Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google links redirect to wierd websites??


  • This topic is locked This topic is locked
3 replies to this topic

#1 hlockhart

hlockhart

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 21 October 2010 - 05:30 PM

I already downloaded SUPERAntiSpywaret found several problems and threats. However, the google links are still redirecting me. Before I ran the spyware program, my Avira kept popping up "quarantine, delete, deny, a threat called Fraudpack??) I kept deleting it, however it kept coming back.

Mozilla also mentioned that it was imperative that I update Adobe Flash during this time (not sure if it has anything to do with it).


I also ran ComboFix and this is what I got:
ComboFix 10-10-20.04 - Hilary Lockhart 10/21/2010 15:12:26.3.2 - x86
Running from: c:\documents and settings\Hilary Lockhart\My Documents\Downloads\help.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\aha154x.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2010-10-20 18:42 . 2010-10-20 18:42 -------- d-----w- c:\documents and settings\Hilary Lockhart\Application Data\SUPERAntiSpyware.com
2010-10-20 18:42 . 2010-10-20 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-20 03:33 . 2010-10-20 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-10-20 03:33 . 2010-10-20 03:33 -------- d-----w- c:\program files\McAfee Security Scan
2010-10-19 03:31 . 2010-10-19 03:31 200704 ----a-w- c:\windows\Wlolua.exe
2010-10-13 09:37 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 09:37 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 09:37 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-07 23:01 . 2010-10-19 23:42 -------- d-----w- C:\ComboFix
2010-09-23 01:10 . 2010-09-23 01:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-23 01:10 . 2010-09-23 01:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 19:20 . 2009-06-10 19:20 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-06-10 19:20 . 2009-06-10 19:20 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-06-10 19:22 . 2009-06-10 19:22 27976 ----a-w- c:\program files\mozilla firefox\plugins\atsc3cls.dll
2009-06-10 19:20 . 2009-06-10 19:20 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-10-07_23.07.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-21 22:03 . 2010-10-21 22:03 16384 c:\windows\Temp\Perflib_Perfdata_3bc.dat
+ 2010-10-21 22:03 . 2010-10-21 22:03 16384 c:\windows\Temp\Perflib_Perfdata_238.dat
+ 2009-05-05 18:28 . 2010-08-27 05:57 99840 c:\windows\system32\srvsvc.dll
- 2005-01-09 23:48 . 2010-10-07 22:36 80258 c:\windows\system32\perfc009.dat
+ 2005-01-09 23:48 . 2010-10-21 22:08 80258 c:\windows\system32\perfc009.dat
- 2009-05-05 18:26 . 2009-03-08 11:31 66560 c:\windows\system32\mshtmled.dll
+ 2009-05-05 18:26 . 2010-09-10 05:58 66560 c:\windows\system32\mshtmled.dll
+ 2007-08-14 01:54 . 2010-09-10 05:58 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-14 01:54 . 2010-06-24 12:21 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-05-05 18:26 . 2010-09-10 05:58 43520 c:\windows\system32\licmgr10.dll
- 2009-05-05 18:25 . 2010-06-24 12:21 25600 c:\windows\system32\jsproxy.dll
+ 2009-05-05 18:25 . 2010-09-10 05:58 25600 c:\windows\system32\jsproxy.dll
- 2009-06-11 08:57 . 2010-06-24 12:22 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-06-11 08:57 . 2010-09-10 05:58 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2010-08-27 05:57 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll
- 2007-08-14 01:54 . 2009-03-08 11:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-08-14 01:54 . 2010-09-10 05:58 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-05-06 15:57 . 2010-09-10 05:58 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-05-06 15:57 . 2010-06-24 12:21 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-08-14 01:44 . 2010-09-10 05:58 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2007-08-14 01:54 . 2010-06-24 12:21 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-08-14 01:54 . 2010-09-10 05:58 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-10-14 06:56 . 2010-10-14 06:56 21504 c:\windows\Installer\46b3493.msi
