Google Search Results being Hijacked and Redirected

Komari · 07-01-2009, 02:04 PM

Sometimes, when I search for things on Google and click on a result, I'm redirected to another site. I'm using Firefox. The problem used to be much worse, but I used Super AntiSpyware, SDFix, and MalwareBytes's Anti Malware, in that order. Super AntiSpyware found and took out a bunch of bad cookies, SDFix wormed out and deleted an "a.exe" virus (which I don't think even has to do with my Google Search problem, but at least it got rid of something bad), and MalwareBytes's Anti Malware found quite a few Vundo programs and trojans, and deleted them all.
Like I said, the problem is better now (I'm only redirected half the time, instead of constantly), but it's definitely still there. Now all of my anti-spyware programs are coming up clean, and aren't finding anything.

My log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 11

04.95 on 07/01/2009 Wed
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.502.84 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\stsystra.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Nuance\NaturallySpeaking10\Program\natspeak.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://en.wikipedia.org/
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Anti-Phishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 52\axcmd.exe" /automount
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [WTClient] WTClient.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
dRun: [Power2GoExpress] NA
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\dragon~1.lnk - c:\program files\nuance\naturallyspeaking10\program\natspeak.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\MSOFFICE.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL gjocvu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRHbYRJ

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\fnkmejdg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\dnaml\npdbplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-28 38160]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-7-25 114464]
RUnknown htyivcvh;htyivcvh; [x]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-3-5 16512]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]

=============== Created Last 30 ================

2009-06-28 22:06 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-06-28 22:05 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 22:05 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-28 22:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 22:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-28 21:16 <DIR> --d----- c:\windows\ERUNT
2009-06-28 20:46 <DIR> --d----- C:\SDFix
2009-06-26 11:42 <DIR> --d----- c:\docume~1\owner\applic~1\BitTorrent
2009-06-26 11:41 <DIR> --d----- c:\program files\BitTorrent

==================== Find3M ====================

2009-05-15 19:36 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-05-15 19:36 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-05-07 08:44 344,064 -------- c:\windows\system32\localspl.dll
2009-04-28 21:31 668,160 a------- c:\windows\system32\wininet.dll
2009-04-28 21:31 81,920 -------- c:\windows\system32\ieencode.dll
2009-04-17 02:58 1,846,656 -------- c:\windows\system32\win32k.sys
2009-04-15 08:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-01-25 12:52 1,715 a------- c:\docume~1\owner\applic~1\SAS7_000.DAT
2006-10-21 14:26 986 -------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-12-02 22:37 918,215 a--sh--- c:\windows\system32\JRYbHRqr.ini2

============= FINISH: 11:09:23.35 ===============

mas_pogi · 07-02-2009, 10:54 AM

hi.

Welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------------------------------------------

I am sorry to inform you that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.
-------------------------------------------------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

----------------------------------------------------------------------------------------------------------

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.
Double click on Combo-Fix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mark

Komari · 07-02-2009, 01:43 PM

Well, do you think that a transaction I made back in May will have been seen by the backdoor trojan?
And by the way, ComboFix failed to tell me that I didn't have the recovery console installed before scanning, and it didn't prompt me to download the recovery console. It just told me that I didn't have it after it was done.

ComboFix results:

ComboFix 09-07-01.04 - Owner 2/2009 Thu 12:20.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 3
.empty" was unexpected at this time.

PEV Error: DesktopFile
PEV Error: DesktopFolder
PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder
PEV Error: PersonalFile
PEV Error: StartUpFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1324b.msi
c:\windows\system32\dbxDgrevCheck.dll
c:\windows\system32\disk.dll
c:\windows\system32\drivers\hjgruiswuhbqlr.sys
c:\windows\system32\hjgruimqfqjnsr.dll
c:\windows\system32\hjgruiorigsubr.dll
c:\windows\system32\hjgruirntkscpk.dat
c:\windows\system32\hjgruitonekllx.dat
c:\windows\system32\JRYbHRqr.ini
c:\windows\system32\JRYbHRqr.ini2
c:\windows\wiaserviv.log
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruivakvppjw

((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-01 01:24 . 2009-07-01 01:24 -------- d-----w- c:\documents and settings\sandy\Local Settings\Application Data\Scansoft
2009-06-29 05:06 . 2009-06-29 05:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-29 05:06 . 2009-06-29 05:06 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Malwarebytes
2009-06-29 05:05 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 05:05 . 2009-06-29 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 05:05 . 2009-06-29 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-29 05:05 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 04:16 . 2009-06-29 04:16 -------- d-----w- c:\windows\ERUNT
2009-06-29 03:46 . 2009-06-29 04:45 -------- d-----w- C:\SDFix
2009-06-26 18:42 . 2009-06-28 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-06-26 18:42 . 2009-06-28 00:24 -------- d-----w- c:\docume~1\Owner\APPLIC~1\BitTorrent
2009-06-26 18:41 . 2009-06-26 18:42 -------- d-----w- c:\program files\BitTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 19:33 . 2007-05-07 05:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-02 19:33 . 2008-08-18 00:09 -------- d-----w- c:\program files\DNA
2009-07-02 19:33 . 2008-08-18 00:09 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-07-02 19:33 . 2008-08-18 00:09 -------- d-----w- c:\docume~1\Owner\APPLIC~1\DNA
2009-06-27 23:20 . 2006-07-25 18:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 22:20 . 2008-12-07 05:35 -------- d-----w- c:\program files\NEXTON
2009-06-21 06:09 . 2009-05-24 22:04 -------- d-----w- c:\program files\Essentials Codec Pack
2009-06-20 02:22 . 2007-11-18 02:46 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-06-20 02:22 . 2007-11-18 02:46 -------- d-----w- c:\docume~1\Owner\APPLIC~1\gtk-2.0
2009-06-03 04:58 . 2007-02-03 23:46 -------- d-----w- c:\program files\EA GAMES
2009-05-26 07:10 . 2006-09-09 02:32 80552 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-26 04:23 . 2009-05-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-26 04:22 . 2009-05-26 04:22 -------- d-----w- c:\program files\Microsoft Works
2009-05-26 04:20 . 2009-05-26 04:20 -------- d-----w- c:\program files\Microsoft.NET
2009-05-25 03:42 . 2009-05-23 04:45 -------- d-----w- c:\program files\MKVtoolnix
2009-05-25 01:51 . 2009-05-25 01:51 -------- d-----w- c:\program files\Gabest
2009-05-24 23:07 . 2009-05-24 23:07 -------- d-----w- c:\program files\ffdshow
2009-05-24 22:10 . 2009-05-23 06:05 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-05-21 05:17 . 2009-03-22 20:38 -------- d-----w- c:\program files\WinAVI Video Converter
2009-05-21 05:17 . 2009-01-07 22:17 -------- d-----w- c:\program files\Wakan
2009-05-16 02:36 . 2009-05-24 23:07 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-16 02:36 . 2009-05-24 23:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-05-07 15:44 . 2004-08-26 16:11 344064 ------w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2004-08-26 16:12 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-26 16:11 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-26 16:12 1846656 ------w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-26 16:12 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-26 321344]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-25 169984]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-7-27 2807144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-7 113664]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376]
Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [1997-7-11 333824]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 23:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:*:Disabled:UDP port 5353

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/17/2008 4:11 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 55024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/31/2009 10:03 PM 24652]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [3/5/2009 10:16 PM 16512]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.wikipedia.org/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\fnkmejdg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\DNAML\npdbplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 12:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-277335353-1467319134-3029339847-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0789EEA0-258B-C4C5-BA73-71E7651D648B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3568)
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\windows\system32\drivers\WTSrv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\windows\system32\WISPTIS.EXE
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee.com\VSO\mcvsftsn.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-02 12:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-02 19:37

Pre-Run: 30,849,073,152 bytes free
Post-Run: 32,170,000,384 bytes free

250 --- E O F --- 2009-06-15 05:01

Komari · 07-02-2009, 03:31 PM

I almost forgot to mention that after ComboFix was done, I manually restarted my computer. When I logged on again, my computer had apparently restored itself to a prior restore point. My desktop was reverted to the one I had before, I had two icons linking to Bittorrent, and I had an Internet Explorer icon on my desktop (I deleted that icon long ago). Is this a result of someone remotely controlling my computer?

Komari · 07-02-2009, 05:02 PM

And McAfee Security Center turned itself back on, even though I turned it off before using ComboFix and not manually turning McAfee Security Center back on myself.

mas_pogi · 07-03-2009, 08:33 AM

hi.

Quote:

And by the way, ComboFix failed to tell me that I didn't have the recovery console installed before scanning, and it didn't prompt me to download the recovery console. It just told me that I didn't have it after it was done

Combofix.exe encountered an error and I will ask you to upload some files for review. Please see the instruction below on how to upload it.

For your other queries, I'll answer them later. I'll have to ask some expert to take a look at your log=)

--------------------------------------------------------------------------
Open Notepad and copy/paste the contents in the code box below, into Notepad.

Code:

@echo off
zip UploadThis C:\QooBox\BackEnv\*
exit

Save this as komari.bat in your desktop. Choose to "Save type as - All Files"

It should look like this:

Double-click komari.bat to run it. After it is completed, it will produce a zip file at desktop called Uploadthis.zip.

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

At comment, copy and paste this one.

Quote:

requested by Subs from
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/390809-google-search-results-being-hijacked-redirected.html#post2219647

Please let me know if you successfully submitted the file. Thanks.

Mark

Komari · 07-03-2009, 06:22 PM

I successfully submitted the file. :)

mas_pogi · 07-04-2009, 10:39 AM

hi.

Quote:

Originally Posted by Komari

I successfully submitted the file. :)

Thank you very much. I got it.

Before we continue with fixes, please download this app for testing and save it your desktop.

here

Double-click it to run.

If everything runs fine, it shall produce a log.

Let me know what it says. POst it back here.

mark

Komari · 07-05-2009, 03:17 PM

C:\Documents and Settings\Administrator.HAZINA\Desktop\mas_pogi_was_here
C:\Documents and Settings\sandy\Desktop\sUBs_was_here

test concluded successfully

mas_pogi · 07-06-2009, 08:52 AM

hi

Quote:

Originally Posted by Komari

C:\Documents and Settings\Administrator.HAZINA\Desktop\mas_pogi_was_here
C:\Documents and Settings\sandy\Desktop\sUBs_was_here

test concluded successfully

Good =)

Lets re-run Combofix.exe again

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.

Double-click on Combofix.exe to run it.

*Be sure to allow ComboFix.exe to update if prompted.
*Also allow installation of Recovery Console.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt so we can continue cleaning the system.

Thanks.

Mark

Komari · 07-07-2009, 11:24 PM

Once again, ComboFix failed to prompt me to install the recovery console.

ComboFix 09-07-07.A2 - Owner 7/2009 Tue 21:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.502.265 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 3
The syntax of the command is incorrect.

PEV Error: DesktopFile
PEV Error: DesktopFolder
PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder
PEV Error: PersonalFile
PEV Error: StartUpFile

((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-02 22:42 . 2009-07-02 22:42 -------- d-----w- c:\documents and settings\Owner\Application Data\RenPy
2009-07-01 01:24 . 2009-07-01 01:24 -------- d-----w- c:\documents and settings\sandy\Local Settings\Application Data\Scansoft
2009-06-29 05:06 . 2009-06-29 05:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-29 05:05 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 05:05 . 2009-06-29 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 05:05 . 2009-06-29 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-29 05:05 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 04:16 . 2009-06-29 04:16 -------- d-----w- c:\windows\ERUNT
2009-06-29 03:46 . 2009-06-29 04:45 -------- d-----w- C:\SDFix
2009-06-26 18:42 . 2009-06-28 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-06-26 18:41 . 2009-06-26 18:42 -------- d-----w- c:\program files\BitTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 04:58 . 2008-08-18 00:09 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-07-08 02:32 . 2007-11-18 02:46 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-07-08 02:18 . 2007-05-07 05:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-08 02:17 . 2008-08-18 00:09 -------- d-----w- c:\program files\DNA
2009-06-27 23:20 . 2006-07-25 18:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 22:20 . 2008-12-07 05:35 -------- d-----w- c:\program files\NEXTON
2009-06-21 06:09 . 2009-05-24 22:04 -------- d-----w- c:\program files\Essentials Codec Pack
2009-06-03 04:58 . 2007-02-03 23:46 -------- d-----w- c:\program files\EA GAMES
2009-05-26 07:10 . 2006-09-09 02:32 80552 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-26 04:23 . 2009-05-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-26 04:22 . 2009-05-26 04:22 -------- d-----w- c:\program files\Microsoft Works
2009-05-26 04:20 . 2009-05-26 04:20 -------- d-----w- c:\program files\Microsoft.NET
2009-05-25 03:42 . 2009-05-23 04:45 -------- d-----w- c:\program files\MKVtoolnix
2009-05-25 01:51 . 2009-05-25 01:51 -------- d-----w- c:\program files\Gabest
2009-05-24 23:07 . 2009-05-24 23:07 -------- d-----w- c:\program files\ffdshow
2009-05-24 22:10 . 2009-05-23 06:05 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-05-21 05:17 . 2009-03-22 20:38 -------- d-----w- c:\program files\WinAVI Video Converter
2009-05-21 05:17 . 2009-01-07 22:17 -------- d-----w- c:\program files\Wakan
2009-05-19 08:36 . 2009-06-13 21:36 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 08:36 . 2009-06-13 21:36 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 08:36 . 2009-06-13 21:36 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 08:36 . 2009-06-13 21:36 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 08:36 . 2009-06-13 21:36 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 08:36 . 2009-06-13 21:36 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 08:36 . 2009-06-13 21:36 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 08:36 . 2009-06-13 21:36 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-16 02:36 . 2009-05-24 23:07 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-16 02:36 . 2009-05-24 23:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-05-07 15:44 . 2004-08-26 16:11 344064 ------w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2004-08-26 16:12 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-26 16:11 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-26 16:12 1846656 ------w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-26 16:12 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-26 321344]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-25 169984]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-7-27 2807144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-7 113664]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376]
Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [1997-7-11 333824]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 23:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:*:Disabled:UDP port 5353

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/17/2008 4:11 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 55024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/31/2009 10:03 PM 24652]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [3/5/2009 10:16 PM 16512]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.wikipedia.org/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fnkmejdg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\DNAML\npdbplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 22:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-277335353-1467319134-3029339847-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0789EEA0-258B-C4C5-BA73-71E7651D648B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(264)
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
.
Completion time: 2009-07-08 22:03
ComboFix-quarantined-files.txt 2009-07-08 05:03
ComboFix2.txt 2009-07-02 19:37

Pre-Run: 32,070,881,280 bytes free
Post-Run: 32,043,589,632 bytes free

207 --- E O F --- 2009-06-15 05:01

mas_pogi · 07-08-2009, 06:44 PM

hi.

Quote:

Once again, ComboFix failed to prompt me to install the recovery console.

We will continue.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:

FOLDER::
C:\SDFix

DDS::
uInternet Connection Wizard,ShellNext = iexplore

REGNULL::
[HKEY_USERS\S-1-5-21-277335353-1467319134-3029339847-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0789EEA0-258B-C4C5-BA73-71E7651D648B}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

--------------------------------------------------------------------------

Please uninstall the following. Using windows ADD/REMOVE program at the control panel.

P2P program ( Perils of P2P File Sharing )
BitTorrent

Foistware
Viewpoint Media Player
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:
http://www.clickz.com/news/article.php/3561546

Please also delete this folder.

c:\program files\Viewpoint

Outdated java runtimes: (Older versions have vulnerabilities that malicious sites can use to exploit and infect your system)

J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 3

After you uninstall you outdated java, please download the Java(TM) 6 Update 14 here. Install it.

--------------------------------------------------------------------------

Run ESET Online Scan

*Close any open programs
*Turn off the real time scanner of any existing antivirus program while performing the online scan. You can find the instructions You can find instructions HERE.

Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic and also let me know how things are now.

-------------------------------------------------------------------------

How's your computer?

In your reply, please post

C:\combofix.txt
ESET scan result
Answer to my questions

Mark

Komari · 07-08-2009, 10:23 PM

ComboFix:

ComboFix 09-07-08.04 - Owner 8/2009 Wed 18:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.502.257 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 3
The syntax of the command is incorrect.

PEV Error: DesktopFile
PEV Error: DesktopFolder
PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder
PEV Error: PersonalFile
PEV Error: StartUpFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SDFix
c:\sdfix\Add_DBFix_RunOnce_key.inf
c:\sdfix\apps\assosfix.reg
c:\sdfix\apps\Cghtme.exe
c:\sdfix\apps\cliptext.exe
c:\sdfix\apps\DBFix.inf
c:\sdfix\apps\download.exe
c:\sdfix\apps\dummy.sys
c:\sdfix\apps\Enable_Command_Prompt.inf
c:\sdfix\apps\Enable_Command_Prompt.reg
c:\sdfix\apps\ERDNT.E_E
c:\sdfix\apps\ERDNTDOS.LOC
c:\sdfix\apps\ERDNTWIN.LOC
c:\sdfix\apps\ERUNT.EXE
c:\sdfix\apps\ERUNT.LOC
c:\sdfix\apps\fix.reg
c:\sdfix\apps\FixBeep.reg
c:\sdfix\apps\FixBH.reg
c:\sdfix\apps\FixComponents.reg
c:\sdfix\apps\FIXCU.reg
c:\sdfix\apps\FIXLM.reg
c:\sdfix\apps\FixPath.exe
c:\sdfix\apps\FixRedir.reg
c:\sdfix\apps\FixSchedule.reg
c:\sdfix\apps\FixWebCheck.reg
c:\sdfix\apps\fixXP.reg
c:\sdfix\apps\FixXPsp2.reg
c:\sdfix\apps\grep.exe
c:\sdfix\apps\HaxdFix.reg
c:\sdfix\apps\HPFix.reg
c:\sdfix\apps\HPFix2.reg
c:\sdfix\apps\HPFix3.reg
c:\sdfix\apps\HPFix4.reg
c:\sdfix\apps\HPFix5.reg
c:\sdfix\apps\HPFix6.reg
c:\sdfix\apps\HPFix7.reg
c:\sdfix\apps\HPFix8.reg
c:\sdfix\apps\HPFix9.reg
c:\sdfix\apps\Installed.txt
c:\sdfix\apps\isadmin.exe
c:\sdfix\apps\leg2.txt
c:\sdfix\apps\legacy.txt
c:\sdfix\apps\legacybk.txt
c:\sdfix\apps\locate.com
c:\sdfix\apps\LS.exe
c:\sdfix\apps\MD5File.exe
c:\sdfix\apps\moveex.exe
c:\sdfix\apps\MyGcpvFix.reg
c:\sdfix\apps\MyGkFix2.reg
c:\sdfix\apps\Process.exe
c:\sdfix\apps\procs.exe
c:\sdfix\apps\psservice.exe
c:\sdfix\apps\Rem.txt
c:\sdfix\apps\Rem2.txt
c:\sdfix\apps\Replace\regedit.exe
c:\sdfix\apps\Replace\w2k\AUTOEXEC.NT
c:\sdfix\apps\Replace\w2k\beep.sys
c:\sdfix\apps\Replace\w2k\command.com
c:\sdfix\apps\Replace\w2k\command.PIF
c:\sdfix\apps\Replace\w2k\CONFIG.NT
c:\sdfix\apps\Replace\w2k\null.sys
c:\sdfix\apps\Replace\xp\AUTOEXEC.NT
c:\sdfix\apps\Replace\xp\beep.sys
c:\sdfix\apps\Replace\xp\command.com
c:\sdfix\apps\Replace\xp\command.PIF
c:\sdfix\apps\Replace\xp\CONFIG.NT
c:\sdfix\apps\Replace\xp\null.sys
c:\sdfix\apps\Reset_AppInit_DLLs.reg
c:\sdfix\apps\RestartIt!.exe
c:\sdfix\apps\Restore_SafeBoot_Windows2000.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
c:\sdfix\apps\Restore_SecurityCenter.reg
c:\sdfix\apps\Restore_SharedAccess.reg
c:\sdfix\apps\sc.exe
c:\sdfix\apps\sed.exe
c:\sdfix\apps\SF.exe
c:\sdfix\apps\shutdown.exe
c:\sdfix\apps\srv2.txt
c:\sdfix\apps\srv2bk.txt
c:\sdfix\apps\svc.txt
c:\sdfix\apps\svcbk.txt
c:\sdfix\apps\Swreg.exe
c:\sdfix\apps\swsc.exe
c:\sdfix\apps\UnRAR.exe
c:\sdfix\apps\unzip.exe
c:\sdfix\apps\vfind.exe
c:\sdfix\apps\WINMSG.EXE
c:\sdfix\apps\winsec.reg
c:\sdfix\apps\zip.exe
c:\sdfix\backups\backupreg.zip
c:\sdfix\backups\backups.zip
c:\sdfix\backups\catchme.log
c:\sdfix\backups\HOSTS
c:\sdfix\catchme.exe
c:\sdfix\DBFix.bat
c:\sdfix\dummy.sys
c:\sdfix\Report.txt
c:\sdfix\RunThis.bat
c:\sdfix\SDFIX_ReadMe_Online.url
c:\sdfix\W2K_VirusAlert_Repair.inf
c:\sdfix\XP_VirusAlert_Repair.inf
c:\windows\system32\drivers\hjgruippwsobau.sys
c:\windows\system32\hjgruiilvfoerk.dll
c:\windows\system32\hjgruiiqhyfxrd.dat
c:\windows\system32\hjgruinpjidyvb.dll
c:\windows\system32\hjgruiqrulufdd.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiqskjcbwv

((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-02 22:42 . 2009-07-02 22:42 -------- d-----w- c:\documents and settings\Owner\Application Data\RenPy
2009-07-01 01:24 . 2009-07-01 01:24 -------- d-----w- c:\documents and settings\sandy\Local Settings\Application Data\Scansoft
2009-06-29 05:06 . 2009-06-29 05:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-29 05:05 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 05:05 . 2009-06-29 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 05:05 . 2009-06-29 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-29 05:05 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 04:16 . 2009-06-29 04:16 -------- d-----w- c:\windows\ERUNT
2009-06-26 18:42 . 2009-06-28 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-06-26 18:41 . 2009-06-26 18:42 -------- d-----w- c:\program files\BitTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 01:47 . 2008-08-18 00:09 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-07-09 01:03 . 2007-05-07 05:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-09 01:03 . 2008-08-18 00:09 -------- d-----w- c:\program files\DNA
2009-07-08 02:32 . 2007-11-18 02:46 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-06-27 23:20 . 2006-07-25 18:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 22:20 . 2008-12-07 05:35 -------- d-----w- c:\program files\NEXTON
2009-06-21 06:09 . 2009-05-24 22:04 -------- d-----w- c:\program files\Essentials Codec Pack
2009-06-03 04:58 . 2007-02-03 23:46 -------- d-----w- c:\program files\EA GAMES
2009-05-26 07:10 . 2006-09-09 02:32 80552 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-26 04:23 . 2009-05-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-26 04:22 . 2009-05-26 04:22 -------- d-----w- c:\program files\Microsoft Works
2009-05-26 04:20 . 2009-05-26 04:20 -------- d-----w- c:\program files\Microsoft.NET
2009-05-25 03:42 . 2009-05-23 04:45 -------- d-----w- c:\program files\MKVtoolnix
2009-05-25 01:51 . 2009-05-25 01:51 -------- d-----w- c:\program files\Gabest
2009-05-24 23:07 . 2009-05-24 23:07 -------- d-----w- c:\program files\ffdshow
2009-05-24 22:10 . 2009-05-23 06:05 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-05-21 05:17 . 2009-03-22 20:38 -------- d-----w- c:\program files\WinAVI Video Converter
2009-05-21 05:17 . 2009-01-07 22:17 -------- d-----w- c:\program files\Wakan
2009-05-19 08:36 . 2009-06-13 21:36 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 08:36 . 2009-06-13 21:36 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 08:36 . 2009-06-13 21:36 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 08:36 . 2009-06-13 21:36 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 08:36 . 2009-06-13 21:36 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 08:36 . 2009-06-13 21:36 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 08:36 . 2009-06-13 21:36 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 08:36 . 2009-06-13 21:36 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-16 02:36 . 2009-05-24 23:07 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-16 02:36 . 2009-05-24 23:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-05-07 15:44 . 2004-08-26 16:11 344064 ------w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2004-08-26 16:12 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-26 16:11 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-26 16:12 1846656 ------w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-26 16:12 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-02_19.33.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 18:07 . 2009-07-09 01:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-26 18:07 . 2009-07-02 18:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-26 18:07 . 2009-07-09 01:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-26 18:07 . 2009-07-02 18:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-26 18:07 . 2009-07-09 01:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-26 18:07 . 2009-07-02 18:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-26 321344]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-25 169984]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-7-27 2807144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-7 113664]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376]
Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [1997-7-11 333824]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 23:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:*:Disabled:UDP port 5353

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/17/2008 4:11 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 55024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/31/2009 10:03 PM 24652]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [3/5/2009 10:16 PM 16512]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.wikipedia.org/
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fnkmejdg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\DNAML\npdbplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 18:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-09 19:01
ComboFix-quarantined-files.txt 2009-07-09 02:01
ComboFix2.txt 2009-07-08 05:03
ComboFix3.txt 2009-07-02 19:37

Pre-Run: 32,088,817,664 bytes free
Post-Run: 32,058,601,472 bytes free

320 --- E O F --- 2009-06-15 05:01

ESET:

It found 6 malicious files:
C:\Documents and Settings\Owner\Desktop\SDFix.exe Win32/PrcView application
C:\Documents and Settings\Owner\Desktop\stuff to keep\Kanon(2).7z probably a variant of Win32/HackTool.Patcher.A application
C:\Qoobox\Quarantine\C\SDFix\apps\Process.exe.vir Win32/PrcView application
C:\Qoobox\Quarantine\C\WINDOWS\system32\JRYbHRqr.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\JRYbHRqr.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP370\A0119601.exe Win32/PrcView application

The Kanon(2).7z is a completely safe file, I downloaded it from a trustworthy source. It's an English patch for a game I have, so no it isn't a bad patcher

. The SDFix is safe, I believe. I dunno about the other files.

My thoughts:
I don't seem to still have the sypmtoms, but they're on and off, so that could be speak of the devil. And why is it that whenever I run ComboFix, my desktop gets reverted, and some weird icons appear on my desktop?

mas_pogi · 07-09-2009, 07:27 AM

hi.

Quote:

I don't seem to still have the sypmtoms, but they're on and off, so

Because you are reinfected again. Though Combofix already taken it down in your last log again, I want you to kindly review the site you are visiting especially the ones installing codecs. Also review the programs you installed lately. They might be the installer of rootkit that causes infestation.

Your last log is good already though.

Quote:

The SDFix is safe, I believe. I dunno about the other files.

SDfix has not been updated lately. I suggest to refrain of using it. Some of malwares today has a counter with our tool. I don't want you to be surprise that your computer wouldn't boot anymore. Just to be in the safe side..

Kaspersky found malware in Qoobox folder. Don't worry about them. Qoobox is our tool quarantine folder. We will purge them soon. Your System restore will be extinguish to remove any malware restore point also.

Congratulations! You now appear clean!

We Need to Clean Up Our Mess

Uninstall ComboFix
Remove Combofix now that we're done with it.
- Click on your Start Menu, then Run....
- Now copy and paste this one in the runbox. Then HIT enter.
  Code:
```
ComboFix /u
```
Uninstalling ComboFix will do the following:
1. Delete ComboFix and its components from your computer.
2. Delete other tools commonly used during the malware removal process.
3. Resets clock settings to standard format.
4. Re-hides file extensions and hidden/system files.
5. Clears System Restore cache and creates new restore point.
Please also delete the DDS.scr located at your desktop.
Please also delete the komari.bat located at your desktop.

-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.
Install the MVPs hosts file, and update it regularly
You can use the HostMan host file manager to do this automaticly if you wish.
For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
Install an Anti-Spyware program, and update it regularly
Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
SUPERAntiSpyware is another good scanner with high detection and removal rates.
Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
Keep Windows (and your other Microsoft software) up to date!
I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
Keep your other software up to date as well
Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
Stay up to date!
The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Please respond to this thread one more time so we can mark this thread as resolved.

Maraming salamat.

Mark

Komari · 07-09-2009, 02:55 PM

So I have to do a System Restore to get rid of all the malware? I'm not done.

mas_pogi · 07-09-2009, 06:04 PM

hi.

Quote:

Uninstalling ComboFix will do the following:
1. Delete ComboFix and its components from your computer.
2. Delete other tools commonly used during the malware removal process.
3. Resets clock settings to standard format.
4. Re-hides file extensions and hidden/system files.
5. Clears System Restore cache and creates new restore point

If you already done with Combofix uinstallation, then you already flushed the system restore.

Mark

mas_pogi · 07-12-2009, 05:56 AM

Since the problem appears to be resolved, it will now be archived.

