« previous next »
Pages: 1 2 [3] 4 5   Go Down

Author Topic: [In Active] Redirect searches  (Read 5554 times)

0 Members and 1 Guest are viewing this topic.

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #30 on: April 10, 2010, 10:03:18 PM »
K27, working on it now - cedarguy
Logged

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #31 on: April 11, 2010, 02:18:54 PM »
K27, the full report from F-Secure scan:

Scanning Report
Sunday, April 11, 2010 03:15:14 - 15:14:09
Computer name: XXX
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\ F:\


--------------------------------------------------------------------------------

20 malware found
TrackingCookie.Questionmarket (spyware)
System (Disinfected)
TrackingCookie.2o7 (spyware)
System (Disinfected)
TrackingCookie.Advertising (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
Suspicious:W32/Malware!Gemini (spyware)
System (Disinfected)
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Revsci (spyware)
System (Disinfected)
TrackingCookie.Adrevolver (spyware)
System (Disinfected)
TrackingCookie.Webtrends (spyware)
System (Disinfected)
TrackingCookie.Mediaplex (spyware)
System (Disinfected)
TrackingCookie.Statcounter (spyware)
System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)
Suspicious:W32/Malware!Gemini (virus)
C:\PROGRAM FILES\MIHOV IMAGE RESIZER\RESIZER.EXE (Not cleaned)
BehavesLike:BAT.Delete (virus)
C:\PROGRAM FILES\C_CLIENTS\RCLEAN2.CMD (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
C:\PROGRAM FILES\COPYWRITER\UTILITIES\COLOR SWITCHER.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
C:\PROGRAM FILES\COPYWRITER\UTILITIES\SORT LINES.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
C:\PROGRAM FILES\COPYWRITER\UTILITIES\UNIT CONVERTER.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
C:\PROGRAM FILES\COPYWRITER\UTILITIES\COLOR_SWITCHER\COLOR SWITCHER.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
C:\DOCUMENTS AND SETTINGS\DOUG HOVELSON\MY DOCUMENTS\CODE\COMPUTER_REPAIR_UTILITY\VIRUS REMOVAL\CLAMWINPORTABLE\APP\CLAMWIN\BIN\CLAMSCAN.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
C:\DOCUMENTS AND SETTINGS\DOUG HOVELSON\MY DOCUMENTS\CODE\COMPUTER_REPAIR_UTILITY\FILE MANAGEMENT\JKDEFRAG GUI\PROGRAMS\7ZA.EXE (Not cleaned & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 228117
System: 6193
Not scanned: 20
Actions:
Disinfected: 12
Renamed: 0
Deleted: 0
Not cleaned: 8
Submitted: 7
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3C3E9652-2458-48BD-AD34-00EEAED56125}\RP1171\A0150607.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3C3E9652-2458-48BD-AD34-00EEAED56125}\RP1171\A0150638.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3C3E9652-2458-48BD-AD34-00EEAED56125}\RP1171\A0150811.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3C3E9652-2458-48BD-AD34-00EEAED56125}\RP1168\A0150115.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3C3E9652-2458-48BD-AD34-00EEAED56125}\RP1168\A0150169.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3C3E9652-2458-48BD-AD34-00EEAED56125}\RP1168\A0150237.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3C3E9652-2458-48BD-AD34-00EEAED56125}\RP1168\A0150300.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3C3E9652-2458-48BD-AD34-00EEAED56125}\RP1168\A0150382.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3C3E9652-2458-48BD-AD34-00EEAED56125}\RP1167\A0149998.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3C3E9652-2458-48BD-AD34-00EEAED56125}\RP1167\A0150067.EXE
C:\DOCUMENTS AND SETTINGS\DOUG HOVELSON\LOCAL SETTINGS\TEMP\HSPERFDATA_DOUG HOVELSON\3084
C:\DOCUMENTS AND SETTINGS\DOUG HOVELSON\LOCAL SETTINGS\TEMP\HSPERFDATA_DOUG HOVELSON\4852
C:\DOCUMENTS AND SETTINGS\DOUG HOVELSON\LOCAL SETTINGS\TEMP\HSPERFDATA_DOUG HOVELSON\3644
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\MICROSOFT ANTIMALWARE\MPSCANCACHE-1.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2009 Product support | Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name. This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products
Logged

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #32 on: April 11, 2010, 03:38:24 PM »
K27, apparently made a mistake - tried to run the existing COMBOFIX on my computer and it returned a message saying it was compromised and I should run a fresh version from online...(which I'll do) said it was infected with Virus or Win32/FakeSpypro...cedarguy
Logged

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #33 on: April 11, 2010, 03:48:04 PM »
K27, downloaded new ComboFix - from a link you had posted in previous response to my problems -- and got same message of infection from Microsoft Essentials - wondering if Bleepingcomputer.com site is hacked? - cedarguy
Logged

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #34 on: April 11, 2010, 04:35:07 PM »
K27, I can't get ComboFix to run - it keeps getting flagged for the FakeSpypro virus everytime I try to download it...cedarguy
Logged

Offline K27

  • Malware Removal Staff
  • Gold Member
  • Posts: 2342
    • Go Good IT Solutions
Re: [In Progress] Redirect searches
« Reply #35 on: April 11, 2010, 11:57:12 PM »
cedarguy,

Please uninstall "ClamWin" FreeAntiVirus and please refain from downloading any other security programs as they will conflict with our tools and report false positives.
I have tried the Combo-fix download at Bleeping Computer and it works fine, it sounds like Security Essentials thinks it is a virus, which is not uncommon, please disable MS Security Essentials and try the download again.

If that fails, then please Update MBAM via the update tab and then run a full scan, have it remove anything it finds and post the logs back to me.

Thanks,
K27.
Logged
SpywareHammer - Knowledgebase

The internet is the new age battle of the old age clash between good and evil

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #36 on: April 12, 2010, 12:04:05 AM »
K27, will do. I think ClamWin free antivirus downloaded itself - I didn't deliberately bring it on board in any case...cedarguy
Logged

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #37 on: April 12, 2010, 01:20:40 AM »
K27, here's the ComboFix log file:

ComboFix 10-04-11.03 - Doug Hovelson 04/12/2010   1:26.3.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1471.769 [GMT -5:00]
Running from: c:\documents and settings\Doug Hovelson\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Avanquest NetDefense Firewall *enabled* {E9CD9D09-CF58-4ec3-9B3F-E6B12C3E4171}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2010-03-12 to 2010-04-12  )))))))))))))))))))))))))))))))
.

2010-04-12 06:23 . 2010-04-12 06:49   --------   d-----w-   \ComboFix
2010-04-11 04:47 . 2010-04-11 04:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\F-Secure
2010-04-07 13:16 . 2010-04-07 13:16   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-02 05:08 . 2010-04-02 05:08   --------   d-----w-   c:\program files\iPod
2010-04-02 05:08 . 2010-04-02 05:10   --------   d-----w-   c:\program files\iTunes
2010-04-02 05:08 . 2010-04-02 05:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-02 04:50 . 2010-04-02 04:50   --------   d-----w-   c:\program files\Bonjour
2010-03-29 05:26 . 2010-03-29 05:26   --------   d-----w-   c:\program files\Open XML Format SDK