+ 2010-10-13 10:04 . 2010-06-24 12:22 12800 c:\windows\ie8updates\KB2360131-IE8\xpshims.dll
+ 2010-10-13 10:04 . 2009-03-08 11:31 66560 c:\windows\ie8updates\KB2360131-IE8\mshtmled.dll
+ 2010-10-13 10:04 . 2010-06-24 12:21 55296 c:\windows\ie8updates\KB2360131-IE8\msfeedsbs.dll
+ 2010-10-13 10:04 . 2009-03-08 11:34 43008 c:\windows\ie8updates\KB2360131-IE8\licmgr10.dll
+ 2010-10-13 10:04 . 2010-06-24 12:21 25600 c:\windows\ie8updates\KB2360131-IE8\jsproxy.dll
+ 2009-05-06 16:08 . 2010-08-26 12:52 5120 c:\windows\system32\xpsp4res.dll
- 2009-05-06 16:08 . 2010-07-22 05:57 5120 c:\windows\system32\xpsp4res.dll
+ 2009-05-05 18:29 . 2010-09-10 05:58 916480 c:\windows\system32\wininet.dll
- 2009-05-05 18:29 . 2010-06-24 12:22 916480 c:\windows\system32\wininet.dll
+ 2009-05-05 18:28 . 2010-08-27 08:02 119808 c:\windows\system32\t2embed.dll
- 2009-05-05 18:28 . 2009-10-15 16:28 119808 c:\windows\system32\t2embed.dll
- 2009-05-05 18:28 . 2010-07-22 15:49 590848 c:\windows\system32\rpcrt4.dll
+ 2009-05-05 18:28 . 2010-08-16 08:45 590848 c:\windows\system32\rpcrt4.dll
+ 2005-01-09 23:48 . 2010-10-21 22:08 462866 c:\windows\system32\perfh009.dat
- 2005-01-09 23:48 . 2010-10-07 22:36 462866 c:\windows\system32\perfh009.dat
- 2009-05-05 18:27 . 2010-06-24 12:22 206848 c:\windows\system32\occache.dll
+ 2009-05-05 18:27 . 2010-09-10 05:58 206848 c:\windows\system32\occache.dll
+ 2009-05-05 18:27 . 2010-09-10 05:58 611840 c:\windows\system32\mstime.dll
- 2009-05-05 18:27 . 2010-06-24 12:22 611840 c:\windows\system32\mstime.dll
+ 2007-08-14 01:54 . 2010-09-10 05:58 602112 c:\windows\system32\msfeeds.dll
+ 2009-05-05 18:26 . 2010-09-18 19:23 974848 c:\windows\system32\mfc42u.dll
+ 2009-05-05 18:26 . 2010-09-18 06:53 974848 c:\windows\system32\mfc42.dll
+ 2009-05-05 18:26 . 2010-09-18 06:53 953856 c:\windows\system32\mfc40u.dll
+ 2009-05-05 18:26 . 2010-09-18 06:53 954368 c:\windows\system32\mfc40.dll
+ 2010-10-20 03:34 . 2010-10-20 03:34 232912 c:\windows\system32\Macromed\Flash\FlashUtil10k_Plugin.exe
- 2009-05-05 18:24 . 2010-06-24 12:21 184320 c:\windows\system32\iepeers.dll
+ 2009-05-05 18:24 . 2010-09-10 05:58 184320 c:\windows\system32\iepeers.dll
- 2009-05-05 18:24 . 2010-06-24 12:21 387584 c:\windows\system32\iedkcs32.dll
+ 2009-05-05 18:24 . 2010-09-10 05:58 387584 c:\windows\system32\iedkcs32.dll
+ 2009-05-05 18:24 . 2010-08-26 12:22 173056 c:\windows\system32\ie4uinit.exe
- 2009-05-05 18:24 . 2010-06-23 12:08 173056 c:\windows\system32\ie4uinit.exe
- 2005-01-09 16:59 . 2010-08-13 16:49 332280 c:\windows\system32\FNTCACHE.DAT
+ 2005-01-09 16:59 . 2010-10-13 10:21 332280 c:\windows\system32\FNTCACHE.DAT
+ 2009-05-05 18:28 . 2010-08-26 13:39 357248 c:\windows\system32\drivers\srv.sys
+ 2009-05-06 16:08 . 2010-07-12 12:55 218112 c:\windows\system32\dllcache\wordpad.exe
- 2007-08-14 01:54 . 2010-06-24 12:22 916480 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-14 01:54 . 2010-09-10 05:58 916480 c:\windows\system32\dllcache\wininet.dll
- 2009-06-16 14:36 . 2009-10-15 16:28 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-06-16 14:36 . 2010-08-27 08:02 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-05-06 15:54 . 2010-08-26 13:39 357248 c:\windows\system32\dllcache\srv.sys
+ 2009-04-15 14:51 . 2010-08-16 08:45 590848 c:\windows\system32\dllcache\rpcrt4.dll
- 2009-04-15 14:51 . 2010-07-22 15:49 590848 c:\windows\system32\dllcache\rpcrt4.dll
+ 2007-08-14 01:44 . 2010-09-10 05:58 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-14 01:44 . 2010-06-24 12:22 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-14 01:54 . 2010-06-24 12:22 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-08-14 01:54 . 2010-09-10 05:58 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-05-06 15:57 . 2010-09-10 05:58 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2010-09-18 19:23 . 2010-09-18 19:23 974848 c:\windows\system32\dllcache\mfc42u.dll
+ 2009-05-05 18:26 . 2010-09-18 06:53 974848 c:\windows\system32\dllcache\mfc42.dll
+ 2009-06-11 08:57 . 2010-09-10 05:58 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-06-11 08:57 . 2010-06-24 12:21 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2007-08-14 01:54 . 2010-09-10 05:58 184320 c:\windows\system32\dllcache\iepeers.dll
- 2007-08-14 01:54 . 2010-06-24 12:21 184320 c:\windows\system32\dllcache\iepeers.dll
- 2010-06-09 07:11 . 2010-06-24 12:21 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2010-06-09 07:11 . 2010-09-10 05:58 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2007-08-14 01:39 . 2010-06-24 12:21 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-08-14 01:39 . 2010-09-10 05:58 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-14 01:39 . 2010-06-23 12:08 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-14 01:39 . 2010-08-26 12:22 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-04-20 05:30 . 2010-09-01 11:51 285824 c:\windows\system32\dllcache\atmfd.dll
+ 2009-05-05 18:23 . 2010-08-23 16:12 617472 c:\windows\system32\comctl32.dll
- 2009-05-05 18:23 . 2008-04-14 12:41 617472 c:\windows\system32\comctl32.dll
+ 2009-05-05 18:23 . 2010-09-01 11:51 285824 c:\windows\system32\atmfd.dll
+ 2010-09-24 04:02 . 2010-09-24 04:02 798208 c:\windows\Installer\277b6c5.msp
+ 2010-10-13 10:04 . 2010-06-24 12:22 916480 c:\windows\ie8updates\KB2360131-IE8\wininet.dll
+ 2010-10-13 10:04 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2360131-IE8\spuninst\updspapi.dll
+ 2010-10-13 10:04 . 2009-05-26 09:01 231288 c:\windows\ie8updates\KB2360131-IE8\spuninst\spuninst.exe
+ 2010-10-13 10:04 . 2010-06-24 12:22 206848 c:\windows\ie8updates\KB2360131-IE8\occache.dll
+ 2010-10-13 10:04 . 2010-06-24 12:22 611840 c:\windows\ie8updates\KB2360131-IE8\mstime.dll
+ 2010-10-13 10:04 . 2010-06-24 12:21 599040 c:\windows\ie8updates\KB2360131-IE8\msfeeds.dll
+ 2010-10-13 10:04 . 2010-06-24 12:21 247808 c:\windows\ie8updates\KB2360131-IE8\ieproxy.dll
+ 2010-10-13 10:04 . 2010-06-24 12:21 184320 c:\windows\ie8updates\KB2360131-IE8\iepeers.dll
+ 2010-10-13 10:04 . 2010-06-24 12:21 743424 c:\windows\ie8updates\KB2360131-IE8\iedvtool.dll
+ 2010-10-13 10:04 . 2010-06-24 12:21 387584 c:\windows\ie8updates\KB2360131-IE8\iedkcs32.dll
+ 2010-10-13 10:04 . 2010-06-23 12:08 173056 c:\windows\ie8updates\KB2360131-IE8\ie4uinit.exe
+ 2010-10-08 10:02 . 2010-10-08 10:02 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\b1646e54b708b9824f4193f87eb00c0e\System.Web.Extensions.Design.ni.dll
+ 2010-10-08 10:02 . 2010-10-08 10:02 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\504a93e73da77c502ecf98bfdfc1485e\System.Web.Entity.ni.dll
+ 2010-10-08 10:02 . 2010-10-08 10:02 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\f22334fbd9497d79448fffef515ae0cc\System.Web.Entity.Design.ni.dll
+ 2010-10-08 10:02 . 2010-10-08 10:02 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\af5452305588da228a74e30324681d20\System.Web.DynamicData.ni.dll
+ 2010-10-13 09:37 . 2010-08-23 16:12 1054208 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
+ 2009-05-05 18:29 . 2010-08-31 13:42 1852800 c:\windows\system32\win32k.sys
+ 2009-05-05 18:28 . 2010-09-10 05:58 1210880 c:\windows\system32\urlmon.dll
+ 2009-05-05 18:27 . 2010-07-16 12:05 1288192 c:\windows\system32\ole32.dll
+ 2009-05-05 18:26 . 2010-09-10 05:58 5957120 c:\windows\system32\mshtml.dll
+ 2009-10-28 03:40 . 2010-10-20 03:34 5969360 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2007-08-14 01:34 . 2010-09-10 05:58 1986560 c:\windows\system32\iertutil.dll
- 2007-08-14 01:34 . 2010-06-24 12:21 1986560 c:\windows\system32\iertutil.dll
+ 2009-05-06 15:52 . 2010-08-31 13:42 1852800 c:\windows\system32\dllcache\win32k.sys
+ 2007-08-14 01:54 . 2010-09-10 05:58 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2010-07-16 12:05 . 2010-07-16 12:05 1288192 c:\windows\system32\dllcache\ole32.dll