Mark

07-02-2009, 10:54 AM	#2 (permalink)
mas_pogi Analyst, Security Team Join Date: Apr 2008 Location: Tokyo, JP Posts: 1,476 OS: Vista, Linux Mint	Re: Google Search Results being Hijacked and Redirected hi. Welcome to TSF You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. ------------------------------------------------------------------------- I am sorry to inform you that one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? ------------------------------------------------------------------------ Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper. ------------------------------------------------------------------------------------------------------------------- Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ---------------------------------------------------------------------------------------------------------- Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop. Link 1 Link 2 Link 3 Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE. Double click on Combo-Fix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt** in your next reply. Mark __________________ To accomplish great things, we must not only act, but also dream; not only plan, but also believe. If I have been helping you and do not reply within 24 hours, please send me a message. I'm a member of U.N.I.T.E and A.S.A.P Last edited by mas_pogi; 07-02-2009 at 10:57 AM.

07-02-2009, 01:43 PM	#3 (permalink)
Komari Registered User Join Date: Jul 2009 Posts: 16 OS: Windows XP Home Ed.	Re: Google Search Results being Hijacked and Redirected Well, do you think that a transaction I made back in May will have been seen by the backdoor trojan? And by the way, ComboFix failed to tell me that I didn't have the recovery console installed before scanning, and it didn't prompt me to download the recovery console. It just told me that I didn't have it after it was done. ComboFix results: ComboFix 09-07-01.04 - Owner 2/2009 Thu 12:20.1 - NTFSx86 Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe AV: McAfee VirusScan On-access scanning disabled (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall Plus disabled {94894B63-8C7F-4050-BDA4-813CA00DA3E8} WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . /wow section - STAGE 3 .empty" was unexpected at this time. PEV Error: DesktopFile PEV Error: DesktopFolder PEV Error: FavFile PEV Error: LocalAppDataFile PEV Error: LocalAppDataFolder PEV Error: LocalSettingsFile PEV Error: MenuFile PEV Error: MenuFolder PEV Error: PersonalFile PEV Error: StartUpFile ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\Installer\1324b.msi c:\windows\system32\dbxDgrevCheck.dll c:\windows\system32\disk.dll c:\windows\system32\drivers\hjgruiswuhbqlr.sys c:\windows\system32\hjgruimqfqjnsr.dll c:\windows\system32\hjgruiorigsubr.dll c:\windows\system32\hjgruirntkscpk.dat c:\windows\system32\hjgruitonekllx.dat c:\windows\system32\JRYbHRqr.ini c:\windows\system32\JRYbHRqr.ini2 c:\windows\wiaserviv.log D:\Autorun.inf D:\Desktop.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_hjgruivakvppjw ((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 ))))))))))))))))))))))))))))))) . 2009-07-01 01:24 . 2009-07-01 01:24 -------- d-----w- c:\documents and settings\sandy\Local Settings\Application Data\Scansoft 2009-06-29 05:06 . 2009-06-29 05:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-06-29 05:06 . 2009-06-29 05:06 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Malwarebytes 2009-06-29 05:05 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-29 05:05 . 2009-06-29 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-29 05:05 . 2009-06-29 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-29 05:05 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-29 04:16 . 2009-06-29 04:16 -------- d-----w- c:\windows\ERUNT 2009-06-29 03:46 . 2009-06-29 04:45 -------- d-----w- C:\SDFix 2009-06-26 18:42 . 2009-06-28 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent 2009-06-26 18:42 . 2009-06-28 00:24 -------- d-----w- c:\docume~1\Owner\APPLIC~1\BitTorrent 2009-06-26 18:41 . 2009-06-26 18:42 -------- d-----w- c:\program files\BitTorrent . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-02 19:33 . 2007-05-07 05:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-07-02 19:33 . 2008-08-18 00:09 -------- d-----w- c:\program files\DNA 2009-07-02 19:33 . 2008-08-18 00:09 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA 2009-07-02 19:33 . 2008-08-18 00:09 -------- d-----w- c:\docume~1\Owner\APPLIC~1\DNA 2009-06-27 23:20 . 2006-07-25 18:27 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-06-27 22:20 . 2008-12-07 05:35 -------- d-----w- c:\program files\NEXTON 2009-06-21 06:09 . 2009-05-24 22:04 -------- d-----w- c:\program files\Essentials Codec Pack 2009-06-20 02:22 . 2007-11-18 02:46 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0 2009-06-20 02:22 . 2007-11-18 02:46 -------- d-----w- c:\docume~1\Owner\APPLIC~1\gtk-2.0 2009-06-03 04:58 . 2007-02-03 23:46 -------- d-----w- c:\program files\EA GAMES 2009-05-26 07:10 . 2006-09-09 02:32 80552 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-26 04:23 . 2009-05-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-05-26 04:22 . 2009-05-26 04:22 -------- d-----w- c:\program files\Microsoft Works 2009-05-26 04:20 . 2009-05-26 04:20 -------- d-----w- c:\program files\Microsoft.NET 2009-05-25 03:42 . 2009-05-23 04:45 -------- d-----w- c:\program files\MKVtoolnix 2009-05-25 01:51 . 2009-05-25 01:51 -------- d-----w- c:\program files\Gabest 2009-05-24 23:07 . 2009-05-24 23:07 -------- d-----w- c:\program files\ffdshow 2009-05-24 22:10 . 2009-05-23 06:05 -------- d-----w- c:\program files\Combined Community Codec Pack 2009-05-21 05:17 . 2009-03-22 20:38 -------- d-----w- c:\program files\WinAVI Video Converter 2009-05-21 05:17 . 2009-01-07 22:17 -------- d-----w- c:\program files\Wakan 2009-05-16 02:36 . 2009-05-24 23:07 85504 ----a-w- c:\windows\system32\ff_vfw.dll 2009-05-16 02:36 . 2009-05-24 23:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll 2009-05-07 15:44 . 2004-08-26 16:11 344064 ------w- c:\windows\system32\localspl.dll 2009-04-29 04:31 . 2004-08-26 16:12 668160 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:31 . 2004-08-26 16:11 81920 ------w- c:\windows\system32\ieencode.dll 2009-04-17 09:58 . 2004-08-26 16:12 1846656 ------w- c:\windows\system32\win32k.sys 2009-04-15 15:11 . 2004-08-26 16:12 584192 ----a-w- c:\windows\system32\rpcrt4.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-26 321344] "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-25 169984] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264] "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992] "VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552] "OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248] "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104] "MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992] "MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592] "MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792] "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840] "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920] "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696] "WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\Owner\Start Menu\Programs\Startup\ Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-7-27 2807144] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-7 113664] Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376] Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [1997-7-11 333824] Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 23:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5353:UDP"= 5353:UDP::Disabled:UDP port 5353 R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/17/2008 4:11 PM 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 55024] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/31/2009 10:03 PM 24652] S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [3/5/2009 10:16 PM 16512] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408] . Contents of the 'Scheduled Tasks' folder 2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34] . - - - - ORPHANS REMOVED - - - - HKCU-Run-Aim6 - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://en.wikipedia.org/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mDefault_Search_URL = hxxp://www.google.com/ie mStart Page = hxxp://www.yahoo.com uInternet Connection Wizard,ShellNext = iexplore uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\fnkmejdg.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - AIM Search FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/ FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query= FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF - plugin: c:\windows\system32\DNAML\npdbplug.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: browser.sessionstore.resume_from_crash - false . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-02 12:32 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-277335353-1467319134-3029339847-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0789EEA0-258B-C4C5-BA73-71E7651D648B}] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(848) c:\program files\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'explorer.exe'(3568) c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll c:\progra~1\mcafee.com\vso\McVSSkt.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\WLTRYSVC.EXE c:\windows\system32\BCMWLTRY.EXE c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe c:\program files\McAfee.com\Agent\Mcdetect.exe c:\progra~1\McAfee.com\Agent\McTskshd.exe c:\progra~1\McAfee.com\PERSON~1\MpfService.exe c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe c:\windows\system32\conime.exe c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS c:\windows\system32\wdfmgr.exe c:\windows\system32\drivers\WTSrv.exe c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe c:\windows\system32\igfxsrvc.exe c:\progra~1\McAfee.com\VSO\McVSEscn.exe c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe c:\windows\system32\WISPTIS.EXE c:\program files\iPod\bin\iPodService.exe c:\progra~1\McAfee.com\VSO\mcvsftsn.exe c:\windows\system32\wscntfy.exe . ************************************************************************* . Completion time: 2009-07-02 12:37 - machine was rebooted ComboFix-quarantined-files.txt 2009-07-02 19:37 Pre-Run: 30,849,073,152 bytes free Post-Run: 32,170,000,384 bytes free 250 --- E O F --- 2009-06-15 05:01

