Tech Support Forum - View Single Post - Please Help Remove Google Redirect Malware:Skynet

ThurstonOz · 06-25-2009, 09:11 PM

Hi,
Thanks for being patient with me. Sorry for the need. Here's the latest combofix log. I'm very thankful for the assistance.
Cheers,
Toz

Combofix log
"capfasem"=c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
"cafw"=c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.510\QOELoader.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [1/5/2009 11:36 AM 107512]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [11/18/2008 12:14 PM 72696]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [8/25/2008 2:18 PM 52728]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [12/12/2008 12:37 PM 115704]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [4/24/2009 1:00 PM 128240]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [12/12/2008 12:37 PM 144376]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [7/30/2008 12:38 PM 58872]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [12/12/2008 12:37 PM 1153528]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [12/10/2008 12:58 PM 797176]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [12/19/2008 1:59 PM 297464]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [4/22/2004 12:21 PM 187668]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [12/12/2008 12:37 PM 205304]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [4/22/2004 12:21 PM 5817]
S2 QQORQRTV;QQORQRTV;c:\windows\system32\drivers\QQORQRTV.sys [11/7/2008 10:39 PM 178176]
S3 CB102;D-Link DFE-680TXD DirectPort CardBus Driver;c:\windows\system32\drivers\cb102.sys [4/23/2004 3:01 PM 37916]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [5/3/2004 11:25 AM 24618]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [10/12/2008 10:22 AM 222448]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uInternet Connection Wizard,ShellNext = hxxp://www.averatec.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
TCP: {1841E1FF-BAC0-4999-B722-6BBB27478B84} = 10.10.1.22,10.10.1.19
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://12.107.134.185/JpegInst.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 21:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'explorer.exe'(3732)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-26 21:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-26 02:41

Pre-Run: 31,363,903,488 bytes free
Post-Run: 31,362,437,120 bytes free

188 --- E O F --- 2009-06-10 16:25
Thanks!!!!!