Search engine results have wrong URL / Malware?

[tgaston]

When I search on google, yahoo, ect the results come back with the right description but the wrong URL. It wants to take you to some marketing or advertising site.

This is what comes up when I search for my own web-site. The desciption is correct, but look at the URL.

Premium New and Used Boat Sales and ServiceSoutheast Florida's premier dealer for EdgeWater, Shearwater, Sterling and Parker boats and Yamaha outboards. Full line engine service and custom rigging.
hxxp://www.swiftpage.com - 26k - Cached - Similar pages

Seagate Marine SalesSeagate Marine Sales, inc. was incorporated in March of 1992. We are a small, family owned and operated business with over 30 years of experience serving ...
hxxp://www.online-education.net - 10k - Cached - Similar pages

This happens to anything I search for.

I attached the scaned info. Thanks!



DDS (Version 1.0) - NTFSx86
Run by Seagate Marine Sales at 11:42:16.07 on Sat 12/06/2008

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Auto Run Software for Photo Frame] "c:\program files\philips\philips photoframe\PhotoManager.exe" /autorun
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [After Dark QuickAccess] "c:\after dark\After Dark.exe" /taskbar
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\seagat~1\startm~1\programs\startup\afterd~1.lnk - c:\after dark\after dark online\AD Online Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

RSPR?S?C?P?P?01234RSPR?S?C?P?P?01234

=============== Created Last 30 ================

2008-12-04 17:05 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-04 17:05 29,576 a------- c:\windows\system32\drivers\kcom.sys
2008-12-04 17:05 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-04 17:05 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-04 17:05 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-04 17:05 <DIR> --d----- c:\docume~1\seagat~1\applic~1\PC Tools
2008-12-03 11:05 60,744 a------- c:\documents and settings\seagate marine sales\g2mdlhlpx.exe
2008-11-25 15:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanAppDataDir
2008-11-25 15:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSScanAppDataDir
2008-11-24 09:57 176,235 a------- c:\windows\system32\Primomonnt.dll
2008-11-24 09:57 <DIR> --d----- c:\windows\PrimoPDF4
2008-11-20 13:53 <DIR> --d----- c:\program files\MSECache
2008-11-20 13:52 <DIR> --d----- C:\Cat5
2008-11-20 13:50 <DIR> --d----- C:\Cat5Installer
2008-11-12 10:52 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 10:52 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-11-10 10:37 376 a------- c:\windows\ODBC.INI

==================== Find3M ====================

2008-12-04 12:26 5,018 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 10:45 295,424 a------- c:\windows\system32\termsrv.dll
2008-10-15 10:45 507,904 a------- c:\windows\system32\winlogon.exe
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-15 07:12 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\dllcache\msxml6.dll
2008-09-08 05:41 333,824 -------- c:\windows\system32\dllcache\srv.sys
2007-10-01 14:05 724,984 a------- c:\documents and settings\seagate marine sales\gotomypc_437.exe
2007-10-01 13:43 3,902,784 a------- c:\documents and settings\seagate marine sales\gosetup.exe
2008-09-05 10:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 11:43:03.20 ===============

[sUBs]

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.

[tgaston]

That did it! Thanks! I attached the log report anyway.


ComboFix 08-12-06.01 - Seagate Marine Sales 2008-12-06 14:01:55.1 - NTFSx86

Running from: c:\documents and settings\Seagate Marine Sales\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Seagate Marine Sales\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
framedyn.dll is missing
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ntnet.drv
c:\windows\system32\sysaudio.sys

