Google links redirected - can't remove malware

Post by dlk_in_pa » May 4th, 2010, 8:18 am

Hi. I can't get rid of some malware. I tried Spybot, MalwareBytes, and Ad-aware. I'm also running McAfee security suite. Spybot and MalwareBytes found things and removed them, and that made things better, but I still get redirected from Google links somewhat regularly. My PC also freezes up from time to time. I have Windows XP Home Edition SP3. Below is my HijackThis log and uninstall list:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:32 PM, on 5/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [arhakwye] C:\Documents and Settings\NetworkService\Local Settings\Application Data\neaxiqojs\mpfmvlttssd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-3013991861-256207873-926089231-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Roberta Kissinger')
O4 - HKUS\S-1-5-21-3013991861-256207873-926089231-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Roberta Kissinger')
O4 - HKUS\S-1-5-21-3013991861-256207873-926089231-1006\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Roberta Kissinger')
O4 - HKUS\S-1-5-18\..\Run: [arhakwye] C:\Documents and Settings\NetworkService\Local Settings\Application Data\neaxiqojs\mpfmvlttssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [arhakwye] C:\Documents and Settings\NetworkService\Local Settings\Application Data\neaxiqojs\mpfmvlttssd.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0927670437
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10698 bytes

My uninstall list:
Ad-Aware
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0.1
All The Right Type 3
American Civil War Gettysburg
Aspell English Dictionary-0.50-2
Athlon 64 Processor Driver
ATI Control Panel
ATI Display Driver
CCScore
Conexant AC-Link Audio
Critical Update for Windows Media Player 11 (KB959772)
Customer Experience Enhancement
Drop 2
Easy Internet Sign-up
eGames GameButler
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
Flipster Twin Pack
Garmin Communicator Plugin
Garmin MapSource
Garmin TOPO U.S. 2008
Garmin USB Drivers
Garmin WebUpdater
GNU Aspell 0.50-3
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
H&R Block Deluxe + Efile + State 2009
H&R Block Pennsylvania 2009
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 7.0
HP DVD Play 2.0
HP Help and Support
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Photosmart Premier Software 6.0
HP Product Detection
HP Software Update
HP Solution Center 7.0
HP User Guides 0025
HP User Guides--System Recovery
HP Wireless Assistant 2.00 C1
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 20
Jewel Labyrinth
Jewel Quest (remove only)
kgcbase
Kodak EasyShare software
Logitech SetPoint
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Mega Match
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia 2000
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Web Publishing Wizard 1.52
Microsoft WinUsb 1.0
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 4.5
netbrdg
Notepad++
Office 2003 Trial Assistant
OfotoXMI
Penguin Puzzle
Picture Package Music Transfer
PQ DVD to Zune Converter (remove only)
Q-bert (remove only)
Quick Launch Buttons 5.20 G1
Railroad Tycoon 3
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SFR
SHASTA
skin0001
SKINXSDK
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sony Picture Utility
Spybot - Search & Destroy
staticcr
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
The Print Shop 22
TomTom HOME
tooltips
TourSetup
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VIVA MEDIA GAME CENTER
VPRINTOL
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS
Wireless Home Network Setup
Zune
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)
dlk_in_pa
Active Member
 
Posts: 10
Joined: May 3rd, 2010, 9:01 pm
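Added example, not code from the thread, from HijackThis or from DDS: a small Python triage script that applies the checks a helper makes by eye when reading logs like the ones in this thread. The sample lines are constructed from entries in the HijackThis log above and the DDS log posted later; the heuristics (autostart from a service account's profile, a binary under Local Settings\Application Data, random-looking value and file names, a non-default LSA notification package) are my own and not any tool's output.

```python
"""Startup-entry triage for HijackThis and DDS logs.

Added example, not code from MalwareRemoval.com, HijackThis or DDS. It parses
HijackThis 'O4 ... Run' lines, DDS 'uRun/mRun/dRun' lines and the DDS
'LSA: Notification Packages' line, then applies defender-side heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: entries copied from the logs in this thread, plus
# benign entries so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [arhakwye] C:\Documents and Settings\NetworkService\Local Settings\Application Data\neaxiqojs\mpfmvlttssd.exe
O4 - HKUS\S-1-5-18\..\Run: [arhakwye] C:\Documents and Settings\NetworkService\Local Settings\Application Data\neaxiqojs\mpfmvlttssd.exe (User 'SYSTEM')
dRun: [ksoeglug] c:\documents and settings\networkservice\local settings\application data\irhaxngou\sgldodgtssd.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
LSA: Notification Packages = scecli c:\windows\system32\benufabi.dll
"""

# HijackThis: O4 - <hive>\..\Run: [<value name>] <command> [(User '<name>')]
HJT_RUN = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
# DDS: uRun (current user) / mRun (machine) / dRun (default user)
DDS_RUN = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LSA_LINE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.+)$")
EXE_PATH = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)
# Heuristic (my assumption, not a vendor rule): seven or more lowercase
# letters with no digits or dots, the shape of the generated names in this
# thread (arhakwye, mpfmvlttssd, ksoeglug, sgldodgtssd).
RANDOM_NAME = re.compile(r"^[a-z]{7,}$")
SERVICE_PROFILES = ("\\networkservice\\", "\\localservice\\")


@dataclass
class Finding:
    kind: str       # "run" or "lsa"
    severity: str   # "high" or "medium"
    name: str       # registry value name or package list
    path: str
    reasons: List[str] = field(default_factory=list)


def launched_exe(cmd: str) -> str:
    """Executable a Run command starts, lower-cased, quotes and args dropped."""
    m = EXE_PATH.match(cmd)
    return (m.group("path") if m else cmd).lower()


def check_run_entry(name: str, cmd: str) -> Optional[Finding]:
    path = launched_exe(cmd)
    reasons = []
    if any(p in path for p in SERVICE_PROFILES):
        reasons.append("autostarts from a service account's profile")
    if "\\local settings\\application data\\" in path:
        reasons.append("binary stored under Local Settings\\Application Data")
    base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if RANDOM_NAME.match(name) and RANDOM_NAME.match(base):
        reasons.append("value name and file name look randomly generated")
    if not reasons:
        return None
    return Finding("run", "high" if len(reasons) > 1 else "medium", name, path, reasons)


def check_lsa(pkgs: str) -> Optional[Finding]:
    """Anything beyond scecli (the XP default) is loaded into lsass.exe at boot."""
    extras = [p for p in pkgs.split() if p.lower() != "scecli"]
    if not extras:
        return None
    return Finding("lsa", "high", pkgs, " ".join(extras),
                   ["non-default LSA notification package loaded into lsass.exe"])


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_RUN.match(line) or DDS_RUN.match(line)
        if m:
            f = check_run_entry(m.group("name"), m.group("cmd"))
        elif (m := LSA_LINE.match(line)):
            f = check_lsa(m.group("pkgs"))
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind} {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

The script only flags entries for a human to review; it does not delete anything, since a false positive on a vendor's oddly named updater is cheap to check and expensive to act on blindly.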

Re: Google links redirected - can't remove malware

Post by MWR 3 day Mod » May 8th, 2010, 3:14 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Google links redirected - can't remove malware

Post by melboy » May 9th, 2010, 5:07 am

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please DO NOT run any other tools or scans whilst I am helping you.
  5. It is important that you reply to this thread. Do not start a new topic.
  6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  7. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


=================================


Note: Please read and print, or save to Notepad, the following, as part of the instructions require you to boot into Safe Mode. You may not have an internet connection whilst in Safe Mode.


In normal mode:


Gmer

Download GMER Rootkit Scanner from here and save it to your desktop. Do Not run it yet.



DDS

Please disable any anti-malware program that will block scripts from running before running DDS.

Please download DDS from one of the links below and save it to your desktop:

Link1
Link2
Link3

Disable any script blocker, and then double click dds.scr to run the tool. A command window will appear, this is normal.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please copy & paste the contents of :
  • DDS.txt
  • Attach.txt
And post them in your next reply.


Safe mode

Now I will be asking you to boot into Safe Mode for the next part of the fix. It may prove beneficial if you print off the following instructions or save them to Notepad, as you will not have Internet access whilst in Safe Mode.

How to boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should come up where you will be given the option to enter Safe Mode, do so.

If you have any problems, refer to this tutorial.

In safe mode carry out the following:


Gmer

  • Double click the GMER randomly named .exe file you saved earlier to your desktop. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    See image below
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Note: Do not run any programs while Gmer is running.


Reboot to normal mode


In your next reply:
  1. DDS.txt
  2. Attach.txt
  3. GMER log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google links redirected - can't remove malware

Post by dlk_in_pa » May 10th, 2010, 8:07 am

Hi and thanks for your help. Here are the 3 items that you requested:

DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by David at 13:35:46.98 on Sun 05/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.603 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
mSearchAssistant = hxxp://www.google.com
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe" -s
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [arhakwye] c:\documents and settings\networkservice\local settings\application data\neaxiqojs\mpfmvlttssd.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [arhakwye] c:\documents and settings\networkservice\local settings\application data\neaxiqojs\mpfmvlttssd.exe
dRun: [ksoeglug] c:\documents and settings\networkservice\local settings\application data\irhaxngou\sgldodgtssd.exe
StartupFolder: c:\docume~1\david\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/share ... insctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 0927670437
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/fl ... wflash.cab
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\common files\microsoft shared\information retrieval\itss51.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\benufabi.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-29 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-4-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-4-10 144704]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-4-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-4-10 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1285864]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-4-10 34248]

=============== Created Last 30 ================

2010-05-02 15:40:13 0 d-----w- c:\program files\Trend Micro
2010-05-02 14:47:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-02 14:47:20 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-30 06:00:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-30 03:03:35 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-30 03:03:26 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-30 02:57:11 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-30 02:56:39 0 d-----w- c:\program files\Lavasoft
2010-04-16 02:12:28 0 d-----w- c:\docume~1\david\applic~1\Malwarebytes
2010-04-16 02:12:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-16 02:12:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-16 02:11:59 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 02:11:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 02:30:22 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-13 02:30:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-11 20:01:26 0 d-----w- c:\windows\ie8updates
2010-04-11 18:13:25 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-11 18:13:25 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-04-11 15:48:12 0 d-sh--w- c:\documents and settings\david\IECompatCache
2010-04-11 15:47:35 0 d-sh--w- c:\documents and settings\david\PrivacIE
2010-04-11 15:41:36 0 d-sh--w- c:\documents and settings\david\IETldCache
2010-04-11 15:12:46 0 dc-h--w- c:\windows\ie8
2010-04-11 01:52:17 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat
2010-04-10 20:16:18 0 d-----w- c:\windows\system32\XPSViewer
2010-04-10 20:14:56 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-04-10 20:14:56 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-04-10 20:14:56 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-04-10 20:14:56 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-04-10 20:14:56 117760 ------w- c:\windows\system32\prntvpt.dll
2010-04-10 20:14:55 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-04-10 20:14:55 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-04-10 20:14:54 0 d-----w- C:\1abd5625a09763f6c994ab
2010-04-10 20:14:20 0 d-----w- c:\windows\SxsCaPendDel
2010-04-10 19:45:15 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-04-10 19:43:48 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-04-10 19:43:48 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-04-10 19:43:12 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-04-10 19:43:03 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-04-10 19:42:46 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2010-04-10 19:42:02 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-04-10 05:50:27 11737 ----a-w- c:\windows\system32\Config.MPF
2010-04-10 05:46:18 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-10 05:46:18 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-04-10 05:46:18 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-10 05:46:07 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-04-10 05:45:21 0 d-----w- c:\program files\McAfee.com
2010-04-10 05:45:21 0 d-----w- c:\program files\common files\McAfee
2010-04-10 05:44:55 0 d-----w- c:\program files\McAfee
2010-04-10 05:40:10 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-04-10 04:52:51 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-10 04:51:32 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee.com
2010-04-10 04:40:08 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee(2)
2010-04-10 04:40:06 0 d-----w- c:\program files\McAfee(2)
2010-04-10 04:13:42 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-04-10 03:36:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Citrix

==================== Find3M ====================

2010-05-08 18:01:35 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2010-05-08 18:01:35 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-05-03 17:10:16 5416 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:52 78336 ------w- c:\windows\system32\dllcache\ieencode.dll
2010-03-11 12:38:51 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-02-25 06:24:37 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-02-25 06:24:37 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-02-25 06:24:37 1209344 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-02-25 06:24:36 5944832 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-02-25 06:24:35 594432 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-25 06:24:35 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-25 06:24:35 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-02-25 06:24:35 1985536 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2010-02-25 06:24:35 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-02-25 06:24:34 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2009-01-24 02:19:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012320090124\index.dat

============= FINISH: 13:37:10.81 ===============


----------------------------------------------------------------------------
attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/2/2006 4:07:09 AM
System Uptime: 5/9/2010 1:03:37 PM (0 hours ago)

Motherboard: Hewlett-Packard | | 30AE
Processor: AMD Turion(tm) 64 Mobile Technology ML-32 | U23 | 1794/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 67 GiB total, 18.414 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 1.017 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP299: 2/10/2010 5:34:34 PM - System Checkpoint
RP300: 2/16/2010 8:07:30 PM - System Checkpoint
RP301: 2/18/2010 9:09:47 PM - System Checkpoint
RP302: 2/20/2010 4:54:33 PM - System Checkpoint
RP303: 2/24/2010 7:25:06 PM - System Checkpoint
RP304: 2/26/2010 6:25:52 PM - System Checkpoint
RP305: 3/2/2010 9:12:14 PM - System Checkpoint
RP306: 3/9/2010 9:57:05 PM - System Checkpoint
RP307: 3/17/2010 9:17:50 PM - System Checkpoint
RP308: 3/23/2010 7:50:08 PM - Installed H&R Block Deluxe + Efile + State 2009.
RP309: 3/25/2010 7:17:24 PM - System Checkpoint
RP310: 4/2/2010 11:17:11 PM - System Checkpoint
RP311: 4/6/2010 10:05:32 PM - System Checkpoint
RP312: 4/9/2010 11:14:43 PM - Installed McAfee Virtual Technician
RP313: 4/10/2010 12:39:35 AM - Restore Operation
RP314: 4/10/2010 12:50:06 AM - Restore Operation
RP315: 4/10/2010 4:01:25 PM - Software Distribution Service 3.0
RP316: 4/10/2010 4:06:26 PM - Software Distribution Service 3.0
RP317: 4/10/2010 9:43:41 PM - Printer Driver Microsoft XPS Document Writer Installed
RP318: 4/11/2010 3:59:44 PM - Software Distribution Service 3.0
RP319: 4/12/2010 11:50:52 PM - System Checkpoint
RP320: 4/13/2010 8:28:32 PM - Installed H&R Block Pennsylvania 2009.
RP321: 4/14/2010 11:49:04 PM - System Checkpoint
RP322: 4/15/2010 7:09:21 AM - Software Distribution Service 3.0
RP323: 4/16/2010 6:36:59 AM - Software Distribution Service 3.0
RP324: 4/19/2010 8:17:22 PM - System Checkpoint
RP325: 4/23/2010 12:48:49 AM - System Checkpoint
RP326: 4/30/2010 2:28:05 AM - System Checkpoint
RP327: 5/2/2010 10:46:38 AM - Installed Java(TM) 6 Update 20
RP328: 5/3/2010 7:46:01 PM - System Checkpoint
RP329: 5/8/2010 10:18:46 AM - System Checkpoint

==== Installed Programs ======================

Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0.1
All The Right Type 3
American Civil War Gettysburg
Aspell English Dictionary-0.50-2
Athlon 64 Processor Driver
ATI Control Panel
ATI Display Driver
BufferChm
CCScore
Conexant AC-Link Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
CustomerResearchQFolder
D1300
D1300_Help
Destinations
Drop 2
Easy Internet Sign-up
eGames GameButler
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
eSupportQFolder
Flipster Twin Pack
FullDPAppQFolder
Garmin Communicator Plugin
Garmin MapSource
Garmin TOPO U.S. 2008
Garmin USB Drivers
Garmin WebUpdater
GNU Aspell 0.50-3
Google Toolbar for Internet Explorer
Google Update Helper
H&R Block Deluxe + Efile + State 2009
H&R Block Pennsylvania 2009
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 7.0
HP DVD Play 2.0
HP Help and Support
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Photosmart Premier Software 6.0
HP Product Detection
HP Software Update
HP Solution Center 7.0
HP User Guides--System Recovery
HP User Guides 0025
HP Wireless Assistant 2.00 C1
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
InstantShareDevices
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 20
Jewel Labyrinth
Jewel Quest (remove only)
kgcbase
Kodak EasyShare software
LightScribe 1.4.56.1
Logitech SetPoint
Malwarebytes' Anti-Malware
MarketResearch
McAfee SecurityCenter
Mega Match
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia 2000
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Web Publishing Wizard 1.52
Microsoft WinUsb 1.0
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 4.5
netbrdg
Notepad++
Office 2003 Trial Assistant
OfotoXMI
OptionalContentQFolder
Penguin Puzzle
PhotoGallery
Picture Package Music Transfer
PQ DVD to Zune Converter (remove only)
Q-bert (remove only)
Quick Launch Buttons 5.20 G1
Railroad Tycoon 3
RandMap
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SFR
SHASTA
skin0001
SkinsHP1
SKINXSDK
Soft Data Fax Modem with SmartCP
SolutionCenter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
Sony Picture Utility
Spybot - Search & Destroy
staticcr
Status
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
The Print Shop 22
TIPCI
TomTom HOME
Toolbox
tooltips
TourSetup
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VIVA MEDIA GAME CENTER
VPRINTOL
WebFldrs XP
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS
Wireless Home Network Setup
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)

==== Event Viewer Messages From Past Week ========

5/5/2010 10:15:02 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
5/3/2010 5:57:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
5/3/2010 5:57:32 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/3/2010 5:51:26 PM, error: Service Control Manager [7000] - The SDDMI2 service failed to start due to the following error: The system cannot find the file specified.
5/3/2010 10:03:16 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Pml Driver HPZ12 service to connect.
5/3/2010 10:03:16 PM, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/2/2010 12:59:17 PM, error: DCOM [10001] - Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe -Embedding
5/2/2010 11:43:07 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
5/2/2010 10:54:15 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/2/2010 10:54:15 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
5/2/2010 10:00:01 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.

==== End Of File ===========================

----------------------------------------------------------------------------
gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-09 22:28:40
Windows 5.1.2600 Service Pack 3
Running: 4off6ez4.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\awrdapow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF74F787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF74F7BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\wmiacpi.sys entry point in ".rsrc" section [0xF791CC94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006E000A
.text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006C000C
.text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01D3000A
.text C:\WINDOWS\system32\svchost.exe[576] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 01D2000A
.text C:\WINDOWS\Explorer.EXE[940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[940] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[940] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs F6A5C400
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A260AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\wmiacpi.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
dlk_in_pa
Active Member
 
Posts: 10
Joined: May 3rd, 2010, 9:01 pm

Re: Google links redirected - can't remove malware

Unread postby melboy » May 10th, 2010, 8:16 am

ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    • Open McAfee Security Center.
    • Click on Home on the left pane.
    • Beside Computer & Files, click on the arrow button.
    • Next, click on the arrow button beside Configure at the middle right (NOT the bottom one).
    • You will come to a new page. Please check (click) Off for all the protections. Remember to scroll down.
    • You will be prompted, select Never and just click OK.
    • Note: Don't forget to re-enable it after ComboFix has finished.

  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.



Here is an illustration to assist you in disabling McAfee:
Image
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google links redirected - can't remove malware

Unread postby dlk_in_pa » May 11th, 2010, 6:45 am

Here's the ComboFix log. Note that I also uninstalled Malwarebytes, Ad-Aware, and Spybot prior to running ComboFix. I'm still running McAfee. Thanks.

ComboFix 10-05-10.02 - David 05/10/2010 22:51:25.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.924 [GMT -4:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\David\Application Data\inst.exe
c:\documents and settings\Roberta Kissinger\Application Data\inst.exe
c:\documents and settings\Roberta Kissinger\Local Settings\Temporary Internet Files\5n7Dt.jpg
c:\documents and settings\Roberta Kissinger\Local Settings\Temporary Internet Files\bL7Y7mHLc.jpg
c:\documents and settings\Roberta Kissinger\Local Settings\Temporary Internet Files\Vmr586V4.jpg
c:\documents and settings\Roberta Kissinger\Local Settings\Temporary Internet Files\xN6vH.jpg
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://82.98.235.29
Infected copy of c:\windows\system32\drivers\wmiacpi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-02 15:40 . 2010-05-02 15:40 -------- d-----w- c:\program files\Trend Micro
2010-05-02 14:47 . 2010-05-02 14:46 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-02 02:06 . 2010-05-02 02:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\irhaxngou
2010-04-30 03:03 . 2010-04-30 03:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-30 02:56 . 2010-05-11 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-23 05:32 . 2010-04-23 05:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\neaxiqojs
2010-04-20 01:11 . 2010-04-20 01:11 -------- d-sh--w- c:\documents and settings\AJ\PrivacIE
2010-04-20 00:55 . 2010-04-20 00:55 -------- d-sh--w- c:\documents and settings\Roberta Kissinger\IECompatCache
2010-04-19 02:21 . 2010-04-19 02:21 -------- d-sh--w- c:\documents and settings\AJ\IECompatCache
2010-04-18 02:24 . 2010-04-18 02:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-16 02:12 . 2010-04-16 02:12 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2010-04-16 02:12 . 2010-04-16 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-15 22:58 . 2010-04-15 22:58 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-15 22:58 . 2010-04-15 22:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-15 13:45 . 2010-04-15 13:45 -------- d-----w- c:\documents and settings\Roberta Kissinger\Application Data\Notepad++
2010-04-13 17:40 . 2010-04-13 17:40 -------- d-sh--w- c:\documents and settings\Roberta Kissinger\PrivacIE
2010-04-13 05:26 . 2010-04-13 05:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-13 02:30 . 2010-05-11 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 20:01 . 2010-04-15 11:12 -------- d-----w- c:\windows\ie8updates
2010-04-11 19:19 . 2010-04-11 19:19 -------- d-sh--w- c:\documents and settings\AJ\IETldCache
2010-04-11 18:13 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-04-11 18:13 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-11 18:02 . 2010-04-11 18:02 -------- d-sh--w- c:\documents and settings\Roberta Kissinger\IETldCache
2010-04-11 15:48 . 2010-04-11 15:48 -------- d-sh--w- c:\documents and settings\David\IECompatCache
2010-04-11 15:47 . 2010-04-11 15:47 -------- d-sh--w- c:\documents and settings\David\PrivacIE
2010-04-11 15:44 . 2010-04-11 15:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-11 15:41 . 2010-04-11 15:41 -------- d-sh--w- c:\documents and settings\David\IETldCache
2010-04-11 15:12 . 2010-04-11 15:16 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 02:46 . 2004-08-03 18:07 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2010-05-10 17:06 . 2007-11-18 00:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-05 02:31 . 2010-05-05 02:31 503808 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d162f-n\msvcp71.dll
2010-05-05 02:31 . 2010-05-05 02:31 61440 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5fac9ea2-n\decora-sse.dll
2010-05-05 02:31 . 2010-05-05 02:31 499712 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d162f-n\jmc.dll
2010-05-05 02:31 . 2010-05-05 02:31 348160 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d162f-n\msvcr71.dll
2010-05-05 02:31 . 2010-05-05 02:31 12800 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5fac9ea2-n\decora-d3d.dll
2010-05-03 21:59 . 2010-03-09 01:54 439816 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\setup.exe
2010-05-02 17:05 . 2010-05-02 17:05 503808 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651ebde9-n\msvcp71.dll
2010-05-02 17:05 . 2010-05-02 17:05 61440 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72fe855e-n\decora-sse.dll
2010-05-02 17:05 . 2010-05-02 17:05 499712 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651ebde9-n\jmc.dll
2010-05-02 17:05 . 2010-05-02 17:05 348160 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651ebde9-n\msvcr71.dll
2010-05-02 17:05 . 2010-05-02 17:05 12800 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72fe855e-n\decora-d3d.dll
2010-05-02 15:01 . 2006-04-12 05:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 14:47 . 2006-04-12 05:17 -------- d-----w- c:\program files\Common Files\Java
2010-05-02 14:47 . 2010-05-02 14:47 503808 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71eaf98f-n\msvcp71.dll
2010-05-02 14:47 . 2010-05-02 14:47 499712 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71eaf98f-n\jmc.dll
2010-05-02 14:47 . 2010-05-02 14:47 348160 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71eaf98f-n\msvcr71.dll
2010-05-02 14:47 . 2010-05-02 14:47 61440 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2ab626ef-n\decora-sse.dll
2010-05-02 14:47 . 2010-05-02 14:47 12800 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2ab626ef-n\decora-d3d.dll
2010-05-02 14:46 . 2006-04-12 05:17 -------- d-----w- c:\program files\Java
2010-04-23 17:47 . 2006-11-15 17:56 -------- d-----w- c:\documents and settings\Roberta Kissinger\Application Data\AdobeUM
2010-04-14 00:27 . 2010-04-14 00:27 3262128 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockPA.exe
2010-04-11 19:20 . 2009-03-18 23:32 335832 ----a-w- c:\documents and settings\AJ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 03:31 . 2006-11-02 08:08 335832 ----a-w- c:\documents and settings\Roberta Kissinger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 01:46 . 2008-04-30 01:02 335832 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 01:42 . 2010-04-10 05:44 -------- d-----w- c:\program files\McAfee
2010-04-10 20:16 . 2010-04-10 20:16 -------- d-----w- c:\program files\MSBuild
2010-04-10 20:15 . 2010-04-10 20:15 -------- d-----w- c:\program files\Reference Assemblies
2010-04-10 05:50 . 2010-04-10 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-10 05:46 . 2010-04-10 05:45 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-10 05:45 . 2010-04-10 05:45 -------- d-----w- c:\program files\McAfee.com
2010-04-10 04:52 . 2010-04-10 04:52 -------- d-----w- c:\documents and settings\Roberta Kissinger\Application Data\McAfee.com Personal Firewall
2010-04-10 04:52 . 2010-04-10 04:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2010-04-10 04:51 . 2010-04-10 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-10 04:51 . 2010-04-10 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-04-10 04:51 . 2010-04-10 04:40 -------- d-----w- c:\program files\McAfee(2)
2010-04-10 04:51 . 2010-04-10 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee(2)
2010-04-10 03:36 . 2010-04-10 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-04-09 01:47 . 2010-04-09 01:47 0 ---ha-w- c:\windows\system32\BITBB6.tmp
2010-04-09 01:47 . 2010-04-09 01:47 0 ---ha-w- c:\windows\system32\BITBB5.tmp
2010-04-09 01:46 . 2010-04-09 01:46 0 ---ha-w- c:\windows\system32\BITBB4.tmp
2010-04-09 01:46 . 2010-04-09 01:46 0 ---ha-w- c:\windows\system32\BITBB3.tmp
2010-04-07 23:36 . 2008-05-03 01:36 -------- d-----w- c:\documents and settings\David\Application Data\AdobeUM
2010-04-01 23:23 . 2010-04-01 23:22 20846064 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-23 23:55 . 2010-03-23 23:54 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-23 23:52 . 2010-03-23 23:52 -------- d-----w- c:\documents and settings\David\Application Data\TaxCut
2010-03-23 23:51 . 2010-03-23 23:50 -------- d-----w- c:\program files\HRBlock2009
2010-03-23 23:50 . 2010-03-23 23:50 -------- d-----w- c:\program files\PDF995
2010-03-23 23:48 . 2010-03-23 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-03-11 12:38 . 2010-03-11 12:38 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-10 06:15 . 2004-08-04 08:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 12:26 . 2010-03-09 12:26 8405312 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-09 12:26 . 2010-03-09 12:26 149000 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-09 12:26 . 2010-03-09 12:25 10309448 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-09 12:25 . 2010-03-09 12:25 283280 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-09 12:25 . 2010-03-09 12:25 181768 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-09 12:25 . 2010-03-09 12:25 79368 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-09 12:25 . 2010-03-09 12:25 64000 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-09 12:25 . 2010-03-09 12:25 52288 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-09 12:25 . 2010-03-09 12:25 50688 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-09 12:25 . 2010-03-09 12:25 49152 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-09 12:25 . 2010-03-09 12:25 118784 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-02-25 06:24 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 20:52 . 2010-04-10 05:46 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-17 20:52 . 2010-04-10 05:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-02-17 20:52 . 2010-04-10 05:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-17 20:52 . 2010-04-10 05:40 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-02-17 13:10 . 2004-08-04 08:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 08:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 08:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 08:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 28160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-10 185896]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\David\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-5-18 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-10 438272]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 9:53 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 20:07]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 20:07]

2010-04-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-10 16:22]

2010-04-10 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-10 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 23:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A15FAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74ebf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72f8852
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x805791fa
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x805791fa
NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf71f1bb0
PacketIndicateHandler -> NDIS.sys @ 0xf71fea21
SendHandler -> NDIS.sys @ 0xf71dc87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2192)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-05-10 23:32:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-11 03:32

Pre-Run: 21,148,819,456 bytes free
Post-Run: 22,126,940,160 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 50CCA82DD854E69091842F1BF2544B06
dlk_in_pa
Active Member
 
Posts: 10
Joined: May 3rd, 2010, 9:01 pm

Re: Google links redirected - can't remove malware

Unread postby melboy » May 11th, 2010, 3:56 pm

Hi

How are things running? Are you still being redirected?



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.



Re-run DDS

Please disable any anti-malware program that will block scripts from running before running DDS.
  • Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, please copy & paste the contents of:
    • DDS.txt
And post it in your next reply.




In your next reply:
  1. How are things running?
  2. MBAM log
  3. DDS.txt
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google links redirected - can't remove malware

Unread postby dlk_in_pa » May 13th, 2010, 11:09 am

Hi. To answer your question of how things are going after running ComboFix... I thought they were going well. I did a bunch of Google searches and wasn't getting redirected; however, eventually I was redirected, and at that point I started getting those fake "system infected" screens popping up frequently. These made my system almost unusable. My Task Manager was also disabled. So... apparently I still have/had issues. At that point I had to do a hard boot. I then immediately ran TFC and Malwarebytes. Malwarebytes found some things (log below as requested), which I told it to remove. I seem to be better now, but I haven't done extensive Google searches. I also ran DDS and the log is below. What do you think?

P.S. Usually I cannot submit these responses from my problem computer, including this one. When I paste this into the text box on the submission page and select "Submit", I go to an IE screen that says "Internet Explorer cannot display the webpage" and my post is not completed. I have to send this to my work computer and post from there. I'm not sure if this is some clue or symptom of my problem, but I wanted to mention it.

Thanks,
Dave

Malwarebytes log ---------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4091

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/12/2010 6:42:48 AM
mbam-log-2010-05-12 (06-42-48).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 226436
Time elapsed: 1 hour(s), 45 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\napstatxt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\PRAGMAbdmdiemnti (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\David\Local Settings\temp\PRAGMA5980.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP313\A0043431.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP314\A0044036.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

DDS log -----------------------------------------------------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by David at 19:26:59.28 on Wed 05/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.863 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe" -s
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
StartupFolder: c:\docume~1\david\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/share ... insctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 0927670437
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/fl ... wflash.cab
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\common files\microsoft shared\information retrieval\itss51.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-4-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-4-10 144704]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-4-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-4-10 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-4-10 34248]

=============== Created Last 30 ================

2010-05-12 02:31:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 02:31:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-12 02:31:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 02:42:57 0 d-sha-r- C:\cmdcons
2010-05-11 02:26:41 98816 ----a-w- c:\windows\sed.exe
2010-05-11 02:26:41 77312 ----a-w- c:\windows\MBR.exe
2010-05-11 02:26:41 256512 ----a-w- c:\windows\PEV.exe
2010-05-11 02:26:41 161792 ----a-w- c:\windows\SWREG.exe
2010-05-02 15:40:13 0 d-----w- c:\program files\Trend Micro
2010-05-02 14:47:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-02 14:47:20 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-30 03:03:26 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-16 02:12:28 0 d-----w- c:\docume~1\david\applic~1\Malwarebytes
2010-04-16 02:12:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-13 02:30:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2010-05-12 05:00:51 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2010-05-12 05:00:51 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:52 78336 ------w- c:\windows\system32\dllcache\ieencode.dll
2010-03-11 12:38:51 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2009-01-24 02:19:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012320090124\index.dat

============= FINISH: 19:28:59.06 ===============
dlk_in_pa
Active Member
 
Posts: 10
Joined: May 3rd, 2010, 9:01 pm

Re: Google links redirected - can't remove malware

Unread postby melboy » May 13th, 2010, 1:06 pm

Hi

Thanks for the extra info - it is relevant.


Delete the copy of combofix.exe on your desktop and download a fresh copy from > here <, saving it to your desktop.



ComboFix (by sUBs)

  • You must run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    • Open McAfee Security Center.
    • Click on Home on the left pane.
    • Beside Computer & Files, click on the arrow button.
    • Next, click on the arrow button beside Configure at the middle right (NOT the bottom one).
    • You will come to a new page. Please check (click) Off for all the protections. Remember to scroll down.
    • You will be prompted, select Never and just click OK.
    • Note: Don't forget to re-enable it after combofix has finished.

  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.



================================


When combofix has finished and the log file has been produced:


Safe mode

Now I will be asking you to boot into Safe Mode for the next part of the fix. It may prove beneficial if you print off the following instructions or save them to notepad, as you may not have Internet access whilst in safe mode.

How to boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should come up where you will be given the option to enter Safe Mode; do so.

If you have any problems, refer to this tutorial.


In safe mode carry out the following:


Gmer

  • Double click the GMER randomly named .exe file you saved earlier to your desktop. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    See image below
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Note: Do not run any programs while Gmer is running.



Reboot to normal mode and post in your next reply:
  1. C:\combofix.txt
  2. GMER log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google links redirected - can't remove malware

Unread postby dlk_in_pa » May 14th, 2010, 7:52 am

Here's the latest info you requested:

**************************************************************************************
combofix log:

ComboFix 10-05-13.02 - David 05/13/2010 20:23:31.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.928 [GMT -4:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
PEV Error: AppFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\wmiacpi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMAbdmdiemnti
-------\Service_PRAGMAbdmdiemnti


((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.

2010-05-12 02:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 02:31 . 2010-05-12 02:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 02:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 15:40 . 2010-05-02 15:40 -------- d-----w- c:\program files\Trend Micro
2010-05-02 14:47 . 2010-05-02 14:46 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-02 02:06 . 2010-05-02 02:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\irhaxngou
2010-04-30 03:03 . 2010-04-30 03:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-30 02:56 . 2010-05-11 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-23 05:32 . 2010-04-23 05:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\neaxiqojs
2010-04-20 01:11 . 2010-04-20 01:11 -------- d-sh--w- c:\documents and settings\AJ\PrivacIE
2010-04-20 00:55 . 2010-04-20 00:55 -------- d-sh--w- c:\documents and settings\Roberta Kissinger\IECompatCache
2010-04-19 02:21 . 2010-04-19 02:21 -------- d-sh--w- c:\documents and settings\AJ\IECompatCache
2010-04-18 02:24 . 2010-04-18 02:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-16 02:12 . 2010-04-16 02:12 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2010-04-16 02:12 . 2010-04-16 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-15 22:58 . 2010-04-15 22:58 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-15 22:58 . 2010-04-15 22:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-15 13:45 . 2010-04-15 13:45 -------- d-----w- c:\documents and settings\Roberta Kissinger\Application Data\Notepad++

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 00:16 . 2004-08-03 18:07 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2010-05-11 22:02 . 2010-03-09 01:54 439816 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\setup.exe
2010-05-11 02:09 . 2010-04-13 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-10 17:06 . 2007-11-18 00:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-05 02:31 . 2010-05-05 02:31 503808 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d162f-n\msvcp71.dll
2010-05-05 02:31 . 2010-05-05 02:31 61440 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5fac9ea2-n\decora-sse.dll
2010-05-05 02:31 . 2010-05-05 02:31 499712 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d162f-n\jmc.dll
2010-05-05 02:31 . 2010-05-05 02:31 348160 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d162f-n\msvcr71.dll
2010-05-05 02:31 . 2010-05-05 02:31 12800 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5fac9ea2-n\decora-d3d.dll
2010-05-02 17:05 . 2010-05-02 17:05 503808 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651ebde9-n\msvcp71.dll
2010-05-02 17:05 . 2010-05-02 17:05 61440 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72fe855e-n\decora-sse.dll
2010-05-02 17:05 . 2010-05-02 17:05 499712 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651ebde9-n\jmc.dll
2010-05-02 17:05 . 2010-05-02 17:05 348160 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651ebde9-n\msvcr71.dll
2010-05-02 17:05 . 2010-05-02 17:05 12800 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72fe855e-n\decora-d3d.dll
2010-05-02 15:01 . 2006-04-12 05:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 14:47 . 2006-04-12 05:17 -------- d-----w- c:\program files\Common Files\Java
2010-05-02 14:47 . 2010-05-02 14:47 503808 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71eaf98f-n\msvcp71.dll
2010-05-02 14:47 . 2010-05-02 14:47 499712 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71eaf98f-n\jmc.dll
2010-05-02 14:47 . 2010-05-02 14:47 348160 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71eaf98f-n\msvcr71.dll
2010-05-02 14:47 . 2010-05-02 14:47 61440 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2ab626ef-n\decora-sse.dll
2010-05-02 14:47 . 2010-05-02 14:47 12800 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2ab626ef-n\decora-d3d.dll
2010-05-02 14:46 . 2006-04-12 05:17 -------- d-----w- c:\program files\Java
2010-04-23 17:47 . 2006-11-15 17:56 -------- d-----w- c:\documents and settings\Roberta Kissinger\Application Data\AdobeUM
2010-04-14 00:27 . 2010-04-14 00:27 3262128 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockPA.exe
2010-04-11 19:20 . 2009-03-18 23:32 335832 ----a-w- c:\documents and settings\AJ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 03:31 . 2006-11-02 08:08 335832 ----a-w- c:\documents and settings\Roberta Kissinger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 01:46 . 2008-04-30 01:02 335832 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 01:42 . 2010-04-10 05:44 -------- d-----w- c:\program files\McAfee
2010-04-10 20:16 . 2010-04-10 20:16 -------- d-----w- c:\program files\MSBuild
2010-04-10 20:15 . 2010-04-10 20:15 -------- d-----w- c:\program files\Reference Assemblies
2010-04-10 05:50 . 2010-04-10 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-10 05:46 . 2010-04-10 05:45 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-10 05:45 . 2010-04-10 05:45 -------- d-----w- c:\program files\McAfee.com
2010-04-10 04:52 . 2010-04-10 04:52 -------- d-----w- c:\documents and settings\Roberta Kissinger\Application Data\McAfee.com Personal Firewall
2010-04-10 04:52 . 2010-04-10 04:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2010-04-10 04:51 . 2010-04-10 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-10 04:51 . 2010-04-10 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-04-10 04:51 . 2010-04-10 04:40 -------- d-----w- c:\program files\McAfee(2)
2010-04-10 04:51 . 2010-04-10 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee(2)
2010-04-10 03:36 . 2010-04-10 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-04-07 23:36 . 2008-05-03 01:36 -------- d-----w- c:\documents and settings\David\Application Data\AdobeUM
2010-04-01 23:23 . 2010-04-01 23:22 20846064 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-23 23:55 . 2010-03-23 23:54 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-23 23:52 . 2010-03-23 23:52 -------- d-----w- c:\documents and settings\David\Application Data\TaxCut
2010-03-23 23:51 . 2010-03-23 23:50 -------- d-----w- c:\program files\HRBlock2009
2010-03-23 23:50 . 2010-03-23 23:50 -------- d-----w- c:\program files\PDF995
2010-03-23 23:48 . 2010-03-23 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-03-11 12:38 . 2010-03-11 12:38 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-10 06:15 . 2004-08-04 08:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 12:26 . 2010-03-09 12:26 8405312 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-09 12:26 . 2010-03-09 12:26 149000 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-09 12:26 . 2010-03-09 12:25 10309448 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-09 12:25 . 2010-03-09 12:25 283280 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-09 12:25 . 2010-03-09 12:25 181768 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-09 12:25 . 2010-03-09 12:25 79368 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-09 12:25 . 2010-03-09 12:25 64000 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-09 12:25 . 2010-03-09 12:25 52288 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-09 12:25 . 2010-03-09 12:25 50688 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-09 12:25 . 2010-03-09 12:25 49152 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-09 12:25 . 2010-03-09 12:25 118784 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-02-25 06:24 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 20:52 . 2010-04-10 05:46 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-17 20:52 . 2010-04-10 05:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-02-17 20:52 . 2010-04-10 05:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-17 20:52 . 2010-04-10 05:40 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-02-17 13:10 . 2004-08-04 08:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 08:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 28160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-10 185896]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\David\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-5-18 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-10 438272]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 9:53 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 20:07]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 20:07]

2010-04-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-10 16:22]

2010-04-10 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-10 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 20:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????4?n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A177AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74ebf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72f8852
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x805791fa
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x805791fa
NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf71f1bb0
PacketIndicateHandler -> NDIS.sys @ 0xf71fea21
SendHandler -> NDIS.sys @ 0xf71dc87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(608)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-05-13 21:05:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-14 01:05
ComboFix2.txt 2010-05-11 03:32

Pre-Run: 22,048,063,488 bytes free
Post-Run: 22,038,900,736 bytes free

- - End Of File - - 3A80E90368024E01E3975F84DCB9A1C7


**************************************************************************************
gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-14 07:36:23
Windows 5.1.2600 Service Pack 3
Running: 4off6ez4.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\awrdapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\wmiacpi.sys entry point in ".rsrc" section [0xF7918C94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[632] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[632] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[632] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006C000C
.text C:\WINDOWS\Explorer.EXE[932] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[932] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[932] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Cdfs \Cdfs F6C34400
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A265AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\wmiacpi.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
dlk_in_pa
Active Member
 
Posts: 10
Joined: May 3rd, 2010, 9:01 pm
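The GMER line in the log above that reports wmiacpi.sys with its entry point in the ".rsrc" section is the kind of anomaly a defender can check for directly, since a legitimate driver's entry point belongs in an executable code section. The following is an added example, not code from the thread or from GMER/ComboFix: a small PE header parser that finds the section holding AddressOfEntryPoint and flags images whose entry point sits in .rsrc or in any section without the execute flag. The two PE images it checks are constructed inline (headers only, no driver code) so it runs offline; pass real file paths on the command line to scan files on disk.

```python
"""Locate the PE section that holds an image's entry point.

Added example (not from the thread, GMER or ComboFix). A driver whose entry
point lies in its resource section, as GMER reported for wmiacpi.sys, is
abnormal: the entry point should be inside an executable code section.
"""
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section Characteristics flag
SECTION_HEADER_SIZE = 40


def parse_pe(pe):
    """Return (AddressOfEntryPoint, [(name, rva, vsize, characteristics)])."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    base = opt + size_opt
    for i in range(num_sections):
        off = base + i * SECTION_HEADER_SIZE
        # Name(8) VirtualSize(4) VirtualAddress(4) ... Characteristics(4 at +36)
        name, vsize, rva, chars = struct.unpack_from("<8sII20xI", pe, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, chars))
    return entry_rva, sections


def entry_point_section(pe):
    """Section tuple containing the entry point, or None if it lies outside all sections."""
    entry_rva, sections = parse_pe(pe)
    for sec in sections:
        _, rva, vsize, _ = sec
        if rva <= entry_rva < rva + vsize:
            return sec
    return None


def assess(pe):
    """Return (section name or None, verdict) for one PE image."""
    sec = entry_point_section(pe)
    if sec is None:
        return None, "suspicious: entry point outside every section"
    name, _, _, chars = sec
    if name == ".rsrc" or not chars & IMAGE_SCN_MEM_EXECUTE:
        return name, "suspicious: entry point in a non-executable section"
    return name, "ok"


def build_pe(entry_rva, sections):
    """Construct a minimal PE32 image (headers only) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    size_opt = 0xE0                                            # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), vs, rva, vs, 0, 0, 0, 0, 0, ch)
        for n, rva, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed samples (layout only, no code). Typical section characteristics:
# .text = CODE|EXECUTE|READ|NOT_PAGED, .rsrc = INITIALIZED_DATA|READ|DISCARDABLE.
LAYOUT = [(".text", 0x1000, 0x800, 0x68000020), (".rsrc", 0x3000, 0x400, 0x42000040)]
CLEAN_DRIVER = build_pe(0x10A0, LAYOUT)      # entry point inside .text
PATCHED_DRIVER = build_pe(0x3200, LAYOUT)    # entry point redirected into .rsrc


def scan_files(paths):
    """Run assess() over on-disk PE files; returns {path: (section, verdict)}."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = assess(fh.read())
    return results


if __name__ == "__main__":
    for label, image in (("clean sample", CLEAN_DRIVER), ("patched sample", PATCHED_DRIVER)):
        print(label, assess(image))
    for path, verdict in scan_files(sys.argv[1:]).items():
        print(path, verdict)
```

The check is a heuristic: a hit means the file deserves comparison against a known-good copy, not that it is certainly infected.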

Re: Google links redirected - can't remove malware

Unread postby melboy » May 14th, 2010, 8:25 am

Hi

It's still there unfortunately - but we're not done yet!



COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    TDL:: 
    C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


After combofix has finished and the log has been produced, do the following:


SystemLook

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    PRAGMA*
    
    :folderfind
    PRAGMA*
    
    :regfind
    PRAGMA*
    
    

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



In your next reply:
  1. combofix.txt
  2. SystemLook.txt
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google links redirected - can't remove malware

Unread postby dlk_in_pa » May 14th, 2010, 6:55 pm

Thanks for sticking with this. Seems like I have a nasty one. Here's the info you requested:

combofix log:

ComboFix 10-05-14.06 - David 05/14/2010 18:06:22.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.929 [GMT -4:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\wmiacpi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\wmiacpi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\wmiacpi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\wmiacpi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\wmiacpi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\wmiacpi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\wmiacpi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\wmiacpi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\wmiacpi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.

2010-05-12 02:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 02:31 . 2010-05-12 02:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 02:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 15:40 . 2010-05-02 15:40 -------- d-----w- c:\program files\Trend Micro
2010-05-02 14:47 . 2010-05-02 14:46 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-02 02:06 . 2010-05-02 02:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\irhaxngou
2010-04-30 03:03 . 2010-04-30 03:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-30 02:56 . 2010-05-11 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-23 05:32 . 2010-04-23 05:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\neaxiqojs
2010-04-20 01:11 . 2010-04-20 01:11 -------- d-sh--w- c:\documents and settings\AJ\PrivacIE
2010-04-20 00:55 . 2010-04-20 00:55 -------- d-sh--w- c:\documents and settings\Roberta Kissinger\IECompatCache
2010-04-19 02:21 . 2010-04-19 02:21 -------- d-sh--w- c:\documents and settings\AJ\IECompatCache
2010-04-18 02:24 . 2010-04-18 02:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-16 02:12 . 2010-04-16 02:12 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2010-04-16 02:12 . 2010-04-16 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-15 22:58 . 2010-04-15 22:58 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-15 22:58 . 2010-04-15 22:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-15 13:45 . 2010-04-15 13:45 -------- d-----w- c:\documents and settings\Roberta Kissinger\Application Data\Notepad++

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 21:59 . 2004-08-03 18:07 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2010-05-14 12:03 . 2010-04-10 05:44 -------- d-----w- c:\program files\McAfee
2010-05-11 22:02 . 2010-03-09 01:54 439816 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\setup.exe
2010-05-11 02:09 . 2010-04-13 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-10 17:06 . 2007-11-18 00:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-05 02:31 . 2010-05-05 02:31 503808 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d162f-n\msvcp71.dll
2010-05-05 02:31 . 2010-05-05 02:31 61440 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5fac9ea2-n\decora-sse.dll
2010-05-05 02:31 . 2010-05-05 02:31 499712 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d162f-n\jmc.dll
2010-05-05 02:31 . 2010-05-05 02:31 348160 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d162f-n\msvcr71.dll
2010-05-05 02:31 . 2010-05-05 02:31 12800 ----a-w- c:\documents and settings\AJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5fac9ea2-n\decora-d3d.dll
2010-05-02 17:05 . 2010-05-02 17:05 503808 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651ebde9-n\msvcp71.dll
2010-05-02 17:05 . 2010-05-02 17:05 61440 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72fe855e-n\decora-sse.dll
2010-05-02 17:05 . 2010-05-02 17:05 499712 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651ebde9-n\jmc.dll
2010-05-02 17:05 . 2010-05-02 17:05 348160 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651ebde9-n\msvcr71.dll
2010-05-02 17:05 . 2010-05-02 17:05 12800 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72fe855e-n\decora-d3d.dll
2010-05-02 15:01 . 2006-04-12 05:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 14:47 . 2006-04-12 05:17 -------- d-----w- c:\program files\Common Files\Java
2010-05-02 14:47 . 2010-05-02 14:47 503808 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71eaf98f-n\msvcp71.dll
2010-05-02 14:47 . 2010-05-02 14:47 499712 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71eaf98f-n\jmc.dll
2010-05-02 14:47 . 2010-05-02 14:47 348160 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71eaf98f-n\msvcr71.dll
2010-05-02 14:47 . 2010-05-02 14:47 61440 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2ab626ef-n\decora-sse.dll
2010-05-02 14:47 . 2010-05-02 14:47 12800 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2ab626ef-n\decora-d3d.dll
2010-05-02 14:46 . 2006-04-12 05:17 -------- d-----w- c:\program files\Java
2010-04-23 17:47 . 2006-11-15 17:56 -------- d-----w- c:\documents and settings\Roberta Kissinger\Application Data\AdobeUM
2010-04-14 00:27 . 2010-04-14 00:27 3262128 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockPA.exe
2010-04-11 19:20 . 2009-03-18 23:32 335832 ----a-w- c:\documents and settings\AJ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 03:31 . 2006-11-02 08:08 335832 ----a-w- c:\documents and settings\Roberta Kissinger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 01:46 . 2008-04-30 01:02 335832 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-10 20:16 . 2010-04-10 20:16 -------- d-----w- c:\program files\MSBuild
2010-04-10 20:15 . 2010-04-10 20:15 -------- d-----w- c:\program files\Reference Assemblies
2010-04-10 05:50 . 2010-04-10 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-10 05:46 . 2010-04-10 05:45 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-10 05:45 . 2010-04-10 05:45 -------- d-----w- c:\program files\McAfee.com
2010-04-10 04:52 . 2010-04-10 04:52 -------- d-----w- c:\documents and settings\Roberta Kissinger\Application Data\McAfee.com Personal Firewall
2010-04-10 04:52 . 2010-04-10 04:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2010-04-10 04:51 . 2010-04-10 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-10 04:51 . 2010-04-10 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-04-10 04:51 . 2010-04-10 04:40 -------- d-----w- c:\program files\McAfee(2)
2010-04-10 04:51 . 2010-04-10 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee(2)
2010-04-10 03:36 . 2010-04-10 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-04-07 23:36 . 2008-05-03 01:36 -------- d-----w- c:\documents and settings\David\Application Data\AdobeUM
2010-04-01 23:23 . 2010-04-01 23:22 20846064 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-23 23:55 . 2010-03-23 23:54 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-23 23:52 . 2010-03-23 23:52 -------- d-----w- c:\documents and settings\David\Application Data\TaxCut
2010-03-23 23:51 . 2010-03-23 23:50 -------- d-----w- c:\program files\HRBlock2009
2010-03-23 23:50 . 2010-03-23 23:50 -------- d-----w- c:\program files\PDF995
2010-03-23 23:48 . 2010-03-23 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-03-11 12:38 . 2010-03-11 12:38 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-10 06:15 . 2004-08-04 08:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 12:26 . 2010-03-09 12:26 8405312 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-09 12:26 . 2010-03-09 12:26 149000 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-09 12:26 . 2010-03-09 12:25 10309448 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-09 12:25 . 2010-03-09 12:25 283280 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-09 12:25 . 2010-03-09 12:25 181768 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-09 12:25 . 2010-03-09 12:25 79368 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-09 12:25 . 2010-03-09 12:25 64000 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-09 12:25 . 2010-03-09 12:25 52288 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-09 12:25 . 2010-03-09 12:25 50688 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-09 12:25 . 2010-03-09 12:25 49152 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-09 12:25 . 2010-03-09 12:25 118784 ----a-w- c:\documents and settings\Roberta Kissinger\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-02-25 06:24 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 20:52 . 2010-04-10 05:46 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-17 20:52 . 2010-04-10 05:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-02-17 20:52 . 2010-04-10 05:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-17 20:52 . 2010-04-10 05:40 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-02-17 13:10 . 2004-08-04 08:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 08:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 28160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-10 185896]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\David\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-5-18 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-10 438272]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 9:53 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 20:07]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 20:07]

2010-04-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-10 16:22]

2010-04-10 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-10 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-14 18:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1920)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-05-14 18:43:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-14 22:43
ComboFix2.txt 2010-05-14 01:05
ComboFix3.txt 2010-05-11 03:32

Pre-Run: 21,992,460,288 bytes free
Post-Run: 21,998,845,952 bytes free

- - End Of File - - 73A617B8EBB6809D477E3E1201B9FE60


*************************************

systemlook log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:50 on 14/05/2010 by David (Administrator - Elevation successful)

========== filefind ==========

Searching for "PRAGMA*"
No files found.

========== folderfind ==========

Searching for "PRAGMA*"
No folders found.

========== regfind ==========

Searching for "PRAGMA*"
No data found.

-=End Of File=-
dlk_in_pa
Active Member
 
Posts: 10
Joined: May 3rd, 2010, 9:01 pm

Re: Google links redirected - can't remove malware

Unread postby melboy » May 14th, 2010, 7:30 pm

Hi

Thanks for sticking with this. Seems like I have a nasty one.

No problem, you're welcome. You do have a nasty one (or two) and I'll update you on that when we're sure we've got it - the log does look promising.

Please ensure the instructions below are carried out in normal mode (Not safe mode)


RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.



In your next reply:
  1. Rootrepeal log
  2. MBAM log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google links redirected - can't remove malware

Unread postby dlk_in_pa » May 14th, 2010, 8:49 pm

Here's the info you requested:

RootRepeal log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/05/14 20:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF776F000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF6839000 Size: 63744 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF7517000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDDD4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79C3000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xEDDEC000 Size: 143744 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79A7000 Size: 7936 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: mbr.sys
Image Path: C:\DOCUME~1\David\LOCALS~1\Temp\mbr.sys
Address: 0xF7867000 Size: 20864 File Visible: No Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7209000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF79F3000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBAEA8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\david\local settings\temp\~df7d8c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david\local settings\temp\~dfbdf0.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp322\change.log.3
Status: Allocation size mismatch (API: 16384, Raw: 4096)

Path: d:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp325\change.log.3
Status: Allocation size mismatch (API: 16384, Raw: 4096)

==EOF==

*************************************

mbam log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4103

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/14/2010 8:44:12 PM
mbam-log-2010-05-14 (20-44-12).txt

Scan type: Quick scan
Objects scanned: 137845
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
dlk_in_pa
Active Member
 
Posts: 10
Joined: May 3rd, 2010, 9:01 pm
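An added example, not code from the thread or from RootRepeal's authors: a small Python parser for the RootRepeal report layout posted above, followed by a triage pass that sets aside the scanning tools' own drivers and the always-locked system files so the analyst's attention goes to the remaining entries. The allowlist and the driver entry named xyzdrv.sys are constructed for this example.

```python
import re

# Constructed excerpt in the RootRepeal 1.3.5.0 layout posted above; the driver
# 'xyzdrv.sys' is a made-up entry added so the triage has something to flag.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\\ComboFix\\catchme.sys
Address: 0xF776F000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7209000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: xyzdrv.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\xyzdrv.sys
Address: 0xBAE00000 Size: 40960 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\\documents and settings\\david\\local settings\\temp\\~df7d8c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

==EOF==
"""

# The Address line packs four fields into one line; every other line is 'Key: value'.
ADDR_RE = re.compile(r"Address: (\S+) Size: (\d+) File Visible: (\S+) Signed: (\S+)")

def parse_rootrepeal(text):
    """Return {section title: [record, ...]}. A section is a title line followed
    by a dashed rule; the records inside it are separated by blank lines."""
    sections, section, rec = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and nxt.startswith("---"):
            section, rec = line.strip(), {}
            sections[section] = []
        elif section is None or line.startswith(("---", "==")):
            continue
        elif not line.strip():
            if rec:
                sections[section].append(rec)
                rec = {}
        elif (m := ADDR_RE.match(line)):
            rec.update(zip(("address", "size", "file_visible", "signed"), m.groups()))
        elif ": " in line:
            key, val = line.split(": ", 1)
            rec[key.strip().lower().replace(" ", "_")] = val.strip()
    if rec and section:
        sections[section].append(rec)
    return sections

# Analyst-maintained allowlist (an assumption for this example, not RootRepeal's own):
# drivers loaded by the scanning tools themselves (ComboFix, GMER's mbr tool, Process
# Explorer, RootRepeal) and the Windows crash-dump helpers show 'File Visible: No'.
EXPECTED_INVISIBLE = {"catchme.sys", "combo-fix.sys", "mbr.sys", "procexp113.sys", "rootrepeal.sys"}
EXPECTED_LOCKED = {"c:\\hiberfil.sys", "c:\\pagefile.sys"}  # always locked on a live system

def triage(sections):
    """Return (kind, name, reason) tuples for entries an analyst should look at; not a verdict."""
    findings = []
    for d in sections.get("Drivers", []):
        name = d.get("name", "").lower()
        if name.startswith("dump_") or name in EXPECTED_INVISIBLE:
            continue
        if d.get("file_visible") == "No":
            findings.append(("driver", name, "image not visible through the file API"))
        elif "Hidden" in d.get("status", ""):
            findings.append(("driver", name, d["status"]))
    for f in sections.get("Hidden/Locked Files", []):
        path = f.get("path", "").lower()
        if path not in EXPECTED_LOCKED:
            findings.append(("file", path, f.get("status", "")))
    return findings
```

A flagged driver is something to compare against a known-good copy, as the helper did with wmiacpi.sys above, not something to delete on the strength of this list.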

Re: Google links redirected - can't remove malware

Unread postby melboy » May 14th, 2010, 9:10 pm

Hi

Looks good - carry out the instructions below and then give me an update on how things are running as well as the ESET online scan log.


Uninstall Programs

  • Click on Start
  • Click on Control Panel
  • Double click the icon Add/Remove Programs
  • Click on the program listed below and click Remove
    J2SE Runtime Environment 5.0 Update 6



Update Adobe Reader

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9.3 to your PC's desktop.
  • Uninstall via Start > Control Panel > Add/Remove Programs:
    Adobe Reader 6.0.1
  • Install the new downloaded updated software.
  • Then, using the internal updater, update the software to the current increment 9.3.2
    • Open Adobe Reader go to > Help > Check for updates and allow the updater to check.
    • If updates are found click Show Details and check the boxes to click to download and install any necessary updates.

REBOOT

TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK