
Google redirecting virus?


  • This topic is locked
32 replies to this topic

#1 Obsessed
  • Members
  • 20 posts

Posted 07 August 2009 - 12:55 PM

Hi, I've posted on these forums before, but I can't remember my login password or username, so I hope I'm forgiven for creating another account. Last time, I posted in the wrong forum regarding a problem I was having about Google redirecting me. At first I didn't know what to make of it, but now I'm sure it's a virus, as Yahoo redirects me also. Last time I downloaded SUPERAntiSpyware just to be on the safe side and a number of threats were detected, which I then took care of. However, Google continued to redirect me. A few weeks ago I cleared out the laptop, transferred all my files to an external hard drive and stopped using the laptop. I'm now back on the laptop and have found that I cannot use System Restore, and HijackThis, although downloaded, does not seem to open. So I followed the instructions in this thread and have attached the DDS report I got. I'm hoping someone can help shed some light on this, as I'm completely computer illiterate and have no clue as to what seems to be the problem.

DDS (Ver_09-07-30.01) - NTFSx86
Run by ALLUSER at 18:39:57.24 on 07/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.630.286 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\ALLUSER.X300\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {57e90410-e787-b729-8884-c95160cdd800}: {008ddc06-159c-4888-927b-787e01409e75} - c:\windows\system32\hqgqcb.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {8d1da459-30a4-4757-ab43-15e7342f9a4d} - c:\windows\system32\geBtQkJc.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\a9c1b497-df4b-415d-931d-0a3a6c34d2c7.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BearShare] "c:\program files\bearshare\BearShare.exe" /pause
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\3\3connect\AutoUpdateSrv.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221554916107
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221555073503
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
TCP: NameServer = 85.255.112.154,85.255.112.227
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: awtqoNDu - awtqoNDu.dll
Notify: igfxcui - igfxdev.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: tuvTjHYq - tuvTjHYq.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBtQkJc

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alluse~1.x30\applic~1\mozilla\firefox\profiles\f44zvilz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2008-10-21 10240]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 hxmmsgsa;hxmmsgsa;\??\c:\windows\system32\drivers\hxmmsgsa.sys --> c:\windows\system32\drivers\hxmmsgsa.sys [?]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2009-5-20 16896]

=============== Created Last 30 ================

2009-08-07 18:31 --d----- c:\program files\Trend Micro
2009-08-07 18:29 --d----- c:\program files\SUPERAntiSpyware
2009-08-07 18:29 --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-05-29 13:15 18,440 a------- c:\docume~1\alluse~1.x30\applic~1\GDIPFONTCACHEV1.DAT
2009-05-20 01:54 53,218 a--sh--- c:\windows\system32\cJkQtBeg.ini2

============= FINISH: 18:40:21.16 ===============

Attached File: DDS.txt (7.06KB, 16 downloads)

Edited by SifuMike, 18 August 2009 - 01:19 PM.
insert DDS log
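The DDS log above already contains the answer to the redirect question, if you know which line types to read: a statically set public NameServer pair (TCP: NameServer), two Winlogon Notify DLLs and an extra LSA authentication package with eight-letter random-looking names, two BHOs in system32 of the same style, an S1 driver whose image file DDS could not find ([?]), and a hidden+system file with an odd extension in system32. As an added example that is not part of DDS, HijackThis or this thread, the Python below applies those checks to the log's line formats. The sample input is an excerpt constructed from the log in this post; the EXPECTED_RESOLVERS allowlist and the looks_random heuristic are assumptions of the example, not anything the tools or the helper used.

```python
"""Triage the 'Pseudo HJT', 'SERVICES / DRIVERS' and 'Find3M' lines of a DDS log.

Added example; not part of DDS, HijackThis or the thread. It flags the entry
classes that explain the Google/Yahoo redirects in the log above: a static
public NameServer, Winlogon Notify DLLs and LSA authentication packages with
random-looking names, BHOs with no backing file or a random-named DLL, a
driver whose image is missing at scan time, and hidden+system files.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the DDS log posted above, with a few
# benign entries kept so the heuristics have something to leave alone.
SAMPLE_DDS = r"""
BHO: {57e90410-e787-b729-8884-c95160cdd800}: {008ddc06-159c-4888-927b-787e01409e75} - c:\windows\system32\hqgqcb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {8d1da459-30a4-4757-ab43-15e7342f9a4d} - c:\windows\system32\geBtQkJc.dll
TCP: NameServer = 85.255.112.154,85.255.112.227
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: awtqoNDu - awtqoNDu.dll
Notify: igfxcui - igfxdev.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: tuvTjHYq - tuvTjHYq.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBtQkJc
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2008-10-21 10240]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 hxmmsgsa;hxmmsgsa;\??\c:\windows\system32\drivers\hxmmsgsa.sys --> c:\windows\system32\drivers\hxmmsgsa.sys [?]
2009-08-07 18:31 --d----- c:\program files\Trend Micro
2009-05-29 13:15 18,440 a------- c:\docume~1\alluse~1.x30\applic~1\GDIPFONTCACHEV1.DAT
2009-05-20 01:54 53,218 a--sh--- c:\windows\system32\cJkQtBeg.ini2
"""

# Resolvers the owner expects to see statically configured. Assumption: none.
# A home laptop on DHCP normally carries no NameServer value at all.
EXPECTED_RESOLVERS = set()

VOWELS = set("aeiouAEIOU")
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+ )?([a-z-]{8}) (.+)$")


def looks_random(name):
    """Heuristic (an assumption of this example) for the 6-8 letter vowel-free
    or mixed-case names Vundo-style droppers generate (hqgqcb, geBtQkJc,
    awtqoNDu). CamelCase vendor names (AcroIEHelperShim) and all-caps names
    (SASWINLO) pass. A hit needs analyst review, not automatic deletion."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", name.rsplit("\\", 1)[-1])
    if not stem.isalpha() or len(stem) < 6 or stem.isupper():
        return False
    inner_upper = sum(c.isupper() for c in stem[1:])
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return (len(stem) <= 8 and inner_upper >= 2) or vowel_ratio <= 0.15


def triage(dds_text):
    """Return {rule: [offending values]} for the DDS lines in dds_text."""
    findings = defaultdict(list)
    for raw in dds_text.splitlines():
        line = raw.strip()
        if line.startswith("TCP: NameServer"):
            # A static NameServer on a DHCP client is unusual by itself; a
            # public one not on the expected list is the DNS-hijack indicator.
            for part in line.split("=", 1)[1].split(","):
                ip = ipaddress.ip_address(part.strip())
                if not ip.is_private and str(ip) not in EXPECTED_RESOLVERS:
                    findings["dns_hijack"].append(str(ip))
        elif line.startswith("Notify:"):
            # Winlogon Notify DLLs are loaded into winlogon.exe at every logon.
            dll = line.split(" - ", 1)[1]
            if looks_random(dll):
                findings["winlogon_notify"].append(dll)
        elif line.startswith("LSA: Authentication Packages"):
            # Only msv1_0 belongs here on a stand-alone XP box; anything else
            # is loaded into lsass.exe before any scanner gets to run.
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "msv1_0"]
            findings["lsa_auth_package"].extend(extra)
        elif line.startswith("BHO:"):
            target = line.rsplit(" - ", 1)[1]
            if target == "No File":
                findings["bho_orphan"].append(line)
            elif looks_random(target):
                findings["bho_random_dll"].append(target)
        elif re.match(r"^[RS]\d ", line) and line.endswith("[?]"):
            # DDS prints [?] when it cannot stat the service's image file.
            findings["service_image_missing"].append(line.split(";")[0].split()[1])
        else:
            m = FIND3M_RE.match(line)
            if m and "s" in m.group(1) and "h" in m.group(1) and looks_random(m.group(2)):
                findings["hidden_system_file"].append(m.group(2))
    return findings


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_DDS).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

Run on the excerpt it reports the two NameServer addresses, awtqoNDu.dll and tuvTjHYq.dll, the geBtQkJc LSA package, the hqgqcb.dll and geBtQkJc.dll BHOs, the hxmmsgsa driver and cJkQtBeg.ini2, and leaves the Adobe, Intel, Lenovo and SUPERAntiSpyware entries alone. A text triage like this only sees what DDS could enumerate; anything a kernel-level rootkit hides from the registry and file APIs will not be in the log at all, which is why a rootkit-aware scanner still has to follow.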



#2 SifuMike
  • malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 August 2009 - 08:47 PM

Hello Obsessed,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Note: If you already have Malwarebytes' Anti-Malware, then update and run it, and do a "Perform Full Scan"

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.



Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

**********************

Please do this:
1. Download HijackThis here:
http://www.trendsecure.com/portal/en-US/to...ools/hijackthis

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.
Please post it.


**********************

Let's look in a different place for signs.

Open HijackThis 2.0.2
Press the button 'View Misc Tools Section'
Press the button 'open uninstall manager'
Press the button 'save list'
Save it to your desktop and press Save.
A notepad file will open.
If no notepad opens then it will be on your desktop (where you saved it)
Post the content here in your reply.
Close HijackThis.

Edited by SifuMike, 16 August 2009 - 08:56 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Obsessed (Topic Starter)

Posted 18 August 2009 - 06:47 AM

Thanks for the reply SifuMike. Here's the Security Check document:

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!


WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware Free Edition
Windows Defender
Malwarebytes' Anti-Malware
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe


``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

#4 Obsessed (Topic Starter)

Posted 18 August 2009 - 06:56 AM

I had downloaded Malwarebytes' Anti-Malware and HijackThis prior to posting here; however, Malwarebytes would not launch after being installed and nothing would appear when I tried to open the HijackThis.exe file. On your suggestion, I tried to download both again, and once again Malwarebytes failed to launch and the HijackThis.exe file won't open.

#5 SifuMike (malware expert)

Posted 18 August 2009 - 10:15 AM

Hi


If MBAM will not install, please rename the installer mbam-setup.exe. Example: newtool2.exe
Proceed installing the renamed installer of MBAM.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\), then rename mbam.exe to newtool3.exe and double click newtool3.exe to proceed in running a Full scan.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 18 August 2009 - 10:16 AM.


#6 Obsessed (Topic Starter)

Posted 18 August 2009 - 11:02 AM

I renamed the installer to "newtool2.exe" and installed the program, however it failed to launch again. So I tried to reach the directory through my local disk (C:) but I get this message when I try to open the disk:

Posted Image

Edited by Obsessed, 18 August 2009 - 11:03 AM.


#7 SifuMike (malware expert)

Posted 18 August 2009 - 01:17 PM

Quoting Obsessed: "however Malwarebytes would not launch after being installed and nothing would appear when I tried to open the HijackThis.exe file"

I think you are confused between launching and installing MBAM. :thumbup2:

You said MBAM would not launch so why are you renaming the installer to "newtool2.exe" and installing the program?

According to that it installed OK.


You said it would not run so you should be doing this:

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\), then rename mbam.exe to newtool3.exe and double click newtool3.exe to proceed in running a Full scan.

#8 Obsessed (Topic Starter)

Posted 18 August 2009 - 01:46 PM

Uh oh :thumbup2: I was following the instructions in order. I'm sorry.

In any case I can access the local drive now, but I can't seem to find an .exe file in the program's folder.

#9 SifuMike (malware expert)

Posted 18 August 2009 - 01:59 PM

By default, Windows doesn't display file name extensions. They are there, you just can't see them. An extension is the three-character suffix

I recommend that you display extensions.

Fortunately, it only takes a few steps:
Choose My Computer from the Windows Start menu. (You can use any method for launching Explorer.)
Choose Folder Options from the Tools menu and click the View tab.
In the Folder Options dialog box, uncheck the Hide Extensions For Known File Types option.
Click OK.

Edited by SifuMike, 18 August 2009 - 02:01 PM.


#10 Obsessed (Topic Starter)

Posted 18 August 2009 - 04:32 PM

Ok. I changed the name and opened the program. Here's the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

18/08/2009 22:21:51
mbam-log-2009-08-18 (22-21-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 151721
Time elapsed: 22 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 6
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{008ddc06-159c-4888-927b-787e01409e75} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{008ddc06-159c-4888-927b-787e01409e75} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.154,85.255.112.227 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.154,85.255.112.227 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.154,85.255.112.227 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hqgqcb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-3-83-100030153-100001180-100026018-7312.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\ExpressVids.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
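Every line in the MBAM log above ends in "Quarantined and deleted successfully", which is a statement about the items MBAM had a signature for, not about the machine. The useful check at this point is to reconcile the log against the indicator list from the DDS log in the first post and see which indicators MBAM never mentions. As an added example that is not MBAM's code and not from this thread, the Python below parses MBAM lines of this shape, tallies detections by family, and reports the earlier indicators that do not appear in any item MBAM touched. The MBAM excerpt is a constructed subset of the log above, and the DDS_INDICATORS list is a hand-built assumption of the example.

```python
"""Reconcile a Malwarebytes' Anti-Malware (MBAM) log against an indicator list
taken from the earlier DDS log.

Added example; not part of MBAM, DDS or the thread. MBAM's log only names the
items its signatures matched, so the indicators it never mentions are the
ones still to be dealt with, whatever the 'successfully' lines say.
"""
import re
from collections import Counter

# Constructed subset (8 of 23 lines) of the MBAM log posted above.
SAMPLE_MBAM = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{008ddc06-159c-4888-927b-787e01409e75} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{008ddc06-159c-4888-927b-787e01409e75} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.154,85.255.112.227 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hqgqcb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\ExpressVids.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# Indicators pulled by hand from the DDS log in the first post (assumption of
# this example; a real run would take them from the triage of that log).
DDS_INDICATORS = [
    "{008ddc06-159c-4888-927b-787e01409e75}",  # BHO CLSID backed by hqgqcb.dll
    "hqgqcb.dll",
    "geBtQkJc",        # second BHO and the extra LSA authentication package
    "awtqoNDu.dll",    # Winlogon Notify
    "tuvTjHYq.dll",    # Winlogon Notify
    "hxmmsgsa.sys",    # S1 driver whose image file DDS could not find
    "cJkQtBeg.ini2",   # hidden+system file in system32
    "85.255.112.154",  # static NameServer pair
    "85.255.112.227",
]

# item (Family) [-> Data: ...] -> action.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<action>.+?)\.?$"
)


def parse_mbam(text):
    """Return one dict per detection line; section headers are skipped."""
    detections = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            detections.append(m.groupdict())
    return detections


def family_tally(detections):
    """Count detections per MBAM family name, e.g. Trojan.DNSChanger."""
    return Counter(d["family"] for d in detections)


def not_fully_removed(detections):
    """Items whose action is anything other than a clean quarantine+delete."""
    return [d["item"] for d in detections
            if d["action"] != "Quarantined and deleted successfully"]


def unaddressed(indicators, detections):
    """Indicators that appear in no MBAM item or data field (case-insensitive)."""
    haystack = "\n".join(d["item"] + " " + (d["data"] or "") for d in detections).lower()
    return [i for i in indicators if i.lower() not in haystack]


if __name__ == "__main__":
    dets = parse_mbam(SAMPLE_MBAM)
    for family, n in family_tally(dets).most_common():
        print(f"{n:3d}  {family}")
    print("not fully removed:", not_fully_removed(dets))
    print("still unaddressed:", unaddressed(DDS_INDICATORS, dets))
```

On this excerpt the NameServer pair, the Vundo BHO CLSID and hqgqcb.dll are accounted for, while geBtQkJc (the second BHO and the extra LSA package), both Winlogon Notify DLLs, hxmmsgsa.sys and cJkQtBeg.ini2 never appear in the log. MBAM's own Rootkit.Agent hit on HKLM\SOFTWARE\gxvxc is a further sign of a kernel-level component that a user-mode scanner's log cannot vouch for. That remaining list, not the run of "successfully" lines, is what to carry into the next scan.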

#11 SifuMike (malware expert)

Posted 18 August 2009 - 04:40 PM

Hi Obsessed,

What antivirus are you running on the computer? :thumbup2:

Edited by SifuMike, 18 August 2009 - 04:42 PM.


#12 Obsessed (Topic Starter)

Posted 19 August 2009 - 06:46 AM

I have superantispyware.

#13 SifuMike (malware expert)

Posted 19 August 2009 - 10:30 AM

Hi Obsessed,


SuperAntiSpyware is not an antivirus. It detects and removes Spyware, Adware, Trojans, Dialers, Worms, KeyLoggers, HiJackers and many other types of threats but not viruses.

You need an antivirus, a firewall as well as Superantispyware to be fully protected.


Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus :!:

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new DDS log.

Then we'll start from there, because it really makes no sense to clean this up manually when no antivirus is present, which should be able to deal with most of it and prevent further reinfection.

Edited by SifuMike, 19 August 2009 - 10:31 AM.


#14 Obsessed (Topic Starter)

Posted 19 August 2009 - 12:06 PM

Hi back at you SifuMike :thumbup2:

Here's the Avira full scan report:

Avira AntiVir Personal
Report file date: 19 August 2009 17:29

Scanning for 1648693 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : X300

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 29/07/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 13:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 12:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 09:21:42
ANTIVIR2.VDF : 7.1.5.88 2668032 Bytes 10/08/2009 16:27:54
ANTIVIR3.VDF : 7.1.5.137 417792 Bytes 19/08/2009 16:27:57
Engineversion : 8.2.1.3
AEVDF.DLL : 8.1.1.1 106868 Bytes 28/07/2009 13:31:50
AESCRIPT.DLL : 8.1.2.25 459130 Bytes 19/08/2009 16:28:05
AESCN.DLL : 8.1.2.4 127348 Bytes 23/07/2009 09:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 23/07/2009 09:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 28/07/2009 13:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 23/07/2009 09:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 19/08/2009 16:28:04
AEHELP.DLL : 8.1.6.0 233846 Bytes 19/08/2009 16:27:59
AEGEN.DLL : 8.1.1.57 356725 Bytes 19/08/2009 16:27:59
AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 14:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 23/07/2009 09:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 14:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 05/12/2008 10:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 15:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 10:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 19 August 2009 17:29

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys\group
[INFO] The registry entry is invisible.
'7650' objects were checked, '5' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ASKUpgrade.exe' - '1' Module(s) have been scanned
Scan process 'AskService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process '1XConfig.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '56' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp1ED.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp1EE.tmp
[DETECTION] Is the TR/Patched.GE Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp2.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp3.tmp
[DETECTION] Is the TR/Patched.GE Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp4.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp5.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp6.tmp
[DETECTION] Is the TR/Patched.GE Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp7.tmp
[DETECTION] Is the TR/Patched.GE Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp8.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp9.tmp
[DETECTION] Is the TR/Patched.GE Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp95.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp96.tmp
[DETECTION] Is the TR/Patched.GE Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmpA.tmp
[DETECTION] Is the TR/Patched.GE Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmpB.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmpC.tmp
[DETECTION] Is the TR/Patched.GE Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmpD.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmpE.tmp
[DETECTION] Is the TR/Patched.GE Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\MPSampleSubmit\awtqoNDu.dll.xor
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\MPSampleSubmit\hqgqcb.dll.xor
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\MPSampleSubmit\tuvTjHYq.dll.xor
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\WINDOWS\Temp\134873.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
C:\WINDOWS\Temp\138599.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
C:\WINDOWS\Temp\172387.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
C:\WINDOWS\Temp\2140087.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
C:\WINDOWS\Temp\526346.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
C:\WINDOWS\Temp\84902.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
C:\WINDOWS\Temp\88407.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan

Beginning disinfection:
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp1ED.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
[NOTE] The file was moved to '4afc3027.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp1EE.tmp
[DETECTION] Is the TR/Patched.GE Trojan
[NOTE] The file was moved to '49dfcb50.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp2.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
[NOTE] The file was moved to '49dcd408.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp3.tmp
[DETECTION] Is the TR/Patched.GE Trojan
[NOTE] The file was moved to '49e3ec70.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp4.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
[NOTE] The file was moved to '49dddbc0.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp5.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
[NOTE] The file was moved to '49dec398.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp6.tmp
[DETECTION] Is the TR/Patched.GE Trojan
[NOTE] The file was moved to '4b903bd8.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp7.tmp
[DETECTION] Is the TR/Patched.GE Trojan
[NOTE] The file was moved to '49d93368.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp8.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
[NOTE] The file was moved to '49da3b20.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp9.tmp
[DETECTION] Is the TR/Patched.GE Trojan
[NOTE] The file was moved to '49db22f8.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp95.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
[NOTE] The file was moved to '4afc3028.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmp96.tmp
[DETECTION] Is the TR/Patched.GE Trojan
[NOTE] The file was moved to '49d51249.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmpA.tmp
[DETECTION] Is the TR/Patched.GE Trojan
[NOTE] The file was moved to '49d61a01.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmpB.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
[NOTE] The file was moved to '49d701d9.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmpC.tmp
[DETECTION] Is the TR/Patched.GE Trojan
[NOTE] The file was moved to '49d00991.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmpD.tmp
[DETECTION] Is the TR/TDss.UZ.2 Trojan
[NOTE] The file was moved to '49d171a9.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\tmpE.tmp
[DETECTION] Is the TR/Patched.GE Trojan
[NOTE] The file was moved to '49d27961.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\MPSampleSubmit\awtqoNDu.dll.xor
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4b003032.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\MPSampleSubmit\hqgqcb.dll.xor
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4af3302c.qua'!
C:\Documents and Settings\ALLUSER.X300\Local Settings\Temp\MPSampleSubmit\tuvTjHYq.dll.xor
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4b023030.qua'!
C:\WINDOWS\Temp\134873.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
[NOTE] The file was moved to '4ac02fee.qua'!
C:\WINDOWS\Temp\138599.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
[NOTE] The file was moved to '4ac42fee.qua'!
C:\WINDOWS\Temp\172387.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
[NOTE] The file was moved to '4abe2ff2.qua'!
C:\WINDOWS\Temp\2140087.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
[NOTE] The file was moved to '4ac02fec.qua'!
C:\WINDOWS\Temp\526346.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
[NOTE] The file was moved to '4ac22fed.qua'!
C:\WINDOWS\Temp\84902.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
[NOTE] The file was moved to '4ac52fef.qua'!
C:\WINDOWS\Temp\88407.tmp
[DETECTION] Is the TR/Drop.Agent.sad Trojan
[NOTE] The file was moved to '4ac02ff3.qua'!


End of the scan: 19 August 2009 18:00
Used time: 31:24 Minute(s)

The scan has been done completely.

4945 Scanned directories
180406 Files were scanned
27 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
27 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
180378 Files not concerned
1721 Archives were scanned
1 Warnings
28 Notes
7650 Objects were scanned with rootkit scan
5 Hidden objects were found

Edited by Obsessed, 19 August 2009 - 12:11 PM.


#15 Obsessed

Obsessed
  • Topic Starter

  • Members
  • 20 posts

Posted 19 August 2009 - 12:11 PM

And the fresh DDS log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by ALLUSER at 18:06:45.43 on 19/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.630.302 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
svchost.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\ALLUSER.X300\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {8d1da459-30a4-4757-ab43-15e7342f9a4d} - c:\windows\system32\geBtQkJc.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\a9c1b497-df4b-415d-931d-0a3a6c34d2c7.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BearShare] "c:\program files\bearshare\BearShare.exe" /pause
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\3\3connect\AutoUpdateSrv.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221554916107
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221555073503
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: awtqoNDu - awtqoNDu.dll
Notify: igfxcui - igfxdev.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: tuvTjHYq - tuvTjHYq.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBtQkJc

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alluse~1.x30\applic~1\mozilla\firefox\profiles\f44zvilz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-19 11608]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-19 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-19 185089]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-8-8 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-8-8 234888]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-19 55656]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2008-10-21 10240]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 hxmmsgsa;hxmmsgsa;\??\c:\windows\system32\drivers\hxmmsgsa.sys --> c:\windows\system32\drivers\hxmmsgsa.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2009-5-20 16896]

=============== Created Last 30 ================

2009-08-19 17:25 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-19 17:25 <DIR> --d----- c:\program files\Avira
2009-08-19 17:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-18 21:22 <DIR> --d----- c:\docume~1\alluse~1.x30\applic~1\Malwarebytes
2009-08-18 16:52 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 16:52 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-18 16:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 16:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-14 01:56 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-14 01:55 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-09 11:30 <DIR> --d----- c:\program files\common files\xing shared
2009-08-09 11:30 348,160 a------- c:\windows\system32\msvcr71.dll
2009-08-09 11:30 499,712 a------- c:\windows\system32\msvcp71.dll
2009-08-08 21:24 <DIR> --d----- c:\program files\DVDVideoSoft
2009-08-08 21:24 <DIR> --d----- c:\program files\common files\DVDVideoSoft
2009-08-08 20:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-08-08 20:14 <DIR> --d----- c:\docume~1\alluse~1.x30\applic~1\Azureus
2009-08-08 20:13 <DIR> --d----- c:\program files\Vuze
2009-08-08 20:13 <DIR> --d----- c:\program files\common files\i4j_jres
2009-08-08 20:13 <DIR> --d----- c:\program files\AskBarDis
2009-08-07 20:16 <DIR> --d----- c:\docume~1\alluse~1.x30\applic~1\BitTorrent
2009-08-07 20:16 <DIR> --d----- c:\program files\BitTorrent
2009-08-07 18:31 <DIR> --d----- c:\program files\Trend Micro
2009-08-07 18:29 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-07 18:29 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-05 10:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 17:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 17:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 17:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 13:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-29 13:15 18,440 a------- c:\docume~1\alluse~1.x30\applic~1\GDIPFONTCACHEV1.DAT
2009-05-20 01:54 53,218 a--sh--- c:\windows\system32\cJkQtBeg.ini2

============= FINISH: 18:07:12.08 ===============

Edited by Obsessed, 19 August 2009 - 12:12 PM.