+ 2007-08-14 01:54 . 2010-09-10 05:58 5957120 c:\windows\system32\dllcache\mshtml.dll
+ 2009-05-06 15:57 . 2010-09-10 05:58 1986560 c:\windows\system32\dllcache\iertutil.dll
- 2009-05-06 15:57 . 2010-06-24 12:21 1986560 c:\windows\system32\dllcache\iertutil.dll
+ 2010-10-21 16:26 . 2010-10-21 16:26 3940864 c:\windows\Installer\e8e73.msi
+ 2010-10-13 10:04 . 2010-06-24 12:22 1210368 c:\windows\ie8updates\KB2360131-IE8\urlmon.dll
+ 2010-10-13 10:04 . 2010-06-24 12:22 5951488 c:\windows\ie8updates\KB2360131-IE8\mshtml.dll
+ 2010-10-13 10:04 . 2010-06-24 12:21 1986560 c:\windows\ie8updates\KB2360131-IE8\iertutil.dll
+ 2010-10-08 10:02 . 2010-10-08 10:02 2405376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\da367bc2ecf2c9c5b4f858b6dba9e2ea\System.Web.Extensions.ni.dll
+ 2010-10-08 10:02 . 2010-10-08 10:02 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\8e34e273d036b7468fc4e951a1fde437\System.ServiceModel.Web.ni.dll
+ 2010-10-08 10:00 . 2010-10-08 10:00 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
- 2009-05-06 16:14 . 2009-05-06 16:14 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2005-01-09 23:49 . 2010-08-26 06:36 10841088 c:\windows\system32\wmp.dll
- 2005-01-09 23:49 . 2009-07-14 06:43 10841088 c:\windows\system32\wmp.dll
+ 2009-05-06 15:53 . 2010-10-13 10:00 35385288 c:\windows\system32\MRT.exe
+ 2007-08-14 01:54 . 2010-09-10 05:58 11080192 c:\windows\system32\ieframe.dll
+ 2009-07-14 06:43 . 2010-08-26 06:36 10841088 c:\windows\system32\dllcache\wmp.dll
- 2009-07-14 06:43 . 2009-07-14 06:43 10841088 c:\windows\system32\dllcache\wmp.dll
+ 2009-05-06 15:57 . 2010-09-10 05:58 11080192 c:\windows\system32\dllcache\ieframe.dll
+ 2010-10-13 10:04 . 2010-06-25 00:51 11077120 c:\windows\ie8updates\KB2360131-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2007-07-17 22:59 1379352 ----a-w- c:\program files\Wisdom-soft\tbWisd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-09 2828184]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SmileboxTray"="c:\documents and settings\Hilary Lockhart\Application Data\Smilebox\SmileboxTray.exe" [2010-10-05 304448]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-29 2937528]
"DirectPlayerCore"="c:\program files\NBC Direct\DirectPlayerCore.exe" [2010-03-25 1146880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SMSERIAL"="sm56hlpr.exe" [2006-01-11 544768]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"MacrokeyManager"="WTMKM.exe" [2007-11-14 1969824]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"ACS_CDU680"="c:\program files\ACS_CDU680\EVDO-Modem\BIN\RDVCHG.EXE" [2008-06-04 316664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 09:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 11:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 05:17 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 17:54 150016 ----a-w- c:\program files\Hp\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 19:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-10-05 07:52 304448 ----a-w- c:\documents and settings\Hilary Lockhart\Application Data\Smilebox\SmileboxTray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56324:TCP"= 56324:TCP:Pando Media Booster
"56324:UDP"= 56324:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\HILARY~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\HILARY~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\HILARY~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\HILARY~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/6/2009 7:40 PM 108289]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [12/16/2009 5:38 PM 375296]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
S2 gupdate1c9ee0438cdf155;Google Update Service (gupdate1c9ee0438cdf155);c:\program files\Google\Update\GoogleUpdate.exe [6/15/2009 2:57 PM 133104]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [8/7/2010 9:46 AM 87040]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 21:56]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 21:56]