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 05:56 . 2008-04-20 18:56   --------   d-----w-   c:\documents and settings\Doug Hovelson\Application Data\gtk-2.0
2010-04-11 21:15 . 2007-01-08 21:37   59870   -c--a-w-   c:\documents and settings\Doug Hovelson\Application Data\wklnhst.dat
2010-04-11 20:13 . 2008-07-07 05:47   --------   d-----w-   c:\program files\Mihov Image Resizer
2010-04-11 09:50 . 2008-02-03 09:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
2010-04-11 04:31 . 2007-02-01 08:16   --------   d-----w-   c:\program files\Common Files\Java
2010-04-11 04:30 . 2007-02-01 08:17   --------   d-----w-   c:\program files\Java
2010-04-08 20:19 . 2010-01-11 22:25   --------   d-----w-   c:\program files\Bing Toolbar
2010-04-08 17:01 . 2007-01-08 23:37   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-04-08 16:58 . 2008-12-22 06:34   --------   d-----w-   c:\program files\Common Files\AntiVirus
2010-04-02 05:08 . 2008-09-10 21:50   --------   d-----w-   c:\program files\Common Files\Apple
2010-04-02 05:00 . 2007-03-30 19:28   --------   d-----w-   c:\program files\QuickTime
2010-04-02 04:31 . 2008-04-06 03:45   --------   d-----w-   c:\program files\Safari
2010-03-31 18:34 . 2007-12-15 19:34   --------   d-----w-   c:\program files\PSPad editor
2010-03-11 06:48 . 2007-02-01 21:45   --------   d-----w-   c:\program files\Common Files\SupportSoft
2010-03-11 06:46 . 2007-02-01 21:45   --------   d-----w-   c:\program files\Qwest
2010-03-10 23:28 . 2009-10-20 00:25   --------   d-----w-   c:\program files\Microsoft Security Essentials
2010-03-10 21:28 . 2010-03-10 21:27   9078208   ----a-w-   c:\documents and settings\Doug Hovelson\QCSetup_2_7.exe
2010-03-06 02:33 . 2007-08-28 03:53   --------   d-----w-   c:\program files\Google
2010-02-22 05:19 . 2010-02-22 05:10   --------   d-----w-   c:\documents and settings\Doug Hovelson\Application Data\Scribus
2010-02-21 19:37 . 2009-11-06 22:20   206616   ----a-w-   c:\documents and settings\John Butane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-21 05:17 . 2007-01-08 21:37   206616   -c--a-w-   c:\documents and settings\Doug Hovelson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-21 04:27 . 2009-03-02 20:19   --------   d-----w-   c:\program files\OpenOffice.org 3
2010-02-18 07:23 . 2007-06-26 04:44   736   -c--a-w-   c:\documents and settings\Edwin Stritt\Application Data\wklnhst.dat
2010-02-18 06:37 . 2010-02-18 06:37   --------   d-----w-   c:\documents and settings\Edwin Stritt\Application Data\Windows Search
2010-02-12 07:59 . 2009-04-17 05:37   --------   d-----w-   c:\documents and settings\Doug Hovelson\Application Data\Notepad++
2005-10-10 23:08 . 2008-02-08 09:29   492032   -c--a-w-   c:\program files\Encrypt.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{03e037d3-f080-4c0b-bdb5-a70c693ae36d}"= "c:\program files\Labpixies\tbLab0.dll" [2010-02-18 2349080]

[HKEY_CLASSES_ROOT\clsid\{03e037d3-f080-4c0b-bdb5-a70c693ae36d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03e037d3-f080-4c0b-bdb5-a70c693ae36d}]
2010-02-18 06:39   2349080   ----a-w-   c:\program files\Labpixies\tbLab0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-09 02:29   1174920   ----a-w-   c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{03e037d3-f080-4c0b-bdb5-a70c693ae36d}"= "c:\program files\Labpixies\tbLab0.dll" [2010-02-18 2349080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-09 1174920]

[HKEY_CLASSES_ROOT\clsid\{03e037d3-f080-4c0b-bdb5-a70c693ae36d}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{03E037D3-F080-4C0B-BDB5-A70C693AE36D}"= "c:\program files\Labpixies\tbLab0.dll" [2010-02-18 2349080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-09 1174920]

[HKEY_CLASSES_ROOT\clsid\{03e037d3-f080-4c0b-bdb5-a70c693ae36d}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19   94208   ----a-w-   c:\documents and settings\Doug Hovelson\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19   94208   ----a-w-   c:\documents and settings\Doug Hovelson\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19   94208   ----a-w-   c:\documents and settings\Doug Hovelson\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2009-05-04 479232]
"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2008-03-12 32768]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WinColorReminder"="c:\program files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColorReminder.exe" [2005-10-31 101120]
"Google Update"="c:\documents and settings\Doug Hovelson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-11 135664]
"Nero PhotoShow Media Manager"="c:\progra~1\Nero\NEROPH~1\data\xtras\mssysmgr.exe" [2006-05-10 249856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"QuickCare"="c:\program files\Qwest\Quickcare\bin\sprtcmd.exe" [2010-01-16 206120]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-11 738968]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 23:45   10800   ------w-   c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Doug Hovelson^Start Menu^Programs^Startup^Automotix.lnk]
backup=c:\windows\pss\Automotix.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Doug Hovelson^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Doug Hovelson\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Doug Hovelson^Start Menu^Programs^Startup^magicBlock.lnk]
path=c:\documents and settings\Doug Hovelson\Start Menu\Programs\Startup\magicBlock.lnk
backup=c:\windows\pss\magicBlock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Doug Hovelson^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-11 20:21   135664   ----atw-   c:\documents and settings\Doug Hovelson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SystemSuite Task Manager"=3 (0x3)
"stlisten"=3 (0x3)
"stdiscover"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"GoToMyPC"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\VCOM\\SystemSuite\\SSuite.exe"=
"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\web server extensions\\40\\bin\\tcptest.exe"=
"c:\\Documents and Settings\\John Butane\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Edwin Stritt\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Doug Hovelson\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"d:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Documents and Settings\\Doug Hovelson\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=
"d:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [3/11/2010 1:47 AM 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [3/11/2010 1:47 AM 185640]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [11/8/2009 2:07 AM 13384]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [11/7/2009 10:22 PM 10688]
S1 hrblretf;hrblretf;\??\c:\windows\system32\drivers\hrblretf.sys --> c:\windows\system32\drivers\hrblretf.sys [?]
S1 ktkcdkob;ktkcdkob;\??\c:\windows\system32\drivers\ktkcdkob.sys --> c:\windows\system32\drivers\ktkcdkob.sys [?]
S1 kwsgqubr;kwsgqubr;\??\c:\windows\system32\drivers\kwsgqubr.sys --> c:\windows\system32\drivers\kwsgqubr.sys [?]
S1 MpKsl1e7d6095;MpKsl1e7d6095;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E63B5724-3F1D-4899-85FC-2BDE796F2561}\MpKsl1e7d6095.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E63B5724-3F1D-4899-85FC-2BDE796F2561}\MpKsl1e7d6095.sys [?]
S1 oguxxapp;oguxxapp;\??\c:\windows\system32\drivers\oguxxapp.sys --> c:\windows\system32\drivers\oguxxapp.sys [?]
S1 rbgxykav;rbgxykav;\??\c:\windows\system32\drivers\rbgxykav.sys --> c:\windows\system32\drivers\rbgxykav.sys [?]
S1 tlayckgw;tlayckgw;\??\c:\windows\system32\drivers\tlayckgw.sys --> c:\windows\system32\drivers\tlayckgw.sys [?]
S1 ugwlqgve;ugwlqgve;\??\c:\windows\system32\drivers\ugwlqgve.sys --> c:\windows\system32\drivers\ugwlqgve.sys [?]
S1 vuaymudx;vuaymudx;\??\c:\windows\system32\drivers\vuaymudx.sys --> c:\windows\system32\drivers\vuaymudx.sys [?]
S2 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2/8/2008 7:33 AM 43544]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [10/27/2008 5:54 PM 22408]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 TFilter;TFilter;\??\c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys --> c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [?]
S3 Uvnc_service;Uvnc_service;d:\program files\UltraVNC Addons\uvnc_service.exe [11/8/2009 2:07 AM 63296]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/11/2009 3:21 PM 135664]
S4 RsFx0101;RsFx0101 Driver;c:\windows\system32\drivers\RsFx0101.sys [2/8/2008 7:27 AM 239128]
S4 stdiscover;Sun Service Tag Discovery;c:\program files\Sun\servicetag\stdiscoverer.exe [4/30/2008 3:35 PM 73728]
S4 stlisten;Sun Service Tag Listener;c:\program files\Sun\servicetag\stlisten.exe [4/30/2008 3:35 PM 78336]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://www.bing.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to  Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Doug Hovelson\Application Data\Mozilla\Firefox\Profiles\if9daj08.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=MSNTDF&PC=MSNTDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mirostart.com/?cfg=2-73-0-3xSQ\n
FF - component: c:\documents and settings\Doug Hovelson\Application Data\Mozilla\Firefox\Profiles\if9daj08.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\Doug Hovelson\Application Data\Mozilla\Firefox\Profiles\if9daj08.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - component: c:\program files\MSN Toolbar\Platform\5.0.1051.0\Firefox\components\DomBridge.dll
FF - plugin: c:\documents and settings\Doug Hovelson\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\MSN Toolbar\Platform\5.0.1051.0\npwinext.dll
FF - plugin: c:\program files\OpenOffice.org 3\program\npsoplugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
.txt=CopyWriter TXT-File
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 01:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-776561741-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\System32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\spoolsv.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\windows\system32\svchost.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\svchost.exe
c:\windows\System32\svchost.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\System32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\svchost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wuauclt.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\documents and settings\Doug Hovelson\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\alg.exe
c:\windows\system32\wuauclt.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-12  02:07:43 - machine was rebooted
ComboFix-quarantined-files.txt  2010-04-12 07:07
ComboFix2.txt  2010-04-10 09:09
ComboFix3.txt  2010-04-08 20:38

Pre-Run: 40,612,204,544 bytes free
Post-Run: 41,231,343,616 bytes free

- - End Of File - - BC12F2509F01077D3DBA257EEFEE76ED
Logged

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #38 on: April 12, 2010, 01:27:40 AM »
K27, seems like I can't figure out how to disable the Avanquest firewall, which I see is listed as enabled. It's not my primary firewall, I thought I'd disabled it for good...don't know if this makes a difference? The only thing I can think of is that there seems to be an old Avanquest/SystemSuite program on the computer that was supposedly deleted when I upgraded to a new version few years back...guess I could delete the whole program...well, thanks for the work - what a process this is! - cedarguy
Logged

Offline K27

  • Malware Removal Staff
  • Gold Member
  • Posts: 2342
    • Go Good IT Solutions
Re: [In Progress] Redirect searches
« Reply #39 on: April 12, 2010, 05:33:57 AM »
cedarguy,

Please post the log located at C:\Qoobox\Add-Remove Programs.txt

Thanks,
K27.
Logged
SpywareHammer - Knowledgebase

The internet is the new age battle of the old age clash between good and evil

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #40 on: April 12, 2010, 12:56:08 PM »
K27, here's that log from the Qoobox folder - thanks - (I thought that I'd unloaded LabPixies...) cedarguy

