
Google Is Redirecting!



#1 David McSparron

  • Members
  • 7 posts

Posted 13 February 2009 - 10:51 AM

Hi there,

I have recently noticed that my Google searches are redirecting to spam sites.

I browse with Firefox, but IE is affected as well. Neither Spybot nor McAfee has picked up anything.

Please help, I would really appreciate it!

Thanks, Dave.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:54:04, on 13/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Sibelius Software\Sibelius 5\Sibelius.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.update.microsoft.com/windowsupd...t.aspx?ln=en-us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228697449817
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191190889873
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{45E68200-9F12-48A5-A655-8346F43ED6BC}: NameServer = 192.168.2.10
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8690 bytes

Merged posts. ~ OB

Edited by Orange Blossom, 13 February 2009 - 10:02 PM.
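A HijackThis log like the one above is normally read by eye, entry type by entry type. As an added example (not code from this thread, from HijackThis or from BleepingComputer), the Python script below applies three of the checks a helper runs when a user reports search redirects: an O17 NameServer outside the RFC 1918 LAN ranges (a changed DNS server is one classic way searches get redirected), R0/R1 start or search URLs on unexpected hosts, and O2 BHO registrations whose DLL is missing. The sample lines are constructed for the example (the "bad" ones are invented) and the EXPECTED_HOSTS list is an assumption to be adjusted per machine.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines in HijackThis format. The first three follow the shape of
# entries in the log above (Yahoo search URL, orphaned BHO, router as DNS server);
# the last two are made-up entries so that each check has something to flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O17 - HKLM\System\CS1\Services\Tcpip\..\{45E68200-9F12-48A5-A655-8346F43ED6BC}: NameServer = 192.168.2.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5,203.0.113.6
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=%s
"""

# Hosts the user legitimately uses for start/search pages (an assumption for this
# example; adjust to whatever the machine's owner actually configured).
EXPECTED_HOSTS = ("microsoft.com", "yahoo.com", "google.co.uk", "google.com")

# RFC 1918 ranges: on a home PC the configured DNS server is normally the router,
# which lives in one of these. Anything else deserves a second look.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
R_RE = re.compile(r"^R[01] - .* = (?P<url>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


def is_lan_address(text):
    """True if text parses as an IP address inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def host_is_expected(host):
    """Exact or subdomain match against EXPECTED_HOSTS, respecting label boundaries."""
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def triage_hjt(log_text):
    """Return a list of (severity, message) findings for HijackThis log text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",")]
            bad = [s for s in servers if not is_lan_address(s)]
            if bad:
                findings.append(("high", "O17 DNS server(s) not on the LAN: " + ", ".join(bad)))
            continue
        m = R_RE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if not host_is_expected(host):
                findings.append(("medium", "R0/R1 start or search URL points at unexpected host " + host))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            findings.append(("low", "O2 BHO {%s} is registered but its DLL is missing" % m.group("clsid")))
    return findings


if __name__ == "__main__":
    for severity, message in triage_hjt(SAMPLE_LOG):
        print(severity.upper(), message)
```

A clean log such as the one in this thread produces only the low-severity orphaned-BHO note; a public DNS server the user never configured is the finding worth chasing first.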




#2 David McSparron

  • Topic Starter
  • Members
  • 7 posts

Posted 20 February 2009 - 01:37 PM

The problem is gone for now, although it has done this in the past, only to reappear.

Should I still be seeking help? Could there be an underlying problem?

Dave.

#3 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 21 February 2009 - 11:36 AM

hi,

Log looks OK, but that doesn't mean you don't have malware. We will get a download to use to check for malware. Link and directions:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click **Remove Selected.**
* A restart may be required to finish the clean-up process.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in reply.

How Can I Reduce My Risk to Malware?


#4 David McSparron

  • Topic Starter
  • Members
  • 7 posts

Posted 22 February 2009 - 10:27 AM

The scan didn't find anything. Hmmm...

Malwarebytes' Anti-Malware 1.34
Database version: 1792
Windows 5.1.2600 Service Pack 3

22/02/2009 15:23:16
mbam-log-2009-02-22 (15-23-16).txt

Scan type: Full Scan (C:\|D:\|I:\|)
Objects scanned: 107380
Time elapsed: 34 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 22 February 2009 - 03:38 PM

OK, we can get one more download as a check for malware. It's called ComboFix. There is a guide to read first. Read through the guide, download to your desktop, disable any AV etc. as explained in the guide, double-click the icon and follow the prompts. Post the ComboFix log.

The guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How Can I Reduce My Risk to Malware?


#6 David McSparron

  • Topic Starter
  • Members
  • 7 posts

Posted 23 February 2009 - 06:21 PM

Thank you very much for your time. Here is my combofix log:

ComboFix 09-02-21.01 - David 2009-02-23 23:08:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1536.1119 [GMT 0:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ntnet.drv

.
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-22 14:46 . 2009-02-22 14:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 14:46 . 2009-02-22 14:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 14:46 . 2009-02-22 14:46 <DIR> d-------- c:\documents and settings\David\Application Data\Malwarebytes
2009-02-22 14:46 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 14:46 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-13 15:53 . 2009-02-13 15:53 <DIR> d-------- c:\program files\Trend Micro
2009-02-13 11:37 . 2009-02-13 11:42 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-02-13 11:27 . 2009-02-13 11:27 <DIR> d-------- c:\documents and settings\David\Application Data\uniblue
2009-02-13 11:26 . 2009-02-13 11:26 <DIR> d-------- c:\program files\Uniblue
2009-02-10 16:02 . 2009-02-10 16:02 244 --ah----- C:\sqmnoopt16.sqm
2009-02-10 16:02 . 2009-02-10 16:02 232 --ah----- C:\sqmdata16.sqm
2009-02-10 12:43 . 2009-02-10 12:43 244 --ah----- C:\sqmnoopt15.sqm
2009-02-10 12:43 . 2009-02-10 12:43 232 --ah----- C:\sqmdata15.sqm
2009-02-10 12:42 . 2009-02-10 12:42 268 --ah----- C:\sqmdata14.sqm
2009-02-10 12:42 . 2009-02-10 12:42 244 --ah----- C:\sqmnoopt14.sqm
2009-02-10 01:09 . 2009-02-10 01:09 <DIR> d-------- c:\program files\Audacity
2009-02-09 23:33 . 2009-02-09 23:33 244 --ah----- C:\sqmnoopt13.sqm
2009-02-09 23:33 . 2009-02-09 23:33 232 --ah----- C:\sqmdata13.sqm
2009-02-09 22:39 . 2009-02-09 22:39 <DIR> d-------- c:\program files\NOS
2009-02-09 22:39 . 2009-02-09 22:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-09 18:34 . 2009-02-09 18:34 244 --ah----- C:\sqmnoopt12.sqm
2009-02-09 18:34 . 2009-02-09 18:34 232 --ah----- C:\sqmdata12.sqm
2009-02-09 01:28 . 2009-02-09 01:28 268 --ah----- C:\sqmdata11.sqm
2009-02-09 01:28 . 2009-02-09 01:28 244 --ah----- C:\sqmnoopt11.sqm
2009-02-08 18:42 . 2009-02-08 18:42 244 --ah----- C:\sqmnoopt10.sqm
2009-02-08 18:42 . 2009-02-08 18:42 232 --ah----- C:\sqmdata10.sqm
2009-02-08 12:11 . 2009-02-08 12:11 244 --ah----- C:\sqmnoopt09.sqm
2009-02-08 12:11 . 2009-02-08 12:11 232 --ah----- C:\sqmdata09.sqm
2009-02-05 23:00 . 2009-02-05 23:00 244 --ah----- C:\sqmnoopt08.sqm
2009-02-05 23:00 . 2009-02-05 23:00 232 --ah----- C:\sqmdata08.sqm
2009-02-04 22:01 . 2009-02-04 22:01 244 --ah----- C:\sqmnoopt07.sqm
2009-02-04 22:01 . 2009-02-04 22:01 232 --ah----- C:\sqmdata07.sqm
2009-02-03 23:57 . 2009-02-03 23:57 244 --ah----- C:\sqmnoopt06.sqm
2009-02-03 23:57 . 2009-02-03 23:57 232 --ah----- C:\sqmdata06.sqm
2009-02-03 22:17 . 2009-02-03 22:17 244 --ah----- C:\sqmnoopt05.sqm
2009-02-03 22:17 . 2009-02-03 22:17 232 --ah----- C:\sqmdata05.sqm
2009-02-02 22:34 . 2009-02-02 22:34 244 --ah----- C:\sqmnoopt04.sqm
2009-02-02 22:34 . 2009-02-02 22:34 232 --ah----- C:\sqmdata04.sqm
2009-02-02 15:36 . 2009-02-02 15:36 244 --ah----- C:\sqmnoopt03.sqm
2009-02-02 15:36 . 2009-02-02 15:36 232 --ah----- C:\sqmdata03.sqm
2009-02-02 00:41 . 2009-02-02 00:41 244 --ah----- C:\sqmnoopt02.sqm
2009-02-02 00:41 . 2009-02-02 00:41 232 --ah----- C:\sqmdata02.sqm
2009-02-01 12:34 . 2009-02-01 12:34 244 --ah----- C:\sqmnoopt01.sqm
2009-02-01 12:34 . 2009-02-01 12:34 232 --ah----- C:\sqmdata01.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 12:03 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-13 12:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-13 11:47 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-28 21:59 --------- d-----w c:\program files\McAfee
2009-01-12 18:14 --------- d-----w c:\program files\Microsoft Works
2009-01-06 00:05 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-01-05 00:18 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-05 00:17 --------- d-----w c:\program files\Java
2008-12-26 23:34 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-26 22:32 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-26 22:26 --------- d-----w c:\program files\Common Files\McAfee
2008-12-26 22:25 --------- d-----w c:\program files\McAfee.com
2008-12-25 19:15 --------- d-----w c:\documents and settings\David\Application Data\Teleca
2008-12-25 19:15 --------- d-----w c:\documents and settings\David\Application Data\Sony Ericsson
2008-12-25 19:11 --------- d-----w c:\program files\Common Files\Teleca Shared
2008-12-25 19:11 --------- d-----w c:\program files\Common Files\Sony Ericsson Shared
2008-12-25 19:11 --------- d-----w c:\documents and settings\All Users\Application Data\Teleca
2008-12-25 19:11 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-12-25 19:10 --------- d-----w c:\program files\Sony Ericsson
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-08 01:11 604 ---ha-w c:\program files\STLL Notifier
2008-09-10 13:49 5,817,064 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"="c:\windows\system32\dumprep 0 -k" [X]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2008-12-07 327765]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-09-30 581632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= wdmaud.sys

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2007-03-28 01:07 593920 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-05 00:18 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-26 206096]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2008-12-07 17149]
R3 RDID1065;Roland SH-201;c:\windows\system32\drivers\Rdwm1065.sys [2008-12-08 171185]
R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2007-09-30 56576]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-09 33752]
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\r6qwxvs2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 23:10:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-23 23:12:29
ComboFix-quarantined-files.txt 2009-02-23 23:12:26

Pre-Run: 75,594,440,704 bytes free
Post-Run: 75,613,708,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

174 --- E O F --- 2009-02-12 10:15:31

#7 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 23 February 2009 - 08:18 PM

hi,

Thanks for the info. Don't see anything I recognize as malware. Do you know what this application is:

c:\program files\NOS

How Can I Reduce My Risk to Malware?


#8 David McSparron

  • Topic Starter
  • Members
  • 7 posts

Posted 24 February 2009 - 04:29 PM

The folder contains "getPlus_HelperSvc".

Seems it's the GetPlus application from NOS Microsystems. Can't say I knew of it. Assumedly it's safe to delete?

All seems to be well with my PC - Google is running fine and my PC is operating smoothly. Would you agree that we should call it a day now?

The Anti-Malware software you pointed me to should prove very useful in the future.

#9 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 24 February 2009 - 09:32 PM

hi,

getPlus_HelperSvc

A download manager, most likely installed with some software. You can keep it.

You can remove combofix like this:

Start > Run and type in: combofix /u
Click OK or press Enter.
Note: there is a space after the x and before the /.

Malwarebytes is excellent. You have to update it manually. The paid version offers auto updates and a real-time protection component.
Yes, I think we can call it a day.

Some info for your reference:

Reducing Your Risk To Malware:
The Short Version:

1) Keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" possible vulnerabilities.

2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install files from ads, links or popups.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop-ups or offers from websites requesting that you install software on your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install and know the limitations of a software firewall.

9) Consider using an alternate browser and e-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

10) If your habits include warez, cracks, etc., or you install files via P2P networks, then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?


#10 David McSparron

  • Topic Starter
  • Members
  • 7 posts

Posted 25 February 2009 - 03:06 AM

Thank you very much for all of your help and effort.

Bye for now.

Dave.