2010-10-21 c:\windows\Tasks\User_Feed_Synchronization-{CEF61C24-D765-4605-8A73-22B3BB3C34A7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://qbo.intuit.com/c10/v31.157/710218224/frameset
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: plaxo.com\www
FF - ProfilePath - c:\documents and settings\Hilary Lockhart\Application Data\Mozilla\Firefox\Profiles\f20githn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rlz=1R0MOZA_en
FF - component: c:\documents and settings\Hilary Lockhart\Application Data\Mozilla\Firefox\Profiles\f20githn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Hilary Lockhart\Application Data\IDM\bin\flash\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\Hilary Lockhart\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Hilary Lockhart\Application Data\Mozilla\Firefox\Profiles\f20githn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Hilary Lockhart\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\NBC Direct\npDirectPlayerMozilla.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3736)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-21 15:20:08
ComboFix-quarantined-files.txt 2010-10-21 22:20
ComboFix2.txt 2010-10-07 23:09
ComboFix3.txt 2010-09-23 01:05

Pre-Run: 188,095,209,472 bytes free
Post-Run: 188,238,872,576 bytes free

- - End Of File - - D210F0CAFA17160016BAB34094AFBBEA

Any news as to what causes the google redirects??

Edited by hamluis, 21 October 2010 - 07:15 PM.
Moved from XP forum to Malware Removal Logs ~ Hamluis.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:53 PM

Posted 30 October 2010 - 03:12 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok,

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

In your next post I need the following

1.logs from DDS
2.log from RKUnHooker
3.let me know of any problems you may have had
[/list]
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:53 PM

Posted 02 November 2010 - 02:15 AM

Hello

three day bump

It has been Three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:53 PM

Posted 05 November 2010 - 01:00 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users