Old 07-09-2009, 10:54 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP sp2


Search engines redirected, missngpage

Originally whenever I would try to google anything the webpage would open but say "done, but with error on page", and I was looking at a blank screen. The same happened for the yahoo search engine as well. I ran Spybot and Malwarebytes and dumped everything I could find, but still had the issue. Then I installed IE 8. Now google searches return the normal listings that you would expect, except, whenever I click on a link I am redirected, usually to a missnpage dot com website. I believe I have followed the directions in the "Read before posting" post. Here is everything that was requested. Please let me know if I missed anything.
Thank you in advance for the help, I really appreciate the fact that you are volunteering your time to help other people.

Ryan


DDS (Ver_09-06-26.01) - NTFSx86
Run by rstorey at 9:31:19.53 on Thu 07/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1104 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\program Files\micfan\fants.exe
svchost
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Centurion\CARES\CARES Super\CaresSuper.exe
C:\Program Files\Centurion\CARES\CARES IP\CaresIP.exe
C:\Program Files\Centurion\CARES\CARES FTP\CaresFTP.exe
C:\Program Files\Centurion\CARES\CARES FTP\ComFTP\ComFTP.exe
C:\Program Files\Centurion\CARES\CARES Super\SUPER COM\CARES Query\CaresQAQuery.exe
C:\Program Files\Centurion\CARES\CARES Agent\caresagent.exe
C:\PROGRA~1\CENTUR~1\CARES\CARESA~1\CCSTEL~1.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Private Shell\pshell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\rstorey\Local Settings\Temporary Internet Files\Content.IE5\CXOFKP4C\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {421a46a8-4913-4999-acf8-8ef019afcb91} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [kell] c:\program files\micfan\fants.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\hoyokuli.dll c:\windows\system32\hepefige.dll ,c:\progra~1\micfan\fants.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-12-19 87936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090708.002\naveng.sys [2009-7-9 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090708.002\navex15.sys [2009-7-9 876144]
S0 zefpr;zefpr;c:\windows\system32\drivers\cjfkve.sys --> c:\windows\system32\drivers\cjfkve.sys [?]
S2 sfx;sfx;c:\windows\system32\svchost.exe -k sfx [2004-8-4 14336]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2009-07-09 08:44 <DIR> --dsh--- c:\documents and settings\rstorey\PrivacIE
2009-07-09 08:43 <DIR> --dsh--- c:\documents and settings\rstorey\IETldCache
2009-07-09 08:26 <DIR> -cd-h--- c:\windows\ie8
2009-07-09 08:10 <DIR> --d----- c:\program files\CCleaner
2009-07-08 07:57 1 a------- c:\windows\934fdfg34fgjf23
2009-07-08 07:56 <DIR> --dshr-- c:\program files\micfan
2009-07-08 07:56 <DIR> --d----- c:\program files\sfx
2009-07-08 07:56 2 a------- c:\windows\0101120101464849.dat
2009-07-08 07:55 2 a------- c:\windows\010112010146118114.dat
2009-07-08 07:55 <DIR> --dsh--- c:\windows\System Volume Information
2009-06-10 07:01 262,144 a------- C:\ntuser.dat

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys

============= FINISH: 9:31:36.51 ===============
Attached Files
File Type: zip Attach.zip (4.5 KB, 2 views)
Old 07-11-2009, 12:27 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Search engines redirected, missngpage

Hi uw4ever18,

Sorry for the delay in looking into your log, as we are extremely busy in this section of the forums. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Please re-run DDS and post the resulting logs

Thanks
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 07-13-2009, 09:12 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP sp2


Re: Search engines redirected, missngpage

Forhockey,
Thank you for getting back to me; yes, I still need help, please. I apologize that it has taken me so long to get back to you. I don't usually check my emails on the weekend, but during the week I will be able to reply back to you within an hour or so. Below is the information that you requested. I wasn't sure if you wanted the two attachments again, so I am sending those as well just in case. Let me know what I need to do next. Thank you for taking the time to help me.


DDS (Ver_09-06-26.01) - NTFSx86
Run by rstorey at 8:00:35.78 on Mon 07/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1260 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\program Files\micfan\fants.exe
svchost
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Documents and Settings\rstorey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {421a46a8-4913-4999-acf8-8ef019afcb91} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [kell] c:\program files\micfan\fants.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\hoyokuli.dll c:\windows\system32\hepefige.dll ,c:\progra~1\micfan\fants.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-12-19 87936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090712.003\naveng.sys [2009-7-13 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090712.003\navex15.sys [2009-7-13 876144]
S0 zefpr;zefpr;c:\windows\system32\drivers\cjfkve.sys --> c:\windows\system32\drivers\cjfkve.sys [?]
S2 sfx;sfx;c:\windows\system32\svchost.exe -k sfx [2004-8-4 14336]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-12-19 26144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2009-07-13 07:15 <DIR> --dsh--- c:\documents and settings\rstorey\IECompatCache
2009-07-10 06:48 <DIR> --d----- c:\windows\system32\KB905474
2009-07-10 06:47 221,184 a------- c:\windows\system32\wmpns.dll
2009-07-09 08:44 <DIR> --dsh--- c:\documents and settings\rstorey\PrivacIE
2009-07-09 08:43 <DIR> --dsh--- c:\documents and settings\rstorey\IETldCache
2009-07-09 08:26 <DIR> -cd-h--- c:\windows\ie8
2009-07-09 08:10 <DIR> --d----- c:\program files\CCleaner
2009-07-08 07:57 1 a------- c:\windows\934fdfg34fgjf23
2009-07-08 07:56 <DIR> --dshr-- c:\program files\micfan
2009-07-08 07:56 <DIR> --d----- c:\program files\sfx
2009-07-08 07:56 2 a------- c:\windows\0101120101464849.dat
2009-07-08 07:55 2 a------- c:\windows\010112010146118114.dat
2009-07-08 07:55 <DIR> --dsh--- c:\windows\System Volume Information

==================== Find3M ====================

2009-06-10 07:01 262,144 a------- C:\ntuser.dat
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys

============= FINISH: 8:00:54.51 ===============
Attached Files
File Type: zip attach.zip (4.5 KB, 4 views)
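A triage script for the DDS sections posted in this thread (the two DDS logs above share the same line formats), added here as an example; it is not part of the thread and is not code from the DDS tool. It reads the "Pseudo HJT Report" and "SERVICES / DRIVERS" lines and flags what a helper checks by hand: AppInit_DLLs entries, BHOs with no backing file, services whose image is missing, svchost-hosted services with a group named after the service itself, and Run entries that live in the same folder as an AppInit DLL. The expansion of the 8.3 alias progra~1 to "program files" and the "private svchost group" rule are this example's own heuristics, not DDS rules; the sample log is constructed from lines quoted in the thread.

```python
"""Flag suspicious entries in DDS 'Pseudo HJT Report' / 'SERVICES / DRIVERS' output.

Added example (not part of the thread, not code from the DDS tool).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# Constructed sample: a subset of the DDS lines posted in this thread.
SAMPLE_LOG = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {421a46a8-4913-4999-acf8-8ef019afcb91} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [kell] c:\program files\micfan\fants.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
AppInit_DLLs: c:\windows\system32\hoyokuli.dll c:\windows\system32\hepefige.dll ,c:\progra~1\micfan\fants.dll
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 zefpr;zefpr;c:\windows\system32\drivers\cjfkve.sys --> c:\windows\system32\drivers\cjfkve.sys [?]
S2 sfx;sfx;c:\windows\system32\svchost.exe -k sfx [2004-8-4 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
"""

# DDS line shapes as they appear in the logs above.
RUN_RE = re.compile(r'^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*"?(?P<path>[^"]+?\.exe)', re.I)
SVC_RE = re.compile(r'^[RS]\d\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$')
GUID_RE = re.compile(r'\{[0-9a-f-]{36}\}', re.I)


def folder_of(path):
    """Directory part of a Windows path, lower-cased. The 8.3 alias progra~1
    is expanded to 'program files' (a simplification for this example)."""
    folder = path.lower().rsplit("\\", 1)[0]
    return folder.replace("progra~1", "program files")


def triage(log_text):
    """Return a list of Finding(kind, detail) for the suspicious entries found."""
    findings = []
    run_entries = []
    appinit_folders = set()

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("appinit_dlls:"):
            # DDS prints the raw registry value: DLL paths separated by spaces and/or commas.
            # Anything listed here is loaded into every process that maps user32.dll.
            for dll in re.split(r"[\s,]+", line.split(":", 1)[1]):
                if dll:
                    findings.append(Finding("appinit_dll", dll))
                    appinit_folders.add(folder_of(dll))
        elif line.startswith("BHO:") and line.endswith("- No File"):
            # A CLSID registered as a BHO whose DLL no longer exists.
            guid = GUID_RE.search(line)
            findings.append(Finding("orphan_bho", guid.group(0) if guid else line))
        elif RUN_RE.match(line):
            m = RUN_RE.match(line)
            run_entries.append((m.group("name"), m.group("path")))
        elif SVC_RE.match(line):
            m = SVC_RE.match(line)
            svc, rest = m.group("svc"), m.group("rest")
            if rest.endswith("[?]"):
                # DDS could not stat the image file: the service points at a missing driver.
                findings.append(Finding("missing_service_image", svc))
            host = re.search(r"svchost\.exe\s+-k\s+(\S+)", rest, re.I)
            if host and host.group(1).lower() == svc.lower():
                # Heuristic (this example's, not a DDS rule): a svchost group that
                # exists only to host a single service of the same name is unusual.
                findings.append(Finding("svchost_private_group", svc))

    # Correlate: a Run entry whose folder also hosts an AppInit DLL. The Windows
    # system folders are shared by everything, so they are left out of this match.
    for name, path in run_entries:
        folder = folder_of(path)
        if folder in appinit_folders and not folder.startswith("c:\\windows"):
            findings.append(Finding("run_shares_appinit_folder", f"[{name}] {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28s} {f.detail}")
```

Run against the constructed sample it reports the three AppInit DLLs, the orphaned BHO CLSID, the zefpr driver with no file, the sfx service in its own svchost group, and the [kell] Run entry sharing the micfan folder with one of the AppInit DLLs, while the ctfmon, swg and ccApp entries pass. Feed it a whole DDS log and the remaining lines are simply ignored.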
Old 07-14-2009, 08:44 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Search engines redirected, missngpage

Hi uw4ever18,

Not a problem. We all live busy lives. The work I'm doing here is voluntary, so my replies might be delayed.

Did you install WinPcap 4.0.2 on your computer?

---------------------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please stick with me until the very end, until I say your machine is malware free. The absence of any symptoms doesn't mean a malware-free computer.


--------------------------------------------------------------
  1. Download Combofix from >>Here<<
     Save it to your desktop.

     IMPORTANT !!! Place combo-fix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
     You can get help on disabling your protection programs here
  3. Double click on combo-fix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
     Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
     With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
     ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
     "The Recovery Console was successfully installed."
     Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you (located in C:\ComboFix.txt). Post that log in your next reply.
     Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
Old 07-15-2009, 09:26 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP sp2


Re: Search engines redirected, missngpage

I ran Combofix and the redirects seem to have stopped. Here are the logs you requested. Let me know what the next step is.

ComboFix 09-07-14.08 - rstorey 07/15/2009 8:10.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1235 [GMT -7:00]
Running from: c:\documents and settings\rstorey\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\94334206.ini
c:\program files\sFX
c:\windows\Installer\924a226.msi
c:\windows\system32\avayuray.ini
c:\windows\system32\jebifoye.dll
c:\windows\system32\meyumedi.dll
c:\windows\system32\rezatovu.dll

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFX
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_sfx


((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
.

2009-07-14 18:09 . 2009-07-14 18:09 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 18:09 . 2009-07-14 18:09 -------- d-----w- c:\program files\Java
2009-07-13 14:15 . 2009-07-13 14:15 -------- d-sh--w- c:\documents and settings\rstorey\IECompatCache
2009-07-10 13:48 . 2009-07-10 13:48 -------- d-----w- c:\windows\system32\KB905474
2009-07-10 13:48 . 2009-03-11 05:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-07-10 13:48 . 2009-03-11 05:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-07-10 13:47 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-07-09 15:44 . 2009-07-09 15:44 -------- d-sh--w- c:\documents and settings\rstorey\PrivacIE
2009-07-09 15:43 . 2009-07-09 15:43 -------- d-sh--w- c:\documents and settings\rstorey\IETldCache
2009-07-09 15:26 . 2009-07-09 15:28 -------- dc-h--w- c:\windows\ie8
2009-07-09 15:10 . 2009-07-09 15:10 -------- d-----w- c:\program files\CCleaner
2009-07-08 14:56 . 2009-07-08 14:56 -------- d-sh--r- c:\program files\micfan
2009-07-08 14:55 . 2009-07-08 14:55 -------- d-sh--w- c:\windows\System Volume Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 15:16 . 2007-12-20 00:02 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-14 18:06 . 2009-01-30 22:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 14:38 . 2007-12-20 00:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-13 20:36 . 2009-01-30 22:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-01-30 22:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 14:32 . 2008-04-14 20:15 -------- d-----w- c:\docume~1\rstorey\APPLIC~1\Move Networks
2009-07-09 17:11 . 2009-01-29 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 18:46 . 2007-12-20 00:24 -------- d-----w- c:\program files\TTERMPRO
2009-06-16 15:26 . 2008-01-08 20:19 -------- d-----w- c:\docume~1\rstorey\APPLIC~1\Yahoo!
2009-06-10 14:01 . 2009-06-10 14:01 262144 ----a-w- C:\ntuser.dat
2009-06-10 14:01 . 2007-12-20 17:43 -------- d-----w- c:\program files\Yahoo!
2009-06-10 14:01 . 2007-12-20 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-10 14:01 . 2008-01-08 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-06-05 17:40 . 2009-01-29 13:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-03 19:49 . 2009-06-03 19:49 -------- d-----w- c:\docume~1\rstorey\APPLIC~1\Yahoo! Messenger
2009-04-27 13:29 . 2007-12-20 17:30 67480 ----a-w- c:\documents and settings\rstorey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Centurion\\CARES\\CARES Agent\\CCSTeleComMod.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 2:27 PM 169200]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 8:52 AM 101936]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [12/19/2007 4:05 PM 87936]
S0 ljeop;ljeop;c:\windows\system32\drivers\mmzgygbr.sys --> c:\windows\system32\drivers\mmzgygbr.sys [?]
S0 zefpr;zefpr;c:\windows\system32\drivers\cjfkve.sys --> c:\windows\system32\drivers\cjfkve.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 1:22 PM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2009-07-15 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-10 05:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{421a46a8-4913-4999-acf8-8ef019afcb91} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 08:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(804)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\scardsvr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-07-15 8:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-15 15:20

Pre-Run: 47,072,231,424 bytes free
Post-Run: 47,142,506,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

170 --- E O F --- 2009-07-15 10:01


Ryan
uw4ever18 is offline  
Old 07-15-2009, 04:34 PM   #6 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP sp2


Re: Search engines redirected, missngpage

Also, yes, I did install WinPcap 4.0.2. I am a network engineer and I use Wireshark to look at packet captures.
uw4ever18 is offline  
Old 07-15-2009, 09:24 PM   #7 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Search engines redirected, missngpage

Hi uw4ever18,

Quote:
Also, yes, I did install WinPcap 4.0.2. I am a network engineer and I use Wireshark to look at packet captures.
As long as you are aware of the program then there is no need to worry about someone sniffing your network.

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/393268-search-engines-redirected-missngpage.html#post2231008

Collect::
c:\windows\system32\drivers\mmzgygbr.sys
c:\windows\system32\drivers\cjfkve.sys
Folder::
c:\program files\micfan
Driver::
zefpr
ljeop
Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Please submit "[4]-Submit_Date_Time.zip" by following the prompts.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

--------------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\proquota.exe" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

-----------------------------------------------

Please reply back with the following logs:

C:\ComboFix.txt
Log.txt
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 07-15-2009 at 09:29 PM.
forhockey is offline  
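The two things the analyst keyed on in the log above can be pulled out mechanically: services whose driver image ComboFix reports as missing ("--> path [?]", the S0 ljeop/zefpr lines) and a hidden+system folder created under Program Files (micfan). The following is an added example, not code from the thread or from ComboFix; it assumes the service-line and "Files Created" line formats exactly as they appear in the logs above and emits the same Collect::/Folder::/Driver:: sections the CFScript uses, as a draft for an analyst to review.

```python
"""Added example (not part of the thread or of ComboFix): parse the service
and "Files Created" lines of a ComboFix log, flag what the analyst flagged,
and render the matching CFScript sections."""
import re
from dataclasses import dataclass, field

# Service line: <R|S><start type> <name>;<display name>;<image path> [<meta>]
# R = running, S = stopped; start type 0 = boot start. When ComboFix cannot
# find the image on disk it repeats the path after "-->" and prints "[?]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# "Files Created" line: <created> . <modified> <size|--------> <attrs> <path>
# attrs is ComboFix's 8-char flag string, e.g. d-sh--r- (directory, system,
# hidden, read-only) or ----a-w- (archive file, writable).
CREATED_RE = re.compile(
    r"^(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>\S+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)


@dataclass
class Findings:
    missing_drivers: list = field(default_factory=list)  # (service name, image path)
    hidden_dirs: list = field(default_factory=list)      # folder paths


def analyse(log_text):
    """Scan the log text line by line and collect the suspicious entries."""
    f = Findings()
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            # "[?]" means the registered driver file does not exist on disk.
            if m.group("meta").strip() == "?":
                f.missing_drivers.append((m.group("name"), m.group("path")))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # Heuristic: a hidden + system directory created directly under
            # Program Files. Legitimate installers rarely do this; the IE8
            # caches and System Volume Information live elsewhere and are skipped.
            if (attrs[0] == "d" and "s" in attrs and "h" in attrs
                    and path.lower().startswith("c:\\program files\\")
                    and path.count("\\") == 2):
                f.hidden_dirs.append(path)
    return f


def build_cfscript(f):
    """Render findings as the CFScript sections used in the thread:
    Collect:: uploads the files for analysis, Folder:: removes the folder,
    Driver:: removes the service entries. Services are listed in log order."""
    out = []
    if f.missing_drivers:
        out.append("Collect::")
        out.extend(path for _, path in f.missing_drivers)
    if f.hidden_dirs:
        out.append("Folder::")
        out.extend(f.hidden_dirs)
    if f.missing_drivers:
        out.append("Driver::")
        out.extend(name for name, _ in f.missing_drivers)
    return "\n".join(out)


# Constructed sample input: an excerpt of lines taken from the first
# ComboFix log posted in this thread.
SAMPLE_LOG = """\
2009-07-09 15:10 . 2009-07-09 15:10 -------- d-----w- c:\\program files\\CCleaner
2009-07-08 14:56 . 2009-07-08 14:56 -------- d-sh--r- c:\\program files\\micfan
2009-07-08 14:55 . 2009-07-08 14:55 -------- d-sh--w- c:\\windows\\System Volume Information
R2 SavRoam;SAVRoam;c:\\program files\\Symantec AntiVirus\\SavRoam.exe [11/15/2005 2:27 PM 169200]
S0 ljeop;ljeop;c:\\windows\\system32\\drivers\\mmzgygbr.sys --> c:\\windows\\system32\\drivers\\mmzgygbr.sys [?]
S0 zefpr;zefpr;c:\\windows\\system32\\drivers\\cjfkve.sys --> c:\\windows\\system32\\drivers\\cjfkve.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\\windows\\system32\\drivers\\npf.sys [11/6/2007 1:22 PM 34064]
"""

if __name__ == "__main__":
    print(build_cfscript(analyse(SAMPLE_LOG)))
```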
Old 07-16-2009, 10:00 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP sp2


Re: Search engines redirected, missngpage

Forhockey,
I followed your directions, but this did not happen:

"When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Please submit "[4]-Submit_Date_Time.zip" by following the prompts.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file."

When CF finished running I had the ComboFix.txt file only. I copied and pasted the command into the CLI and got the Log.txt file also. Both of these are posted below. As always, thanks for the help, and let me know what you need me to do next.


ComboFix 09-07-14.08 - rstorey 07/16/2009 8:41.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1378 [GMT -7:00]
Running from: c:\documents and settings\rstorey\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\rstorey\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-14 18:09 . 2009-07-14 18:09 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 18:09 . 2009-07-14 18:09 -------- d-----w- c:\program files\Java
2009-07-13 14:15 . 2009-07-13 14:15 -------- d-sh--w- c:\documents and settings\rstorey\IECompatCache
2009-07-10 13:48 . 2009-07-10 13:48 -------- d-----w- c:\windows\system32\KB905474
2009-07-10 13:48 . 2009-03-11 05:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-07-10 13:48 . 2009-03-11 05:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-07-10 13:47 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-07-09 15:44 . 2009-07-09 15:44 -------- d-sh--w- c:\documents and settings\rstorey\PrivacIE
2009-07-09 15:43 . 2009-07-09 15:43 -------- d-sh--w- c:\documents and settings\rstorey\IETldCache
2009-07-09 15:26 . 2009-07-09 15:28 -------- dc-h--w- c:\windows\ie8
2009-07-09 15:10 . 2009-07-09 15:10 -------- d-----w- c:\program files\CCleaner
2009-07-08 14:55 . 2009-07-08 14:55 -------- d-sh--w- c:\windows\System Volume Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 15:25 . 2007-12-20 00:02 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-14 18:06 . 2009-01-30 22:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 14:38 . 2007-12-20 00:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-13 20:36 . 2009-01-30 22:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-01-30 22:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 14:32 . 2008-04-14 20:15 -------- d-----w- c:\docume~1\rstorey\APPLIC~1\Move Networks
2009-07-09 17:11 . 2009-01-29 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 18:46 . 2007-12-20 00:24 -------- d-----w- c:\program files\TTERMPRO
2009-06-16 15:26 . 2008-01-08 20:19 -------- d-----w- c:\docume~1\rstorey\APPLIC~1\Yahoo!
2009-06-10 14:01 . 2009-06-10 14:01 262144 ----a-w- C:\ntuser.dat
2009-06-10 14:01 . 2007-12-20 17:43 -------- d-----w- c:\program files\Yahoo!
2009-06-10 14:01 . 2007-12-20 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-10 14:01 . 2008-01-08 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-06-05 17:40 . 2009-01-29 13:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-03 19:49 . 2009-06-03 19:49 -------- d-----w- c:\docume~1\rstorey\APPLIC~1\Yahoo! Messenger
2009-04-27 13:29 . 2007-12-20 17:30 67480 ----a-w- c:\documents and settings\rstorey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-07-15_15.16.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-16 15:24 . 2009-07-16 15:24 16384 c:\windows\Temp\Perflib_Perfdata_764.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Centurion\\CARES\\CARES Agent\\CCSTeleComMod.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 2:27 PM 169200]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 8:52 AM 101936]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [12/19/2007 4:05 PM 87936]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 1:22 PM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2009-07-16 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 08:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000090E0A070E2A6FB4AC7 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(300)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-16 8:45
ComboFix-quarantined-files.txt 2009-07-16 15:45
ComboFix2.txt 2009-07-16 15:29
ComboFix3.txt 2009-07-15 15:20

Pre-Run: 47,089,418,240 bytes free
Post-Run: 47,075,823,616 bytes free

130 --- E O F --- 2009-07-15 10:01





----a-w- 50,176 2008-04-14 00:12:32 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 50,176 Blocks: 98
uw4ever18 is offline  
Old 07-17-2009, 04:40 PM   #9 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Search engines redirected, missngpage

Hi uw4ever18,

Can you please go to start -> run -> type in the following into the text box:

C:\Qoobox\ComboFix2.txt
Click OK.

A log will open. Please post the results in your next reply.

Please repeat the same instructions above for the following file:

C:\Qoobox\ComboFix-quarantined-files.txt
forhockey is offline  
Old 07-20-2009, 07:28 AM   #10 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP sp2


Re: Search engines redirected, missngpage

Here you go:

ComboFix 09-07-14.08 - rstorey 07/16/2009 8:20.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1268 [GMT -7:00]
Running from: c:\documents and settings\rstorey\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\rstorey\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\micfan
c:\program files\micfan\fants.dll
c:\program files\micfan\fants.exe

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ljeop
-------\Service_zefpr


((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-14 18:09 . 2009-07-14 18:09 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 18:09 . 2009-07-14 18:09 -------- d-----w- c:\program files\Java
2009-07-13 14:15 . 2009-07-13 14:15 -------- d-sh--w- c:\documents and settings\rstorey\IECompatCache
2009-07-10 13:48 . 2009-07-10 13:48 -------- d-----w- c:\windows\system32\KB905474
2009-07-10 13:48 . 2009-03-11 05:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-07-10 13:48 . 2009-03-11 05:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-07-10 13:47 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-07-09 15:44 . 2009-07-09 15:44 -------- d-sh--w- c:\documents and settings\rstorey\PrivacIE
2009-07-09 15:43 . 2009-07-09 15:43 -------- d-sh--w- c:\documents and settings\rstorey\IETldCache
2009-07-09 15:26 . 2009-07-09 15:28 -------- dc-h--w- c:\windows\ie8
2009-07-09 15:10 . 2009-07-09 15:10 -------- d-----w- c:\program files\CCleaner
2009-07-08 14:55 . 2009-07-08 14:55 -------- d-sh--w- c:\windows\System Volume Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 15:25 . 2007-12-20 00:02 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-14 18:06 . 2009-01-30 22:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 14:38 . 2007-12-20 00:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-13 20:36 . 2009-01-30 22:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-01-30 22:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 14:32 . 2008-04-14 20:15 -------- d-----w- c:\docume~1\rstorey\APPLIC~1\Move Networks
2009-07-09 17:11 . 2009-01-29 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 18:46 . 2007-12-20 00:24 -------- d-----w- c:\program files\TTERMPRO
2009-06-16 15:26 . 2008-01-08 20:19 -------- d-----w- c:\docume~1\rstorey\APPLIC~1\Yahoo!
2009-06-10 14:01 . 2009-06-10 14:01 262144 ----a-w- C:\ntuser.dat
2009-06-10 14:01 . 2007-12-20 17:43 -------- d-----w- c:\program files\Yahoo!
2009-06-10 14:01 . 2007-12-20 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-10 14:01 . 2008-01-08 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-06-05 17:40 . 2009-01-29 13:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-03 19:49 . 2009-06-03 19:49 -------- d-----w- c:\docume~1\rstorey\APPLIC~1\Yahoo! Messenger
2009-04-27 13:29 . 2007-12-20 17:30 67480 ----a-w- c:\documents and settings\rstorey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-07-15_15.16.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-16 15:26 . 2009-07-16 15:26 16384 c:\windows\Temp\Perflib_Perfdata_9c8.dat
+ 2009-07-16 15:24 . 2009-07-16 15:24 16384 c:\windows\Temp\Perflib_Perfdata_764.dat
+ 2009-07-15 19:58 . 2009-07-15 19:58 16384 c:\windows\Temp\Perflib_Perfdata_1570.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Centurion\\CARES\\CARES Agent\\CCSTeleComMod.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 2:27 PM 169200]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 8:52 AM 101936]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [12/19/2007 4:05 PM 87936]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 1:22 PM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2009-07-16 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 08:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(604)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\scardsvr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-07-16 8:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-16 15:29
ComboFix2.txt 2009-07-15 15:20

Pre-Run: 47,107,780,608 bytes free
Post-Run: 47,080,198,144 bytes free

160 --- E O F --- 2009-07-15 10:01




2009-07-16 15:22:18 . 2009-07-16 15:22:18 974 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_zefpr.reg.dat
2009-07-16 15:22:18 . 2009-07-16 15:22:18 1,016 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_ljeop.reg.dat
2009-07-16 15:19:57 . 2009-07-16 15:41:26 680 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2009-07-15 15:19:18 . 2009-07-15 15:19:18 157 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{421a46a8-4913-4999-acf8-8ef019afcb91}.reg.dat
2009-07-15 15:13:31 . 2009-07-15 15:13:31 117,748 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\_924a226_.msi.zip
2009-07-15 15:12:56 . 2009-07-15 15:12:56 3,368 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_sfx.reg.dat
2009-07-15 15:12:56 . 2009-07-15 15:12:56 1,398 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}.reg.dat
2009-07-15 15:12:56 . 2009-07-15 15:12:56 1,398 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}.reg.dat
2009-07-15 15:12:56 . 2009-07-15 15:12:56 766 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_SFX.reg.dat
2009-07-15 15:12:48 . 2009-07-16 15:43:21 8,753 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-07-15 15:08:22 . 2009-07-16 15:40:54 672 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-07-08 14:56:55 . 2009-07-08 14:56:52 61,440 ----a-w- C:\Qoobox\Quarantine\C\Program Files\micfan\fants.exe.vir
2009-07-08 14:56:54 . 2009-07-14 18:07:58 24,576 ----a-w- C:\Qoobox\Quarantine\C\Program Files\micfan\fants.dll.vir
2009-07-08 14:56:16 . 2009-07-08 14:56:16 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\94334206.ini.vir
2009-01-29 12:55:16 . 2009-01-29 12:55:16 120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\avayuray.ini.vir
2004-08-04 12:00:00 . 2004-08-04 12:00:00 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\924a226.msi.vir
1601-01-01 00:12:31 . 2009-02-01 10:19:44 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jebifoye.dll.vir
1601-01-01 00:12:31 . 2009-02-01 10:19:54 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\meyumedi.dll.vir
1601-01-01 00:12:31 . 2009-02-01 10:20:29 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\rezatovu.dll.vir
Old 07-20-2009, 03:38 PM   #11 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Search engines redirected, missngpage

Hello,

Go to Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\proquota.exe" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

-----------------------------------------------

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------

Please reply back with:

1. log.txt
2. Panda Active Scan
3. Update on how your system is behaving?
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 07-21-2009, 10:14 AM   #12 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP sp2


Re: Search engines redirected, missngpage

Forhockey,
Here are the two logs that you requested. My computer seems to be running fine, the search engine redirects have stopped.


----a-w- 50,176 2008-04-14 00:12:32 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 50,176 Blocks: 98






;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-07-21 09:11:22
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec AntiVirus Corporate Edition 10.0.2.2000 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00032724 adware/portalscan Adware No 0 Yes No c:\windows\system32\idleui.dll
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\rstorey\Cookies\rstorey@trafficmp[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\rstorey\Cookies\rstorey@tribalfusion[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\rstorey\Cookies\rstorey@ad.yieldmanager[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\rstorey\Cookies\rstorey@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\rstorey\Cookies\rstorey@bs.serving-sys[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\rstorey\Cookies\rstorey@adtech[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\rstorey\Cookies\rstorey@ads.pointroll[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\rstorey\Cookies\rstorey@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\rstorey\Cookies\rstorey@questionmarket[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\rgraham\Cookies\rgraham@target[1].txt
00405709 adware/systemguard2009 Adware No 0 Yes No hkey_current_user\software\avscan
01674655 Trj/Wow.XD Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{090C338B-9E18-4E0B-8AC4-87D65EA40044}\RP1\A0000221.dll
01674655 Trj/Wow.XD Virus/Trojan No 1 Yes Yes C:\Qoobox\Quarantine\C\Program Files\micfan\fants.dll.vir
01797982 Trj/Zlob.KH Virus/Trojan No 1 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\Installer\_924a226_.msi.zip[924a226.msi]
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{090C338B-9E18-4E0B-8AC4-87D65EA40044}\RP1\A0000230.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{090C338B-9E18-4E0B-8AC4-87D65EA40044}\RP1\A0000032.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location U
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description U
;===================================================================================================================================================================================
210625 HIGH MS09-026 U
210624 HIGH MS09-025 U
210621 HIGH MS09-022 U
210618 HIGH MS09-019 U
208380 HIGH MS09-015 U
208378 HIGH MS09-013 U
208377 HIGH MS09-012 U
206981 HIGH MS09-007 U
206980 HIGH MS09-006 U
;===================================================================================================================================================================================
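A small triage helper for a Panda ActiveScan export in the column layout shown in the log above, added here as an example; it is not part of the thread, of ComboFix or of Panda's own tooling. It assumes only the column order visible in the posted log (Id, Description, Type, Active, Severity, Disinfectable, Disinfected, Location for MALWARE rows; Id, Severity, Description for VULNERABILITIES rows), and the sample log it runs over is constructed from that layout with a placeholder restore-point GUID.

```python
"""Triage a Panda ActiveScan export: what is still live, what is already
contained (quarantine or old restore point), and which MS bulletins are unpatched.
Added example; the sample log below is constructed, not copied from a real machine."""
import re
from collections import Counter

# Constructed sample in the posted layout (comment rows start with ';').
SAMPLE_LOG = r"""
;****
ANALYSIS: 2009-07-21 09:11:22
MALWARE: 4
;****
PROTECTIONS
Description Version Active Updated
;====
Symantec AntiVirus Corporate Edition 10.0.2.2000 Yes Yes
;====
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;====
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@trafficmp[2].txt
00405709 adware/systemguard2009 Adware No 0 Yes No hkey_current_user\software\avscan
01674655 Trj/Wow.XD Virus/Trojan No 1 Yes Yes C:\Qoobox\Quarantine\C\Program Files\micfan\fants.dll.vir
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000230.sys
;====
VULNERABILITIES
Id Severity Description U
;====
210625 HIGH MS09-026 U
206980 HIGH MS09-006 U
;====
"""

# Description and Location may contain spaces, so the description is matched
# non-greedily and anchored by the fixed Yes/No and severity columns after Type.
MALWARE_ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)
VULN_ROW = re.compile(r"^(?P<id>\d+)\s+(?P<severity>\w+)\s+(?P<bulletin>MS\d{2}-\d{3})\s+U$")
SECTIONS = ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES")

# Locations that are already neutralised: ComboFix's quarantine folder and old
# System Restore points (both are flushed by the "ComboFix /u" step later in the thread).
CONTAINED_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\system volume information\\")


def parse_activescan(text):
    """Return (malware_rows, vulnerability_rows) as lists of dicts."""
    section, malware, vulns = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # separator / comment rows
        if line in SECTIONS:
            section = line
            continue
        if section == "MALWARE" and (m := MALWARE_ROW.match(line)):
            row = m.groupdict()
            row["severity"] = int(row["severity"])
            for key in ("active", "disinfectable", "disinfected"):
                row[key] = row[key] == "Yes"
            malware.append(row)
        elif section == "VULNERABILITIES" and (m := VULN_ROW.match(line)):
            vulns.append(m.groupdict())
    return malware, vulns


def classify(entry):
    """Bucket one MALWARE row by what, if anything, still needs doing."""
    loc = entry["location"].lower()
    if loc.startswith(CONTAINED_PREFIXES):
        return "contained"                # quarantined or inside a restore point
    if entry["type"] == "TrackingCookie":
        return "cookie"                   # privacy nuisance, not an infection
    if entry["disinfected"]:
        return "cleaned"
    return "remaining"                    # live file or registry key still on the box


def summarize(text):
    malware, vulns = parse_activescan(text)
    return {
        "buckets": dict(Counter(classify(m) for m in malware)),
        "remaining": [m["location"] for m in malware if classify(m) == "remaining"],
        "missing_patches": sorted(v["bulletin"] for v in vulns),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the only item left to act on is the `hkey_current_user\software\avscan` key, which is exactly what the next post's CFScript removes.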
Old 07-21-2009, 05:34 PM   #13 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Search engines redirected, missngpage

Hello, we're almost there!!

**Disable your Anti-Virus**


Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
c:\windows\system32\idleui.dll
Registry::
[-hkey_current_user\software\avscan]
FCopy::
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe | C:\Windows\system32\proquota.exe
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe | C:\Windows\$NtServicePackUninstall$\proquota.exe
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe | C:\Windows\ServicePackFiles\i386\proquota.exe
Save this as CFScript




Referring to the picture above, drag CFScript into Combo-Fix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 07-22-2009, 08:30 AM   #14 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP sp2


Re: Search engines redirected, missngpage

Here is the log you requested. While Combofix was running a Windows message popped up saying that some files were replaced and it prompted me to re-install windows. I hit cancel since this is my work computer and I don't have the Windows discs. I wanted to let you know before I did anything. As far as I can tell Windows seems to be running fine.


ComboFix 09-07-21.03 - rstorey 07/22/2009 7:18.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1241 [GMT -7:00]
Running from: c:\documents and settings\rstorey\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\rstorey\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\system32\idleui.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\idleui.dll

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --> c:\windows\system32\proquota.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --> c:\windows\$NtServicePackUninstall$\proquota.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --> c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-22 14:18 . 2009-07-22 14:18 -------- d-----w- c:\windows\ServicePackFiles
2009-07-22 14:18 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-22 13:36 . 2009-07-19 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2de604.vdb\ECMSVR32.DLL
2009-07-22 13:36 . 2009-06-29 20:11 875728 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2de604.vdb\NAVEX15.SYS
2009-07-22 13:36 . 2009-06-29 20:11 87888 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2de604.vdb\NAVENG.SYS
2009-07-22 13:36 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2de604.vdb\CCERASER.DLL
2009-07-22 13:36 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2de604.vdb\NAVEX32A.DLL
2009-07-22 13:36 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2de604.vdb\NAVENG32.DLL
2009-07-22 13:36 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2de604.vdb\ERASER.SYS
2009-07-22 13:36 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2de604.vdb\EECTRL.SYS
2009-07-22 13:35 . 2009-06-29 20:11 875728 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dea06.vdb\NAVEX15.SYS
2009-07-22 13:35 . 2009-06-29 20:11 87888 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dea06.vdb\NAVENG.SYS
2009-07-22 13:35 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dea06.vdb\NAVEX32A.DLL
2009-07-22 13:35 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dea06.vdb\NAVENG32.DLL
2009-07-22 13:35 . 2009-07-21 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dea06.vdb\ECMSVR32.DLL
2009-07-22 13:35 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dea06.vdb\CCERASER.DLL
2009-07-22 13:35 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dea06.vdb\ERASER.SYS
2009-07-22 13:35 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dea06.vdb\EECTRL.SYS
2009-07-21 14:42 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-07-21 14:42 . 2009-07-21 14:42 -------- d-----w- c:\program files\Panda Security
2009-07-21 14:42 . 2009-07-21 14:42 -------- d-----w- c:\windows\LastGood
2009-07-16 16:47 . 2009-07-16 16:47 -------- d-----w- c:\documents and settings\rstorey\Local Settings\Application Data\{A88DAD0D-C6B2-4347-9322-97F3078B3D99}
2009-07-14 18:09 . 2009-07-14 18:09 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 18:09 . 2009-07-14 18:09 -------- d-----w- c:\program files\Java
2009-07-13 14:15 . 2009-07-13 14:15 -------- d-sh--w- c:\documents and settings\rstorey\IECompatCache
2009-07-10 13:48 . 2009-07-10 13:48 -------- d-----w- c:\windows\system32\KB905474
2009-07-10 13:48 . 2009-03-11 05:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-07-10 13:48 . 2009-03-11 05:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-07-10 13:47 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-07-09 15:44 . 2009-07-09 15:44 -------- d-sh--w- c:\documents and settings\rstorey\PrivacIE
2009-07-09 15:43 . 2009-07-09 15:43 -------- d-sh--w- c:\documents and settings\rstorey\IETldCache
2009-07-09 15:26 . 2009-07-09 15:28 -------- dc-h--w- c:\windows\ie8
2009-07-09 15:10 . 2009-07-09 15:10 -------- d-----w- c:\program files\CCleaner
2009-07-08 14:55 . 2009-07-08 14:55 -------- d-sh--w- c:\windows\System Volume Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 14:15 . 2007-12-20 00:02 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-22 13:32 . 2007-12-20 17:37 7680 ----a-r- c:\documents and settings\rstorey\Application Data\Microsoft\Installer\{8E5348CA-A6E7-4670-8787-1A6F7407EBED}\VSW9CD1_5EDE29BF.exe
2009-07-22 13:32 . 2007-12-20 17:37 39936 ----a-r- c:\documents and settings\rstorey\Application Data\Microsoft\Installer\{8E5348CA-A6E7-4670-8787-1A6F7407EBED}\VRT210.exe
2009-07-22 13:32 . 2007-12-20 17:37 22528 ----a-r- c:\documents and settings\rstorey\Application Data\Microsoft\Installer\{8E5348CA-A6E7-4670-8787-1A6F7407EBED}\VSW9C9F_5EDE29BF.exe
2009-07-22 13:32 . 2007-12-20 17:37 39936 ----a-r- c:\documents and settings\rstorey\Application Data\Microsoft\Installer\{8E5348CA-A6E7-4670-8787-1A6F7407EBED}\VSW9BEB_5EDE29BF.exe
2009-07-16 16:47 . 2007-12-19 23:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-16 16:47 . 2008-07-02 17:16 -------- d-----w- c:\program files\Cisco Press
2009-07-16 16:40 . 2008-01-08 18:55 -------- d-----w- c:\program files\TestKing
2009-07-14 18:06 . 2009-01-30 22:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 17:39 . 2009-06-05 18:05 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-14 14:38 . 2007-12-20 00:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-13 20:36 . 2009-01-30 22:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-01-30 22:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 14:32 . 2009-05-06 20:57 127872 ----a-w- c:\documents and settings\rstorey\Application Data\Move Networks\uninstall.exe
2009-07-13 14:32 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\rstorey\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-07-13 14:32 . 2008-04-14 20:15 -------- d-----w- c:\documents and settings\rstorey\Application Data\Move Networks
2009-07-09 17:11 . 2009-01-29 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 18:46 . 2007-12-20 00:24 -------- d-----w- c:\program files\TTERMPRO
2009-06-18 13:39 . 2009-06-18 13:39 1685856 ----a-w- c:\documents and settings\rstorey\Application Data\Move Networks\MoveMediaPlayerWinSilent_071503000010.exe
2009-06-16 15:26 . 2008-01-08 20:19 -------- d-----w- c:\documents and settings\rstorey\Application Data\Yahoo!
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\rstorey\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-10 14:01 . 2009-06-10 14:01 262144 ----a-w- C:\ntuser.dat
2009-06-10 14:01 . 2007-12-20 17:43 -------- d-----w- c:\program files\Yahoo!
2009-06-10 14:01 . 2007-12-20 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-10 14:01 . 2008-01-08 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-06-05 17:40 . 2009-01-29 13:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-03 19:49 . 2009-06-03 19:49 -------- d-----w- c:\documents and settings\rstorey\Application Data\Yahoo! Messenger
2009-05-27 02:50 . 2009-06-10 14:00 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-06 20:57 . 2009-05-06 20:57 1685856 ----a-w- c:\documents and settings\rstorey\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-04-27 13:29 . 2007-12-20 17:30 67480 ----a-w- c:\documents and settings\rstorey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-07-15_15.16.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-16 16:01 . 2009-07-16 16:01 16384 c:\windows\Temp\Perflib_Perfdata_9fc.dat
+ 2009-07-16 15:24 . 2009-07-16 15:24 16384 c:\windows\Temp\Perflib_Perfdata_764.dat
+ 2009-07-16 16:47 . 2009-07-16 16:47 7406 c:\windows\Installer\{391EF88F-1FE7-42BF-9CC7-7799859F245A}\CisONTTest_51518082C96B4CAFA42FDA7EDE83337C.exe
+ 2009-07-16 16:47 . 2009-07-16 16:47 7406 c:\windows\Installer\{391EF88F-1FE7-42BF-9CC7-7799859F245A}\CCNPONT_51518082C96B4CAFA42FDA7EDE83337C.exe
+ 2009-07-16 16:47 . 2009-07-16 16:47 7406 c:\windows\Installer\{391EF88F-1FE7-42BF-9CC7-7799859F245A}\ARPPRODUCTICON.exe
+ 2009-07-16 16:40 . 2009-07-16 16:40 4086 c:\windows\Installer\{2628A36F-C0D3-4F26-88B3-4ED1C762A7D0}\controlPanelIcon.exe
+ 2009-07-16 16:40 . 2009-07-16 16:40 184832 c:\windows\Installer\45fe58.msi
+ 2009-04-17 15:59 . 2009-04-17 15:59 128256 c:\windows\Downloaded Program Files\as2stubie.dll
+ 2009-07-16 16:47 . 2009-07-16 16:47 1707520 c:\windows\Installer\45fe60.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Centurion\\CARES\\CARES Agent\\CCSTeleComMod.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 2:27 PM 169200]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 8:52 AM 101936]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [12/19/2007 4:05 PM 87936]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 1:22 PM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2009-07-16 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 07:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-22 7:22
ComboFix-quarantined-files.txt 2009-07-22 14:22
ComboFix2.txt 2009-07-16 15:45
ComboFix3.txt 2009-07-16 15:29
ComboFix4.txt 2009-07-15 15:20

Pre-Run: 46,881,128,448 bytes free
Post-Run: 46,897,487,872 bytes free

175 --- E O F --- 2009-07-17 07:11
Old 07-23-2009, 06:36 AM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,897
OS: WinXP and Vista


Re: Search engines redirected, missngpage

Hello uw4ever18

forhockey is away from the computer for the next several days and has asked me to follow up with you.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


- Most importantly, Think Prevention

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-24-2009, 08:50 AM   #16 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP sp2


Re: Search engines redirected, missngpage

Ried,
I have followed the instructions from your post, please consider this thread resolved. Additionally, please thank Forhockey for the time and effort he put into resolving my issue. The help is greatly appreciated.

Ryan
Old 07-24-2009, 11:22 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,897
OS: WinXP and Vista


Re: Search engines redirected, missngpage

I'll be sure he gets the message, Ryan.

Take care. :wave;
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
All times are GMT -7. The time now is 07:22 PM.



Copyright 2001 - 2009, Tech Support Forum