07-02-2009, 03:31 PM	#4 (permalink)
Komari Registered User Join Date: Jul 2009 Posts: 16 OS: Windows XP Home Ed.	Re: Google Search Results being Hijacked and Redirected I almost forgot to mention that after ComboFix was done, I manually restarted my computer. When I logged on again, my computer had apparently restored itself to a prior restore point. My desktop was reverted to the one I had before, I had two icons linking to Bittorrent, and I had an Internet Explorer icon on my desktop (I deleted that icon long ago). Is this a result of someone remotely controlling my computer?

07-02-2009, 05:02 PM	#5 (permalink)
Komari Registered User Join Date: Jul 2009 Posts: 16 OS: Windows XP Home Ed.	Re: Google Search Results being Hijacked and Redirected And McAfee Security Center turned itself back on, even though I turned it off before using ComboFix and not manually turning McAfee Security Center back on myself.

07-03-2009, 06:22 PM	#7 (permalink)
Komari Registered User Join Date: Jul 2009 Posts: 16 OS: Windows XP Home Ed.	Re: Google Search Results being Hijacked and Redirected I successfully submitted the file. :)

07-05-2009, 03:17 PM	#9 (permalink)
Komari Registered User Join Date: Jul 2009 Posts: 16 OS: Windows XP Home Ed.	Re: Google Search Results being Hijacked and Redirected C:\Documents and Settings\Administrator.HAZINA\Desktop\mas_pogi_was_here C:\Documents and Settings\sandy\Desktop\sUBs_was_here test concluded successfully

07-07-2009, 11:24 PM	#11 (permalink)
Komari Registered User Join Date: Jul 2009 Posts: 16 OS: Windows XP Home Ed.	Re: Google Search Results being Hijacked and Redirected Once again, ComboFix failed to prompt me to install the recovery console. ComboFix 09-07-07.A2 - Owner 7/2009 Tue 21:55.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.502.265 [GMT -7:00] Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe AV: McAfee VirusScan On-access scanning disabled (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall Plus disabled {94894B63-8C7F-4050-BDA4-813CA00DA3E8} WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . /wow section - STAGE 3 The syntax of the command is incorrect. PEV Error: DesktopFile PEV Error: DesktopFolder PEV Error: FavFile PEV Error: LocalAppDataFile PEV Error: LocalAppDataFolder PEV Error: LocalSettingsFile PEV Error: MenuFile PEV Error: MenuFolder PEV Error: PersonalFile PEV Error: StartUpFile ((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 ))))))))))))))))))))))))))))))) . 2009-07-02 22:42 . 2009-07-02 22:42 -------- d-----w- c:\documents and settings\Owner\Application Data\RenPy 2009-07-01 01:24 . 2009-07-01 01:24 -------- d-----w- c:\documents and settings\sandy\Local Settings\Application Data\Scansoft 2009-06-29 05:06 . 2009-06-29 05:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-06-29 05:05 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-29 05:05 . 2009-06-29 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-29 05:05 . 2009-06-29 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-29 05:05 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-29 04:16 . 2009-06-29 04:16 -------- d-----w- c:\windows\ERUNT 2009-06-29 03:46 . 2009-06-29 04:45 -------- d-----w- C:\SDFix 2009-06-26 18:42 . 2009-06-28 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent 2009-06-26 18:41 . 2009-06-26 18:42 -------- d-----w- c:\program files\BitTorrent . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-08 04:58 . 2008-08-18 00:09 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA 2009-07-08 02:32 . 2007-11-18 02:46 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0 2009-07-08 02:18 . 2007-05-07 05:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-07-08 02:17 . 2008-08-18 00:09 -------- d-----w- c:\program files\DNA 2009-06-27 23:20 . 2006-07-25 18:27 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-06-27 22:20 . 2008-12-07 05:35 -------- d-----w- c:\program files\NEXTON 2009-06-21 06:09 . 2009-05-24 22:04 -------- d-----w- c:\program files\Essentials Codec Pack 2009-06-03 04:58 . 2007-02-03 23:46 -------- d-----w- c:\program files\EA GAMES 2009-05-26 07:10 . 2006-09-09 02:32 80552 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-26 04:23 . 2009-05-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-05-26 04:22 . 2009-05-26 04:22 -------- d-----w- c:\program files\Microsoft Works 2009-05-26 04:20 . 2009-05-26 04:20 -------- d-----w- c:\program files\Microsoft.NET 2009-05-25 03:42 . 2009-05-23 04:45 -------- d-----w- c:\program files\MKVtoolnix 2009-05-25 01:51 . 2009-05-25 01:51 -------- d-----w- c:\program files\Gabest 2009-05-24 23:07 . 2009-05-24 23:07 -------- d-----w- c:\program files\ffdshow 2009-05-24 22:10 . 2009-05-23 06:05 -------- d-----w- c:\program files\Combined Community Codec Pack 2009-05-21 05:17 . 2009-03-22 20:38 -------- d-----w- c:\program files\WinAVI Video Converter 2009-05-21 05:17 . 2009-01-07 22:17 -------- d-----w- c:\program files\Wakan 2009-05-19 08:36 . 2009-06-13 21:36 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe 2009-05-19 08:36 . 2009-06-13 21:36 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat 2009-05-19 08:36 . 2009-06-13 21:36 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat 2009-05-19 08:36 . 2009-06-13 21:36 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe 2009-05-19 08:36 . 2009-06-13 21:36 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe 2009-05-19 08:36 . 2009-06-13 21:36 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe 2009-05-19 08:36 . 2009-06-13 21:36 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe 2009-05-19 08:36 . 2009-06-13 21:36 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll 2009-05-16 02:36 . 2009-05-24 23:07 85504 ----a-w- c:\windows\system32\ff_vfw.dll 2009-05-16 02:36 . 2009-05-24 23:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll 2009-05-07 15:44 . 2004-08-26 16:11 344064 ------w- c:\windows\system32\localspl.dll 2009-04-29 04:31 . 2004-08-26 16:12 668160 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:31 . 2004-08-26 16:11 81920 ------w- c:\windows\system32\ieencode.dll 2009-04-17 09:58 . 2004-08-26 16:12 1846656 ------w- c:\windows\system32\win32k.sys 2009-04-15 15:11 . 2004-08-26 16:12 584192 ----a-w- c:\windows\system32\rpcrt4.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-26 321344] "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-25 169984] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264] "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992] "VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552] "OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248] "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104] "MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992] "MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592] "MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792] "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840] "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920] "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696] "WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\Owner\Start Menu\Programs\Startup\ Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-7-27 2807144] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-7 113664] Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376] Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [1997-7-11 333824] Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 23:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5353:UDP"= 5353:UDP::Disabled:UDP port 5353 R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/17/2008 4:11 PM 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 55024] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/31/2009 10:03 PM 24652] S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [3/5/2009 10:16 PM 16512] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408] . Contents of the 'Scheduled Tasks' folder 2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://en.wikipedia.org/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mStart Page = hxxp://www.yahoo.com uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fnkmejdg.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - AIM Search FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/ FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query= FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF - plugin: c:\windows\system32\DNAML\npdbplug.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: browser.sessionstore.resume_from_crash - false . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-07 22:01 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-277335353-1467319134-3029339847-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0789EEA0-258B-C4C5-BA73-71E7651D648B}] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(840) c:\program files\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'explorer.exe'(264) c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll c:\progra~1\mcafee.com\vso\McVSSkt.dll . Completion time: 2009-07-08 22:03 ComboFix-quarantined-files.txt 2009-07-08 05:03 ComboFix2.txt 2009-07-02 19:37 Pre-Run: 32,070,881,280 bytes free Post-Run: 32,043,589,632 bytes free 207 --- E O F --- 2009-06-15 05:01 Last edited by Komari; 07-07-2009 at 11:26 PM.*

07-08-2009, 10:23 PM	#13 (permalink)
Komari Registered User Join Date: Jul 2009 Posts: 16 OS: Windows XP Home Ed.	Re: Google Search Results being Hijacked and Redirected ComboFix: ComboFix 09-07-08.04 - Owner 8/2009 Wed 18:53.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.502.257 [GMT -7:00] Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt AV: McAfee VirusScan On-access scanning disabled (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall Plus disabled {94894B63-8C7F-4050-BDA4-813CA00DA3E8} WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . /wow section - STAGE 3 The syntax of the command is incorrect. PEV Error: DesktopFile PEV Error: DesktopFolder PEV Error: FavFile PEV Error: LocalAppDataFile PEV Error: LocalAppDataFolder PEV Error: LocalSettingsFile PEV Error: MenuFile PEV Error: MenuFolder PEV Error: PersonalFile PEV Error: StartUpFile ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\SDFix c:\sdfix\Add_DBFix_RunOnce_key.inf c:\sdfix\apps\assosfix.reg c:\sdfix\apps\Cghtme.exe c:\sdfix\apps\cliptext.exe c:\sdfix\apps\DBFix.inf c:\sdfix\apps\download.exe c:\sdfix\apps\dummy.sys c:\sdfix\apps\Enable_Command_Prompt.inf c:\sdfix\apps\Enable_Command_Prompt.reg c:\sdfix\apps\ERDNT.E_E c:\sdfix\apps\ERDNTDOS.LOC c:\sdfix\apps\ERDNTWIN.LOC c:\sdfix\apps\ERUNT.EXE c:\sdfix\apps\ERUNT.LOC c:\sdfix\apps\fix.reg c:\sdfix\apps\FixBeep.reg c:\sdfix\apps\FixBH.reg c:\sdfix\apps\FixComponents.reg c:\sdfix\apps\FIXCU.reg c:\sdfix\apps\FIXLM.reg c:\sdfix\apps\FixPath.exe c:\sdfix\apps\FixRedir.reg c:\sdfix\apps\FixSchedule.reg c:\sdfix\apps\FixWebCheck.reg c:\sdfix\apps\fixXP.reg c:\sdfix\apps\FixXPsp2.reg c:\sdfix\apps\grep.exe c:\sdfix\apps\HaxdFix.reg c:\sdfix\apps\HPFix.reg c:\sdfix\apps\HPFix2.reg c:\sdfix\apps\HPFix3.reg c:\sdfix\apps\HPFix4.reg c:\sdfix\apps\HPFix5.reg c:\sdfix\apps\HPFix6.reg c:\sdfix\apps\HPFix7.reg c:\sdfix\apps\HPFix8.reg c:\sdfix\apps\HPFix9.reg c:\sdfix\apps\Installed.txt c:\sdfix\apps\isadmin.exe c:\sdfix\apps\leg2.txt c:\sdfix\apps\legacy.txt c:\sdfix\apps\legacybk.txt c:\sdfix\apps\locate.com c:\sdfix\apps\LS.exe c:\sdfix\apps\MD5File.exe c:\sdfix\apps\moveex.exe c:\sdfix\apps\MyGcpvFix.reg c:\sdfix\apps\MyGkFix2.reg c:\sdfix\apps\Process.exe c:\sdfix\apps\procs.exe c:\sdfix\apps\psservice.exe c:\sdfix\apps\Rem.txt c:\sdfix\apps\Rem2.txt c:\sdfix\apps\Replace\regedit.exe c:\sdfix\apps\Replace\w2k\AUTOEXEC.NT c:\sdfix\apps\Replace\w2k\beep.sys c:\sdfix\apps\Replace\w2k\command.com c:\sdfix\apps\Replace\w2k\command.PIF c:\sdfix\apps\Replace\w2k\CONFIG.NT c:\sdfix\apps\Replace\w2k\null.sys c:\sdfix\apps\Replace\xp\AUTOEXEC.NT c:\sdfix\apps\Replace\xp\beep.sys c:\sdfix\apps\Replace\xp\command.com c:\sdfix\apps\Replace\xp\command.PIF c:\sdfix\apps\Replace\xp\CONFIG.NT c:\sdfix\apps\Replace\xp\null.sys c:\sdfix\apps\Reset_AppInit_DLLs.reg c:\sdfix\apps\RestartIt!.exe c:\sdfix\apps\Restore_SafeBoot_Windows2000.reg c:\sdfix\apps\Restore_SafeBoot_WindowsXP.reg c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP2.reg c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP3.reg c:\sdfix\apps\Restore_SecurityCenter.reg c:\sdfix\apps\Restore_SharedAccess.reg c:\sdfix\apps\sc.exe c:\sdfix\apps\sed.exe c:\sdfix\apps\SF.exe c:\sdfix\apps\shutdown.exe c:\sdfix\apps\srv2.txt c:\sdfix\apps\srv2bk.txt c:\sdfix\apps\svc.txt c:\sdfix\apps\svcbk.txt c:\sdfix\apps\Swreg.exe c:\sdfix\apps\swsc.exe c:\sdfix\apps\UnRAR.exe c:\sdfix\apps\unzip.exe c:\sdfix\apps\vfind.exe c:\sdfix\apps\WINMSG.EXE c:\sdfix\apps\winsec.reg c:\sdfix\apps\zip.exe c:\sdfix\backups\backupreg.zip c:\sdfix\backups\backups.zip c:\sdfix\backups\catchme.log c:\sdfix\backups\HOSTS c:\sdfix\catchme.exe c:\sdfix\DBFix.bat c:\sdfix\dummy.sys c:\sdfix\Report.txt c:\sdfix\RunThis.bat c:\sdfix\SDFIX_ReadMe_Online.url c:\sdfix\W2K_VirusAlert_Repair.inf c:\sdfix\XP_VirusAlert_Repair.inf c:\windows\system32\drivers\hjgruippwsobau.sys c:\windows\system32\hjgruiilvfoerk.dll c:\windows\system32\hjgruiiqhyfxrd.dat c:\windows\system32\hjgruinpjidyvb.dll c:\windows\system32\hjgruiqrulufdd.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_hjgruiqskjcbwv ((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 ))))))))))))))))))))))))))))))) . 2009-07-02 22:42 . 2009-07-02 22:42 -------- d-----w- c:\documents and settings\Owner\Application Data\RenPy 2009-07-01 01:24 . 2009-07-01 01:24 -------- d-----w- c:\documents and settings\sandy\Local Settings\Application Data\Scansoft 2009-06-29 05:06 . 2009-06-29 05:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-06-29 05:05 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-29 05:05 . 2009-06-29 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-29 05:05 . 2009-06-29 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-29 05:05 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-29 04:16 . 2009-06-29 04:16 -------- d-----w- c:\windows\ERUNT 2009-06-26 18:42 . 2009-06-28 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent 2009-06-26 18:41 . 2009-06-26 18:42 -------- d-----w- c:\program files\BitTorrent . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-09 01:47 . 2008-08-18 00:09 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA 2009-07-09 01:03 . 2007-05-07 05:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-07-09 01:03 . 2008-08-18 00:09 -------- d-----w- c:\program files\DNA 2009-07-08 02:32 . 2007-11-18 02:46 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0 2009-06-27 23:20 . 2006-07-25 18:27 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-06-27 22:20 . 2008-12-07 05:35 -------- d-----w- c:\program files\NEXTON 2009-06-21 06:09 . 2009-05-24 22:04 -------- d-----w- c:\program files\Essentials Codec Pack 2009-06-03 04:58 . 2007-02-03 23:46 -------- d-----w- c:\program files\EA GAMES 2009-05-26 07:10 . 2006-09-09 02:32 80552 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-26 04:23 . 2009-05-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-05-26 04:22 . 2009-05-26 04:22 -------- d-----w- c:\program files\Microsoft Works 2009-05-26 04:20 . 2009-05-26 04:20 -------- d-----w- c:\program files\Microsoft.NET 2009-05-25 03:42 . 2009-05-23 04:45 -------- d-----w- c:\program files\MKVtoolnix 2009-05-25 01:51 . 2009-05-25 01:51 -------- d-----w- c:\program files\Gabest 2009-05-24 23:07 . 2009-05-24 23:07 -------- d-----w- c:\program files\ffdshow 2009-05-24 22:10 . 2009-05-23 06:05 -------- d-----w- c:\program files\Combined Community Codec Pack 2009-05-21 05:17 . 