbr.tmp
File C:\WINDOWS\Temp\SKYNETibcetrpofv.tmp
File C:\WINDOWS\Temp\SKYNETiudtspjlxo.tmp
File C:\WINDOWS\Temp\SKYNETjgatylrwrt.tmp
File C:\WINDOWS\Temp\SKYNETjiougsvbih.tmp
File C:\WINDOWS\Temp\SKYNETokqorjkipm.tmp
File C:\WINDOWS\Temp\SKYNEToripdeugmo.tmp
File C:\WINDOWS\Temp\SKYNETornmbccdtp.tmp
File C:\WINDOWS\Temp\SKYNETosjiniwuxx.tmp
File C:\WINDOWS\Temp\SKYNETowlkwooftv.tmp
File C:\WINDOWS\Temp\SKYNETpuwibappfh.tmp
File C:\WINDOWS\Temp\SKYNETpxxtpeirpr.tmp
File C:\WINDOWS\Temp\SKYNETqrjecibirp.tmp
File C:\WINDOWS\Temp\SKYNETrvjkqlbvrp.tmp
File C:\WINDOWS\Temp\SKYNETsqbxcateev.tmp
File C:\WINDOWS\Temp\SKYNETtcibtoijix.tmp
File C:\WINDOWS\Temp\SKYNETulcrjbqoie.tmp
File C:\WINDOWS\Temp\SKYNETvkivuqfqwf.tmp
File C:\WINDOWS\Temp\SKYNETxvbvoiombc.tmp
File C:\WINDOWS\Temp\SKYNETyciqdmdwtc.tmp
File C:\WINDOWS\Temp\UACafb6.tmp

---- EOF - GMER 1.0.12 ----
will122k3
Active Member
 
Posts: 11
Joined: June 17th, 2009, 9:49 pm

Re: Google redirection virus

Unread postby Shaba » June 24th, 2009, 1:16 am

It makes a difference because the rootkit you have blocks security-related programs which try to remove/recognize it by name.

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
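A small detection-style parser for the GMER log format posted earlier in this thread, added here as an illustration (it is not the thread's, GMER's or ComboFix's own code): it pulls out the `(*** hidden *** )` library entries per injected process and flags the UAC*/SKYNET* random-named files that ComboFix later removed. The sample log is a constructed subset of the posted one, and the name heuristic is an assumption tied to this particular rootkit's naming scheme, not a general rule.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.12 log format posted in this thread
# (a subset of the hidden-library entries plus a few Files entries).
SAMPLE_GMER_LOG = r"""
---- Modules - GMER 1.0.12 ----

Library \\?\globalroot\systemroot\system32\UACjmoxwcnfeahtjdb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [604] 0x009E0000
Library \\?\globalroot\systemroot\system32\UACexgendsxfsajtlg.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [836] 0x00C10000
Library \\?\globalroot\systemroot\system32\UACjmoxwcnfeahtjdb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3728] 0x009F0000

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
File C:\WINDOWS\system32\drivers\SKYNETudnwqgot.sys
File C:\WINDOWS\system32\drivers\UACmoybyxyfrmtdwtt.sys
File C:\WINDOWS\system32\uacinit.dll
File C:\WINDOWS\system32\drivers\mbamswissarmy.sys
File C:\WINDOWS\Temp\SKYNETaehjxtfbfk.tmp

---- EOF - GMER 1.0.12 ----
"""

# "Library <path> (*** hidden *** ) @ <process image> [<pid>] <base address>"
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<addr>0x[0-9A-Fa-f]+)\s*$"
)
# "File <path>" and "ADS <path>:<stream>" entries from the Files section
FILE_RE = re.compile(r"^(?P<kind>File|ADS)\s+(?P<path>.+?)\s*$")
# Assumed naming pattern of the rootkit files in this thread: a fixed prefix
# (UAC or SKYNET) followed by a run of random lowercase letters. Heuristic only;
# it is not a general-purpose rootkit signature.
RANDOM_NAME_RE = re.compile(
    r"^(uac|skynet)[a-z]{3,}\.(dll|sys|dat|log|db|tmp)$", re.IGNORECASE
)


def basename(path):
    """Last component of a Windows path (works for GMER's globalroot paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_gmer_log(text):
    """Split a GMER log into hidden-library records and Files-section records."""
    hidden, files = [], []
    for line in text.splitlines():
        m = LIBRARY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            hidden.append(rec)
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.groupdict())
    return hidden, files


def hidden_module_report(text):
    """Summarise hidden modules per process and flag rootkit-style file names."""
    hidden, files = parse_gmer_log(text)
    per_process = defaultdict(set)  # (pid, image path) -> hidden DLL names
    for rec in hidden:
        per_process[(rec["pid"], rec["proc"])].add(basename(rec["path"]))
    flagged = sorted(
        f["path"] for f in files
        if f["kind"] == "File" and RANDOM_NAME_RE.match(basename(f["path"]))
    )
    streams = sorted(f["path"] for f in files if f["kind"] == "ADS")
    return {
        "hidden_dlls": sorted({basename(r["path"]) for r in hidden}),
        "injected_processes": {k: sorted(v) for k, v in per_process.items()},
        "suspicious_files": flagged,
        "alternate_data_streams": streams,
    }


if __name__ == "__main__":
    report = hidden_module_report(SAMPLE_GMER_LOG)
    print("hidden DLLs:", ", ".join(report["hidden_dlls"]))
    for (pid, proc), dlls in sorted(report["injected_processes"].items()):
        print(f"  {proc} [{pid}]: {', '.join(dlls)}")
    print("suspicious files:", *report["suspicious_files"], sep="\n  ")
    print("ADS entries:", *report["alternate_data_streams"], sep="\n  ")
```

The same DLL showing up hidden inside several svchost.exe instances and Explorer.EXE is the injection pattern the helper is reacting to; legitimate drivers such as mbamswissarmy.sys are left unflagged.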

Re: Google redirection virus

Unread postby will122k3 » June 24th, 2009, 10:42 pm

ComboFix 09-06-23.01 - root 06/24/2009 21:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1639 [GMT -4:00]
Running from: c:\docume~1\ROOT~1.CHA\Desktop\Columbo.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Manson
c:\recycler\S-1-5-21-1017937101-516276246-1282138258-500
c:\recycler\S-1-5-21-2190867815-3508293876-2501954535-500
c:\recycler\S-1-5-21-3133978997-3095290957-2122901767-500
c:\recycler\S-1-5-21-3402799377-2966927733-1597234714-500
c:\recycler\S-1-5-21-3420895710-4290135725-3043235993-500
c:\recycler\S-1-5-21-3562983710-1449655655-3289834387-500
c:\recycler\S-1-5-21-3825283475-1754454779-3683679437-500
c:\recycler\S-1-5-21-4265909289-3485517607-2614902147-500
c:\recycler\S-1-5-21-448486026-3563514748-4210259494-500
c:\recycler\S-1-5-21-643571872-1266486392-598665437-500
c:\recycler\S-1-5-21-769079328-2389969595-2291903390-500
c:\recycler\S-1-5-21-808743801-558522827-3833581854-500
c:\recycler\S-1-5-21-861567501-492894223-854245398-500
c:\windows\system32\drivers\SKYNETudnwqgot.sys
c:\windows\system32\drivers\UACmoybyxyfrmtdwtt.sys
c:\windows\system32\UACcyirvpuoeustfoh.log
c:\windows\system32\UACevpskaihjdnwjfr.db
c:\windows\system32\UACexgendsxfsajtlg.dll
c:\windows\system32\UAChvlohoxeerokyhe.log
c:\windows\system32\UACjmoxwcnfeahtjdb.dll
c:\windows\system32\UACljgxeofbvrmnqun.dll
c:\windows\system32\UACmlkyguqcvbpvujy.dll
c:\windows\system32\UACnskbgssdxumrxqd.dat
c:\windows\system32\UACuocgkcvjdnjetvk.dll
c:\windows\system32\UACwemkhaektsardbe.log
c:\windows\system32\UACwuvhejnrcpaxbox.dll
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\documents and settings\jlamar\Local Settings\Temporary Internet Files\StreamPlug.dll
c:\recycler\S-1-5-21-1017937101-516276246-1282138258-500\desktop.ini
c:\recycler\S-1-5-21-1017937101-516276246-1282138258-500\INFO2
c:\recycler\S-1-5-21-2190867815-3508293876-2501954535-500\desktop.ini
c:\recycler\S-1-5-21-2190867815-3508293876-2501954535-500\INFO2
c:\recycler\S-1-5-21-3133978997-3095290957-2122901767-500\desktop.ini
c:\recycler\S-1-5-21-3133978997-3095290957-2122901767-500\INFO2
c:\recycler\S-1-5-21-3402799377-2966927733-1597234714-500\desktop.ini
c:\recycler\S-1-5-21-3402799377-2966927733-1597234714-500\INFO2
c:\recycler\S-1-5-21-3420895710-4290135725-3043235993-500\desktop.ini
c:\recycler\S-1-5-21-3420895710-4290135725-3043235993-500\INFO2
c:\recycler\S-1-5-21-3562983710-1449655655-3289834387-500\desktop.ini
c:\recycler\S-1-5-21-3562983710-1449655655-3289834387-500\INFO2
c:\recycler\S-1-5-21-3825283475-1754454779-3683679437-500\desktop.ini
c:\recycler\S-1-5-21-3825283475-1754454779-3683679437-500\INFO2
c:\recycler\S-1-5-21-4265909289-3485517607-2614902147-500\desktop.ini
c:\recycler\S-1-5-21-4265909289-3485517607-2614902147-500\INFO2
c:\recycler\S-1-5-21-448486026-3563514748-4210259494-500\desktop.ini
c:\recycler\S-1-5-21-448486026-3563514748-4210259494-500\INFO2
c:\recycler\S-1-5-21-643571872-1266486392-598665437-500\desktop.ini
c:\recycler\S-1-5-21-643571872-1266486392-598665437-500\INFO2
c:\recycler\S-1-5-21-769079328-2389969595-2291903390-500\desktop.ini
c:\recycler\S-1-5-21-769079328-2389969595-2291903390-500\INFO2
c:\recycler\S-1-5-21-808743801-558522827-3833581854-500\desktop.ini
c:\recycler\S-1-5-21-808743801-558522827-3833581854-500\INFO2
c:\recycler\S-1-5-21-861567501-492894223-854245398-500\desktop.ini
c:\recycler\S-1-5-21-861567501-492894223-854245398-500\INFO2
c:\windows\system32\drivers\SKYNETudnwqgot.sys
c:\windows\system32\drivers\UACmoybyxyfrmtdwtt.sys
c:\windows\system32\SKYNETemaqnlth.dat
c:\windows\system32\SKYNETgkxbcpmn.dll
c:\windows\system32\SKYNETpordwssf.dll
c:\windows\system32\SKYNETsmuyqoxt.dat
c:\windows\system32\UACcyirvpuoeustfoh.log
c:\windows\system32\UACevpskaihjdnwjfr.db
c:\windows\system32\UACexgendsxfsajtlg.dll
c:\windows\system32\UAChvlohoxeerokyhe.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjmoxwcnfeahtjdb.dll
c:\windows\system32\UACljgxeofbvrmnqun.dll
c:\windows\system32\UACmlkyguqcvbpvujy.dll
c:\windows\system32\UACnskbgssdxumrxqd.dat
c:\windows\system32\uactmp.db
c:\windows\system32\UACuocgkcvjdnjetvk.dll
c:\windows\system32\UACwemkhaektsardbe.log
c:\windows\system32\UACwuvhejnrcpaxbox.dll
c:\windows\Tasks\gbqucnmk.job

----- BITS: Possible infected sites -----

hxxp://na-pa-wsus.tibco.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_SKYNETltywrvel


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-23 04:56 . 2009-06-23 05:16 -------- d-----w- C:\New
2009-06-18 00:45 . 2009-06-18 00:45 -------- d-----w- c:\program files\Trend Micro
2009-06-18 00:33 . 2009-06-18 00:33 1033728 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2009-06-18 00:33 . 2009-06-18 00:33 1033728 ----a-w- c:\windows\Explorer.EXE
2009-06-17 21:18 . 2009-06-25 00:50 -------- d-----w- c:\program files\WinClamAVShield
2009-06-17 21:16 . 2009-06-25 00:34 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\Spyware Terminator
2009-06-17 21:16 . 2009-06-17 21:16 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-06-17 21:16 . 2009-06-17 21:16 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-06-17 21:16 . 2009-06-17 21:16 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-06-17 21:16 . 2009-06-25 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-06-17 21:16 . 2009-06-25 00:34 -------- d-----w- c:\program files\Spyware Terminator
2009-06-17 21:12 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 21:12 . 2009-06-17 21:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 21:12 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 20:11 . 2009-06-17 20:53 -------- d-----w- c:\program files\a-squared Free
2009-06-17 19:00 . 2009-06-17 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-17 18:50 . 2009-06-17 18:50 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-17 18:50 . 2009-06-17 12:11 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-17 18:50 . 2009-06-17 12:11 27784 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-06-17 18:50 . 2009-06-17 12:11 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-17 18:50 . 2009-06-17 12:11 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-17 18:50 . 2009-06-17 12:11 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-17 12:28 . 2009-06-20 16:33 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-17 12:11 . 2009-06-17 12:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-17 12:11 . 2009-06-17 12:11 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-17 12:11 . 2009-06-17 12:11 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-17 12:11 . 2009-06-17 18:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 12:11 . 2009-06-24 14:43 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-17 12:11 . 2009-06-17 12:11 -------- d-----w- c:\program files\AVG
2009-06-17 06:38 . 2009-06-17 06:54 -------- d-----w- c:\documents and settings\All Users\Application Data\97300776
2009-06-17 06:38 . 2009-06-17 06:54 -------- d-----w- c:\documents and settings\All Users\Application Data\17290784
2009-05-31 19:51 . 2009-05-31 19:51 -------- d-----w- c:\documents and settings\root.CHANGEME\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 01:04 . 2009-01-07 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-17 19:10 . 2007-07-20 13:20 -------- d-----w- c:\program files\McAfee
2009-06-17 12:08 . 2009-01-21 21:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-31 19:49 . 2005-01-29 01:48 68568 -c--a-w- c:\documents and settings\root.CHANGEME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 19:45 . 2005-10-25 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-05-31 19:45 . 2005-10-25 17:31 -------- d-----w- c:\program files\Yahoo!
2009-05-31 19:44 . 2009-04-21 14:07 -------- d-----w- c:\program files\LightSpeed
2009-05-29 00:50 . 2004-03-11 17:56 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\AdobeUM
2009-05-24 23:23 . 2009-05-24 23:23 136 ----a-w- c:\documents and settings\root.CHANGEME\Local Settings\Application Data\fusioncache.dat
2009-05-22 01:31 . 2009-05-25 03:16 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2009-05-19 00:10 . 2009-05-19 00:10 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\InstallShield Installation Information
2009-05-19 00:10 . 2009-05-19 00:10 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\2K Games
2009-05-19 00:09 . 2009-05-19 00:09 -------- d-----w- c:\program files\GameSpy
2009-05-19 00:08 . 2009-05-19 00:08 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\InstallShield
2009-05-07 20:57 . 2009-05-07 20:57 -------- d-----w- c:\program files\Lexmark X74-X75
2009-04-30 05:01 . 2009-04-30 05:01 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\Lavasoft
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-06-17 3055616]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-22 4351216]
"Comrade.exe"="c:\program files\GameSpy\Comrade\Comrade.exe" [2007-05-27 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-01 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-01 618496]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-03-27 136768]
"TpHotkey"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-01-15 94208]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-20 32881]
"QCWLIcon"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-07-30 53248]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-02-05 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-02-05 395264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-02-05 106496]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-17 1948440]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-06-17 2174464]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-06-27 88363]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2003-09-04 77824]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2002-09-04 53248]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2003-11-20 57344]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-8-25 28672]
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2007-8-15 629248]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
TIBCO Software Inc. VPN Client.lnk - c:\program files\Cisco Systems\VPN 3000 Client\ipsecdialer.exe [2004-4-28 1269836]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-17 12:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1469188156-960889200-926709054-21729\Scripts\Logon\0\0]
"Script"=mcafee.cmd

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\FSRremoS.EXE"=
"c:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\WINDOWS\\system32\\TpShocks.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2/19/2004 6:11 PM 52136]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2009 8:11 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/17/2009 8:11 AM 108552]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2/19/2004 7:08 PM 15360]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2009 8:11 AM 298776]
R2 CVPNDRV;TIBCO Software Inc. IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [4/28/2004 6:28 PM 263751]
R2 PPNT;PPNT;c:\windows\system32\drivers\ppnt.sys [8/3/2005 7:10 PM 13824]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2/19/2004 6:11 PM 4225]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [2/23/2004 5:36 PM 46108]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [6/7/2004 12:30 PM 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [6/7/2004 12:30 PM 9216]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [8/5/2005 11:18 AM 54083]
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-25 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-02-19 09:36]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-IBM RecordNow! - (no file)


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 21:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\CSGina.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(344)
c:\progra~1\WINDOW~3\wmpband.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Connected\AgentSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN 3000 Client\cvpnd.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\QCONSVC.EXE
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Lexmark X74-X75\lxbbbmon.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
.
**************************************************************************
.
Completion time: 2009-06-25 21:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 01:38

Pre-Run: 48,260,747,264 bytes free
Post-Run: 49,792,409,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

315 --- E O F --- 2009-06-25 01:38
will122k3
Active Member
 
Posts: 11
Joined: June 17th, 2009, 9:49 pm

Re: Google redirection virus

Unread postby will122k3 » June 24th, 2009, 10:44 pm

Before using ComboFix, I did have a tough time disabling my AVG Anti-Virus Free; in fact, I even tried to uninstall it, to no avail. I was able to manipulate the settings enough that it didn't cause a problem with ComboFix. I also had to rename the ComboFix file. The Google redirection problem seems to have been fixed. Here is the log after the scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:59 PM, on 6/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN 3000 Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GameSpy\Comrade\Comrade.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: TIBCO Software Inc. VPN Client.lnk = C:\Program Files\Cisco Systems\VPN 3000 Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.tibco.com
O17 - HKLM\Software\..\Telephony: DomainName = na.tibco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.tibco.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN 3000 Client\cvpnd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 10064 bytes
will122k3
Active Member
 
Posts: 11
Joined: June 17th, 2009, 9:49 pm

Re: Google redirection virus

Unread postby Shaba » June 25th, 2009, 12:04 am

That's good :)

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    DirLook::
    c:\documents and settings\All Users\Application Data\97300776
    c:\documents and settings\All Users\Application Data\17290784
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
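Running ComboFix with a CFScript like the one above produces a report whose Sigcheck section lists, for each system file checked, one line per copy found on disk with its size and MD5 (the live copy in system32 or system32\drivers, the ServicePackFiles\i386 copy, dllcache, and the hotfix uninstall folders). Added example, not ComboFix's code and not the poster's: the Python below parses lines in that format and compares each live copy's hash with the Service Pack reference copy, which is how a patched tcpip.sys, ndis.sys or wininet.dll (the usual carriers of a search redirect in this era) shows up. Sample lines are copied from the report posted later in this thread. Reading the "[7]" marker as "hash recognised" and "[-]" as "not recognised" is my interpretation of the report format, not something ComboFix documents.

```python
"""Cross-check the Sigcheck section of a ComboFix report.

Added example; not ComboFix's code and not part of the forum thread.
ComboFix prints, for each system file it checks, one line per copy found:
    [7] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
This script groups those lines by file name and compares the MD5 of the
live copy (system32 or system32\drivers) with the copy listed under
ServicePackFiles\i386, which on XP SP3 is the Service Pack's own copy.
The SAMPLE lines are copied from the report posted later in this thread.
Treating "[7]" as "hash recognised" and "[-]" as "not recognised" is my
reading of the report format, not something ComboFix documents.
"""
import re
from collections import defaultdict

SIG_LINE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+)$"
)

LIVE_DIRS = (r"c:\windows\system32", r"c:\windows\system32\drivers")
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"


def parse_sigcheck(text: str) -> list[dict]:
    """One dict per Sigcheck line; paths are lower-cased for comparison."""
    rows = []
    for line in text.splitlines():
        m = SIG_LINE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["size"] = int(row["size"])
        row["md5"] = row["md5"].upper()
        row["path"] = row["path"].strip().lower()
        row["dir"], row["name"] = row["path"].rsplit("\\", 1)
        rows.append(row)
    return rows


def compare_live_to_reference(rows: list[dict]) -> dict[str, str]:
    """Map each live copy's path to 'match', 'mismatch' or 'no-reference'."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["name"]].append(r)

    verdicts = {}
    for name, copies in by_name.items():
        ref = next((c for c in copies if c["dir"] == REFERENCE_DIR), None)
        for c in copies:
            if c["dir"] not in LIVE_DIRS:
                continue                      # backups and dllcache are not what runs
            if ref is None:
                verdicts[c["path"]] = "no-reference"
            elif c["md5"] == ref["md5"] and c["size"] == ref["size"]:
                verdicts[c["path"]] = "match"
            else:
                verdicts[c["path"]] = "mismatch"
    return verdicts


def needs_a_look(rows: list[dict]) -> list[str]:
    """Live copies that differ from the SP reference or carry a non-[7] marker."""
    verdicts = compare_live_to_reference(rows)
    flagged = {p for p, v in verdicts.items() if v != "match"}
    flagged |= {r["path"] for r in rows if r["dir"] in LIVE_DIRS and r["mark"] != "7"}
    return sorted(flagged)


SAMPLE = r"""
[7] 2004-08-04 07:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[7] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\cache\svchost.exe

[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\system32\drivers\tcpip.sys

[7] 2004-08-04 07:56 111104 4126D27CECE4471E00E425411F7306B5 c:\windows\$NtServicePackUninstall$\wuauclt.exe
[7] 2008-04-14 09:42 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2007-04-17 02:45 53080 3A83A45E7DD5276315AA20245E7C32BF c:\windows\system32\wuauclt.exe
"""

if __name__ == "__main__":
    rows = parse_sigcheck(SAMPLE)
    for path, verdict in sorted(compare_live_to_reference(rows).items()):
        print(f"{verdict:13} {path}")
```

On this report the only live copy that differs from its Service Pack reference is wuauclt.exe, and that is the caveat the check needs: the live copy is a different build dated 2007-04-17, consistent with a Windows Update client updated separately from SP3, and ComboFix itself still marks it "[7]". A hash mismatch is a lead to confirm with a signature check, not an infection verdict; conversely, a kernel driver that matches its reference is strong evidence that this particular redirect is not a patched driver.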

Re: Google redirection virus

Unread postby will122k3 » June 25th, 2009, 12:28 am

ComboFix 09-06-23.01 - root 06/24/2009 23:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1590 [GMT -4:00]
Running from: c:\documents and settings\root.CHANGEME\Desktop\Columbo.exe
Command switches used :: c:\documents and settings\root.CHANGEME\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-25 01:37 . 2009-06-25 01:37 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-23 04:56 . 2009-06-23 05:16 -------- d-----w- C:\New
2009-06-18 00:45 . 2009-06-18 00:45 -------- d-----w- c:\program files\Trend Micro
2009-06-18 00:33 . 2009-06-18 00:33 1033728 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2009-06-18 00:33 . 2009-06-18 00:33 1033728 ----a-w- c:\windows\Explorer.EXE
2009-06-17 21:18 . 2009-06-25 00:50 -------- d-----w- c:\program files\WinClamAVShield
2009-06-17 21:16 . 2009-06-25 02:01 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\Spyware Terminator
2009-06-17 21:16 . 2009-06-17 21:16 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-06-17 21:16 . 2009-06-17 21:16 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-06-17 21:16 . 2009-06-17 21:16 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-06-17 21:16 . 2009-06-25 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-06-17 21:16 . 2009-06-25 00:34 -------- d-----w- c:\program files\Spyware Terminator
2009-06-17 21:12 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 21:12 . 2009-06-17 21:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 21:12 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 20:11 . 2009-06-25 02:52 -------- d-----w- c:\program files\a-squared Free
2009-06-17 19:00 . 2009-06-17 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-17 18:50 . 2009-06-17 18:50 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-17 18:50 . 2009-06-17 12:11 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-17 18:50 . 2009-06-17 12:11 27784 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-06-17 18:50 . 2009-06-17 12:11 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-17 18:50 . 2009-06-17 12:11 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-17 18:50 . 2009-06-17 12:11 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-17 12:28 . 2009-06-20 16:33 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-17 12:11 . 2009-06-17 12:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-17 12:11 . 2009-06-17 12:11 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-17 12:11 . 2009-06-17 12:11 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-17 12:11 . 2009-06-17 18:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 12:11 . 2009-06-24 14:43 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-17 12:11 . 2009-06-17 12:11 -------- d-----w- c:\program files\AVG
2009-06-17 06:38 . 2009-06-17 06:54 -------- d-----w- c:\documents and settings\All Users\Application Data\97300776
2009-06-17 06:38 . 2009-06-17 06:54 -------- d-----w- c:\documents and settings\All Users\Application Data\17290784
2009-05-31 19:51 . 2009-05-31 19:51 -------- d-----w- c:\documents and settings\root.CHANGEME\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 02:52 . 2005-08-05 18:00 -------- d-----w- c:\documents and settings\hpiccari\Application Data\Lavasoft
2009-06-25 01:04 . 2009-01-07 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-17 19:10 . 2007-07-20 13:20 -------- d-----w- c:\program files\McAfee
2009-06-17 12:08 . 2009-01-21 21:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-31 19:49 . 2005-01-29 01:48 68568 -c--a-w- c:\documents and settings\root.CHANGEME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 19:45 . 2005-10-25 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-05-31 19:45 . 2005-10-25 17:31 -------- d-----w- c:\program files\Yahoo!
2009-05-31 19:44 . 2009-04-21 14:07 -------- d-----w- c:\program files\LightSpeed
2009-05-29 00:50 . 2004-03-11 17:56 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\AdobeUM
2009-05-24 23:23 . 2009-05-24 23:23 136 ----a-w- c:\documents and settings\root.CHANGEME\Local Settings\Application Data\fusioncache.dat
2009-05-22 01:31 . 2009-05-25 03:16 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2009-05-19 00:10 . 2009-05-19 00:10 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\InstallShield Installation Information
2009-05-19 00:10 . 2009-05-19 00:10 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\2K Games
2009-05-19 00:08 . 2009-05-19 00:08 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\InstallShield
2009-05-07 20:57 . 2009-05-07 20:57 -------- d-----w- c:\program files\Lexmark X74-X75
2009-04-30 05:01 . 2009-04-30 05:01 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\Lavasoft
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\17290784 ----

2009-06-17 06:47 . 2009-06-17 06:47 56 ----a-w- c:\documents and settings\All Users\Application Data\17290784\pc17290784cnf
2009-06-17 06:47 . 2009-06-17 06:48 0 ----a-w- c:\documents and settings\All Users\Application Data\17290784\pc17290784ins
2009-06-17 06:38 . 2009-06-17 06:38 64784 ----a-w- c:\documents and settings\All Users\Application Data\17290784\17290784.glu

---- Directory of c:\documents and settings\All Users\Application Data\97300776 ----



------- Sigcheck -------

[7] 2004-08-04 07:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[7] 2008-04-14 09:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\cache\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2002-11-01 22:26 528896 68E1F4EF02DF52CA9C5E157045D23582 c:\windows\$NtUninstallKB824141$\user32.dll
[7] 2002-08-29 11:41 560128 DD9269230C21EE8FB7FD3FCCC3B1CFCB c:\windows\$NtUninstallKB826939$\user32.dll
[-] 2003-09-25 16:49 560128 32173306185F603E75C477E117F3BB8D c:\windows\$NtUninstallKB840987$\user32.dll
[7] 2004-08-04 07:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2004-06-17 17:58 560128 31FB2D788A9AA618452C02E8375B6DCD c:\windows\$NtUninstallKB891711$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 09:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 09:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll
[7] 2008-04-14 09:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\dllcache\cache\user32.dll

[7] 2004-08-04 07:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2001-08-23 12:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\$NtUninstallKB817778$\ws2_32.dll
[7] 2008-04-14 09:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-14 09:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll
[7] 2008-04-14 09:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\dllcache\cache\ws2_32.dll

[-] 2004-09-29 18:27 656896 2C07195588D69A067C2AFDAA31759295 c:\windows\$hf_mig$\KB834707\SP2QFE\wininet.dll
[-] 2005-01-27 17:08 657920 A8EAC5330876548E9966A7D13025D196 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
[-] 2005-05-02 20:57 658944 E1E18136F9DD3DF1AD9C82193A5898A6 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
[-] 2005-03-10 07:43 657920 C8663B488996E89A84C3D17C1D12B79E c:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll
[-] 2005-09-02 23:53 660480 97A6FD7CAFD688CF2C78939EBAF0CD0C c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[-] 2005-07-03 02:09 659456 6E533D155B259EB2363D3E04B5BE309F c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
[-] 2005-10-21 03:38 661504 AF785C4947676A7FC1673FDC5C8D0B5B c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[-] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
[-] 2006-09-14 08:31 664576 D207370287CF769AEBEBF03837784963 c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
[-] 2006-10-23 15:34 664576 231EF4179ACABE486376B5CA893F1076 c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
[-] 2007-01-04 14:05 665088 3FFA1573FC274E5AA7467D03941C45EE c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[-] 2007-06-26 14:35 665600 E1A3DD68B5380B360A7310A64D9BB188 c:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
[-] 2007-06-26 14:09 658944 184E47C8F7B331025E6DC92740DB188F c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2004-08-04 07:56 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB834707$\wininet.dll
[-] 2004-09-29 18:47 656896 CBA65B573C66FE23F647FF96E3A10994 c:\windows\$NtUninstallKB883939$\wininet.dll
[7] 2004-02-07 01:05 588288 4F64D1DF989E3AA2FAD91A2F1167B9C7 c:\windows\$NtUninstallKB889293-IE6SP1-20041111.235619$\wininet.dll
[-] 2005-07-03 02:11 658432 5B5FF992C0FA762CCF8655FC290E6E52 c:\windows\$NtUninstallKB896688$\wininet.dll
[-] 2005-05-02 20:52 657920 1A078AF3F85D10BA56444C23B3A18E74 c:\windows\$NtUninstallKB896727$\wininet.dll
[-] 2005-09-02 23:52 658432 AF61EBB1F550175EFF406D545D6AB086 c:\windows\$NtUninstallKB905915$\wininet.dll
[-] 2005-10-21 03:39 658432 E7B27B6B6E06CE34EA019FD8B858C613 c:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2006-05-10 05:23 658432 38AB7A56F566D9AAAD31812494944824 c:\windows\$NtUninstallKB922760$\wininet.dll
[-] 2006-09-14 08:39 658944 621AF3F6174A3F60677F5230E28BCC07 c:\windows\$NtUninstallKB925454$\wininet.dll
[-] 2006-10-23 15:17 658944 6B2735ADFF5A5D3B9130CA4A794722F0 c:\windows\$NtUninstallKB928090$\wininet.dll
[-] 2007-01-04 13:37 658944 8C393DF5234CBCBFF1EE31902D6B40AE c:\windows\$NtUninstallKB937143$\wininet.dll
[7] 2008-04-14 09:42 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2008-04-14 09:42 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\system32\wininet.dll
[7] 2008-04-14 09:42 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\system32\dllcache\cache\wininet.dll

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\system32\dllcache\cache\tcpip.sys
[7] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\system32\drivers\tcpip.sys

[7] 2004-08-04 07:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2002-08-29 11:41 516608 2246D8D8F4714A2CEDB21AB9B1849ABB c:\windows\$NtUninstallKB840987$\winlogon.exe
[7] 2008-04-14 09:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 09:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe
[7] 2008-04-14 09:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\cache\winlogon.exe

[7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2002-08-29 10:09 167552 3B350E5A2A5E951453F3993275A4523A c:\windows\$NtUninstallKB826942$\ndis.sys
[7] 2008-04-14 04:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-14 04:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-14 04:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\cache\ndis.sys
[7] 2008-04-14 04:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[7] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[7] 2008-04-14 04:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-14 04:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\dllcache\ip6fw.sys
[7] 2008-04-14 04:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\dllcache\cache\ip6fw.sys
[7] 2008-04-14 04:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-01 20:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 16:12 2059392 BA4B97C00A437C1CC3DA365D93EE1E9D c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2002-08-29 09:04 1947904 0E8EFB15746878A9B256E75267337233 c:\windows\$NtUninstallKB826939$\ntkrnlpa.exe
[-] 2003-04-24 15:57 1949440 46AE6F2D416C39FFDCFC8BCB01203EA3 c:\windows\$NtUninstallKB840987$\ntkrnlpa.exe
[-] 2004-06-17 08:03 1954688 ED0D7A5F1138CCFD3ECAF8F6AC691F13 c:\windows\$NtUninstallKB885835_0$\ntkrnlpa.exe
[7] 2004-08-04 05:58 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[-] 2006-12-19 08:55 2057600 1D659BFB788ED2BA45075624B748D249 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2008-04-14 04:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2008-04-14 04:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\system32\ntkrnlpa.exe
[7] 2008-04-14 04:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\system32\dllcache\cache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 16:51 2182016 CEF243F6DEFD20BE4ADDE26C7ECACB54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2002-08-29 10:03 2042240 B9080D97DBD631AADF9128F7316958D2 c:\windows\$NtUninstallKB826939$\ntoskrnl.exe
[-] 2003-04-24 15:57 1925760 97EC4AB4650DA6FC521CF16F8A6DDCB0 c:\windows\$NtUninstallKB840987$\ntoskrnl.exe
[-] 2004-06-17 17:22 2051584 F240DC474F8EDB2D95514D831DF069E5 c:\windows\$NtUninstallKB885835_0$\ntoskrnl.exe
[7] 2004-08-04 06:19 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 14:17 2180352 8F0DEAB1F81FB83F9C5995853CE48B9F c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-04-14 04:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2008-04-14 04:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\system32\ntoskrnl.exe
[7] 2008-04-14 04:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\system32\dllcache\cache\ntoskrnl.exe

[7] 2009-06-18 00:33 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\Explorer.EXE
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2002-08-29 11:41 1004032 A82B28BFC2E4455FE43022A498C0EF0A c:\windows\$NtUninstallKB820291$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 09:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2009-06-18 00:33 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\explorer.exe
[7] 2009-06-18 00:33 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\cache\Explorer.EXE

[7] 2004-08-04 07:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 09:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[7] 2008-04-14 09:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\system32\services.exe
[7] 2008-04-14 09:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\system32\dllcache\cache\services.exe

[7] 2004-08-04 07:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 09:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-14 09:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe
[7] 2008-04-14 09:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\dllcache\cache\lsass.exe

[7] 2004-08-04 07:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 09:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-14 09:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe
[7] 2008-04-14 09:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\cache\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 07:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2008-04-14 09:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 09:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe
[7] 2008-04-14 09:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\dllcache\cache\spoolsv.exe

[7] 2004-08-04 07:56 111104 4126D27CECE4471E00E425411F7306B5 c:\windows\$NtServicePackUninstall$\wuauclt.exe
[7] 2008-04-14 09:42 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2007-04-17 02:45 53080 3A83A45E7DD5276315AA20245E7C32BF c:\windows\system32\wuauclt.exe
[7] 2007-04-17 02:45 53080 3A83A45E7DD5276315AA20245E7C32BF c:\windows\system32\dllcache\wuauclt.exe
[7] 2007-04-17 02:45 53080 3A83A45E7DD5276315AA20245E7C32BF c:\windows\system32\dllcache\cache\wuauclt.exe

[7] 2004-08-04 07:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe
[7] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\dllcache\cache\userinit.exe

[7] 2004-08-04 07:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 09:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 09:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll
[7] 2008-04-14 09:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\dllcache\cache\termsrv.dll

[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2002-08-29 11:41 930304 8F162DC91D67D87C1A481BF602A9DAC8 c:\windows\$NtUninstallKB840987$\kernel32.dll
[7] 2004-08-04 07:56 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2008-04-14 09:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2008-04-14 09:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\system32\kernel32.dll
[7] 2008-04-14 09:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\system32\dllcache\cache\kernel32.dll

[7] 2004-08-04 07:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2008-04-14 09:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-14 09:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll
[7] 2008-04-14 09:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\dllcache\cache\powrprof.dll

[7] 2004-08-04 07:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2008-04-14 09:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-14 09:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll
[7] 2008-04-14 09:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\dllcache\cache\imm32.dll

[7] 2004-08-04 07:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 09:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-14 09:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll
[7] 2008-04-14 09:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\dllcache\cache\sfcfiles.dll

[7] 2004-08-04 07:56 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\$NtServicePackUninstall$\appmgmts.dll
[7] 2008-04-14 09:41 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\ServicePackFiles\i386\appmgmts.dll
[7] 2008-04-14 09:41 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\appmgmts.dll
[7] 2008-04-14 09:41 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\dllcache\appmgmts.dll
[7] 2008-04-14 09:41 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\dllcache\cache\appmgmts.dll

[7] 2004-08-04 05:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-14 04:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-14 04:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\dllcache\cache\kbdclass.sys
[7] 2008-04-14 04:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-01 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-01 618496]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-03-27 136768]
"TpHotkey"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-01-15 94208]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-20 32881]
"QCWLIcon"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-07-30 53248]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-02-05 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-02-05 395264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-02-05 106496]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2003-09-04 77824]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2003-11-20 57344]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2007-8-15 629248]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
TIBCO Software Inc. VPN Client.lnk - c:\program files\Cisco Systems\VPN 3000 Client\ipsecdialer.exe [2004-4-28 1269836]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-17 12:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1469188156-960889200-926709054-21729\Scripts\Logon\0\0]
"Script"=mcafee.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sp_rssrv"=2 (0x2)
"MDM"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"a2free"=2 (0x2)
"cisvc"=3 (0x3)
"LexBceS"=2 (0x2)
"avg8wd"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\FSRremoS.EXE"=
"c:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\WINDOWS\\system32\\TpShocks.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2/19/2004 6:11 PM 52136]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2009 8:11 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/17/2009 8:11 AM 108552]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [6/17/2009 5:16 PM 142592]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2/19/2004 7:08 PM 15360]
R2 CVPNDRV;TIBCO Software Inc. IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [4/28/2004 6:28 PM 263751]
R2 PPNT;PPNT;c:\windows\system32\drivers\ppnt.sys [8/3/2005 7:10 PM 13824]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2/19/2004 6:11 PM 4225]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [2/23/2004 5:36 PM 46108]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [6/7/2004 12:30 PM 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [6/7/2004 12:30 PM 9216]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [8/5/2005 11:18 AM 54083]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2009 8:11 AM 298776]
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-25 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-02-19 09:36]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 23:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\CSGina.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(280)
c:\progra~1\WINDOW~3\wmpband.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
.
Completion time: 2009-06-25 23:27
ComboFix-quarantined-files.txt 2009-06-25 03:26
ComboFix2.txt 2009-06-25 01:38

Pre-Run: 49,676,603,392 bytes free
Post-Run: 49,659,887,616 bytes free

368 --- E O F --- 2009-06-25 01:57
will122k3
Active Member
 
Posts: 11
Joined: June 17th, 2009, 9:49 pm

Re: Google redirection virus

Unread postby Shaba » June 25th, 2009, 1:30 am

Do you recognize these folders?

c:\documents and settings\All Users\Application Data\97300776
c:\documents and settings\All Users\Application Data\17290784
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
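The firewall-exception and open-port entries in the ComboFix log above, and the digit-only folder names Shaba asks about, are the lines a helper reads first when triaging a redirect infection. The script below is an added example written for this page; it is not code from the forum, from ComboFix or from HijackThis. It splits a log excerpt into its bracketed registry-key sections, flags AuthorizedApplications entries whose executable lives under a user profile or a temp directory, flags GloballyOpenPorts entries that are Enabled with scope `*` (reachable from any source address), and flags directories under All Users\Application Data whose name is nothing but digits. The excerpt it runs on is constructed: the two port lines and the two numeric folders are copied from the thread, while the Temp executable, the 5900/TCP rule and the Apple folder are made up to exercise each branch of the check.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of a ComboFix log. The 3389 and 26675 port
# lines and the two digit-only folders are the ones quoted in the thread; the
# Temp executable, the 5900/TCP rule and the Apple folder are made up here so
# that every branch of the triage runs.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Application Data\\2K Games\\Civilization4.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Local Settings\\Temp\\constructed.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5900:TCP"= 5900:TCP:*:Enabled:Constructed example

c:\documents and settings\All Users\Application Data\97300776
c:\documents and settings\All Users\Application Data\17290784
c:\documents and settings\All Users\Application Data\Apple
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# Folder directly under All Users\Application Data whose name is only digits.
DIGIT_DIR_RE = re.compile(
    r"^[a-z]:\\documents and settings\\all users\\application data\\(\d+)$")
# Path fragments a user (and therefore malware running as that user) can write to.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the bracketed registry key that precedes them."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def firewall_app_findings(sections: Dict[str, List[str]]) -> List[str]:
    """Authorized firewall applications whose binary sits in a user-writable path."""
    flagged: List[str] = []
    for key, lines in sections.items():
        if "authorizedapplications" not in key:
            continue
        for line in lines:
            m = VALUE_RE.match(line)
            if not m:
                continue
            # The log doubles backslashes inside the quoted value; undo that.
            path = m.group("name").replace("\\\\", "\\").lower()
            if path.startswith("c:\\documents and settings\\") or any(
                    frag in path for frag in USER_WRITABLE):
                flagged.append(path)
    return flagged


def open_port_findings(sections: Dict[str, List[str]]) -> List[Tuple[int, str, str]]:
    """Globally open ports that are Enabled and scoped to any address (*)."""
    flagged: List[Tuple[int, str, str]] = []
    for key, lines in sections.items():
        if "globallyopenports" not in key:
            continue
        for line in lines:
            m = VALUE_RE.match(line)
            if not m:
                continue
            # Format: port:proto:scope:Enabled|Disabled:name (name may contain ':')
            parts = m.group("data").split(":", 4)
            if len(parts) < 5:
                continue
            port, proto, scope, state, name = parts
            if state.lower() == "enabled" and scope == "*":
                flagged.append((int(port), proto, name))
    return flagged


def digit_only_folder_findings(sections: Dict[str, List[str]]) -> List[str]:
    """Folders under All Users\\Application Data named with digits only."""
    return [line for lines in sections.values() for line in lines
            if DIGIT_DIR_RE.match(line.lower())]


def triage(text: str) -> Dict[str, list]:
    sections = parse_sections(text)
    return {
        "firewall_apps_in_user_writable_paths": firewall_app_findings(sections),
        "enabled_ports_open_to_any_address": open_port_findings(sections),
        "digit_only_programdata_folders": digit_only_folder_findings(sections),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Flagged items are review candidates, not verdicts: the Civilization executable is a legitimate program that happens to live under Application Data, and the Disabled 3389 rule is correctly left alone. To use it on a real log, read the file and pass its text to triage().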