ask.com, google search redirect

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.


Post by mvisser » January 24th, 2009, 2:06 pm

When I use the Google search bar or google.com, the resulting links are redirected to websites I don't want. The Ask.com toolbar was accidentally or automatically installed (I don't know how). I don't know how to fix this problem. I've done a virus search and run Ad-Aware 8, but only a handful of cookies turned up. Here's my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:47 AM, on 1/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sonoma.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonoma.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInCon ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 4861947838
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4861938664
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.157.33.98/activex/AxisCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O17 - HKLM\Software\..\Telephony: DomainName = solar.sonoma.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{F93B6E14-36A4-458D-80AC-25753EB32DA8}: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC6153EC-35BD-4567-8871-A074DF8DFB40}: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.4,85.255.112.14
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Symantec Ghost Client Agent (NGCLIENT) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe

--
End of file - 11057 bytes
mvisser
Active Member
Posts: 7
Joined: January 24th, 2009, 2:00 pm
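The O17 lines in the log above are the part of this thread worth a second look: the browser start and search pages are stock, yet the TCP/IP NameServer values under both the current control set (CCS) and ControlSet001 (CS1) point at two resolvers, which is the mechanism behind a search redirect that survives a browser clean-up. The following checker is an added example written for this page, not part of the thread or of HijackThis; it parses the O17 section and flags any resolver outside an allowlist, and the allowlist addresses are placeholders that a real deployment would take from the site's DHCP/DNS configuration.

```python
"""Flag rogue DNS resolvers recorded in the O17 section of a HijackThis log.

Added example for this page (not HijackThis code and not from the thread).
Assumption: EXPECTED_RESOLVERS holds the resolvers the network legitimately
hands out; the values below are RFC 5737 documentation placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder allowlist; replace with the resolvers your network actually uses.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# O17 line shape as HijackThis 2.0.2 prints it:
#   O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): (?P<name>\w+) = (?P<value>.+)$")


@dataclass(frozen=True)
class NameServerEntry:
    key: str          # registry path exactly as HijackThis abbreviates it
    servers: tuple    # resolver addresses in the order they are listed
    control_set: str  # "CCS" = CurrentControlSet, "CS1" = ControlSet001, ...


def parse_o17_nameservers(log_text):
    """Return every O17 NameServer entry found in the log text.

    Domain/DomainName entries are skipped; only resolver lists matter here.
    The same rogue value under both CCS and CS1 means booting into
    'Last Known Good Configuration' would not undo the change.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m or m.group("name") != "NameServer":
            continue
        servers = tuple(s.strip() for s in m.group("value").split(",") if s.strip())
        parts = m.group("key").split("\\")
        control_set = parts[2] if len(parts) > 2 else "?"
        entries.append(NameServerEntry(m.group("key"), servers, control_set))
    return entries


def rogue_resolvers(entries, expected=EXPECTED_RESOLVERS):
    """Return the set of configured resolvers that are not on the allowlist.

    Private-range and loopback addresses (a home router, a local forwarder)
    are tolerated; any other address must be explicitly expected.
    """
    rogue = set()
    for entry in entries:
        for server in entry.servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                rogue.add(server)  # not even a valid address: flag it
                continue
            if server in expected or addr.is_private or addr.is_loopback:
                continue
            rogue.add(server)
    return rogue


def control_sets_affected(entries, rogue):
    """Control sets that carry at least one rogue resolver (persistence check)."""
    return sorted({e.control_set for e in entries if set(e.servers) & rogue})


# Constructed excerpt: the O17 lines copied from the first log in the thread.
SAMPLE_LOG = r"""O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O17 - HKLM\Software\..\Telephony: DomainName = solar.sonoma.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{F93B6E14-36A4-458D-80AC-25753EB32DA8}: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.4,85.255.112.14
"""

if __name__ == "__main__":
    found = parse_o17_nameservers(SAMPLE_LOG)
    bad = rogue_resolvers(found)
    print(f"{len(found)} NameServer entries, rogue resolvers: {sorted(bad)}")
    print("control sets affected:", control_sets_affected(found, bad))
```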

Re: ask.com, google search redirect

Post by Axephilic » January 25th, 2009, 1:01 pm

Hello,

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  • If at any point you don't understand something, please let me know and I will be glad to explain or go more into depth for you. :)
  • I am still in training, so my responses may take more time than usual because all of my posts must be checked by an expert or teacher.
    Also, please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  • Please keep all of your replies in this topic/thread and do not make a new topic/thread, thanks!
  • Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.
  • Please do not run other tools to remove the malware unless I ask you to until I give you the all clean. They will just mess up my fixes and make things more complicated, not fix the problem.

Make an Uninstall List

Next, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply. Please also include a new HijackThis log.

Regards,
Adam
Axephilic
Retired Graduate
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: ask.com, google search redirect

Post by mvisser » January 25th, 2009, 1:35 pm

Thanks for helping. I've pasted the uninstall list and the HijackThis report.

2001 Structural Matrices
Ad-Aware
Ad-Aware
Adobe Acrobat 9 Pro
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 ActiveX
Apple Software Update
AutoSiteGallery
BeerSmith Brewing Software
CCS64 V3.4
CCS64 V3.5
Compatibility Pack for the 2007 Office system
Conexant D110 MDC V.9x Modem
Disney Pirates of the Caribbean Online
EndNote X.0.2
ExamView Pro
Facebook Desktop
Garmin Communicator Plugin
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB927891)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver for Mobile
ISI ResearchSoft - Export Helper
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Magic DVD Ripper V5.0
Mathematica 5.2
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
meetingmaker
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
PowerDVD 5.7
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Slingbox Platform SDK 1.2.5.15
SlingPlayer
Sonic CinePlayer
Sonic DLA
Sonic RecordNow! Plus
Sonic Update Manager
Stat/Transfer Nine
Stata 10
Symantec Ghost Console Client
Universal Imaging Utility
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB955839)
User Profile Hive Cleanup Service
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD Anywhere Backup
WD Diagnostics
WD Drive Manager (x86)
Web Update Wizard (Redistributable) 4.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Yahoo! Messenger
YourProductName


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:52 AM, on 1/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sonoma.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonoma.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInCon ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 4861947838
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4861938664
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.157.33.98/activex/AxisCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O17 - HKLM\Software\..\Telephony: DomainName = solar.sonoma.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{F93B6E14-36A4-458D-80AC-25753EB32DA8}: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC6153EC-35BD-4567-8871-A074DF8DFB40}: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.4,85.255.112.14
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Symantec Ghost Client Agent (NGCLIENT) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe

--
End of file - 10786 bytes
mvisser
Active Member
 
Posts: 7
Joined: January 24th, 2009, 2:00 pm
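The O17 entries in the log above are the DNS hijack that MBAM later reports as Trojan.DNSChanger: the NameServer value in every control set and on both interfaces points at 85.255.115.4,85.255.112.14, so every lookup the machine makes goes through resolvers the attacker controls, which is exactly how search results end up redirected. As an added example (my code, not the thread's and not part of HijackThis), here is a small Python check that pulls the O17 NameServer entries out of a HijackThis log and flags any resolver outside an allow-list; the allow-list addresses are placeholders, since the thread never states which resolvers the machine should be using.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the O17 lines copied from the HijackThis log posted
# above. Nothing else from the log is needed to demonstrate the check.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O17 - HKLM\Software\..\Telephony: DomainName = solar.sonoma.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{F93B6E14-36A4-458D-80AC-25753EB32DA8}: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC6153EC-35BD-4567-8871-A074DF8DFB40}: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.4,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.4,85.255.112.14
"""

# Assumed allow-list: the resolvers this machine is supposed to use. These are
# RFC 5737 documentation addresses standing in for the real campus resolvers,
# which the thread does not state.
APPROVED_RESOLVERS = ("192.0.2.53", "198.51.100.53")

# O17 lines have the shape "O17 - <registry key>: <setting> = <value>".
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<name>\w+) = (?P<value>.*)$")


def parse_o17(log_text):
    """Return (key, setting, value) for every O17 entry in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m["key"], m["name"], m["value"].strip()))
    return entries


def describe_scope(key):
    """Name the control set and, if present, the interface GUID a key applies to."""
    cs = re.search(r"\\System\\(CCS|CS\d+)\\", key)
    guid = re.search(r"\{([0-9A-Fa-f-]{36})\}", key)
    scope = cs.group(1) if cs else "?"
    return scope + (" interface " + guid.group(1) if guid else " (global)")


def rogue_nameservers(log_text, approved):
    """Flag every NameServer value that names a resolver outside the approved set."""
    approved_ips = {ip_address(a) for a in approved}
    findings = []
    for key, setting, value in parse_o17(log_text):
        if setting != "NameServer":
            continue
        # HijackThis prints the raw registry value; resolvers are comma or
        # space separated, and a DNS changer may leave non-address junk behind.
        for token in re.split(r"[,\s]+", value):
            if not token:
                continue
            try:
                ip = ip_address(token)
            except ValueError:
                findings.append({"scope": describe_scope(key), "server": token,
                                 "reason": "not an IP address"})
                continue
            if ip not in approved_ips:
                findings.append({"scope": describe_scope(key), "server": token,
                                 "reason": "not an approved resolver"})
    return findings


if __name__ == "__main__":
    # On the sample log this reports both rogue resolvers on both interfaces
    # and in both control sets, eight findings in all.
    for f in rogue_nameservers(SAMPLE_LOG, APPROVED_RESOLVERS):
        print(f"{f['scope']}: {f['server']} ({f['reason']})")
```

Checking each control set separately matters here: the MBAM log later in the thread shows the same rogue servers written to CurrentControlSet, ControlSet001 and ControlSet003, so a fix that only corrects the active adapter's DNS leaves copies behind.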

Re: ask.com, google search redirect

Unread postby Axephilic » January 26th, 2009, 2:07 pm

Hello,

Please Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

In your next reply, please include:
  1. MBAM log
  2. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: ask.com, google search redirect

Unread postby mvisser » January 26th, 2009, 5:14 pm

Malwarebytes' Anti-Malware 1.33
Database version: 1696
Windows 5.1.2600 Service Pack 2

1/26/2009 1:12:09 PM
mbam-log-2009-01-26 (13-12-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 132469
Time elapsed: 53 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\aquaplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.4,85.255.112.14 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f93b6e14-36a4-458d-80ac-25753eb32da8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.4,85.255.112.14 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fc6153ec-35bd-4567-8871-a074df8dfb40}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.4,85.255.112.14 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.4,85.255.112.14 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f93b6e14-36a4-458d-80ac-25753eb32da8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.4,85.255.112.14 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{fc6153ec-35bd-4567-8871-a074df8dfb40}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.4,85.255.112.14 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.4,85.255.112.14 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{f93b6e14-36a4-458d-80ac-25753eb32da8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.4,85.255.112.14 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{fc6153ec-35bd-4567-8871-a074df8dfb40}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.4,85.255.112.14 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\visser\Local Settings\Temp\tmp14.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\visser\Local Settings\Temp\tmp194.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxrowprtrf.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\resycled\ntldr.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\visser\Local Settings\Temporary Internet Files\neokast-stream-player-installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxhrmqsklv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxhylvjdnd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxkyaxelyd.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:53 PM, on 1/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sonoma.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonoma.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInCon ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 4861947838
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4861938664
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.157.33.98/activex/AxisCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O17 - HKLM\Software\..\Telephony: DomainName = solar.sonoma.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Symantec Ghost Client Agent (NGCLIENT) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe

--
End of file - 10629 bytes
mvisser
Active Member
 
Posts: 7
Joined: January 24th, 2009, 2:00 pm

Re: ask.com, google search redirect

Unread postby Axephilic » January 27th, 2009, 9:17 am

Hi there, it's looking good. :)

Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

  • Close all open windows and click on Fix checked. When you get a popup window, click on Yes.

Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please include:
  1. Kaspersky report
  2. Are you still experiencing any problems?
  3. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: ask.com, google search redirect

Unread postby mvisser » January 27th, 2009, 5:19 pm

I am not experiencing the symptoms any longer, but Kaspersky found some threats. I haven't done anything to address these threats.

Mike Visser



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 27, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 27, 2009 15:18:35
Records in database: 1706683
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
G:\

Scan statistics:
Files scanned: 78065
Threat name: 2
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:41:08


File name / Threat name / Threats count
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tempo-41F.tmp Infected: Trojan-PSW.Win32.Agent.lst 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tempo-E7B.tmp Infected: Packed.Win32.Tdss.a 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tempo-EAD.tmp Infected: Packed.Win32.Tdss.a 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tmp18.tmp Infected: Packed.Win32.Tdss.a 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tmp197.tmp Infected: Packed.Win32.Tdss.a 1

The selected area was scanned.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:15 PM, on 1/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sonoma.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonoma.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInCon ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 4861947838
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4861938664
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.157.33.98/activex/AxisCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O17 - HKLM\Software\..\Telephony: DomainName = solar.sonoma.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Symantec Ghost Client Agent (NGCLIENT) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe

--
End of file - 10395 bytes
mvisser
Active Member
 
Posts: 7
Joined: January 24th, 2009, 2:00 pm

Re: ask.com, google search redirect

Unread postby Axephilic » January 28th, 2009, 12:29 am

Hi there,

  1. Please download OTMoveIt3.exe from Geeks to Go and save it to your desktop.
  2. Double click on OTMoveIt3.exe to run it.
  3. Please copy and paste the following in the Code box into OTMoveIt3 (1).

    Warning: Do not type it out to prevent any typo errors and damaging your machine.

    Code:
    :Processes
    explorer.exe
    :Files
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tempo-41F.tmp
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tempo-E7B.tmp
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tempo-EAD.tmp
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tmp18.tmp
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tmp197.tmp
    :Commands
    [EmptyTemp]
    [Reboot]


    Please refer to this image to use OTMoveIt3.

  4. Click on MoveIt! (2)
  5. Click Exit (3) when done.

Run GMER
Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on gmer.exe to run it.
  7. Select the Rootkit tab.
  8. On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  9. Select all drives that are connected to your system to be scanned.
  10. Click on the Scan button.
  11. When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  12. Open Notepad or a similar text editor.
  13. Paste the clipboard contents into the text editor.
  14. Save the Gmer scan log and post it in your next reply.
  15. Close Gmer.
  16. Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  17. In Command Prompt, type in net stop gmer. Press Enter.
  18. Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

In your next reply, please include:
  1. OTMoveIt3 log
  2. GMER scan log
  3. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
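
The GMER steps above end with the Rootkit scan log being posted back, and the first thing a helper does with that log is ask which module owns each SSDT or inline JMP hook. The script below is an added example that does that reading automatically; it is not GMER's own code and was not posted by either participant in this thread. It parses the three section types GMER prints (System, Kernel code sections, User code sections), groups hooks by the hooking driver or by the hooked process, and lists kernel-mode hooking modules whose description GMER left empty or attributes to a vendor other than the security products installed on this machine. The regular expressions, the KNOWN_VENDORS allowlist and the sample log (constructed from lines in the format shown in this thread) are assumptions made for the example.

```python
"""Summarise a GMER 'Rootkit scan' log by hooking module.

Added example for this thread: not GMER's own code and not posted by either
participant. GMER has no published output grammar, so the regular expressions
below are an assumption written against the line shapes visible in this thread.
"""
import re
from collections import defaultdict

# Vendors whose hooks are expected here because their products are installed on
# this machine (both appear in the thread's logs). Assumption for the example.
KNOWN_VENDORS = ("Lavasoft AB", "McAfee, Inc.")

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# System: 'SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA8F887E]'
SYSTEM_RE = re.compile(
    r"^(SSDT|Code)\s+(\S+)(?:\s+\(([^)]*)\))?\s+(\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?\s*$")
# Kernel code sections: 'PAGE ntkrnlpa.exe!NtCreateFile 8056DF7C 5 Bytes JMP A9036AC1 <driver> (<desc>/<vendor>)'
KERNEL_RE = re.compile(
    r"^\S+\s+(\S+)!(\w+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+(.+?)\s+(\S+\.sys)(?:\s+\(([^)]*)\))?\s*$")
# User code sections: '.text <process>[<pid>] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0069000A'
USER_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)!(\w+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+(.*?)\s*$")


def vendor_of(description):
    """GMER prints '(File description/Company name)'; return the company, or None."""
    return description.rsplit("/", 1)[-1].strip() if description else None


def parse_gmer(text):
    """Return (hooks, unparsed). Each hook is a dict: section, target, module, vendor."""
    section, hooks, unparsed = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if section is None:  # banner lines before the first section header
            continue
        if section == "System" and (m := SYSTEM_RE.match(line)):
            _kind, module, desc, func = m.groups()
            hooks.append(dict(section=section, target=func, module=module, vendor=vendor_of(desc)))
        elif section == "Kernel code sections" and (m := KERNEL_RE.match(line)):
            image, func, _patch, module, desc = m.groups()
            hooks.append(dict(section=section, target=f"{image}!{func}", module=module, vendor=vendor_of(desc)))
        elif section == "User code sections" and (m := USER_RE.match(line)):
            process, pid, dll, func, _patch = m.groups()
            # GMER prints only the jump destination for user-mode hooks, so no vendor is known here.
            hooks.append(dict(section=section, target=f"{dll}!{func}", module=f"{process}[{pid}]", vendor=None))
        else:
            unparsed.append(line)  # e.g. GMER's own 'cannot find the file' remarks
    return hooks, unparsed


def summarize(text):
    """Group hooks by owner and list kernel hooking modules not attributed to a known vendor."""
    hooks, unparsed = parse_gmer(text)
    by_module, by_process = defaultdict(set), defaultdict(int)
    for h in hooks:
        if h["section"] == "User code sections":
            by_process[h["module"]] += 1
        else:
            by_module[h["module"]].add(h["target"])
    review = sorted({h["module"] for h in hooks
                     if h["section"] != "User code sections" and h["vendor"] not in KNOWN_VENDORS})
    return {"kernel_hooks_by_module": {m: sorted(t) for m, t in by_module.items()},
            "user_hooks_by_process": dict(by_process),
            "modules_to_review": review,
            "unparsed": unparsed}


# Constructed sample: a shortened log in the format GMER printed in this thread.
SAMPLE_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-28 15:02:39
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA8F887E]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA93416D0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9036ABD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!NtCreateFile 8056DF7C 5 Bytes JMP A9036AC1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F20FCA
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for module, funcs in summary["kernel_hooks_by_module"].items():
        print(f"{module}: {', '.join(funcs)}")
    print("review:", summary["modules_to_review"])
    print("unparsed:", summary["unparsed"])
```

GMER fills the parenthesised description from the driver's version resource, so a kernel hook whose module carries no description, or whose file GMER reports it cannot find on disk, is what to look at first; the allowlist keeps the installed security products' own hooks out of that short list, and the `unparsed` list preserves GMER's remarks so nothing is silently dropped.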

Re: ask.com, google search redirect

Unread postby mvisser » January 28th, 2009, 7:11 pm

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tempo-41F.tmp moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tempo-E7B.tmp moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tempo-EAD.tmp moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tmp18.tmp moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tmp197.tmp moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\visser\LOCALS~1\Temp\etilqs_L6oeuaFsmI3Qkz5orJM3 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01282009_141800

Files moved on Reboot...
File C:\DOCUME~1\visser\LOCALS~1\Temp\etilqs_L6oeuaFsmI3Qkz5orJM3 not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\visser\Local Settings\Application Data\Mozilla\Firefox\Profiles\3m1kd21e.default\XUL.mfl moved successfully.



GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-28 15:02:39
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA8F887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA8F8C10]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA93416D0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9036ABD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9036AE7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9036A51]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9036A7D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9036B11]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA9036A27]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9036AD1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9036A67]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9036AA9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9036B27]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9036AFB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 805021FC 7 Bytes JMP A9036AFF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056DF7C 5 Bytes JMP A9036AC1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A70D8 7 Bytes JMP A9036B15 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A7EEE 5 Bytes JMP A9036B2B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805AD66C 7 Bytes JMP A9036AD5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C6F40 5 Bytes JMP A9036AEB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8720 5 Bytes JMP A9036AAD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 8061987A 7 Bytes JMP A9036A6B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A2E4 7 Bytes JMP A9036A55 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A4B4 7 Bytes JMP A9036A81 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B1EA 5 Bytes JMP A9036A2B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0069000A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006900A4
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00690FAF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00690FC0
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00690073
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00690051
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006900D0
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006900BF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00690F52
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00690F63
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 006900FC
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00690062
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00690025
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00690F94
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00690FE5
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00690040
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 006900E1
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0068001B
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0068006C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00680000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00680FCA
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00680051
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00680040
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00680FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00680FAF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[124] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00660FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DC0FE5
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DC0F72
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DC0F8D
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DC0067
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DC004A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DC0025
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DC00AE
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DC009D
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DC0F29
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DC0F3A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00DC0F04
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00DC0F9E
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00DC0FD4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00DC008C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00DC0FB9
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00DC000A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00DC0F4B
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00DB0FCA
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00DB0051
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00DB0025
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00DB000A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00DB0F94
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00DB0040
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00DB0FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00DB0FB9
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[656] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070F6D
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070F88
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 000700AB
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0007008E
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000700F2
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 000700D7
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00070F34
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0007007D
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[908] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 000700BC
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[908] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F30FA3
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F30098
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F30087
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F30076
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F30040
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F30F66
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F30F77
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F30F44
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F30F55
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00F30F33
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00F3005B
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00F30F88
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00F300C9
.text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F20FCA
.text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00F20040
.text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00F20F83
.text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00F20FA8
.text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00F2000A
.text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00F20FB9
.text C:\WINDOWS\system32\lsass.exe[920] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00810000
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00810F57
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00810F68
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00810F83
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00810040
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00810FAF
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00810082
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00810F3A
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00810093
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00810F04
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008100AE
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00810F9E
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00810FE5
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00810067
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0081001B
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00810FD4
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00810F1F
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00800FC0
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0080005F
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00800011
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0080004E
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0080003D
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0080002C
.text C:\WINDOWS\system32\svchost.exe[1096] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00900F8D
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00900FA8
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00900FC3
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0090005B
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00900F7C
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009000C4
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00900F6B
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00900104
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00900F50
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00900076
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009000A7
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0090004A
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0090002F
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009000DF
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008F0FA8
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008F002F
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008F0FB9
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008F0FCA
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008F0F7C
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008F001E
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008F0FE5
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008F0F97
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 022F0000
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 022F0F63
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 022F0F7E
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 022F0058
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 022F0047
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 022F0FC0
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 022F0F26
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 022F0F41
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 022F00AB
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 022F009A
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 022F0EF7
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 022F0FAF
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 022F0011
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 022F0F52
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 022F002C
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 022F0FDB
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 022F0089
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 022C002C
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 022C0069
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 022C001B
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 022C000A
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 022C0058
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 022C0FB6
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 022C0FE5
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 022C003D
.text C:\WINDOWS\System32\svchost.exe[1320] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01C90000
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 022D0FEF
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 022D0FCA
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 022D0FB9
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 022D0FA8
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008F0000
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008F0087
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008F0076
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008F0FA8
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008F0065
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008F0FB9
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008F00BF
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008F00A4
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008F00E4
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008F0F41
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008F00F5
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008F004A
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008F0FDB
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008F0F6D
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008F0FCA
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008F001B
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008F0F52
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00760025
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0076004A
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00760FDE
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0076000A
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00760F8D
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00760FA8
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00760FB9
.text C:\WINDOWS\system32\svchost.exe[1392] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00740000
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009C0F8D
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009C0F9E
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009C0FAF
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009C006C
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009C0051
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009C00CB
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009C00AE
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009C00FA
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009C0F61
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009C0F50
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009C0011
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009C009D
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009C0040
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009C0F72
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 009A0F9E
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 009A002C
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 009A0FC3
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 009A0FD4
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 009A0F79
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 009A001B
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\svchost.exe[1556] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00980FEF
.text C:\WINDOWS\system32\svchost.exe[1556] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1556] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 009B0FCA
.text C:\WINDOWS\system32\svchost.exe[1556] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 009B0FB9
.text C:\WINDOWS\system32\svchost.exe[1556] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 009B0F94
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008A0000
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008A00A4
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008A0089
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008A0FAF
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008A0FC0
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008A0051
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008A0F88
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008A00D0
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008A0F63
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008A00F2
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008A0F48
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008A006C
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008A001B
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008A00BF
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008A0FE5
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008A002C
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008A00E1
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00890FC0
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00890F80
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00890011
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00890000
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00890047
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0089002C
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00890FEF
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00890FA5
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0F68
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0F79
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0051
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0F94
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A002C
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A00A9
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A008E
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0F21
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001A0F10
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A0011
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A0F57
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A0FDB
.text C:\WINDOWS\Explorer.EXE[3580] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A00BA
.text C:\WINDOWS\Explorer.EXE[3580] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00280FA5
.text C:\WINDOWS\Explorer.EXE[3580] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0028003D
.text C:\WINDOWS\Explorer.EXE[3580] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00280FC0
.text C:\WINDOWS\Explorer.EXE[3580] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00280FE5
.text C:\WINDOWS\Explorer.EXE[3580] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00280F80
.text C:\WINDOWS\Explorer.EXE[3580] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0028002C
.text C:\WINDOWS\Explorer.EXE[3580] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00280000
.text C:\WINDOWS\Explorer.EXE[3580] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0028001B
.text C:\WINDOWS\Explorer.EXE[3580] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[3580] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002B000A
.text C:\WINDOWS\Explorer.EXE[3580] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\Explorer.EXE[3580] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 002B002F
.text C:\WINDOWS\Explorer.EXE[3580] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 00EC0000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxhrmqsklv.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxhrmqsklv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxhrmqsklv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrowprtrf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxhrmqsklv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxhrmqsklv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrowprtrf.dll

---- EOF - GMER 1.0.14 ----


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:13 PM, on 1/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sonoma.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonoma.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInCon ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 4861947838
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4861938664
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.157.33.98/activex/AxisCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O17 - HKLM\Software\..\Telephony: DomainName = solar.sonoma.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solar.sonoma.edu
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Symantec Ghost Client Agent (NGCLIENT) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe

--
End of file - 10206 bytes
mvisser
Active Member
 
Posts: 7
Joined: January 24th, 2009, 2:00 pm

Re: ask.com, google search redirect

Unread postby Axephilic » January 28th, 2009, 8:34 pm

Hi,

You have a VERY serious infection known as a rootkit. Rootkits are specialist programs designed to patch the Windows kernel with the intention of hiding themselves from Windows.
What does this mean? Rootkits hide files. And really good rootkits hide really bad files.

We do have tools to detect rootkits, but the problem with these is that they still require Windows to operate, and an exceptionally advanced rootkit might therefore have patched the Windows kernel in such a way that even our specialist tools are fooled - because in the end, they're nothing more than kernel-privileged (= highest permissions possible) applications.

Don't worry - most rootkits don't exhibit this type of behaviour. They only patch the userland mode - which means that normal programs such as Windows Explorer will not detect them, but higher privileged kernel programs will.

However, we have also identified a small number of kernel rootkits. They completely patch the kernel, which is, in fact, the very essence of Windows. So they can potentially fool every scanner we have because of their high privileges.

Because of these functions, you should consider reformatting and reinstalling the operating system.

The thing is, Windows is now lying to you. And we can never be sure how deep this goes. Not all rootkits can be detected. Every rootkit can and will impair your computer's normal behaviour and stability, one way or another. We can somehow detect rootkits, but as all rootkit detectors need Windows to operate, we can't be sure they're not being lied to as well.

In any case involving rootkits, I cannot guarantee anything. The best course of action would be reformatting and reinstalling the operating system.

If you wish to proceed without reformatting and reinstalling, then follow the instructions. If you are going to reformat, then do not follow the instructions.




Please navigate to the system tray on the bottom right hand corner and look for a Image sign.
  • Right-click it -> choose "Exit."
  • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.

Download and Run ComboFix
Please visit this page to download and run Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Save it to your desktop.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    Image

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please include:
  1. ComboFix log
  2. A new HijackThis log

OR

Your decision to reformat.

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

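The GMER report posted above and Adam's distinction between userland hooks and a hidden kernel driver, as an added example (not the thread's or GMER's own code): a Python parser for GMER's .text hook, Service and Registry lines that reports the hidden service's Start and Type values, the modules it registers and the control sets it is written to. Sample input is a trimmed excerpt of the report above; the Start/Type name tables are the standard Windows service values.

```python
import re
from collections import Counter, defaultdict

# Trimmed excerpt of the GMER 1.0.14 report posted above (user-mode hook lines,
# the Services section and the Registry section), used here as sample input.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1556] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\Explorer.EXE[3580] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 00EC0000
---- Services - GMER 1.0.14 ----
Service system32\drivers\gaopdxhrmqsklv.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxhrmqsklv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxhrmqsklv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrowprtrf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrowprtrf.dll
"""

HOOK_RE = re.compile(r"^\.text\s+(?P<proc>\S+)\[(?P<pid>\d+)\]\s+(?P<dll>[^!\s]+)!(?P<func>\S+)"
                     r"\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)")
SERVICE_RE = re.compile(r"^Service\s+(?P<image>\S+)\s+\((?P<flags>[^)]*)\)\s+\[[^\]]+\]\s+(?P<name>\S+)")
SERVICES_KEY_RE = re.compile(r"HKLM\\SYSTEM\\(?P<cs>CurrentControlSet|ControlSet\d{3})\\Services\\(?P<svc>[^\\]+)", re.I)
# Standard meanings of a service's Start and Type registry values.
START_NAMES = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START", "3": "DEMAND_START", "4": "DISABLED"}
TYPE_NAMES = {"1": "KERNEL_DRIVER", "2": "FILE_SYSTEM_DRIVER", "16": "WIN32_OWN_PROCESS", "32": "WIN32_SHARE_PROCESS"}


def parse_gmer(text):
    """Split a GMER text report into hook, hidden-service and per-service registry data."""
    hooks = defaultdict(list)                      # (process, pid) -> [(dll, func, jmp target)]
    hidden = {}                                    # hidden service name -> image path
    reg = defaultdict(lambda: defaultdict(dict))   # service -> control set -> {value name: data}
    for line in (l.strip() for l in text.splitlines()):
        m = HOOK_RE.match(line)
        if m:
            hooks[(m["proc"], int(m["pid"]))].append((m["dll"].lower(), m["func"], int(m["target"], 16)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if "hidden" in m["flags"]:             # GMER flags services the Windows API would not list
                hidden[m["name"]] = m["image"]
            continue
        if line.startswith("Reg "):
            token, _, data = line[4:].partition(" ")
            key, _, value = token.partition("@")   # no "@" means a bare key, no value to record
            km = SERVICES_KEY_RE.search(key)
            if km and value:
                vname = (key[km.end():] + "@" + value).lower()   # "@start", "\modules@gaopdxl", ...
                reg[km["svc"]][km["cs"].lower()][vname] = data
    return hooks, hidden, reg


def assess_hidden_services(text):
    """One finding per hidden service: how it starts, what it loads, where it persists."""
    _, hidden, reg = parse_gmer(text)
    findings = []
    for name, image in hidden.items():
        per_cs = reg.get(name, {})
        start = typ = None
        modules = set()
        for values in per_cs.values():
            start = values.get("@start", start)
            typ = values.get("@type", typ)
            modules.update(d for v, d in values.items() if v.startswith("\\modules@"))
        findings.append({
            "service": name, "image": image,
            "start": START_NAMES.get(start, start), "type": TYPE_NAMES.get(typ, typ),
            "control_sets": sorted(per_cs), "modules": sorted(modules),
            # \\?\globalroot\ names the NT object namespace directly, so also report those
            "globalroot_paths": sorted(m for m in modules if m.lower().startswith("\\\\?\\globalroot\\")),
        })
    return findings


def hook_summary(text):
    """Per process, how many exported APIs are inline-patched, by DLL (security products hook too)."""
    hooks, _, _ = parse_gmer(text)
    return {f"{proc}[{pid}]": dict(Counter(dll for dll, _, _ in lst)) for (proc, pid), lst in hooks.items()}


if __name__ == "__main__":
    for finding in assess_hidden_services(SAMPLE_LOG):
        print(finding)
    print(hook_summary(SAMPLE_LOG))
```

The hook summary is context only: the McAfee host intrusion driver listed in the Devices section installs user-mode hooks as well, so hooked APIs by themselves are not evidence of a rootkit, whereas a service marked hidden with a SYSTEM_START kernel driver is.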
Re: ask.com, google search redirect

Unread postby mvisser » January 28th, 2009, 8:52 pm

I am leaning toward reformatting, especially since I am likely to get a new computer soon anyhow. However, I need to transfer data from my current computer to the new one... is this infection likely to be transferred also?

Mike Visser
mvisser
Active Member
 
Posts: 7
Joined: January 24th, 2009, 2:00 pm

Re: ask.com, google search redirect

Unread postby Axephilic » January 29th, 2009, 5:28 pm

Hi there,

When you back up your files, I recommend burning them to a CD-R. This way, the files cannot mutate on the CD and as soon as you get them to the new PC, before transferring them, you can scan them from the CD to make sure they are not infected. You should only back up files, not programs. Programs should be downloaded and reinstalled.

This is still a little risky though. ;)

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: ask.com, google search redirect

Unread postby mvisser » January 30th, 2009, 1:45 pm

Given the number and size of files I need to transfer, I will be using a USB hard drive. What should I do to scan before transferring the files?

Mike Visser
mvisser
Active Member
 
Posts: 7
Joined: January 24th, 2009, 2:00 pm

Re: ask.com, google search redirect

Unread postby Axephilic » January 30th, 2009, 5:48 pm

As I said before, it will still be risky. But if you must, then transfer all the files to the USB device, put it in the new computer and immediately scan the whole USB device for viruses.

Good luck.

If you have any more questions, then please ask; otherwise I will ask to have this topic archived. :)

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: ask.com, google search redirect

Unread postby askey127 » February 1st, 2009, 7:47 pm

This topic is now closed. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.
Please do not contact us to reopen this topic if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA