
Incorrect Google search results


9 replies to this topic

#1 eatworksleepdie

eatworksleepdie

  • Members
  • 14 posts
  • Location:Michigan

Posted 30 December 2008 - 01:31 AM

Hello! I wish I was coming to Bleeping Computer under better circumstances, but alas, it looks like I have a broken interwebz.

The computer is a Dell Inspiron 1501 running XP SP3.
In both Firefox 3.0.5 and IE 7, Google search results come up with incorrect results. I'm thinking I have a malware problem, but haven't been able to come up with a solution yet after doing some searching/self-testing on my own.. ugh.

So far, I've run:
Malwarebytes Anti-Malware (came up with 7 problems, I left them alone)
SUPERAntiSpyware Free Home Edition (came up with 56 possible problems, I quarantined them)
ComboFix (not sure what that did :thumbsup:)

I also uninstalled an old version of Symantec.

I'm still getting the same results through Google searching.
E.g.: whatever is in the blue title is not the same web address as what's in the green URL.

Below is my DDS report:
*************************************************************************


DDS (Version 1.1.0) - NTFSx86
Run by lisa at 1:13:36.81 on Tue 12/30/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.497 [GMT -5:00]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\lisa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=rvzlNPrArrV9DrZMsdPUn0_Pwp0
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lisa\applic~1\mozilla\firefox\profiles\w780j3yb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-22 55024]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2008-12-21 78104]
R2 OpenCASE Media Agent;OpenCASE Media Agent;"c:\program files\opencase\opencase media agent\MediaAgent.exe" [2008-1-16 814728]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S4 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2007-1-20 1174152]

=============== Created Last 30 ================

2008-12-30 00:23 <DIR> --d----- C:\ComboFix
2008-12-30 00:22 <DIR> --d----- C:\cmdcons
2008-12-30 00:07 161,792 a------- c:\windows\SWREG.exe
2008-12-30 00:07 98,816 a------- c:\windows\sed.exe
2008-12-29 23:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-29 23:18 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-29 23:18 <DIR> --d----- c:\docume~1\lisa\applic~1\SUPERAntiSpyware.com
2008-12-29 22:25 <DIR> --d----- c:\docume~1\lisa\applic~1\Malwarebytes
2008-12-29 22:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-29 22:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 22:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 22:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-19 22:58 <DIR> --d----- c:\docume~1\lisa\applic~1\iWinArcade
2008-12-19 20:24 <DIR> --d----- c:\docume~1\lisa\applic~1\iWin
2008-12-19 20:23 <DIR> --d----- c:\program files\iWin Games
2008-12-19 19:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iWin Games
2008-12-19 19:10 <DIR> --d----- c:\program files\iWin.com Games
2008-12-05 11:56 49 a------- c:\windows\NeroDigital.ini

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll

============= FINISH: 1:13:45.15 ===============


so what do you think!?


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA

Posted 06 January 2009 - 10:02 AM

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
Please post the contents of the ark.txt as your next reply.

#3 eatworksleepdie

eatworksleepdie
  • Topic Starter

  • Members
  • 14 posts
  • Location:Michigan

Posted 06 January 2009 - 07:48 PM

Below are the results:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-06 19:26:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE97CF20]

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fastfat \Fat EB748D20
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.14 ----

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA

Posted 07 January 2009 - 10:13 AM

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

#5 eatworksleepdie

eatworksleepdie
  • Topic Starter

  • Members
  • 14 posts
  • Location:Michigan

Posted 07 January 2009 - 05:46 PM

Here are the results of GooredFix...


GooredFix v1.72 by jpshortstuff
Log created at 17:44 on 07/01/2009 running Option #1 (lisa)
Firefox version 3.0.5 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{98e34367-8df7-42b4-837b-20b892ff0847}"="C:\Program Files\iWin Games\firefox\"

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA

Posted 08 January 2009 - 05:41 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#7 eatworksleepdie

eatworksleepdie
  • Topic Starter

  • Members
  • 14 posts
  • Location:Michigan

Posted 08 January 2009 - 06:21 PM

I haven't said thank you yet for your help so far and in the future, so thank you!!.. :thumbsup:

Below is my ComboFix log..

*************************************


ComboFix 09-01-08.01 - lisa 2009-01-08 18:06:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.556 [GMT -5:00]
Running from: c:\documents and settings\lisa\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wdmaud.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-06 19:16 . 2009-01-06 19:16 250 --a------ c:\windows\gmer.ini
2008-12-29 23:19 . 2008-12-29 23:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-29 23:18 . 2009-01-08 18:02 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-29 23:18 . 2008-12-29 23:18 <DIR> d-------- c:\documents and settings\lisa\Application Data\SUPERAntiSpyware.com
2008-12-29 22:25 . 2009-01-08 18:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 22:25 . 2008-12-29 22:25 <DIR> d-------- c:\documents and settings\lisa\Application Data\Malwarebytes
2008-12-29 22:25 . 2008-12-29 22:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-19 22:58 . 2008-12-19 22:58 <DIR> d-------- c:\documents and settings\lisa\Application Data\iWinArcade
2008-12-19 20:24 . 2008-12-19 20:24 <DIR> d-------- c:\documents and settings\lisa\Application Data\iWin
2008-12-19 20:23 . 2008-12-29 23:59 <DIR> d-------- c:\program files\iWin Games
2008-12-19 19:16 . 2008-12-19 22:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\iWin Games
2008-12-19 19:10 . 2008-12-19 19:12 <DIR> d-------- c:\program files\iWin.com Games
2008-12-19 15:47 . 2008-12-19 15:47 <DIR> d-------- c:\documents and settings\lisa\Application Data\PlayFirst
2008-12-19 15:41 . 2008-12-19 15:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 23:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-30 05:17 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-30 05:16 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-30 05:16 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-23 19:41 --------- d-----w c:\program files\Trillian
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-20 13:59 --------- d-----w c:\program files\2Wire
2008-11-20 13:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 04:12 --------- d-----w c:\program files\Yahoo!
2008-11-17 15:43 --------- d-----w c:\program files\iTunes
2008-11-17 15:43 --------- d-----w c:\program files\iPod
2008-11-17 15:43 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-17 15:41 --------- d-----w c:\program files\Bonjour
2008-11-17 15:40 --------- d-----w c:\program files\QuickTime
2008-11-17 15:39 --------- d-----w c:\program files\Common Files\Apple
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_ 0.25.25.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-07 00:16:03 884,736 ----a-w c:\windows\gmer.dll
+ 2009-01-07 00:15:10 811,008 ----a-w c:\windows\gmer.exe
+ 2009-01-07 00:16:03 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-22 185896]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2005-12-19 09:08 1347584 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 06:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-05-22 13:21 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 14:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-09-22 05:47 761947 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-09-22 05:06 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wltrysvc"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"ose"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=

R4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2008-12-21 78104]
R4 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [2008-01-16 814728]

--- Other Services/Drivers In Memory ---

*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=rvzlNPrArrV9DrZMsdPUn0_Pwp0
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\SearchEngineQuery.dll - O16 -: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400}
hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
FF - ProfilePath - c:\documents and settings\lisa\Application Data\Mozilla\Firefox\Profiles\w780j3yb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 18:08:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-01-08 18:09:58
ComboFix-quarantined-files.txt 2009-01-08 23:09:46
ComboFix2.txt 2008-12-30 05:26:02

Pre-Run: 58,487,037,952 bytes free
Post-Run: 58,492,133,376 bytes free

197 --- E O F --- 2008-12-20 00:10:55


********************************************

Something I also did, right before I ran ComboFix, was uninstall both SUPERAntiSpyware and Malwarebytes, just to make sure there were no conflicts going on..

Edited by eatworksleepdie, 08 January 2009 - 06:25 PM.


#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA

Posted 09 January 2009 - 01:08 PM

Are you still having the problem? wdmaud.sys is known to cause these redirects and ComboFix has removed this.
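The loading point Grinler is referring to is visible in the ComboFix log above ("aux"= wdmaud.sys under the Drivers32 key, alongside the deleted c:\windows\system32\wdmaud.sys). The PowerShell audit below is an added example, not code from this thread, from ComboFix or from BleepingComputer; it assumes an elevated PowerShell session on the machine being examined, and it assumes that legitimate Drivers32 values are bare file names of user-mode multimedia components (.drv, .dll, .acm) living in System32, so a .sys name or a missing/unsigned file is what gets flagged.

```powershell
# Added example (not from the thread): read-only audit of the Drivers32 loading point.
# Run in an elevated PowerShell on the machine being examined; it changes nothing.
$Drivers32Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$System32     = Join-Path $env:SystemRoot 'System32'

# Assumption: legitimate Drivers32 values are user-mode codecs and drivers with these
# extensions. A kernel-style ".sys" name here is the pattern seen in this thread.
$ExpectedExtensions = @('.drv', '.dll', '.acm')

function Test-Drivers32Entry {
    param([string]$Name, [string]$Value)

    $findings = @()
    # Bare file names are resolved from System32; a full path is used as given.
    $path = if ([System.IO.Path]::IsPathRooted($Value)) { $Value } else { Join-Path $System32 $Value }
    $ext  = [System.IO.Path]::GetExtension($Value).ToLowerInvariant()

    if ($ExpectedExtensions -notcontains $ext) {
        $findings += "unexpected extension '$ext' for a Drivers32 entry"
    }

    $sigStatus = 'FileMissing'
    if (Test-Path -LiteralPath $path) {
        # Informational: catalog-signed OS files can report NotSigned on older PowerShell
        # versions, so treat a non-Valid status as a prompt to look closer, not as proof.
        $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
        if ($sigStatus -ne 'Valid') { $findings += "signature status $sigStatus" }
    } else {
        $findings += "file not found at $path"
    }

    New-Object PSObject -Property @{
        Name      = $Name
        Value     = $Value
        Path      = $path
        Signature = $sigStatus
        Findings  = ($findings -join '; ')
    }
}

function Get-Drivers32Audit {
    $item = Get-Item -LiteralPath $Drivers32Key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -eq '') { continue }   # empty entries are normal and load nothing
        Test-Drivers32Entry -Name $name -Value $value
    }
}

# Entries with findings sort to the top; an "aux"=wdmaud.sys line like the one in the
# ComboFix log above would show an unexpected extension and, once deleted, a missing file.
Get-Drivers32Audit | Sort-Object Findings -Descending |
    Format-Table Name, Value, Signature, Findings -AutoSize
```

Compare any flagged entry against a known-clean XP machine before acting on it, since a handful of third-party codecs legitimately register here.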

#9 eatworksleepdie

eatworksleepdie
  • Topic Starter

  • Members
  • 14 posts
  • Location:Michigan

Posted 09 January 2009 - 04:36 PM

The wife says it's all fixed! (It's her computer that she managed to break.) It appears to be good to go! Thanks for fixing our computer, and for all the help. You/you folks are great.

So I should be OK to re-install Malwarebytes and/or SUPERAntiSpyware? Is one better than the other? Or maybe something else?

Thanks again, Lawrence.

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA

Posted 09 January 2009 - 05:13 PM

MBAM and SAS are good products and worthy of being installed.

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable System Restore here for your particular Windows version:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

or

Windows Vista System Restore Guide


Re-enable System Restore with instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help, and if there are any other problems related to your computer, please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!



