Author Topic: [Resolved] redirected searches

Scott (Bronze Member, Posts: 57)
[Resolved] redirected searches
« on: February 03, 2010, 02:01:32 PM »
This is a Dell Optiplex computer with Windows XP. I cannot update Malwarebytes Anti-Malware, and all my searches get redirected.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:10 PM, on 2/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winshield2009.microsoft.com
O1 - Hosts: 91.212.127.226 winshield2009.com
O1 - Hosts: 91.212.127.226 www.winshield2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://satorisoftware.webex.com/client/T26L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C005478-CC7F-4D4E-B9C9-5F0E316E34CA}: NameServer = 93.188.163.156,93.188.166.37
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.156,93.188.166.37
O17 - HKLM\System\CS3\Services\Tcpip\..\{4C005478-CC7F-4D4E-B9C9-5F0E316E34CA}: NameServer = 93.188.163.156,93.188.166.37
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 93.188.163.156,93.188.166.37
O17 - HKLM\System\CS4\Services\Tcpip\..\{4C005478-CC7F-4D4E-B9C9-5F0E316E34CA}: NameServer = 93.188.163.156,93.188.166.37
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.156,93.188.166.37
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7509 bytes
« Last Edit: February 04, 2010, 03:39:52 PM by PCBruiser »



PCBruiser (Malware Removal Mentors, Administrator, Diamond Member, Posts: 7300)
Re: [In Progress] redirected searches
« Reply #1 on: February 03, 2010, 02:30:57 PM »
Hi,

My name is PCBruiser (or PCB for short), and I will be helping you to remove any malware on your system.  Please do not run any anti-malware, anti-virus or so-called "registry cleaners" unless I specifically tell you to do so.  Running the wrong thing at the wrong time can seriously damage your system.

Please copy and print out these instructions using Notepad so they will be readily available to you. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, please ask your question(s) before doing anything further.

1.  Run HijackThis again, but this time choose Do a system scan only, which is the second option from the top in the HijackThis What would you like to do choices.  After HijackThis completes the system scan, check the box immediately to the left of the following item(s):

O1 - Hosts: 91.212.127.226 winshield2009.microsoft.com
O1 - Hosts: 91.212.127.226 winshield2009.com
O1 - Hosts: 91.212.127.226 www.winshield2009.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://satorisoftware.webex.com/client/T26L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C005478-CC7F-4D4E-B9C9-5F0E316E34CA}: NameServer = 93.188.163.156,93.188.166.37
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.156,93.188.166.37
O17 - HKLM\System\CS3\Services\Tcpip\..\{4C005478-CC7F-4D4E-B9C9-5F0E316E34CA}: NameServer = 93.188.163.156,93.188.166.37
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 93.188.163.156,93.188.166.37
O17 - HKLM\System\CS4\Services\Tcpip\..\{4C005478-CC7F-4D4E-B9C9-5F0E316E34CA}: NameServer = 93.188.163.156,93.188.166.37
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.156,93.188.166.37


Please be very careful, do NOT check any other boxes.

Next, click on Fix checked on the bottom left side of the HijackThis screen.

Next, reboot.

2.  We note you are using one or more products from IOBit.  IOBit has been accused by Malwarebytes of illegally using their intellectual property without permission.  Please see this for additional information on these allegations:  http://www.malwarebytes.org/forums/index.php?showtopic=29681

Additionally, both WOT and SiteAdvisor have flagged IOBit’s site.

A thread in the IOBit’s forum responded to the accusations from Malwarebytes.  It is noteworthy that several responses from users raising specific questions about IOBit’s response and finding it unsatisfactory were deleted and the thread was closed.  The bottom line from IOBit was: “No hard proof shows that IObit stole database of Malwarebytes.”

At least until the issues of possible database theft and spyware packaging is resolved, SpywareHammer recommends against the use of IOBit products.

3.  If you can install and update MBAM, please do so, and then run a Quick Scan.  When the scan completes, check all items it finds to remove them.

4.  Download Combofix from any of the links below, and save it to your desktop.  For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

a. Close any open browsers.

b. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note:  Do not click combofix's window with your mouse while it's running. That may cause it to stall.

5.  Please post the following:

a. the MBAM log if you are able to run it
b. combofix.txt
c. a fresh HJT log
Don't Read?  Can't learn!
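
Automating the two checks in step 1, as an added example that is not part of the thread: the fix list targets three hosts-file entries that map winshield2009 names, one of them a fake microsoft.com subdomain, to 91.212.127.226, and a static NameServer value of 93.188.163.156,93.188.166.37 that the log shows under CCS, CS3 and CS4. The ComboFix footer posted later (Current=3, LastKnownGood=4) means CCS and CS3 are the same registry data and CS4 is the Last Known Good configuration, so fixing only CurrentControlSet would let the rogue resolvers return on a Last Known Good boot; that is why all six O17 lines are checked. The Python below parses HijackThis O1 and O17 lines (sample lines copied from the log above), flags hosts entries that do not point at loopback, and reports every control set in which the NameServer value appears. TRUSTED_RESOLVERS is an assumed allowlist, left empty here so that any static resolver is reported.

```python
"""Flag hosts-file and DNS-resolver hijacks in a HijackThis log.

Added example, not part of the forum thread: it automates the two
checks PCBruiser made by eye on the O1 and O17 lines.  The sample lines
are copied from the posted log; TRUSTED_RESOLVERS is an assumed
allowlist (in practice the ISP's or the site's own DNS servers).
"""
import ipaddress
import re

# Constructed sample: O1/O17 lines from the log above plus one benign R0 line.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 91.212.127.226 winshield2009.microsoft.com",
    r"O1 - Hosts: 91.212.127.226 winshield2009.com",
    r"O1 - Hosts: 91.212.127.226 www.winshield2009.com",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{4C005478-CC7F-4D4E-B9C9-5F0E316E34CA}: NameServer = 93.188.163.156,93.188.166.37",
    r"O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.156,93.188.166.37",
    r"O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 93.188.163.156,93.188.166.37",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.156,93.188.166.37",
]

# Assumed allowlist; empty means "any static NameServer is suspect".
TRUSTED_RESOLVERS = frozenset()

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
NS_RE = re.compile(r"^O17 - HKLM\\System\\(\w+)\\Services\\Tcpip\\(.+?): NameServer = (.+)$")


def hosts_hijacks(lines):
    """(ip, hostname) for every O1 entry that does not resolve to loopback."""
    found = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if not m:
            continue
        ip, name = m.groups()
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:
            pass  # not even a valid address: keep it, something is wrong
        found.append((ip, name))
    return found


def spoofed_vendor_names(hijacks, vendor_domains=("microsoft.com",)):
    """Hosts overrides for names under a vendor domain (rogue AV 'update' sites)."""
    return [(ip, name) for ip, name in hijacks
            if any(name == d or name.endswith("." + d) for d in vendor_domains)]


def dns_hijacks(lines, trusted=TRUSTED_RESOLVERS):
    """(control_set, key, rogue_servers) for NameServer values outside the allowlist."""
    found = []
    for line in lines:
        m = NS_RE.match(line)
        if not m:
            continue
        control_set, key, servers = m.groups()
        rogue = [s.strip() for s in servers.split(",")
                 if s.strip() and s.strip() not in trusted]
        if rogue:
            found.append((control_set, key, rogue))
    return found


def triage(lines, trusted=TRUSTED_RESOLVERS):
    """Summarise both hijack types; control_sets shows how far the DNS change persisted."""
    hosts = hosts_hijacks(lines)
    dns = dns_hijacks(lines, trusted)
    return {
        "hosts": hosts,
        "spoofed_vendor": spoofed_vendor_names(hosts),
        "dns": dns,
        "control_sets": sorted({cs for cs, _, _ in dns}),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, name in report["hosts"]:
        print("hosts hijack: %s -> %s" % (name, ip))
    for cs, key, servers in report["dns"]:
        print("rogue DNS in %s\\%s: %s" % (cs, key, ", ".join(servers)))
    print("DNS change present in control sets:", ", ".join(report["control_sets"]))
```

Run against the sample it lists the three hosts overrides, singles out the microsoft.com lookalike, and reports the rogue resolver pair in CCS, CS3 and CS4; with the two addresses placed in TRUSTED_RESOLVERS the DNS findings disappear, which is the only way a legitimately configured static resolver should be silenced.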

Scott (Bronze Member, Posts: 57)
Re: [In Progress] redirected searches
« Reply #2 on: February 04, 2010, 08:41:03 AM »
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/3/2010 5:00:22 PM
mbam-log-2010-02-03 (17-00-22).txt

Scan type: Quick Scan
Objects scanned: 115465
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\16804844 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\16804844\16804844 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000045d4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000771f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

ComboFix 10-02-03.06 - midnight mail 02/04/2010   9:25.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1578 [GMT -5:00]
Running from: c:\documents and settings\midnight mail\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\usps4cb.TTF
c:\windows\Fonts\uspsimb_compact.ttf
c:\windows\system32\service
c:\windows\system32\service\06092009_TIS17_SfFniAU.log
c:\windows\system32\service\18012010_TIS17_SfFniAU.log
c:\windows\system32\service\20042009_TIS17_SfFniAU.log
c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((   Files Created from 2010-01-04 to 2010-02-04  )))))))))))))))))))))))))))))))
.

2010-02-04 14:03 . 2010-02-04 14:03   --------   d-----w-   c:\documents and settings\midnight mail\Application Data\AVG8
2010-02-03 19:54 . 2010-02-03 19:54   --------   d-----w-   c:\program files\Trend Micro
2010-02-03 15:59 . 2010-02-03 15:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\IObit
2010-02-03 15:59 . 2010-02-03 15:59   --------   d-----w-   c:\program files\SDHelper (Spybot - Search & Destroy)
2010-02-03 15:23 . 2010-02-03 15:23   --------   d-----w-   c:\program files\IObit
2010-02-03 15:10 . 2010-02-03 15:59   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-02-03 15:06 . 2010-02-03 15:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-30 15:13 . 2010-01-30 15:14   --------   d-----w-   c:\documents and settings\midnight mail\Local Settings\Application Data\coawah
2010-01-26 14:31 . 2010-01-26 14:31   152576   ----a-w-   c:\documents and settings\midnight mail\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-26 14:31 . 2010-01-26 14:31   79488   ----a-w-   c:\documents and settings\midnight mail\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-22 14:40 . 2010-01-22 14:40   --------   d-----w-   C:\$AVG
2010-01-22 14:40 . 2010-01-22 14:40   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-01-22 14:40 . 2010-01-22 14:40   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-01-22 14:40 . 2010-01-22 14:40   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-01-22 14:39 . 2010-01-22 14:39   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-01-22 14:39 . 2010-02-04 14:10   --------   d-----w-   c:\windows\system32\drivers\Avg
2010-01-22 14:39 . 2010-01-22 14:39   --------   d-----w-   c:\program files\AVG
2010-01-22 14:39 . 2010-02-04 14:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 21:54 . 2009-03-21 14:07   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-03 21:52 . 2009-05-18 13:08   5115824   -c--a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-26 14:32 . 2007-11-27 00:05   --------   d-----w-   c:\program files\Java
2010-01-07 21:07 . 2009-03-17 14:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-03-17 14:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2003-07-16 16:45   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2007-11-26 22:51   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2003-07-16 16:20   17408   ------w-   c:\windows\system32\corpol.dll
2009-12-08 18:05 . 2007-11-27 15:22   300384   -c--a-w-   c:\documents and settings\midnight mail\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 15:51 . 2003-07-16 16:17   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-11-27 221247]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-22 14:40   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28   684032   -c--a-w-   c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc
"3392:TCP"= 3392:TCP:RDP3392

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/22/2010 9:40 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/22/2010 9:40 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/22/2010 9:39 AM 285392]
R3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\a302.sys [11/26/2007 5:36 PM 11319]
.
Contents of the 'Scheduled Tasks' folder

2010-02-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-09 15:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 09:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8A8458C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a3b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
 ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
 ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel(R) PRO/1000 MT Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7439bb0
 PacketIndicateHandler -> NDIS.sys @ 0xf7446a21
 SendHandler -> NDIS.sys @ 0xf742487b
user & kernel MBR OK

**************************************************************************
.
Completion time: 2010-02-04  09:32:15
ComboFix-quarantined-files.txt  2010-02-04 14:32

Pre-Run: 99,034,607,616 bytes free
Post-Run: 99,508,961,280 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 43A3B56E1E615F213D434B5B7BBF4ACB

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:48 AM, on 2/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
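
A check a practitioner would want alongside the malware cleanup, as an added example that is not part of the thread: the ComboFix Reg Loading Points section in this post records EnableFirewall = 0 for the standard profile and 3389/TCP, 5900/TCP and 3392/TCP (labelled RDP3392) under GloballyOpenPorts, while the process list shows WinVNC4.exe running. Whether those ports are reachable from outside depends on the network, which the thread does not describe, so this is something to review once the infection is gone rather than a finding in itself. The Python below parses that section (sample copied from the log) and lists the remote-administration exposure. REMOTE_ADMIN_PORTS and REMOTE_ADMIN_LABELS are assumptions about which rules are worth flagging.

```python
"""Audit the Windows Firewall policy section of a ComboFix log.

Added example, not part of the thread: the ComboFix 'Reg Loading Points'
output records EnableFirewall = 0 and three TCP ports under
GloballyOpenPorts.  This parses those lines and lists remote-administration
exposure.  The sample is copied from the log; REMOTE_ADMIN_PORTS and the
label keywords are assumptions.
"""
import re

# Constructed sample: the firewall-policy keys from the posted ComboFix log.
SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc
"3392:TCP"= 3392:TCP:RDP3392
"""

REMOTE_ADMIN_PORTS = {3389: "RDP", 5900: "VNC"}   # assumed: default ports worth flagging
REMOTE_ADMIN_LABELS = ("RDP", "VNC", "TERMINAL")  # assumed: rule-name words that betray the purpose

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_policy(text):
    """Map lowercased registry key path -> {value name: data} for every [section]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def _section(sections, suffix):
    """First section whose key path ends with suffix, or None."""
    for name, values in sections.items():
        if name.endswith(suffix):
            return values
    return None


def firewall_enabled(sections, profile="standardprofile"):
    """True/False from EnableFirewall, or None if the profile key is not in the log."""
    values = _section(sections, "firewallpolicy\\" + profile)
    if values is None or "EnableFirewall" not in values:
        return None
    return values["EnableFirewall"].split()[0] != "0"   # ComboFix prints e.g. '0 (0x0)'


def globally_open_ports(sections, profile="standardprofile"):
    """Sorted (port, proto, label) from the GloballyOpenPorts list."""
    values = _section(sections, "firewallpolicy\\" + profile + "\\globallyopenports\\list") or {}
    ports = []
    for name, data in values.items():
        port, proto = name.split(":", 1)
        label = data.split(":", 2)[2] if data.count(":") >= 2 else ""
        ports.append((int(port), proto.upper(), label))
    return sorted(ports)


def exposure_report(text):
    """Firewall state plus every globally open port that looks like remote administration."""
    sections = parse_policy(text)
    open_ports = globally_open_ports(sections)
    exposed = []
    for port, proto, label in open_ports:
        if port in REMOTE_ADMIN_PORTS:
            exposed.append((port, "%s on its default port" % REMOTE_ADMIN_PORTS[port]))
        elif any(word in label.upper() for word in REMOTE_ADMIN_LABELS):
            exposed.append((port, "rule label %r suggests remote administration" % label))
    return {
        "firewall_enabled": firewall_enabled(sections),
        "open_ports": open_ports,
        "remote_admin_exposed": exposed,
    }


if __name__ == "__main__":
    r = exposure_report(SAMPLE)
    print("firewall enabled:", r["firewall_enabled"])
    for port, why in r["remote_admin_exposed"]:
        print("globally open %d/TCP: %s" % (port, why))
```

The report distinguishes "firewall reported off" (False) from "firewall state not in the log" (None), because a ComboFix run that does not print the profile key tells you nothing either way; the 3392 entry is caught only through its RDP3392 label, which is the kind of non-default port a quick scan for 3389 would miss.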


PCBruiser (Malware Removal Mentors, Administrator, Diamond Member, Posts: 7300)
Re: [In Progress] redirected searches
« Reply #3 on: February 04, 2010, 09:23:09 AM »
Hi,

Please repost the HJT log - it has been cut off and is incomplete.

Scott (Bronze Member, Posts: 57)
Re: [In Progress] redirected searches
« Reply #4 on: February 04, 2010, 09:34:34 AM »
Sorry

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:21 AM, on 2/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5489 bytes

PCBruiser (Malware Removal Mentors, Administrator, Diamond Member, Posts: 7300)
Re: [In Progress] redirected searches
« Reply #5 on: February 04, 2010, 10:00:48 AM »
Hi,

I need you to rerun ComboFix but in a special way.

1.  Open notepad, go to the format menu, uncheck Word Wrap, and then copy/paste the text in the code box below into it:

Code:

KILLALL::

File::
c:\windows\system32\drivers\a302.sys

DirLook::
c:\documents and settings\midnight mail\Local Settings\Application Data\coawah

Driver::
{E6759E0C-470B-44DC-A4A1-627E68BB3A85}


Save this to your Desktop as CFScript.txt.

2.  Close all open browsers.

[image not preserved: screenshot of CFScript.txt being dragged onto ComboFix.exe]

3.  Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

4.  Please post the following:

a. combofix.txt
b. a fresh HJT log
c. we may not be done yet, but please tell me how your system is running now.
« Last Edit: February 04, 2010, 10:12:13 AM by PCBruiser »

Scott (Bronze Member, Posts: 57)
Re: [In Progress] redirected searches
« Reply #6 on: February 04, 2010, 10:37:14 AM »
It is running a little better now.

PCBruiser (Malware Removal Mentors, Administrator, Diamond Member, Posts: 7300)
Re: [In Progress] redirected searches
« Reply #7 on: February 04, 2010, 10:49:32 AM »
You still need to follow my instructions, and I will have more to do after that as well.

Scott (Bronze Member, Posts: 57)
Re: [In Progress] redirected searches
« Reply #8 on: February 04, 2010, 10:57:32 AM »
ComboFix 10-02-03.06 - midnight mail 02/04/2010  11:42:57.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1713 [GMT -5:00]
Running from: c:\documents and settings\midnight mail\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\midnight mail\Desktop\CFScript.txt..txt

FILE ::
"c:\windows\system32\drivers\a302.sys"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\a302.sys
c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_{E6759E0C-470B-44DC-A4A1-627E68BB3A85}


(((((((((((((((((((((((((   Files Created from 2010-01-04 to 2010-02-04  )))))))))))))))))))))))))))))))
.

2010-02-03 19:54 . 2010-02-03 19:54   --------   d-----w-   c:\program files\Trend Micro
2010-02-03 15:59 . 2010-02-03 15:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\IObit
2010-02-03 15:59 . 2010-02-03 15:59   --------   d-----w-   c:\program files\SDHelper (Spybot - Search & Destroy)
2010-02-03 15:10 . 2010-02-03 15:59   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-02-03 15:06 . 2010-02-03 15:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-30 15:13 . 2010-01-30 15:14   --------   d-----w-   c:\documents and settings\midnight mail\Local Settings\Application Data\coawah
2010-01-26 14:31 . 2010-01-26 14:31   152576   ----a-w-   c:\documents and settings\midnight mail\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-26 14:31 . 2010-01-26 14:31   79488   ----a-w-   c:\documents and settings\midnight mail\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-22 14:39 . 2010-02-04 14:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 16:37 . 2007-11-27 15:22   299584   -c--a-w-   c:\documents and settings\midnight mail\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-03 21:54 . 2009-03-21 14:07   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-03 21:52 . 2009-05-18 13:08   5115824   -c--a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-26 14:32 . 2007-11-27 00:05   --------   d-----w-   c:\program files\Java
2010-01-07 21:07 . 2009-03-17 14:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-03-17 14:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2003-07-16 16:45   832512   ------w-   c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2007-11-26 22:51   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2003-07-16 16:20   17408   ------w-   c:\windows\system32\corpol.dll
2009-11-21 15:51 . 2003-07-16 16:17   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\midnight mail\Local Settings\Application Data\coawah ----



(((((((((((((((((((((((((((((   SnapShot@2010-02-04_14.30.21   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-04 16:48 . 2010-02-04 16:48   16384              c:\windows\temp\Perflib_Perfdata_544.dat
+ 2007-11-26 16:09 . 2010-02-04 16:48   890272              c:\windows\system32\FNTCACHE.DAT
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-11-27 221247]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28   684032   -c--a-w-   c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc
"3392:TCP"= 3392:TCP:RDP3392

.
Contents of the 'Scheduled Tasks' folder

2010-02-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-09 15:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 11:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8A8088C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a3b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
 ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
 ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel(R) PRO/1000 MT Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7439bb0
 PacketIndicateHandler -> NDIS.sys @ 0xf7446a21
 SendHandler -> NDIS.sys @ 0xf742487b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\wscntfy.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2010-02-04  11:51:39 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-04 16:51
ComboFix2.txt  2010-02-04 14:32

Pre-Run: 99,645,411,328 bytes free
Post-Run: 99,547,074,560 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - CF5D5719559642A59FF3D09D35E1C9F5


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:10 AM, on 2/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5341 bytes
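The ComboFix log above ends with Gmer's MBR detector output. Two details in it matter more than the "detected MBR rootkit hooks" heading suggests: the dispatch entries listed there resolve to CLASSPNP.SYS, ACPI.sys and atapi.sys, the normal owners of those driver objects on XP, and the final "user & kernel MBR OK" means the boot sector read through the storage stack matched the one read directly from the lowest driver. What does deserve a second look is the `>>UNKNOWN [0x8A8088C8]<<` at the end of the "called modules" chain: code the tool could not map to any loaded driver image is sitting in the disk I/O path. Note that this scan ran at 11:48, before the reboot logged at 11:51, so it is worth repeating once the machine is back up. The parser below is an added example written for this page, not part of the thread and not code from Gmer or ComboFix; the sample text is copied from the log above and the status labels are my own.

```python
"""Triage the Gmer MBR-rootkit section that ComboFix appends to its log."""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix log in Reply #8,
# not a live capture.
SAMPLE = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8A8088C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a3b3a
user & kernel MBR OK
""".strip("\n")

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (\S+) @ (0x[0-9A-Fa-f]+)$")


def parse_mbr_section(text: str) -> dict:
    """Extract the disk call chain, the dispatch owners and the MBR verdict."""
    called: List[str] = []
    unknown: List[str] = []
    hooks: Dict[str, Tuple[str, str]] = {}
    user_ok = kernel_ok = verdict_ok = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            rest = line[len("called modules:"):]
            # Addresses the tool could not map to a loaded driver image.
            unknown = UNKNOWN_RE.findall(rest)
            called = UNKNOWN_RE.sub("", rest).split()
        elif (m := HOOK_RE.match(line)):
            # Owner of each driver object's dispatch; legitimate here if it
            # is the expected storage/ACPI driver, suspicious otherwise.
            drv, owner, addr = m.groups()
            hooks[drv] = (owner, addr)
        elif line == "user: MBR read successfully":
            user_ok = True
        elif line == "kernel: MBR read successfully":
            kernel_ok = True
        elif line == "user & kernel MBR OK":
            verdict_ok = True

    # The tool reads sector 0 twice, through the normal storage stack and
    # directly from the lowest driver, and reports OK when the copies agree.
    if unknown:
        status = "review"          # unidentified code in the disk I/O path
    elif user_ok and kernel_ok and verdict_ok:
        status = "ok"
    else:
        status = "mbr-mismatch"    # the two reads differ or one failed
    return {
        "called_modules": called,
        "unknown_modules": unknown,
        "hooks": hooks,
        "mbr_consistent": verdict_ok,
        "status": status,
    }


if __name__ == "__main__":
    for key, value in parse_mbr_section(SAMPLE).items():
        print(f"{key}: {value}")
```

On the log above this returns status "review" solely because of the unmapped address; with that token absent the same output would be "ok". The "hooks" dictionary is returned rather than judged, because whether an entry is a hook depends on whether the owner is the driver you expect for that object, which is a per-system question.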

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7300
Re: [In Progress]redirected searches
« Reply #9 on: February 04, 2010, 11:04:41 AM »
Hi,

Good.

1.  Your system does not have any anti-virus protection, and that's really dangerous.  Please download and install AntiVir PE (FREE) from here:

http://www.free-av.com/

Make sure you install AntiVir Guard, the real-time protection. Next open AntiVir and update it to the current definitions. If you would prefer to use a different anti-virus, Avast! is another equally good free one to use.

2.  Your system does not have a software firewall installed.  This exposes you to many malware exploits you really don't want to have on your system.  Please download and install Online Armor Free from here:

http://www.tallemu.com/

The link to the free version is on the left hand side of that page.

If you would prefer to use a different firewall, you can try a different one, but check it with me first to make sure it is legitimate firewall software.

3.  Please run a full system scan with AntiVir, and post the log from the scan along with a fresh HJT log.  Please reconfirm that your system is still working properly after these steps.
Don't Read?  Can't learn!

Offline Scott

  • Bronze Member
  • Posts: 57
Re: [In Progress]redirected searches
« Reply #10 on: February 04, 2010, 11:09:09 AM »
I had AVG 9.0, but I could not disable it to run ComboFix, so I had to delete it for now.

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7300
Re: [In Progress]redirected searches
« Reply #11 on: February 04, 2010, 11:22:52 AM »
OK, you can substitute AVG for AntiVir if you wish.  It is a good anti-virus also.
Don't Read?  Can't learn!

Offline Scott

  • Bronze Member
  • Posts: 57
Re: [In Progress]redirected searches
« Reply #12 on: February 04, 2010, 11:53:10 AM »
I take it the Windows firewall is not any good either


Avira AntiVir Personal
Report file date: Thursday, February 04, 2010  12:20

Scanning for 1727978 virus strains and unwanted programs.

Licensee        : Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode       : Normally booted
Username        : SYSTEM
Computer name   : PC11

Version information:
BUILD.DAT       : 9.0.0.415     21609 Bytes   11/8/2009 10:00:00
AVSCAN.EXE      : 9.0.3.10     466689 Bytes  10/13/2009 16:26:33
AVSCAN.DLL      : 9.0.3.0       40705 Bytes   2/27/2009 15:58:24
LUKE.DLL        : 9.0.3.2      209665 Bytes   2/20/2009 16:35:49
LUKERES.DLL     : 9.0.2.0       12033 Bytes   2/27/2009 15:58:52
VBASE000.VDF    : 7.10.0.0   19875328 Bytes   11/6/2009 12:35:52
VBASE001.VDF    : 7.10.1.0    1372672 Bytes  11/19/2009 17:18:35
VBASE002.VDF    : 7.10.3.1    3143680 Bytes   1/20/2010 17:18:43
VBASE003.VDF    : 7.10.3.75    996864 Bytes   1/26/2010 17:18:45
VBASE004.VDF    : 7.10.3.76      2048 Bytes   1/26/2010 17:18:45
VBASE005.VDF    : 7.10.3.77      2048 Bytes   1/26/2010 17:18:46
VBASE006.VDF    : 7.10.3.78      2048 Bytes   1/26/2010 17:18:46
VBASE007.VDF    : 7.10.3.79      2048 Bytes   1/26/2010 17:18:46
VBASE008.VDF    : 7.10.3.80      2048 Bytes   1/26/2010 17:18:46
VBASE009.VDF    : 7.10.3.81      2048 Bytes   1/26/2010 17:18:46
VBASE010.VDF    : 7.10.3.82      2048 Bytes   1/26/2010 17:18:46
VBASE011.VDF    : 7.10.3.83      2048 Bytes   1/26/2010 17:18:46
VBASE012.VDF    : 7.10.3.84      2048 Bytes   1/26/2010 17:18:47
VBASE013.VDF    : 7.10.3.85      2048 Bytes   1/26/2010 17:18:47
VBASE014.VDF    : 7.10.3.122    172544 Bytes   1/29/2010 17:18:47
VBASE015.VDF    : 7.10.3.149     79872 Bytes    2/1/2010 17:18:47
VBASE016.VDF    : 7.10.3.174     68608 Bytes    2/3/2010 17:18:48
VBASE017.VDF    : 7.10.3.199     76800 Bytes    2/4/2010 17:18:48
VBASE018.VDF    : 7.10.3.200      2048 Bytes    2/4/2010 17:18:48
VBASE019.VDF    : 7.10.3.201      2048 Bytes    2/4/2010 17:18:48
VBASE020.VDF    : 7.10.3.202      2048 Bytes    2/4/2010 17:18:48
VBASE021.VDF    : 7.10.3.203      2048 Bytes    2/4/2010 17:18:49
VBASE022.VDF    : 7.10.3.204      2048 Bytes    2/4/2010 17:18:49
VBASE023.VDF    : 7.10.3.205      2048 Bytes    2/4/2010 17:18:49
VBASE024.VDF    : 7.10.3.206      2048 Bytes    2/4/2010 17:18:49
VBASE025.VDF    : 7.10.3.207      2048 Bytes    2/4/2010 17:18:49
VBASE026.VDF    : 7.10.3.208      2048 Bytes    2/4/2010 17:18:49
VBASE027.VDF    : 7.10.3.209      2048 Bytes    2/4/2010 17:18:49
VBASE028.VDF    : 7.10.3.210      2048 Bytes    2/4/2010 17:18:50
VBASE029.VDF    : 7.10.3.211      2048 Bytes    2/4/2010 17:18:50
VBASE030.VDF    : 7.10.3.212      2048 Bytes    2/4/2010 17:18:50
VBASE031.VDF    : 7.10.3.213     20992 Bytes    2/4/2010 17:18:50
Engineversion   : 8.2.1.158
AEVDF.DLL       : 8.1.1.3      106868 Bytes    2/4/2010 17:18:57
AESCRIPT.DLL    : 8.1.3.13     823674 Bytes    2/4/2010 17:18:56
AESCN.DLL       : 8.1.4.0      127348 Bytes    2/4/2010 17:18:55
AESBX.DLL       : 8.1.1.1      246132 Bytes   11/8/2009 12:38:44
AERDL.DLL       : 8.1.3.4      479605 Bytes    2/4/2010 17:18:55
AEPACK.DLL      : 8.2.0.5      422262 Bytes    2/4/2010 17:18:55
AEOFFICE.DLL    : 8.1.0.38     196987 Bytes   11/8/2009 12:38:38
AEHEUR.DLL      : 8.1.1.4     2326899 Bytes    2/4/2010 17:18:54
AEHELP.DLL      : 8.1.10.0     237942 Bytes    2/4/2010 17:18:51
AEGEN.DLL       : 8.1.1.86     369012 Bytes    2/4/2010 17:18:51
AEEMU.DLL       : 8.1.1.0      393587 Bytes   11/8/2009 12:38:26
AECORE.DLL      : 8.1.11.1     184694 Bytes    2/4/2010 17:18:50
AEBB.DLL        : 8.1.0.3       53618 Bytes   11/8/2009 12:38:20
AVWINLL.DLL     : 9.0.0.3       18177 Bytes  12/12/2008 13:47:59
AVPREF.DLL      : 9.0.3.0       44289 Bytes   8/26/2009 20:14:02
AVREP.DLL       : 8.0.0.3      155905 Bytes   1/20/2009 19:34:28
AVREG.DLL       : 9.0.0.0       36609 Bytes   12/5/2008 15:32:09
AVARKT.DLL      : 9.0.0.3      292609 Bytes   3/24/2009 20:05:41
AVEVTLOG.DLL    : 9.0.0.7      167169 Bytes   1/30/2009 15:37:08
SQLITE3.DLL     : 3.6.1.0      326401 Bytes   1/28/2009 20:03:49
SMTPLIB.DLL     : 9.2.0.25      28417 Bytes    2/2/2009 13:21:33
NETNT.DLL       : 9.0.0.0       11521 Bytes   12/5/2008 15:32:10
RCIMAGE.DLL     : 9.0.0.25    2438913 Bytes   5/15/2009 20:39:58
RCTEXT.DLL      : 9.0.73.0      86785 Bytes  10/13/2009 17:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, February 04, 2010  12:20

Starting search for hidden objects.
'39609' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'apcsystray.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'McciTrayApp.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'winvnc4.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'QBCFMonitorService.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mainserv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
    [NOTE]      This file cannot be opened for scanning.
C:\pagefile.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
    [NOTE]      This file cannot be opened for scanning.


End of the scan: Thursday, February 04, 2010  12:49
Used time: 28:56 Minute(s)

The scan has been done completely.

   4172 Scanned directories
 231684 Files were scanned
      0 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 files were deleted
      0 Viruses and unwanted programs were repaired
      0 Files were moved to quarantine
      0 Files were renamed
      2 Files cannot be scanned
 231682 Files not concerned
    880 Archives were scanned
      2 Warnings
      2 Notes
  39609 Objects were scanned with rootkit scan
      0 Hidden objects were found


Offline Scott

  • Bronze Member
  • Posts: 57
Re: [In Progress]redirected searches
« Reply #13 on: February 04, 2010, 11:57:19 AM »
Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:15 PM, on 2/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5870 bytes


Everything seems to be okay so far.

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7300
Re: [In Progress]redirected searches
« Reply #14 on: February 04, 2010, 03:39:26 PM »
Excellent.  Your system is malware free now.

You are correct.  The firewall in XP does not provide good protection at all.  It only provides limited inbound protection against threats.  Since the vast majority of the threats are outbound these days, the XP firewall does nothing to protect your system.  I strongly recommend using a third party software firewall, and OA is the one I usually recommend.

Before we finish, we need to delete the tools we used, and all the files/folders they quarantined.

Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the icon.
  • Click the large "Cleanup" button.
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • Make sure you have an Internet Connection.
  • If you have a firewall that throws out a message that OTMI3 is attempting to contact the Internet that it should be allowed.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Here are some tips for keeping safe on the Internet.

1.  Always use your AntiVirus and Firewall software.  Update your AntiVirus virus definitions at least once a day.  Scan with it at least once every 2 days.  Check for updates to your Firewall weekly.

2.  Keep using MBAM.  Update the definitions daily and do a quick scan at least once every 2 days.  The free version does not have any real time protection.  If you want extra security, the paid version offers real time protection plus automatic definition updates.

3.  Download and use SpywareBlaster from Javacool. 

4.  Download and use Spybot S&D.  Do not install or use the TeaTimer feature, it can conflict with other security software. 

5.  Use an alternative browser rather than IE.  Two excellent and well tested free ones are Firefox and Opera.  If you use Firefox, make sure to install the AdBlock Plus and NoScript extensions.  WOT ("Web of Trust") is another site evaluation program similar to SiteAdvisor, so it is a good second opinion as to the safety of sites you may visit.  You will find these extensions and hundreds more on the Firefox site.

6.  Download and use McAfee SiteAdvisor.  SiteAdvisor does not work with Opera. 

7.  Always keep your Java version up to date.  Check regularly for updates to Java HERE.

8.  Regularly check the Calendar of Updates for updates to your security software. 

9.  Please read and follow the recommendations in this article.  So how did I get infected in the first place?

10.  Fortunately, not all computer slowdowns and other problems are the result of malware.  Defragmenting, cleaning browser caches, emptying temp folders and other procedures can often speed performance dramatically.  An excellent guide and some additional tools to accomplish these tasks can be found at Slow Computer May Not Be Malware Related.

11.  Always do backups.  For more information on designing a good backup strategy for your system, please see this LINK.

12.  Never use P2P programs or download any software or other files from P2P.  Most of those files are hopelessly infected with malware, are intended to do harm, and will kill your system.  Continuing to use P2P for any purpose in today's environment is a major mistake.

Following these recommendations will help to prevent future malware infestations, and keep your system running in good shape. 

Don't Read?  Can't learn!
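Reply #9 says there is no software firewall and Reply #14 says the XP firewall only does limited inbound filtering. The ComboFix log in Reply #8 is more specific than either: under the standard profile `EnableFirewall` is 0, so the built-in firewall is switched off entirely, and the exception list that would apply once it is turned back on already opens 3389/TCP (RDP), 5900/TCP (VNC) and a port labelled RDP3392 to any source, on a machine where WinVNC4 runs as a service. Whichever firewall product is chosen, those exceptions are the thing to fix first. The script below reads that registry dump as ComboFix prints it and reports both points; it is an added example for this page, not part of the thread and not ComboFix code. The sample is copied from the log above, and treating 3392 as a remote-access port purely on its "RDP3392" label is an assumption of the example.

```python
"""Read the Windows Firewall policy keys as ComboFix prints them."""
import re
from typing import List, NamedTuple


class OpenPort(NamedTuple):
    port: int
    proto: str
    label: str


# Constructed sample: the firewall lines copied from the ComboFix log in
# Reply #8 (a registry dump, not a live query).
SAMPLE_POLICY = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc
"3392:TCP"= 3392:TCP:RDP3392
""".strip("\n")

ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
APP_RE = re.compile(r'^"(.+)"=\s*$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')

# Ports that hand an interactive session to whoever connects. 3389 (RDP)
# and 5900/5800 (VNC) are standard; 3392 below is matched only through its
# "RDP3392" label, which is an assumption about what the admin meant.
REMOTE_ACCESS_PORTS = {3389, 5900, 5800, 23, 22}


def parse_firewall_policy(text: str) -> dict:
    """Walk the dump key by key and collect the standard-profile settings."""
    enabled = None
    apps: List[str] = []
    ports: List[OpenPort] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if key.endswith("standardprofile"):
            m = ENABLE_RE.match(line)
            if m:
                enabled = m.group(1) != "0"
        elif key.endswith("authorizedapplications\\list"):
            m = APP_RE.match(line)
            if m:
                # ComboFix escapes backslashes in the value names.
                apps.append(m.group(1).replace("\\\\", "\\"))
        elif key.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                ports.append(OpenPort(int(m.group(1)), m.group(2), m.group(3)))
    return {"enabled": enabled, "authorized_apps": apps, "open_ports": ports}


def assess(policy: dict) -> List[str]:
    """Turn the parsed policy into the findings a reviewer would report."""
    findings: List[str] = []
    if policy["enabled"] is False:
        findings.append("host firewall disabled in the standard profile: every "
                        "listening service is reachable, not just the exceptions")
    elif policy["enabled"] is None:
        findings.append("EnableFirewall value not present in dump")
    for p in policy["open_ports"]:
        label = p.label.lower()
        if p.port in REMOTE_ACCESS_PORTS or "rdp" in label or "vnc" in label:
            findings.append(f"remote-access port {p.port}/{p.proto} ({p.label}) open to any source")
        else:
            findings.append(f"port {p.port}/{p.proto} ({p.label}) open to any source")
    return findings


if __name__ == "__main__":
    for line in assess(parse_firewall_policy(SAMPLE_POLICY)):
        print("-", line)
```

The authorized-application list is parsed too, because once the firewall is re-enabled those entries (for example mmc.exe) become the next thing to review; the script just records them.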