2009-03-22 20:38 -------- d-----w- c:\program files\WinAVI Video Converter 2009-05-21 05:17 . 2009-01-07 22:17 -------- d-----w- c:\program files\Wakan 2009-05-19 08:36 . 2009-06-13 21:36 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe 2009-05-19 08:36 . 2009-06-13 21:36 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat 2009-05-19 08:36 . 2009-06-13 21:36 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat 2009-05-19 08:36 . 2009-06-13 21:36 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe 2009-05-19 08:36 . 2009-06-13 21:36 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe 2009-05-19 08:36 . 2009-06-13 21:36 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe 2009-05-19 08:36 . 2009-06-13 21:36 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe 2009-05-19 08:36 . 2009-06-13 21:36 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll 2009-05-16 02:36 . 2009-05-24 23:07 85504 ----a-w- c:\windows\system32\ff_vfw.dll 2009-05-16 02:36 . 2009-05-24 23:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll 2009-05-07 15:44 . 2004-08-26 16:11 344064 ------w- c:\windows\system32\localspl.dll 2009-04-29 04:31 . 2004-08-26 16:12 668160 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:31 . 2004-08-26 16:11 81920 ------w- c:\windows\system32\ieencode.dll 2009-04-17 09:58 . 2004-08-26 16:12 1846656 ------w- c:\windows\system32\win32k.sys 2009-04-15 15:11 . 2004-08-26 16:12 584192 ----a-w- c:\windows\system32\rpcrt4.dll . ((((((((((((((((((((((((((((( SnapShot@2009-07-02_19.33.35 ))))))))))))))))))))))))))))))))))))))))) . + 2004-08-26 18:07 . 2009-07-09 01:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat - 2004-08-26 18:07 . 2009-07-02 18:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2004-08-26 18:07 . 2009-07-09 01:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2004-08-26 18:07 . 2009-07-02 18:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2004-08-26 18:07 . 2009-07-09 01:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat - 2004-08-26 18:07 . 2009-07-02 18:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-26 321344] "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-25 169984] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264] "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992] "VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552] "OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248] "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104] "MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992] "MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592] "MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792] "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840] "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920] "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696] "WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\Owner\Start Menu\Programs\Startup\ Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-7-27 2807144] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-7 113664] Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376] Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [1997-7-11 333824] Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 23:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5353:UDP"= 5353:UDP::Disabled:UDP port 5353 R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/17/2008 4:11 PM 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 55024] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/31/2009 10:03 PM 24652] S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [3/5/2009 10:16 PM 16512] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408] . Contents of the 'Scheduled Tasks' folder 2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://en.wikipedia.org/ mStart Page = hxxp://www.yahoo.com uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fnkmejdg.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - AIM Search FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/ FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query= FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF - plugin: c:\windows\system32\DNAML\npdbplug.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: browser.sessionstore.resume_from_crash - false . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-08 18:59 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(848) c:\program files\SUPERAntiSpyware\SASWINLO.dll . Completion time: 2009-07-09 19:01 ComboFix-quarantined-files.txt 2009-07-09 02:01 ComboFix2.txt 2009-07-08 05:03 ComboFix3.txt 2009-07-02 19:37 Pre-Run: 32,088,817,664 bytes free Post-Run: 32,058,601,472 bytes free 320 --- E O F --- 2009-06-15 05:01 ESET: It found 6 malicious files: C:\Documents and Settings\Owner\Desktop\SDFix.exe Win32/PrcView application C:\Documents and Settings\Owner\Desktop\stuff to keep\Kanon(2).7z probably a variant of Win32/HackTool.Patcher.A application C:\Qoobox\Quarantine\C\SDFix\apps\Process.exe.vir Win32/PrcView application C:\Qoobox\Quarantine\C\WINDOWS\system32\JRYbHRqr.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\system32\JRYbHRqr.ini2.vir Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP370\A0119601.exe Win32/PrcView application The Kanon(2).7z is a completely safe file, I downloaded it from a trustworthy source. It's an English patch for a game I have, so no it isn't a bad patcher. The SDFix is safe, I believe. I dunno about the other files. My thoughts: I don't seem to still have the sypmtoms, but they're on and off, so that could be speak of the devil. And why is it that whenever I run ComboFix, my desktop gets reverted, and some weird icons appear on my desktop?

07-09-2009, 02:55 PM	#15 (permalink)
Komari Registered User Join Date: Jul 2009 Posts: 16 OS: Windows XP Home Ed.	Re: Google Search Results being Hijacked and Redirected So I have to do a System Restore to get rid of all the malware? I'm not done.

07-12-2009, 05:56 AM	#17 (permalink)
mas_pogi Analyst, Security Team Join Date: Apr 2008 Location: Tokyo, JP Posts: 1,476 OS: Vista, Linux Mint	Re: Google Search Results being Hijacked and Redirected Since the problem appears to be resolved, it will now be archived. Mark __________________ To accomplish great things, we must not only act, but also dream; not only plan, but also believe. If I have been helping you and do not reply within 24 hours, please send me a message. I'm a member of U.N.I.T.E and A.S.A.P