1-2-3 PayPal Website Payments
AAScripter v2.0
Acrobat.com
ActivePerl 5.10.0 Build 1005
ActivePerl 5.6.1 Build 630
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.1
Adobe Shockwave Player 11.5
Adobe SVG Viewer 3.0
AdsenseCoder
Anfy
Apache HTTP Server 2.0.58
Apache Tomcat 6.0.18
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Automotix (remove only)
AutoSum Add-in for Microsoft FrontPage
AutoXray EZ-Update (remove only)
AutoXray USB to SDL Serial Cable 531563
AVS Audio Editor version 4.2
AVS Update Manager 1.0
AVS4YOU Software Navigator 1.3
Bing Bar
Bing Bar Platform
Bing Toolbar
BitMeter
Bonjour
Book Search Pro
CallingID
Carl Zeiss
CCleaner (remove only)
Clipboard Live
CloudBerry Twitter Plug-in for IE 1.0
Code Snippet Editor
CodeSnap Classic
Compatibility Pack for the 2007 Office system
CopyWriter 3.00
Creative Commons Add-in for Microsoft Office
Critical Update for Windows Media Player 11 (KB959772)
Customizable Alerts
Danere StyleMaker v1.4
del.icio.us Buttons for Internet Explorer
DHTML Help Add-In for Microsoft FrontPage
Dia (remove only)
Digital Locker Assistant
DIGOpt
Disk Manager
Document Selector Add-in
Driver Genius Professional Edition 2007
Dropbox
EditRocket 3.4.1
Egg
EPSON Printer Software
Evernote
FBIde 0.4.6 + FreeBASIC 0.15
FOREXTrader
Form Fill (Windows Live Toolbar)
FOX News Live
FreeSpell+ProSpell (remove only)
FrontPage Theme Cleaner
GIMP 2.6.6
Global ProBiz Business Card Maker
Google Chrome
Google Chrome Frame
Google Gears
Google Update Helper
Google Updater
GPL Ghostscript 8.63
Hidden Utilities XP
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Basic 2008 Express Edition SP1 (Beta) - ENU (KB945282)
Hotfix for Microsoft Visual Basic 2008 Express Edition SP1 (Beta) - ENU (KB946040)
Hotfix for Microsoft Visual Basic 2008 Express Edition SP1 (Beta) - ENU (KB946308)
Hotfix for Microsoft Visual Basic 2008 Express Edition SP1 (Beta) - ENU (KB946344)
Hotfix for Microsoft Visual Basic 2008 Express Edition SP1 (Beta) - ENU (KB947540)
Hotfix for Microsoft Visual Basic 2008 Express Edition SP1 (Beta) - ENU (KB947789)
Hotfix for Microsoft Visual Basic 2008 Express Edition SP1 (Beta) - ENU (KB948127)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946344)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946581)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB951708)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
How-To Series Windows Forms Controls VB 08
IIS Diagnostics Toolkit January 2006 (x86)
Image Components
ImageWorkerSetup
Inkscape 0.46
Insert File Plugin for Windows Live Writer
Internet Information Services (IIS) 7.0 Manager
IrfanView (remove only)
IsoBuster 2.6
iTunes
Java Auto Updater
Java(TM) 6 Update 19
Java(TM) SE Development Kit 7
Jimco Meta
Jimco Open Web
Jimco Scripter 2.0
Jimco Style Sheet Links
Junk Mail filter update
Labpixies Toolbar
Live Writer Code Prettify Plugin
LocalCooling 1.04
Magic Map (North America Edition)
magicBlock
Malwarebytes' Anti-Malware
Management-Ware Mass Mailing News
Map Button (Windows Live Toolbar)
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft ASP.NET 2.0 AJAX Extensions 1.0
Microsoft ASP.NET MVC RC
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Color Control Panel Applet for Windows XP
Microsoft Default Manager
Microsoft Device Emulator version 3.0 - ENU
Microsoft Direct Mail Manager
Microsoft Document Explorer 2008
Microsoft Expression Media 2 SP2
Microsoft FrontPage 2000 SR-1
Microsoft FxCop 1.35
Microsoft Office 2000 SR-1 Professional
Microsoft Office 2000 Web Archive Add-On
Microsoft Office 2003 International Character Toolbar
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office 2003 WordprocessingML Transform Inference Tool
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Converter Pack
Microsoft Office Excel Viewer 2003
Microsoft Office Live Add-in 1.3
Microsoft Office PowerPoint Viewer 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
Microsoft Office SharePoint Designer MUI (English) 2007
Microsoft Office Spreadsheet Updated Function Reference
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Office XP Primary Interop Assemblies
Microsoft Outlook 2000 OST Integrity Check Tool
Microsoft Picture It! Express 9
Microsoft Publisher 2000 SR-1
Microsoft Search Enhancement Pack
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Silverlight 3 Beta SDK
Microsoft Silverlight Tools for Visual Web Developer Express 2008 SP1 - ENU
Microsoft Software Update for Web Folders  (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server 2008
Microsoft SQL Server 2008 (SQLEXPRESS)
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Express Edition
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files (English)
Microsoft SQL Server 2008 Tools
Microsoft SQL Server Compact 3.5 for Devices ENU
Microsoft SQL Server Compact 3.5 SP1 Design Tools English Beta
Microsoft SQL Server Compact 3.5 SP1 English Beta
Microsoft SQL Server Database Publishing Wizard 1.3
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework 2.0 Core Components (x86) ENU
Microsoft Sync Framework 2.0 Provider Services (x86) ENU
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual Basic 2008 Express Edition SP1 (Beta) - ENU
Microsoft Visual Basic Power Packs 3.0
Microsoft Visual Basic Professional Step by Step
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30428
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual Keyboard
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2008 Remote Debugger - ENU
Microsoft Visual Studio Web Authoring Component
Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU
Microsoft Web Platform Installer 2.0
Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
Microsoft Windows SDK for Visual Studio 2008 SP1 (Beta) Express Tools for .NET Framework
Microsoft Windows SDK for Visual Studio 2008 SP1 (Beta) Express Tools for Win32
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Web - enu
Microsoft Windows SDK for Visual Studio 2008 Tools
Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Word 2002
Microsoft® Stock Actions for the Research Task Pane
Mihov Image Resizer 1.1 (remove only)
Miro
MobileMe Control Panel
Mozilla Firefox (3.6.3)
MSDN Library for Visual Studio 2008 - ENU
MSDN Library for Visual Studio 2008 Express Editions SP1
MSN
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
Nero PhotoShow Express 4
neroxml
NetBeans IDE 6.7 RC1
Notepad++
Office 2003 Add-in Latin and Cyrillic Transliteration
Office Update Answer Wizard Extension for Office 2000
OneCare Advisor (Windows Live Toolbar)
Open XML SDK 2.0 August 2009 CTP for Microsoft Office
OpenOffice.org 3.2
Opera 10.10
OverDrive Media Console
Paint.NET v3.36
PDFCreator
PHP Rocket Add-in 1.2 and PHP 4.06
Picasa 3
Picasa Plugin for Windows Live Writer
Platform
Polaroid Picture v1.7
Popup Blocker (Windows Live Toolbar)
Postbox (1.0b10)
PrimoPDF
PrimoPDF Redistribution Package
ProWrite 2005
PSPad editor
Quick Templates
QuickTime
Qwest Quickcare 2.7
RealPlayer
Remove Hidden Data Tool
Rhapsody Player Engine
RingCentral Call Controller
S3GSetup
Safari
Scribus 1.3.6svn
Scripting Help Add-In for Microsoft FrontPage
ScrubberSetup
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Seesmic Desktop
Seesmic Look
Segoe UI
Serif PagePlus 9.0
Serif PagePlus X2
Serif PagePlus X2 Resources
Serif PhotoPlus 6.0
Server-Side Include Add-in (SSIbot)
SiteSpinner V2.7
Smart Menus (Windows Live Toolbar)
SmartDraw 2007
SmartDraw PDF Filter
Sony Player Plug-in for Windows Media Player
Sothink SlidingMenu 2.0
SQL Server System CLR Types
StumbleUpon IE Toolbar
Sun Download Manager 2.0 (web)
Sun GlassFish Enterprise Server v2.1
Sun GlassFish Enterprise Server v3 Prelude
Sun Service Tags
Sun(TM) Download Manager 2.0
Surf Canyon Search Engine Assistant
SyncToy 2.1 (x86)
Tabbed Browsing (Windows Live Toolbar)
Tag Inspector Add-in 1.0
TaxCut 2002
Times Reader
TopStyle Lite (Version 3.0)
TweetDeck
UltraVNC 1.0.8.2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Visual Studio Web Authoring Component (KB945140)
Update for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB967144)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Platform Device Manager
Visual C++ 2008 x86 Runtime - (v9.0.30428)
Visual C++ 2008 x86 Runtime - v9.0.30428.01
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (Beta)
VLC media player 1.0.3
w3compiler
Web Deployment Tool Beta 2
WebEx
Winamp
Windows 7 Upgrade Advisor
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Favorites for Windows Live Toolbar
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Live Upload Tool
Windows Live Writer
Windows Live Writer Blog This for Mozilla Firefox
Windows Live Writer Contacts Plug In
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Mobile 5.0 SDK R2 for Pocket PC
Windows Mobile 5.0 SDK R2 for Smartphone
Windows PowerShell(TM) 1.0
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
WLW Bit.ly
WordpressThemeGen
XAMPP 1.7.1
Xara FrontPage Add-in 1.0
Xara ScreenMaker3D
XML Notepad 2007
XML to Schema
XML:Wrench
XZAKT Media FrontFX PrintWeb
Yahoo! Install Manager
Zemanta for Live Writer 0.61.0
Logged

