Thread: Please Help Remove Google Redirect Malware:Skynet
View Single Post
Old 06-26-2009, 09:26 AM   #7 (permalink)
ThurstonOz
Registered User
 
Join Date: Jun 2009
Posts: 6
OS: XP


Re: Please Help Remove Google Redirect Malware:Skynet
Ok, I think I've got it all now.. Sorry about that. Thanks again.
Cheers.


ComboFix 09-06-25.01 - Eric 06/25/2009 21:15.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.210 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nfr.assembly

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-26 02:17 . 2009-06-26 02:17 51328 ----a-w- c:\windows\system32\drivers\_rasl2tp.sys_.vir
2009-06-26 02:17 . 2009-06-26 02:17 52480 ----a-w- c:\windows\system32\drivers\_i8042prt.sys_.vir
2009-06-26 02:17 . 2009-06-26 02:17 56623 ----a-w- c:\windows\system32\drivers\_ati1btxx.sys_.vir
2009-06-26 02:17 . 2009-06-26 02:17 53376 ----a-w- c:\windows\system32\drivers\_1394bus.sys_.vir
2009-06-25 13:38 . 2009-06-25 13:38 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-25 12:48 . 2009-06-25 12:48 389120 ----a-w- c:\windows\system32\CF25002.exe
2009-06-24 18:57 . 2009-06-24 18:57 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\WinZip
2009-06-24 18:56 . 2009-06-24 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-06-23 15:12 . 2009-06-23 15:12 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes
2009-06-23 15:12 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 15:12 . 2009-06-23 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 15:12 . 2009-06-23 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 15:12 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 14:44 . 2009-06-23 14:44 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 02:12 . 2008-10-12 15:22 -------- d-----w- c:\documents and settings\Eric\Application Data\CallingID
2009-06-23 13:21 . 2008-10-12 18:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-23 13:21 . 2008-10-12 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-07 15:32 . 2004-04-22 16:38 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2006-06-23 17:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-24 18:56 . 2009-04-24 18:00 880560 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-04-24 18:56 . 2009-04-24 18:00 108368 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-04-24 18:56 . 2008-10-12 16:51 1385760 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
2009-04-24 17:55 . 2009-04-24 17:28 112716144 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\CCube\tmp\DAE28645C536241BEA137E87E6C9DF86.exe
2009-04-17 12:26 . 2004-04-22 16:38 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-04-23 16:19 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-25_13.37.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-25 13:38 . 2008-10-16 20:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-25 13:38 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-25 13:38 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-25 13:38 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-25 13:38 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-25 13:38 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-25 13:38 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-25 13:38 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-25 13:38 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-25 13:38 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-25 13:38 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-25 13:38 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-25 13:38 . 2008-11-15 01:50 578560 c:\windows\system32\dllcache\cache\user32.DLL
+ 2009-06-25 13:38 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-25 13:38 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-25 13:38 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-25 13:38 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-25 13:38 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-25 13:38 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-25 13:38 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-25 13:38 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-25 13:38 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-25 13:38 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PowerBar"="c:\program files\CyberLink\PowerStarter\PowerBar.exe" [2004-04-08 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-10-29 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 610304]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-10-17 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-11-14 62464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Config2500.lnk - c:\program files\Config2500\Utility\Config2500.exe [2005-2-24 565248]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-10 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-12-14 1376256]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe"
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
"CAPPActiveProtection"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
"capfupgrade"=c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
"capfasem"=c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
"cafw"=c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.510\QOELoader.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [1/5/2009 11:36 AM 107512]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [11/18/2008 12:14 PM 72696]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [8/25/2008 2:18 PM 52728]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [12/12/2008 12:37 PM 115704]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [4/24/2009 1:00 PM 128240]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [12/12/2008 12:37 PM 144376]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [7/30/2008 12:38 PM 58872]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [12/12/2008 12:37 PM 1153528]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [12/10/2008 12:58 PM 797176]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [12/19/2008 1:59 PM 297464]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [4/22/2004 12:21 PM 187668]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [12/12/2008 12:37 PM 205304]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [4/22/2004 12:21 PM 5817]
S2 QQORQRTV;QQORQRTV;c:\windows\system32\drivers\QQORQRTV.sys [11/7/2008 10:39 PM 178176]
S3 CB102;D-Link DFE-680TXD DirectPort CardBus Driver;c:\windows\system32\drivers\cb102.sys [4/23/2004 3:01 PM 37916]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [5/3/2004 11:25 AM 24618]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [10/12/2008 10:22 AM 222448]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uInternet Connection Wizard,ShellNext = hxxp://www.averatec.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
TCP: {1841E1FF-BAC0-4999-B722-6BBB27478B84} = 10.10.1.22,10.10.1.19
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://12.107.134.185/JpegInst.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 21:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'explorer.exe'(3732)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-26 21:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-26 02:41

Pre-Run: 31,363,903,488 bytes free
Post-Run: 31,362,437,120 bytes free

188 --- E O F --- 2009-06-10 16:25
ThurstonOz is offline