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 11:45 . 2008-12-06 11:45 250 --a------ c:\windows\gmer.ini
2008-12-05 14:21 . 2008-12-05 14:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-04 17:05 . 2008-12-05 11:23 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-04 17:05 . 2008-12-04 17:05 <DIR> d-------- c:\documents and settings\Seagate Marine Sales\Application Data\PC Tools
2008-12-04 17:05 . 2008-12-06 14:14 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-04 17:05 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-04 17:05 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-04 17:05 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-04 17:05 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-03 11:05 . 2008-12-03 11:05 60,744 --a------ c:\documents and settings\Seagate Marine Sales\g2mdlhlpx.exe
2008-11-25 15:42 . 2008-11-25 15:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2008-11-25 15:42 . 2008-11-25 15:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2008-11-24 09:57 . 2008-11-24 09:57 <DIR> d-------- c:\windows\PrimoPDF4
2008-11-24 09:57 . 2006-12-11 16:12 176,235 --a------ c:\windows\system32\Primomonnt.dll
2008-11-20 13:53 . 2008-11-20 13:53 <DIR> d-------- c:\program files\MSECache
2008-11-20 13:53 . 2008-11-21 16:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-20 13:52 . 2008-12-04 14:14 <DIR> d-------- C:\Cat5
2008-11-20 13:50 . 2008-11-20 13:51 <DIR> d-------- C:\Cat5Installer
2008-11-12 10:52 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 10:52 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 10:37 . 2008-11-10 10:37 376 --a------ c:\windows\ODBC.INI
2008-11-10 10:35 . 2008-11-10 10:35 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-10 10:31 . 2008-11-10 10:31 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 19:44 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-04 17:26 5,018 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-12-03 16:05 --------- d-----w c:\program files\Citrix
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 15:45 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2007-10-01 19:05 724,984 ----a-w c:\documents and settings\Seagate Marine Sales\gotomypc_437.exe
2007-10-01 18:43 3,902,784 ----a-w c:\documents and settings\Seagate Marine Sales\gosetup.exe
2008-09-05 15:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

------- Sigcheck -------

2004-08-04 06:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-10-15 10:45 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-12 67128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
"Auto Run Software for Photo Frame"="c:\program files\Philips\Philips PhotoFrame\PhotoManager.exe" [2007-02-16 2273280]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-17 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-17 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-16 106496]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 94208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Seagate Marine Sales\Start Menu\Programs\Startup\
After Dark Online Scheduler.lnk - c:\after dark\After Dark Online\AD Online Scheduler.exe [2006-01-28 33792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-03-12 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-01-04 671744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 10:09 10536 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= sysaudio.sys

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-After Dark QuickAccess - c:\after dark\After Dark.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

c:\windows\system32\msvcrt.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\userdic.tlx
c:\windows\system32\ssceam2.clx
c:\windows\system32\ssceam.tlx
c:\windows\system32\wspelldlg.hlp
c:\windows\system32\wspell.ocx
O16 -: {245338C3-BCA3-4A2C-A7B7-53345999A8E8}
hxxp://www.thehulltruth.com/registered/wspellam.cab
c:\windows\Downloaded Program Files\wspellam.inf

c:\windows\NPRemvu.ocx - O16 -: {CF38E898-0A6B-11D6-83C6-0080AD7D6076}
hxxp://70.46.89.247/common/NPRemvu.cab
c:\windows\Downloaded Program Files\NPRemvu.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 14:12:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(3244)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Spyware Doctor\pctsAuxs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
.
**************************************************************************
.
Completion time: 2008-12-06 14:25:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 19:25:05

Pre-Run: 62,817,247,232 bytes free
Post-Run: 62,923,681,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

204 --- E O F --- 2008-12-05 22:22:47

[sUBs]

ComboFix is complaining of a few missing patched files. Do you have another Service Pack 2 machine where we could copy these files from?

[tgaston]

Sorry, but I don't.

[sUBs]

Do this ....


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:

@echo off
Vfind -ltf %systemroot%\winlogon.ex* >log.txt
Start Log.txt
del %0

Save this as Look.bat Choose to "Save type as - All Files"
It should look like this:
Double click on look.bat & allow it to run

Post back to tell me what it says

[tgaston]

I just tried that a few times. When I opened the LOOK file, it quickly went to a black window and then went to a notepad window and the name changed to "log". The black window didn't stay up long enough to read what it said.

[sUBs]

The notepad named log is what I want

[tgaston]

It opens in an empty notepad page.

[sUBs]

That cannot be. Are you certain that you didnt miscopy it?

[tgaston]

I just tried it a few more times. When I save it on my desktop it looks just like you said it should. When I open it, a command prompt page flashes and then a blank notepad page comes up. The desktop icon also changes and its name changes to "log".

[sUBs]

Let's try an alternate route. Use this instead...

Quote:

@echo off
cd /d %systemdrive%\
dir %systemroot%\winlogon.ex* >log.txt
Notepad log.txt
del %0

[tgaston]

The command box said file not found. The notepad window had the following.

Volume in drive C is HP_PAVILION
Volume Serial Number is BCBB-56EA

Directory of C:\WINDOWS

[sUBs]

That's not possible. Please check if this file exist

c:\windows\system32\winlogon.exe

This file must exist or you will not be able to boot the machine

[sUBs]

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.