Infected with findgala.com redirection of search engines


19 replies to this topic

#1 pwaug

Posted 15 February 2010 - 08:03 PM

In spite of selling Digital and then HP computers for over 20 years I am not too technical, so please bear with me.
I was infected with the Security Antivirus 2 days ago while searching the web. I immediately knew something was wrong, so went to the Program listing and uninstalled all the strange programs associated with this Security breach I was receiving. This seemed to work as the Security breach messages stopped appearing. However, when I went to do a Google search my browser was redirected to Findgala.com.

I went through all of the steps in the "Automated Removal Instructions for Security Antivirus using Malwarebytes' Anti-Malware" process. After the Malwarebytes' scan 4 items were listed, which I removed. I had difficulty with deleting the C:\Windows\System32\Drivers\etc\HOSTS file and downloading the new HOST settings and was not sure the process worked. After reboot the Findgala.com problem still existed.

I ran the Malwarebytes' scan again and it listed no infections so went through the deleting process again for the
C:\Windows\System32\Drivers\etc\HOSTS file and loading the new files and again had problems. After rebooting the Findgala.com redirection of Google was still present.

I am not sure that I completed these last two steps correctly.

Will appreciate any help you can provide.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Paul at 18:58:34.25 on Mon 02/15/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1833 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\comcasttb\CIDGlobalLight.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Paul\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uWindow Title = Windows Internet Explorer provided by Comcast
uDefault_Page_URL = hxxp://www.comcast.net?cid=ie8_0904
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Search_URL = hxxp://my.netzero.net/s/search?r=minisearch
mSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
mSearchAssistant = hxxp://my.netzero.net/s/search?r=minisearch
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
uRun: [ComcastAntispyClient] "c:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [hpsysdrv] "c:\hp\support\hpsysdrv.exe"
mRun: [RtHDVCpl] "c:\windows\RtHDVCpl.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229549419612
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-12 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-12 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-12 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100210.001\IDSvix86.sys [2010-2-12 343088]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-12 117640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-7 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-12 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0308000.029\symndisv.sys [2010-2-12 48688]
S3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [2009-8-17 87040]
S3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [2009-8-17 28928]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-19 21504]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-2 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-2 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-2 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-2 40552]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [2008-3-27 116992]
S3 rcmirror;rcmirror;c:\windows\system32\drivers\rcmirror.sys [2007-12-14 5120]

=============== Created Last 30 ================

2010-02-15 22:51:50 0 ----a-w- c:\users\paul\defogger_reenable
2010-02-15 17:13:42 0 d-----w- c:\users\paul\appdata\roaming\Malwarebytes
2010-02-15 17:13:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 17:13:17 0 d-----w- c:\programdata\Malwarebytes
2010-02-15 17:13:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-15 17:13:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 02:21:20 0 d-----w- c:\program files\Norton Support
2010-02-13 01:43:37 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-13 01:43:37 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-02-13 01:43:35 25648 ----a-w- c:\windows\system32\drivers\SymIMV.sys
2010-02-13 01:43:29 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-13 01:43:29 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-13 01:43:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-13 01:42:49 0 d-----w- c:\program files\Symantec
2010-02-13 01:42:18 0 d-----w- c:\windows\system32\drivers\N360
2010-02-13 01:42:16 0 d-----w- c:\program files\Norton Security Suite
2010-02-13 01:42:15 0 d-----w- c:\programdata\Norton
2010-02-13 01:42:03 0 d-----w- c:\programdata\NortonInstaller
2010-02-13 01:42:03 0 d-----w- c:\program files\NortonInstaller
2010-02-13 00:45:52 310 ----a-w- c:\windows\system32\UnifiedToolbarCleanup.bat
2010-02-12 19:47:06 0 d-sh--w- c:\programdata\SAUQV
2010-02-12 19:46:50 0 d-sh--w- c:\programdata\abb28c2
2010-02-02 02:43:03 0 d-----w- c:\users\paul\appdata\roaming\com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2010-02-02 02:41:57 0 d-----w- c:\program files\ComcastAccess
2010-02-02 02:41:43 0 d-----w- c:\programdata\com.comcast.access
2010-01-28 13:38:38 0 d-----w- c:\programdata\Sun
2010-01-23 23:24:23 1056768 ----a-w- c:\windows\system32\defltbase.sdb
2010-01-23 23:14:11 0 d--h--w- c:\windows\msdownld.tmp

==================== Find3M ====================

2010-02-13 01:43:33 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-13 01:43:33 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-13 01:43:33 143360 ----a-w- c:\windows\inf\infstor.dat
2010-02-10 17:22:07 10126 ----a-w- c:\users\paul\appdata\roaming\wklnhst.dat
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-08 20:01:02 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01:02 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-04 18:30:05 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29:41 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28:52 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28:51 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28:51 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28:49 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28:27 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28:21 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27:12 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-11-03 02:23:24 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-03-19 13:22:58 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-05 19:00:06 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-08-13 01:48:18 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008081220080813\index.dat
2007-12-18 15:08:56 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:59:19.91 ===============
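A triage pass over the DDS log format posted above, added here as an example (it is not part of the DDS tool or of anyone's post in this thread). It splits the log into its banner sections and flags three things a helper would want to look at in the first log: hidden+system folders created close to the incident date, orphaned BHO/toolbar entries reported as "No File", and `EnableLUA = 0` (UAC disabled). The sample lines are copied from the log above; the incident date 2010-02-13 is an assumption taken from the poster's "2 days ago".

```python
"""Triage helper for the DDS log format used in this thread (added example)."""
import re
from datetime import datetime

# Sample lines copied from the DDS log posted above (a small subset of the full log).
SAMPLE_DDS = """
============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

=============== Created Last 30 ================

2010-02-15 17:13:16 0 d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2010-02-13 00:45:52 310 ----a-w- c:\\windows\\system32\\UnifiedToolbarCleanup.bat
2010-02-12 19:47:06 0 d-sh--w- c:\\programdata\\SAUQV
2010-02-12 19:46:50 0 d-sh--w- c:\\programdata\\abb28c2
2010-01-23 23:14:11 0 d--h--w- c:\\windows\\msdownld.tmp
"""

# "=== Section Name ===" banners that separate the DDS report into sections.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# File entries in "Created Last 30" / "Find3M": date time size attributes path
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
# Browser Helper Objects / toolbars whose registered DLL no longer exists on disk.
ORPHAN_RE = re.compile(r"^(BHO|TB): (.+) - No File$")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")


def split_sections(text):
    """Return {section name: [non-empty lines]} keyed by the banner headings."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage_dds(text, incident_day, window_days=2):
    """Flag hidden+system folders created within window_days of the incident,
    orphaned BHO/TB entries, and UAC being switched off.

    incident_day is a 'YYYY-MM-DD' string (here an assumption from the post)."""
    incident = datetime.strptime(incident_day, "%Y-%m-%d").date()
    sections = split_sections(text)
    findings = {"hidden_system_dirs": [], "orphaned_addons": [], "uac_disabled": False}

    for line in sections.get("Created Last 30", []):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        attrs, path = m.group(4), m.group(5)
        # Attribute string: 'd' = directory, 's' = system, 'h' = hidden.
        # A freshly created hidden+system folder under ProgramData is the kind
        # of entry a helper asks about first; it is a lead, not proof of malware.
        if attrs[0] == "d" and "s" in attrs and "h" in attrs:
            if abs((created - incident).days) <= window_days:
                findings["hidden_system_dirs"].append(path)

    for line in sections.get("Pseudo HJT Report", []):
        m = ORPHAN_RE.match(line)
        if m:
            findings["orphaned_addons"].append((m.group(1), m.group(2)))
        m = POLICY_RE.match(line)
        if m and m.group(1) == "EnableLUA" and m.group(2) == "0":
            findings["uac_disabled"] = True
    return findings


if __name__ == "__main__":
    for key, value in triage_dds(SAMPLE_DDS, "2010-02-13").items():
        print(f"{key}: {value}")
```

Running it against the sample reports the two hidden system folders under c:\programdata, the two "No File" add-ons and the disabled UAC policy; note that `EnableLUA = 0` is present in the first log in this thread but absent from the second.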


#2 Farbar

Posted 19 February 2010 - 06:31 AM

Hi pwaug,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved yet please update me on the current condition of your computer and provide me with the fresh logs.

#3 pwaug

Posted 19 February 2010 - 08:07 AM

farbar,

I still have the findgala.com virus. It only seems to be affecting Google through Windows Explorer and no other search engines. Since I have reported the problems I haven't done any scans, updates or installed new apps, etc., but I have deleted files from my document folders, although these were old files.

Do you still need fresh logs?

Thanks,

pwaug

#4 Farbar

Posted 19 February 2010 - 09:57 AM

No need for new logs pwaug.

Let's start with some routine cleaning.
  1. You still have some leftovers from an incompletely uninstalled McAfee AntiVirus on your computer.
    To remove McAfee AntiVirus I recommend you use the McAfee Consumer Product Removal tool (MCPR.exe).

    For the download and instructions to use the McAfee Consumer Product Removal tool, click on majorgeeks.com

  2. You have the latest version of Java (Java 6 Update 18), which is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components:
    Click "start" and then the "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    Java™ 6 Update 7
    Java™ SE Runtime Environment 6 Update 1


  3. To Clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Settings > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
      • Delete Files
      • View Applications
      • View Applets
    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.

  4. You may want to keep this small application and use it to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

      Note: Please don't use the registry cleaner of CCleaner or any other registry cleaner unless you know what you are doing.

  5. Optional: Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This is a change from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if you are using it:

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it, also remove this folder: C:\Program Files\Viewpoint

  6. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  7. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt


#5 pwaug

Posted 19 February 2010 - 11:57 AM

I completed all steps as outlined including removal of Viewpoint. Malware found no infections and did not ask me to restart. Google is still being redirected to Findgala.com
Thanks for your help and please let me know next steps.

pwaug

Here are the logs:

Malwarebytes' Anti-Malware 1.44
Database version: 3761
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

2/19/2010 11:46:40 AM
mbam-log-2010-02-19 (11-46-40).txt

Scan type: Quick Scan
Objects scanned: 102001
Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS (Ver_09-12-01.01) - NTFSx86
Run by Paul at 11:51:20.99 on Fri 02/19/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1581 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\comcasttb\CIDGlobalLight.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Paul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ND5GE4J6\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uWindow Title = Windows Internet Explorer provided by Comcast
uDefault_Page_URL = hxxp://www.comcast.net?cid=ie8_0904
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Search_URL = hxxp://my.netzero.net/s/search?r=minisearch
mSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
mSearchAssistant = hxxp://my.netzero.net/s/search?r=minisearch
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
uRun: [ComcastAntispyClient] "c:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [hpsysdrv] "c:\hp\support\hpsysdrv.exe"
mRun: [RtHDVCpl] "c:\windows\RtHDVCpl.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229549419612
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-12 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-12 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-12 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100210.001\IDSvix86.sys [2010-2-12 343088]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-12 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-12 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0308000.029\symndisv.sys [2010-2-12 48688]
S3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [2009-8-17 87040]
S3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [2009-8-17 28928]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-19 21504]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [2008-3-27 116992]
S3 rcmirror;rcmirror;c:\windows\system32\drivers\rcmirror.sys [2007-12-14 5120]

=============== Created Last 30 ================

2010-02-19 16:24:37 0 d-----w- c:\programdata\Yahoo! Companion
2010-02-19 16:24:32 0 d-----w- c:\program files\CCleaner
2010-02-19 15:54:59 0 ----a-w- c:\windows\system32\RENE58F.tmp
2010-02-19 15:54:59 0 ----a-w- c:\windows\system32\RENE58E.tmp
2010-02-19 15:54:59 0 ----a-w- c:\windows\system32\RENE57E.tmp
2010-02-15 22:51:50 0 ----a-w- c:\users\paul\defogger_reenable
2010-02-15 17:13:42 0 d-----w- c:\users\paul\appdata\roaming\Malwarebytes
2010-02-15 17:13:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 17:13:17 0 d-----w- c:\programdata\Malwarebytes
2010-02-15 17:13:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-15 17:13:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 02:21:20 0 d-----w- c:\program files\Norton Support
2010-02-13 01:43:37 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-13 01:43:37 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-02-13 01:43:35 25648 ----a-w- c:\windows\system32\drivers\SymIMV.sys
2010-02-13 01:43:29 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-13 01:43:29 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-13 01:43:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-13 01:42:49 0 d-----w- c:\program files\Symantec
2010-02-13 01:42:18 0 d-----w- c:\windows\system32\drivers\N360
2010-02-13 01:42:16 0 d-----w- c:\program files\Norton Security Suite
2010-02-13 01:42:15 0 d-----w- c:\programdata\Norton
2010-02-13 01:42:03 0 d-----w- c:\programdata\NortonInstaller
2010-02-13 01:42:03 0 d-----w- c:\program files\NortonInstaller
2010-02-13 00:45:52 310 ----a-w- c:\windows\system32\UnifiedToolbarCleanup.bat
2010-02-12 19:47:06 0 d-sh--w- c:\programdata\SAUQV
2010-02-12 19:46:50 0 d-sh--w- c:\programdata\abb28c2
2010-02-02 02:43:03 0 d-----w- c:\users\paul\appdata\roaming\com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2010-02-02 02:41:57 0 d-----w- c:\program files\ComcastAccess
2010-02-02 02:41:43 0 d-----w- c:\programdata\com.comcast.access
2010-01-28 13:38:38 0 d-----w- c:\programdata\Sun
2010-01-23 23:24:23 1056768 ----a-w- c:\windows\system32\defltbase.sdb
2010-01-23 23:14:11 0 d--h--w- c:\windows\msdownld.tmp

==================== Find3M ====================

2010-02-19 16:48:06 10328 ----a-w- c:\users\paul\appdata\roaming\wklnhst.dat
2010-02-13 01:43:33 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-13 01:43:33 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-13 01:43:33 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-08 20:01:02 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01:02 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-04 18:30:05 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29:41 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28:52 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28:51 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28:51 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28:49 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28:27 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28:21 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27:12 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-11-03 02:23:24 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-03-19 13:22:58 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-05 19:00:06 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-08-13 01:48:18 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008081220080813\index.dat
2007-12-18 15:08:56 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 11:52:03.85 ===============


#6 Farbar

  • Security Developer

Posted 19 February 2010 - 12:08 PM

You need to disable Norton properly before running ComboFix.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#7 pwaug

  • Topic Starter

Posted 19 February 2010 - 02:45 PM

Combo Fix logs:

ComboFix 10-02-18.09 - Paul 02/19/2010 14:28:01.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2179 [GMT -5:00]
Running from: c:\users\Paul\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1347099794-415979838-337147864-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\windows\msvrc20.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-19 19:33 . 2010-02-19 19:33 -------- d-----w- c:\users\Paul\AppData\Local\temp
2010-02-19 19:33 . 2010-02-19 19:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-19 16:24 . 2010-02-19 16:24 -------- d-----w- c:\programdata\Yahoo! Companion
2010-02-19 16:24 . 2010-02-19 16:24 -------- d-----w- c:\program files\CCleaner
2010-02-19 16:05 . 2010-02-13 17:06 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100219.002\NAVEX32A.DLL
2010-02-19 16:05 . 2010-02-13 17:06 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100219.002\NAVEX15.SYS
2010-02-19 16:05 . 2010-02-13 17:06 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100219.002\NAVENG.SYS
2010-02-19 16:05 . 2010-02-13 17:06 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100219.002\EECTRL.SYS
2010-02-19 16:05 . 2010-02-13 17:06 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100219.002\CCERASER.DLL
2010-02-19 16:05 . 2010-02-13 17:06 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100219.002\ECMSVR32.DLL
2010-02-19 16:05 . 2010-02-13 17:06 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100219.002\NAVENG32.DLL
2010-02-19 16:05 . 2010-02-13 17:06 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100219.002\ERASER.SYS
2010-02-19 15:47 . 2010-02-12 22:41 558448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-15 17:14 . 2010-02-15 17:14 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-15 17:13 . 2010-02-15 17:13 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
2010-02-15 17:13 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 17:13 . 2010-02-15 17:13 -------- d-----w- c:\programdata\Malwarebytes
2010-02-15 17:13 . 2010-02-15 17:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 17:13 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-14 13:44 . 2010-02-14 13:44 -------- d-----w- c:\users\Paul\AppData\Local\ICS
2010-02-14 13:25 . 2010-02-14 13:25 -------- d-----w- c:\users\Paul\AppData\Local\Symantec
2010-02-13 02:21 . 2010-02-14 16:13 -------- d-----w- c:\program files\Norton Support
2010-02-13 02:03 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\Scxpx86.dll
2010-02-13 02:03 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSvix86.sys
2010-02-13 02:03 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSXpx86.sys
2010-02-13 02:03 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSxpx86.dll
2010-02-13 02:03 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSviA64.sys
2010-02-13 01:43 . 2010-02-13 01:42 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-13 01:43 . 2010-02-13 01:42 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-02-13 01:43 . 2010-02-13 01:42 25648 ----a-w- c:\windows\system32\drivers\SymIMV.sys
2010-02-13 01:43 . 2010-02-13 01:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-13 01:42 . 2010-02-14 16:13 -------- d-----w- c:\program files\Symantec
2010-02-13 01:42 . 2010-02-13 01:42 1291104 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-02-13 01:42 . 2010-02-13 01:42 136840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-02-13 01:42 . 2010-02-13 01:42 776952 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-02-13 01:42 . 2010-02-14 16:11 -------- d-----w- c:\windows\system32\drivers\N360
2010-02-13 01:42 . 2010-02-14 16:13 -------- d-----w- c:\program files\Norton Security Suite
2010-02-13 01:42 . 2010-02-13 01:43 -------- d-----w- c:\programdata\Norton
2010-02-13 01:42 . 2010-02-13 01:42 -------- d-----w- c:\programdata\NortonInstaller
2010-02-13 01:42 . 2010-02-13 01:42 -------- d-----w- c:\program files\NortonInstaller
2010-02-13 00:45 . 2010-02-13 00:45 310 ----a-w- c:\windows\system32\UnifiedToolbarCleanup.bat
2010-02-12 19:47 . 2010-02-14 16:13 -------- d-sh--w- c:\programdata\SAUQV
2010-02-12 19:46 . 2010-02-14 16:13 -------- d-sh--w- c:\programdata\abb28c2
2010-02-11 20:28 . 2010-02-11 20:28 1762568 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-02-02 02:43 . 2010-02-02 02:43 -------- d-----w- c:\users\Paul\AppData\Roaming\com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2010-02-02 02:41 . 2010-02-02 02:41 -------- d-----w- c:\program files\ComcastAccess
2010-02-02 02:41 . 2010-02-02 02:41 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-02 02:41 . 2010-02-02 02:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-02 02:41 . 2010-02-02 03:05 -------- d-----w- c:\programdata\com.comcast.access
2010-02-02 02:41 . 2010-02-02 02:42 -------- d-----w- c:\users\Paul\AppData\Local\ComcastAccess
2010-01-23 23:14 . 2010-01-23 23:14 -------- d--h--w- c:\windows\msdownld.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 16:48 . 2007-12-28 12:30 10328 ----a-w- c:\users\Paul\AppData\Roaming\wklnhst.dat
2010-02-19 16:32 . 2008-07-08 02:08 -------- d-----w- c:\programdata\Viewpoint
2010-02-19 16:24 . 2007-12-18 15:58 -------- d-----w- c:\program files\Yahoo!
2010-02-19 15:55 . 2007-12-18 15:50 -------- d-----w- c:\program files\Java
2010-02-19 15:55 . 2007-12-18 15:50 -------- d-----w- c:\program files\Common Files\Java
2010-02-19 15:54 . 2010-02-19 15:54 0 ----a-w- c:\windows\system32\RENE58F.tmp
2010-02-19 15:54 . 2010-02-19 15:54 0 ----a-w- c:\windows\system32\RENE58E.tmp
2010-02-19 15:54 . 2010-02-19 15:54 0 ----a-w- c:\windows\system32\RENE57E.tmp
2010-02-15 23:54 . 2009-05-23 15:04 -------- d-----w- c:\users\Paul\AppData\Roaming\CallingID
2010-02-14 16:13 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-14 16:13 . 2007-12-18 15:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-14 16:13 . 2007-12-18 15:52 -------- d-----w- c:\program files\Microsoft Works
2010-02-14 16:13 . 2007-12-18 15:42 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-02-14 16:13 . 2009-01-13 18:00 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2010-02-13 21:19 . 2007-12-18 15:59 -------- d-----w- c:\programdata\Symantec
2010-02-13 01:42 . 2010-02-13 01:43 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-13 01:42 . 2010-02-13 01:43 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-11 20:37 . 2007-12-18 15:38 -------- d-----w- c:\programdata\WildTangent
2010-02-02 02:41 . 2009-05-06 22:31 144162 ----a-w- c:\users\Paul\AppData\Roaming\Move Networks\uninstall.exe
2010-02-02 02:41 . 2009-12-18 03:27 5603776 ----a-w- c:\users\Paul\AppData\Roaming\Move Networks\plugins\npqmp071706000001.dll
2010-02-02 02:41 . 2008-02-16 00:25 -------- d-----w- c:\users\Paul\AppData\Roaming\Move Networks
2010-01-29 22:15 . 2008-08-16 18:08 -------- d-----w- c:\program files\MSECache
2010-01-21 21:09 . 2008-03-06 01:24 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-12 19:56 . 2010-01-12 19:56 -------- d-----w- c:\program files\Citrix
2010-01-02 06:38 . 2010-01-22 13:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 13:00 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 13:00 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 13:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-01 14:16 . 2008-01-02 20:33 15485984 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\SetupGamesClient.exe
2009-12-26 01:12 . 2009-12-26 01:12 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-18 03:27 . 2009-12-18 03:27 97216 ----a-w- c:\users\Paul\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-17 22:14 . 2008-11-03 04:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-11 11:43 . 2010-02-10 17:26 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-10 17:26 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:01 . 2010-02-10 17:26 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 17:26 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 17:26 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-04 18:30 . 2010-02-10 17:26 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 17:26 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 17:26 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 17:26 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 17:26 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 17:26 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 17:26 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 17:26 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 17:26 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 17:26 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 17:26 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-12-18 15:08 . 2007-12-18 15:03 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2009-02-19 202064]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"RtHDVCpl"="c:\windows\RtHDVCpl.exe" [2008-01-15 4874240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"QuickTime Task"="c:\program files\quicktime\qttask.exe" [2009-05-28 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):c7,15,98,16,20,f7,c9,01

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\N360\0308000.029\SymEFA.sys [2/12/2010 9:33 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\N360\0308000.029\BHDrvx86.sys [2/12/2010 9:33 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\N360\0308000.029\cchpx86.sys [2/12/2010 9:33 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSvix86.sys [2/12/2010 9:03 PM 343088]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 12:49 PM 616408]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/12/2010 9:33 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/12/2010 11:21 AM 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\N360\0308000.029\symndisv.sys [2/12/2010 9:33 PM 48688]
S3 acfva;acfva;c:\windows\System32\drivers\ACFVA32.sys [8/17/2009 7:35 PM 87040]
S3 dgcfltr;DGC Filter Driver;c:\windows\System32\drivers\ACFDCP32.sys [8/17/2009 7:35 PM 28928]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\System32\drivers\mr97310c.sys [3/27/2008 7:14 AM 116992]
S3 rcmirror;rcmirror;c:\windows\System32\drivers\rcmirror.sys [12/14/2007 12:48 PM 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-27 18:51]

2009-03-11 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-03-10 22:15]

2010-02-19 c:\windows\Tasks\User_Feed_Synchronization-{53B7AD21-2174-4C97-B99B-62DA551F2183}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 14:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
.
Completion time: 2010-02-19 14:36:08
ComboFix-quarantined-files.txt 2010-02-19 19:36

Pre-Run: 293,325,828,096 bytes free
Post-Run: 293,276,327,936 bytes free

- - End Of File - - 4A2AD8A5A730A045508A75D87B95F122


#8 Farbar

  • Security Developer

Posted 20 February 2010 - 01:14 AM

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


CODE
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: test.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click test.bat on the desktop.
  • A notepad opens; copy and paste its content (log1.txt) into your reply.


#9 pwaug

  • Topic Starter

Posted 20 February 2010 - 07:44 AM

It would not allow me to save the test.bat to the desktop (said I needed to use administrator, but I was logged in as administrator) so I saved it to another folder and then ran the program.

Here is the file:


Windows IP Configuration

Host Name . . . . . . . . . . . . : Paul-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.pa.comcast.net.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.pa.comcast.net.
Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet
Physical Address. . . . . . . . . : 00-1E-8C-06-39-D6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f85d:dca6:e0dc:120a%8(Preferred)
IPv4 Address. . . . . . . . . . . : 76.120.153.150(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Lease Obtained. . . . . . . . . . : Saturday, February 20, 2010 7:19:34 AM
Lease Expires . . . . . . . . . . : Tuesday, February 23, 2010 7:31:45 PM
Default Gateway . . . . . . . . . : 76.120.152.1
DHCP Server . . . . . . . . . . . : 68.87.75.10
DHCPv6 IAID . . . . . . . . . . . : 201334412
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0E-F9-9D-29-00-1E-8C-06-39-D6
DNS Servers . . . . . . . . . . . : 68.87.75.198
68.87.64.150
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.pa.comcast.net.
Description . . . . . . . . . . . : isatap.hsd1.pa.comcast.net.
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 15:

Connection-specific DNS Suffix . : hsd1.pa.comcast.net.
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:4c78:9996::4c78:9996(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . : 68.87.75.198
68.87.64.150
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: cns.summitpark.pa.pitt.comcast.net
Address: 68.87.75.198

Name: google.com
Address: 66.249.91.104

Server: cns.summitpark.pa.pitt.comcast.net
Address: 68.87.75.198

Name: yahoo.com
Addresses: 69.147.114.224
209.131.36.159
209.191.93.53



Pinging google.com [66.249.80.104] with 32 bytes of data:

Reply from 66.249.80.104: bytes=32 time=19ms TTL=52

Reply from 66.249.80.104: bytes=32 time=21ms TTL=52



Ping statistics for 66.249.80.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 19ms, Maximum = 21ms, Average = 20ms



Pinging yahoo.com [69.147.114.224] with 32 bytes of data:

Reply from 69.147.114.224: bytes=32 time=15ms TTL=52

Reply from 69.147.114.224: bytes=32 time=15ms TTL=52



Ping statistics for 69.147.114.224:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 15ms, Maximum = 15ms, Average = 15ms

===========================================================================
Interface List
8 ...00 1e 8c 06 39 d6 ...... NVIDIA nForce 10/100 Mbps Ethernet
1 ........................... Software Loopback Interface 1
14 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
15 ...00 00 00 00 00 00 00 e0 isatap.hsd1.pa.comcast.net.
16 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 76.120.152.1 76.120.153.150 20
76.120.152.0 255.255.248.0 On-link 76.120.153.150 276
76.120.153.150 255.255.255.255 On-link 76.120.153.150 276
76.120.159.255 255.255.255.255 On-link 76.120.153.150 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 76.120.153.150 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 76.120.153.150 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 1125 ::/0 2002:c058:6301::c058:6301
1 306 ::1/128 On-link
16 1025 2002::/16 On-link
16 281 2002:4c78:9996::4c78:9996/128
On-link
8 276 fe80::/64 On-link
8 276 fe80::f85d:dca6:e0dc:120a/128
On-link
1 306 ff00::/8 On-link
8 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
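The batch file in post #8 pairs nslookup, which asks the DNS server directly, with ping, which resolves through the Windows stack (HOSTS file and DNS cache first), so comparing the two shows whether a redirect sits at the resolver level. The following Python script is added here as an example and is not part of this thread or of any tool used in it: it reads a Log1.txt of that shape and reports the signs a helper looks for. The two logs inside it are constructed after the output above (the LAN side uses documentation addresses), not copies of it; the heuristics (non-public ping target, one address shared by several names) are this example's own.

```python
"""Check a Log1.txt of the shape test.bat produces (ipconfig /all, nslookup,
ping) for resolver-level redirection.  nslookup queries the DNS server
directly; ping resolves through the Windows stack (HOSTS file, DNS cache), so
a name that ping sends to a non-public address, or several names that ping
all sends to one address DNS never returned, points at a local override.
Added example; the logs below are constructed after the output posted in this
thread (documentation addresses on the LAN side), not copied from it."""
import re
from ipaddress import ip_address

# Constructed sample patterned on the clean log posted in this thread.
CLEAN_LOG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.0.2.50(Preferred)
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 198.51.100.10
                                       198.51.100.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
Server:  resolver.example.invalid
Address:  198.51.100.10

Name:    google.com
Address:  66.249.91.104

Server:  resolver.example.invalid
Address:  198.51.100.10

Name:    yahoo.com
Addresses:  69.147.114.224
          209.131.36.159

Pinging google.com [66.249.80.104] with 32 bytes of data:
Reply from 66.249.80.104: bytes=32 time=19ms TTL=52

Pinging yahoo.com [69.147.114.224] with 32 bytes of data:
Reply from 69.147.114.224: bytes=32 time=15ms TTL=52
"""

# Constructed sample of a HOSTS-file style redirect: DNS still answers
# correctly, but the stack resolver sends both names to loopback.
HIJACKED_LOG = (CLEAN_LOG.replace("[66.249.80.104]", "[127.0.0.1]")
                         .replace("[69.147.114.224]", "[127.0.0.1]"))


def _as_ip(text):
    """Return text normalised as an IP address string, or None if it is not one."""
    try:
        return str(ip_address(text.split("%")[0]))  # drop an IPv6 scope id
    except ValueError:
        return None


def parse_log(log):
    """Collect configured DNS servers, the server nslookup was answered by,
    nslookup's answers per name, and the address ping resolved each name to."""
    dns_servers, resolvers_used, answers, pinged = [], [], {}, {}
    target = None  # the list a bare-IP continuation line belongs to
    for line in log.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            target = dns_servers
            target.append(m.group(1))
            continue
        if re.match(r"\s*Server:", line):  # nslookup: which resolver answered
            target = resolvers_used
            continue
        m = re.match(r"\s*Name:\s*(\S+)", line)
        if m:
            target = answers.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s*Address(?:es)?:\s*(\S+)", line)
        if m and target is not None:
            target.append(m.group(1))
            continue
        m = re.match(r"\s*Pinging (\S+) \[([^\]]+)\]", line)
        if m:
            pinged[m.group(1)] = m.group(2)
            target = None
            continue
        ip = _as_ip(line.strip())
        if ip and target is not None:
            target.append(ip)
        else:
            target = None  # any other line ends a continuation block
    return {"dns_servers": dns_servers, "resolvers_used": resolvers_used,
            "answers": answers, "pinged": pinged}


def find_redirect_signs(log):
    """Return human-readable findings; an empty list means nothing odd."""
    info = parse_log(log)
    findings = []
    for srv in info["resolvers_used"]:
        if srv not in info["dns_servers"]:
            findings.append(f"nslookup was answered by {srv}, which ipconfig "
                            f"does not list as a DNS server")
    by_addr = {}
    for name, addr in info["pinged"].items():
        by_addr.setdefault(addr, []).append(name)
        if addr not in info["answers"].get(name, []) and not ip_address(addr).is_global:
            findings.append(f"ping resolved {name} to non-public {addr}, which DNS "
                            f"never returned: HOSTS file or cache override")
    for addr, names in by_addr.items():
        if len(names) > 1 and all(addr not in info["answers"].get(n, []) for n in names):
            findings.append(f"{', '.join(names)} all resolve locally to {addr}: "
                            f"one redirect target for several search engines")
    return findings


if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("hijacked", HIJACKED_LOG)):
        print(label, find_redirect_signs(log) or "no sign of resolver-level redirection")
```

Note that in the log posted above nslookup and ping gave different addresses for google.com (66.249.91.104 against 66.249.80.104); that is ordinary round-robin DNS, which is why the script only reports a ping target that is non-public or shared by several names, and reports nothing for the clean sample, matching the "no redirection at that level" reading in the next post.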


#10 Farbar

  • Security Developer

Posted 20 February 2010 - 09:39 AM

There is no redirection at that level. It is probably limited to IE.

Close Internet Explorer. Go to start > Control Panel > internet options.
  • Under General tab press Delete... then make sure all the sections are checked and click Delete.
  • Under Advanced tab click Restore advanced settings
  • Make sure under Security tab the Default is selected.
  • Also under Privacy tab the Default is selected.
  • Tell me if you get redirected when using Google search.


#11 pwaug

  • Topic Starter

Posted 20 February 2010 - 11:01 AM

I completed the steps as you outlined but Google is still redirected to Findgala.com

#12 Farbar

  • Security Developer

Posted 20 February 2010 - 12:32 PM

We need to do a test. Firefox is a lightweight internet browser and it can be easily installed. You may keep it later on or uninstall it easily.

Please Download Firefox from its official site and save it to your desktop.
  • Run the installer.
  • When it gives you the option to import from IE, select No.
  • After launching it please see if Google searches get redirected in Firefox.


#13 pwaug
  • Topic Starter
  • Members

Posted 21 February 2010 - 05:26 PM

Sorry for the delay in completing this step--had to make a quick overnight trip out of town.

Downloaded Firefox, did a Google search, it worked fine--no redirection to Findgala.com. (Whew, Firefox sure is fast)



#14 Farbar
  • Security Developer
  • Location:The Netherlands

Posted 21 February 2010 - 05:36 PM

No worries about the delay. We have narrowed down the problem to IE and you have a reserve browser.

Open a notepad (go to Start > Run and type in Notepad and click OK).
Copy/paste the following text inside the code box into a new notepad document.

CODE
@ECHO OFF
rem Export the machine-wide and the per-user IE search provider (SearchScopes) keys
regedit /e look1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
regedit /e look2.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"
rem Join the two exports into one log and open it in Notepad
type look*.txt >log.txt
start log.txt
rem Remove the exports and this batch file itself
del look1.txt look2.txt
del %0

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Right-click to run it as administrator.
  • A Notepad window opens; copy and paste its content (log.txt) into your reply.


#15 pwaug
  • Topic Starter
  • Members

Posted 21 February 2010 - 06:51 PM

Here is the log:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}]
"DisplayName"="AIM Search"
"URL"="http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query={searchTerms}&invocationType=TB50TRie7"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}]
"DisplayName"="Search the Web"
"URL"="http://search.imgag.com/?appid=kwtb&component=&c=GNKWO50020&sbs=2&sc=2&f=web&vernum=3.2&uid=&did=%7b8c2859c0-941d-11dd-b52b-001e8c0639d6%7d&q={searchTerms}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E63F1B4-D78C-4980-931A-552D332F442F}]
"DisplayName"="Ask.com"
"URL"="http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{31957995-94AF-463D-A9EA-DEDCBB740509}]
"DisplayName"="Yahoo! Search"
"URL"="http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3A0C2600-2D1C-4CC8-9E5D-EA498D1DD681}]
"DisplayName"="Live Search"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&amp;entrypoint={referrer:source?}&amp;FORM=HVDUS7"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{D46F38D5-21EA-4D0F-A077-4F9E622231BE}"
"Version"=dword:00000002
"DownloadRetries"=dword:00000000
"DownloadUpdates"=dword:00000001
"UpgradeTime"=hex:a0,81,9c,e3,23,6e,ca,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}]
"DisplayName"="AIM Search"
"URL"="http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query={searchTerms}&invocationType=TB50TRie7"
"SortIndex"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}]
"DisplayName"="Search the Web"
"URL"="http://search.imgag.com/?appid=kwtb&component=&c=GNKWO50020&sbs=2&sc=2&f=web&vernum=3.2&uid=&did=%7b8c2859c0-941d-11dd-b52b-001e8c0639d6%7d&q={searchTerms}"
"SortIndex"=dword:00000006

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0E63F1B4-D78C-4980-931A-552D332F442F}]
"DisplayName"="Ask.com"
"URL"="http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd"
"FaviconURLFallback"="http://uk.ask.com/favicon.ico"
"FaviconPath"="C:\\Users\\Paul\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0E63F1B4-D78C-4980-931A-552D332F442F}.ico"
"SortIndex"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{31957995-94AF-463D-A9EA-DEDCBB740509}]
"SuggestionsURLFallback"="http://ie.search.yahoo.com/os?appid=ie8&command={SearchTerms}"
"FaviconURLFallback"="http://search.yahoo.com/favicon.ico"
"FaviconPath"="C:\\Users\\Paul\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{31957995-94AF-463D-A9EA-DEDCBB740509}.ico"
"SortIndex"=dword:00000007

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3A0C2600-2D1C-4CC8-9E5D-EA498D1DD681}]
"DisplayName"="Live Search"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&amp;entrypoint={referrer:source?}&amp;FORM=HVDUS7"
"SuggestionsURLFallback"="http://api.search.live.com/qsml.aspx?query={searchTerms}&src=IE-SearchBox&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}"
"FaviconURLFallback"="http://www.live.com/favicon.ico"
"FaviconPath"="C:\\Users\\Paul\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{3A0C2600-2D1C-4CC8-9E5D-EA498D1DD681}.ico"
"SortIndex"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D46F38D5-21EA-4D0F-A077-4F9E622231BE}]
"DisplayName"="Google"
"URL"="http://findgala.com/?&uid=294&q={searchTerms}"
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconURLFallback"="http://www.google.com/favicon.ico"
"FaviconPath"="C:\\Users\\Paul\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{D46F38D5-21EA-4D0F-A077-4F9E622231BE}.ico"
"SortIndex"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E519AA1F-E8A8-47ED-92E3-BCFB65055819}]
"URL"="http://search.comcast.net/search?cat=Web&con=toolbar&q={searchTerms}"
"DisplayName"="Comcast Search"
"SortIndex"=dword:00000003
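An added example, not code from the thread or its participants: a small Python parser for the regedit /e export format above that lists each IE search scope, extracts the host that actually receives the query from its URL, and flags scopes whose display name is not reflected in that host. That is precisely how the "Google" scope pointing at findgala.com stands out in the posted log. The sample input is constructed from three entries of that log.

```python
import re
from urllib.parse import urlparse

# Constructed sample in regedit /e format, built from three entries of the posted log.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{D46F38D5-21EA-4D0F-A077-4F9E622231BE}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0E63F1B4-D78C-4980-931A-552D332F442F}]
"DisplayName"="Ask.com"
"URL"="http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D46F38D5-21EA-4D0F-A077-4F9E622231BE}]
"DisplayName"="Google"
"URL"="http://findgala.com/?&uid=294&q={searchTerms}"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ lines; dword/hex lines are skipped

def parse_reg(text):
    """Parse a regedit /e export into {key_path: {value_name: string}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:   # undo regedit's \\ and \" escapes
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys

def audit_search_scopes(text):
    """(guid, display_name, url_host, is_default) for scopes whose name is not in the URL host."""
    keys = parse_reg(text)
    findings = []
    for path, values in keys.items():
        if not path.endswith("}") or "URL" not in values:
            continue                                  # parent SearchScopes key itself
        parent, guid = path.rsplit("\\", 1)
        default = keys.get(parent, {}).get("DefaultScope", "")
        name = values.get("DisplayName", "")
        host = (urlparse(values["URL"]).hostname or "").lower()
        brand = re.split(r"[ .!]", name.lower())[0]   # "Ask.com" -> "ask", "Google" -> "google"
        if brand and brand not in host:               # "Google" served from findgala.com
            findings.append((guid, name, host, guid.lower() == default.lower()))
    return findings
```

The name/host mismatch is a review heuristic, not proof: a legitimate scope such as "AIM Search" served from search.aol.com would be listed too, so confirm each flagged entry by hand, and pay special attention to the one marked as the DefaultScope.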