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #41 on: April 12, 2010, 01:05:19 PM »
K27, I'll remove Labpixies unless you say otherwise...cedarguy
Logged

Offline K27

  • Malware Removal Staff
  • Gold Member
  • Posts: 2342
    • Go Good IT Solutions
Re: [In Progress] Redirect searches
« Reply #42 on: April 12, 2010, 01:07:55 PM »
Please remove Labpixies and Ask toolbar bar,

Thanks
Logged
SpywareHammer - Knowledgebase

The internet is the new age battle of the old age clash between good and evil

Offline K27

  • Malware Removal Staff
  • Gold Member
  • Posts: 2342
    • Go Good IT Solutions
Re: [In Progress] Redirect searches
« Reply #43 on: April 12, 2010, 01:34:57 PM »
cedarguy,

Please go to VirSCAN where you will see a browse button at the top of the screen.
  • Click the Browse button
  • Locate the following file(s)

c:\windows\system32\drivers\hrblretf.sys
c:\windows\system32\drivers\kwsgqubr.sys
c:\windows\system32\drivers\ugwlqgve.sys

  • Click Upload button
  • Once the scan has finished, click the Save to Clipboard button at the bottom of the page
  • Open Notepad and right click and then click paste
  • Post Report(s) back to this thread

Note: you may need to show hidden files to locate the files requested:

Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Look for "Hidden files and folders"
Select "Show hidden files and folders"
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:

  • Search System folders
  • Search Hidden Files and folders
  • Search SubFolders

Remember to hide hidden files/folders by reversing the action when you have finished


Please post the report back to this thread.

