07-05-2009, 07:10 PM   #3
liquidsnake
Registered User
 
Join Date: Mar 2008
Posts: 8
OS: Microsoft Windows XP Home Edition Version 2002 Service Pack 2


Re: google search results are redirected to bad sites

ComboFix 09-07-04.09 - Owner 07/05/2009 11:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.118 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\Installer\17ffb.msi
c:\windows\Installer\ece8255.msi
c:\windows\Installer\fbe2.msp
c:\windows\system32\drivers\SKYNETtabwwqrw.sys
c:\windows\system32\SKYNETfqrmibsd.dat
c:\windows\system32\SKYNETvingyskm.dat
c:\windows\system32\SKYNETwkfdbwut.dll
c:\windows\system32\SKYNETxumbnrsi.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETesrridmt


((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-03 04:07 . 2009-07-04 17:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-03 04:03 . 2009-07-04 17:46 -------- d-----w- c:\program files\SpywareGuard
2009-07-03 04:03 . 2009-07-04 17:46 -------- d-----w- c:\program files\SpywareBlaster
2009-07-03 03:46 . 2009-07-03 03:46 -------- dc----w- c:\windows\system32\DRVSTORE
2009-07-03 03:46 . 2009-07-03 03:45 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-03 03:41 . 2009-07-03 03:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-03 03:41 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-02 05:48 . 2009-07-03 04:15 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-02 05:47 . 2009-07-02 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-02 05:47 . 2009-07-02 05:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-02 05:47 . 2009-07-02 05:47 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-02 05:46 . 2009-07-02 05:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-02 05:40 . 2009-07-02 05:40 -------- d-----w- c:\program files\CCleaner
2009-07-02 05:05 . 2009-07-02 05:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-02 05:04 . 2009-07-02 05:04 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-26 08:22 . 2009-07-04 18:11 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-24 05:00 . 2009-06-24 05:00 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
2009-06-12 02:43 . 2009-06-12 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
2009-06-11 02:51 . 2009-06-24 06:24 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-10 01:08 . 2009-06-12 02:43 -------- d-----w- c:\documents and settings\Owner\Application Data\GARMIN
2009-06-10 01:06 . 2009-06-12 02:41 -------- d-----w- C:\Garmin
2009-06-10 01:06 . 2007-09-06 22:53 18944 ----a-w- c:\windows\system32\drivers\SiLib.sys
2009-06-10 01:06 . 2007-09-06 22:53 14848 ----a-w- c:\windows\system32\drivers\DSI_SiUSBXp_3_1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 17:59 . 2006-10-14 00:32 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-07-04 18:02 . 2008-04-21 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-03 02:47 . 2006-10-14 00:31 -------- d-----w- c:\program files\uTorrent
2009-07-02 14:07 . 2006-03-28 06:25 -------- d-----w- c:\program files\Java
2009-07-02 00:11 . 2007-08-20 18:35 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-07-02 00:10 . 2009-07-02 00:10 0 ----a-w- C:\LOG4.tmp
2009-06-26 03:09 . 2009-03-24 04:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 03:09 . 2009-03-24 04:02 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 03:08 . 2008-04-21 03:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-24 06:24 . 2009-04-01 06:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-21 02:22 . 2007-07-06 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-17 18:27 . 2009-04-01 06:22 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2009-04-01 06:22 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-18 04:02 . 2009-03-24 04:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2005-03-23 16:52 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-03-23 16:53 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-03-23 16:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2005-03-23 16:53 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-03-23 16:52 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2001-09-29 01:00 . 2006-03-28 08:04 164864 ----a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1024000]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-24 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-24 118784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-02 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-03 520024]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 03:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/2/2009 8:46 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/23/2009 9:02 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/23/2009 9:02 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/23/2009 9:01 PM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.comcast.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\h6n9kb43.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 11:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-05 11:26
ComboFix-quarantined-files.txt 2009-07-05 18:26

Pre-Run: 28,014,383,104 bytes free
Post-Run: 27,997,077,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

175 --- E O F --- 2009-06-21 02:22
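The log above is the kind a helper has to triage by eye: the "Other Deletions" block lists a kernel driver under system32\drivers, two DLLs and two .dat files in system32, all sharing the fixed tag SKYNET followed by eight random lowercase letters, and the "Drivers/Services" block shows a service (SKYNETesrridmt) removed with the same naming shape. The script below is an added example, not code from the post or from ComboFix, that parses a ComboFix log into its parenthesis-delimited sections, clusters randomly named artifacts by their shared prefix, ties a removed service to the file cluster, and lists kernel drivers created in the "Files Created" window for review. The `SAMPLE_LOG` is a constructed excerpt in the layout of the log above; the naming heuristic (three or more uppercase letters plus exactly eight lowercase letters) is an assumption modelled on the SKYNET* entries, not a general rule for all malware.

```python
"""Triage a ComboFix log: cluster random-named artifacts and list new drivers.

Added example; the section layout follows the log posted above, the
random-name heuristic is an assumption based on the SKYNET* entries.
"""
import re
from collections import defaultdict

# Constructed excerpt in the shape of the posted ComboFix log (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system32\drivers\SKYNETtabwwqrw.sys
c:\windows\system32\SKYNETfqrmibsd.dat
c:\windows\system32\SKYNETwkfdbwut.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETesrridmt

((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.
2009-07-03 04:03 . 2009-07-04 17:46 -------- d-----w- c:\program files\SpywareGuard
2009-07-03 03:46 . 2009-07-03 03:45 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
"""

# Section headers look like "(((( Name ))))"; the name is whatever sits between the parens.
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")
# Removed services are printed as "-------\Service_<name>".
SERVICE_RE = re.compile(r"^-+\\Service_(\S+)$")
# Heuristic (assumption): fixed upper-case tag + exactly 8 random lower-case letters,
# the shape of SKYNETtabwwqrw, SKYNETfqrmibsd, SKYNETesrridmt in the log above.
RANDOM_STEM_RE = re.compile(r"^([A-Z]{3,})[a-z]{8}$")
# "Files Created" rows: <ts> . <ts> <size|-------- > <attrs> <path with spaces>
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$"
)
ARTIFACT_EXTS = {"sys", "dll", "dat", "exe"}


def parse_sections(text):
    """Split the log into {section name: [non-empty lines]}; '.' filler lines are dropped."""
    sections = defaultdict(list)
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line and line != ".":
            sections[current].append(line)
    return dict(sections)


def random_prefix(stem):
    """Return the fixed tag of a random-looking name, or None if it does not fit the heuristic."""
    m = RANDOM_STEM_RE.match(stem)
    return m.group(1) if m else None


def cluster_random_names(sections):
    """Group deleted files and removed services that share a random-name prefix."""
    clusters = defaultdict(lambda: {"files": [], "services": []})
    for path in sections.get("Other Deletions", []):
        base = path.rsplit("\\", 1)[-1]
        stem, _, ext = base.rpartition(".")
        prefix = random_prefix(stem) if ext.lower() in ARTIFACT_EXTS else None
        if prefix:
            clusters[prefix]["files"].append(path)
    for line in sections.get("Drivers/Services", []):
        m = SERVICE_RE.match(line)
        prefix = random_prefix(m.group(1)) if m else None
        if prefix:
            clusters[prefix]["services"].append(m.group(1))
    return dict(clusters)


def triage(text):
    """One finding per prefix; a kernel driver plus a DLL plus a service is the strongest shape."""
    findings = []
    for prefix, c in cluster_random_names(parse_sections(text)).items():
        has_driver = any(f.lower().endswith(".sys") for f in c["files"])
        has_dll = any(f.lower().endswith(".dll") for f in c["files"])
        verdict = "driver+dll+service" if has_driver and has_dll and c["services"] else "partial"
        findings.append({"prefix": prefix, "files": c["files"],
                         "services": c["services"], "verdict": verdict})
    return findings


def new_drivers(sections):
    """Kernel drivers (.sys under \\drivers\\) created in the 'Files Created' window: (ts, size, path)."""
    out = []
    for name, lines in sections.items():
        if not name.startswith("Files Created"):
            continue
        for line in lines:
            m = CREATED_RE.match(line)
            if not m:
                continue
            path = m.group(5)
            if "\\drivers\\" in path.lower() and path.lower().endswith(".sys"):
                size = int(m.group(3)) if m.group(3).isdigit() else None
                out.append((m.group(1), size, path))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["prefix"], f["verdict"], len(f["files"]), "files", f["services"])
    for ts, size, path in new_drivers(parse_sections(SAMPLE_LOG)):
        print("new driver:", ts, size, path)
```

On the excerpt this reports one SKYNET cluster with the verdict `driver+dll+service`, and lists Lbd.sys (created the day the Lavasoft Ad-Aware entries appear in the log) as the only new kernel driver, which is the list a helper would then check against known-vendor files rather than treat as a detection by itself. Running it over the full log pasted above yields the same cluster with all five SKYNET* files.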