OK, after several hours and a fourth reboot attempt, the machine rebooted.
Here is the text from the log:
ComboFix 09-07-01.04 - Owner 07/02/2009 8:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.380 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\sys
c:\program files\sys\sys.dll
c:\program files\sys\sys.sys
c:\windows\010112010146118114.dat
c:\windows\Installer\1324b.msi
c:\windows\Installer\26ea46.msi
c:\windows\ld11.exe
c:\windows\sysguard.exe
c:\windows\system32\wbem\proquota.exe
D:\Autorun.inf
D:\Desktop.ini
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP722\A0372640.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYS
-------\Legacy_SYSDRV
-------\Service_sys
-------\Service_sysdrv
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.
2009-07-02 15:50 . 2004-08-04 19:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-02 15:50 . 2004-08-04 19:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-01 15:08 . 2009-07-01 15:08 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 19:10 . 2008-11-15 23:44 -------- d-----w- c:\program files\DNA
2009-07-02 19:10 . 2008-11-15 23:44 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-07-01 01:07 . 2008-03-02 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 15:30 . 2006-02-04 14:07 -------- d-----w- c:\program files\Google
2009-06-09 19:02 . 2008-01-04 00:28 256 ----a-w- c:\windows\system32\pool.bin
2009-06-03 01:49 . 2008-01-04 23:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Roxio
2009-05-18 04:43 . 2006-03-31 01:26 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-05-13 18:09 . 2009-05-13 18:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Search Settings
2009-05-13 18:09 . 2009-05-13 18:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Dealio
2009-05-13 17:23 . 2009-05-13 17:23 -------- d-----w- c:\program files\Search Settings
2009-05-13 17:23 . 2009-05-13 17:23 -------- d-----w- c:\program files\Dealio Toolbar
2009-05-13 17:22 . 2009-05-13 17:20 -------- d-----w- c:\program files\Free Audio Pack
2009-05-13 16:45 . 2009-05-13 16:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland
2009-05-13 16:40 . 2009-05-13 16:40 -------- d-----w- c:\program files\Softland
2009-05-13 16:26 . 2009-05-13 16:26 8854 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2009-05-13 16:26 . 2009-05-13 16:26 40960 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2009-05-13 16:26 . 2009-05-13 16:26 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2009-05-13 16:26 . 2009-05-13 16:26 -------- d-----w- c:\program files\Western Digital Technologies
2009-05-13 16:25 . 2009-05-13 16:25 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}\ARPPRODUCTICON.exe
2009-05-13 16:25 . 2009-05-13 16:25 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
2009-05-13 01:41 . 2009-05-13 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-05-13 01:41 . 2009-05-13 01:41 -------- d-----w- c:\documents and settings\Owner\Application Data\AVS4YOU
2009-05-13 01:41 . 2009-05-13 01:40 -------- d-----w- c:\program files\AVS4YOU
2009-05-13 01:40 . 2009-05-13 01:40 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-07 19:14 . 2009-05-07 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-07 19:14 . 2007-03-28 02:55 -------- d-----w- c:\program files\iTunes
2009-05-07 19:14 . 2007-03-28 02:51 -------- d-----w- c:\program files\iPod
2009-05-07 19:12 . 2009-05-07 19:12 -------- d-----w- c:\program files\Bonjour
2009-05-07 19:11 . 2007-03-28 02:56 -------- d-----w- c:\program files\QuickTime
2009-05-07 19:09 . 2009-01-21 07:40 -------- d-----w- c:\program files\Common Files\Apple
2009-05-07 18:19 . 2009-05-13 16:40 21192 ----a-w- c:\windows\system32\dopdfmn6.dll
2009-05-07 18:19 . 2009-05-13 16:40 18632 ----a-w- c:\windows\system32\dopdfmi6.dll
2009-05-07 15:44 . 2004-08-26 16:11 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2004-08-26 16:12 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-26 16:12 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-26 16:12 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-02-24 04:05 . 2006-02-24 03:50 2000324 ----a-w- c:\program files\cdex_151.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}]
2009-04-10 03:09 688128 ----a-w- c:\program files\Dealio Toolbar\DealioToolbarIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2004-06-25 147456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-13 700416]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-03 1957888]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-21 180269]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-23 53408]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-08 589824]
"SoftDisc"="c:\program files\SoftDisc\softdisc.exe" [2004-09-02 388608]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [2009-04-10 970240]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-05-13 364544]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Tiny Watcher Logon Time.lnk - c:\program files\Watcher\Watcher.exe [2006-11-19 319488]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8085:TCP"= 8085:TCP:sys
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 12:37 PM 13088]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2/4/2006 7:00 AM 200576]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\mky5k4q2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/#inbox
FF - component: c:\program files\Mozilla Firefox\extensions\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\components\DealioToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.11.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 12:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3762452672-1173523542-119495997-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(3600)
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\WLTRAY.EXE
c:\windows\system32\wdfmgr.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-02 12:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-02 19:15
Pre-Run: 15,273,431,040 bytes free
Post-Run: 15,214,669,824 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
227 --- E O F --- 2009-06-10 03:05