Thanks,
K27
Logged
SpywareHammer - Knowledgebase

The internet is the new age battle of the old age clash between good and evil

Offline cedarguy

  • Bronze Member
  • Posts: 40
Re: [In Progress] Redirect searches
« Reply #44 on: April 12, 2010, 03:09:16 PM »
K27, I've run the latest scans - the files in question were in a different place than indicated on my computer, I had to locate them and save them to desktop to run them through the virus scanner. So they are named slightly different from the original files...anyway, here's the first of the three this one is for kwsgqubr.sys...cedarguy

VirSCAN.org Scanned Report :
Scanned time   : 2010/04/12 15:40:50 (CDT)
Scanner results: Scanners did not find malware!
File Name      : kws.nfo
File Size      : 6017814 byte
File Type      :
MD5            : 4f8b9930f37950606e9ffae9c0b33741
SHA1           : 41c21a56bd612e3c8ca356313527bd880850680d
Online report  : http://virscan.org/report/182f68a7d11cb87b5f76e0d645a09f11.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.8         20100413043122    2010-04-13  0.08   -
AhnLab V3      2010.04.11.00   2010.04.11        2010-04-11  0.08   -
AntiVir        8.2.1.210       7.10.6.64         2010-04-12  0.25   -
Antiy          2.0.18          20100412.4183175  2010-04-12  0.02   -
Arcavir        2009            201004121326      2010-04-12  0.10   -
Authentium     5.1.1           201004121504      2010-04-12  1.32   -
AVAST!         4.7.4           100412-1          2010-04-12  0.25   -
AVG            8.5.720         271.1.1/2806      2010-04-12  0.24   -
BitDefender    7.81008.5613128 7.31178           2010-04-13  3.63   -
ClamAV         0.95.3          10730             2010-04-12  0.25   -
Comodo         3.13.579        4580              2010-04-12  0.08   -
CP Secure      1.3.0.5         2010.04.13        2010-04-13  0.27   -
Dr.Web         5.0.2.3300      2010.04.13        2010-04-13  6.51   -
F-Prot         4.4.4.56        20100412          2010-04-12  1.25   -
F-Secure       7.02.73807      2010.04.12.10     2010-04-12  10.66  -
Fortinet       4.0.14          11.689            2010-04-12  0.08   -
GData          19.10986/19.881 20100412          2010-04-12  0.08   -
ViRobot        20100412        2010.04.12        2010-04-12  0.08   -
Ikarus         T3.1.01.80      2010.04.12.75611  2010-04-12  5.70   -
JiangMin       13.0.900        2010.04.12        2010-04-12  0.08   -
Kaspersky      5.5.10          2010.04.11        2010-04-11  0.03   -
KingSoft       2009.2.5.15     2010.4.12.21      2010-04-12  0.08   -
McAfee         5400.1158       5945              2010-04-08  0.02   -
Microsoft      1.5605          2010.04.12        2010-04-12  0.08   -
Norman         6.04.11         6.04.00           2010-04-12  6.01   -
Panda          9.05.01         2010.04.12        2010-04-12  0.08   -
Trend Micro    9.120-1004      6.992.01          2010-04-12  0.02   -
Quick Heal     10.00           2010.04.12        2010-04-12  0.08   -
Rising         20.0            22.43.00.04       2010-04-12  0.08   -
Sophos         3.06.0          4.52              2010-04-13  3.46   -
Sunbelt        3.9.2412.2      6167              2010-04-12  0.08   -
Symantec       1.3.0.24        20100412.003      2010-04-12  0.14   -
nProtect       20100412.03     7941349           2010-04-12  0.08   -
The Hacker     6.5.2.0         v00259            2010-04-12  0.08   -
VBA32          3.12.12.4       20100408.2021     2010-04-08  2.81   -
VirusBuster    4.5.11.10       10.124.6/2045053  2010-04-12  2.51   -
Logged
Pages: 1 2 [3] 4 5   Go Up
« previous next »