google redirect virus


15 replies to this topic

#1 rumiana

Posted 06 August 2011 - 03:45 PM

I believe I have a Google redirect virus: my Google search result links are being redirected to unrelated sites; when I search through Google and click on one of the search results, instead of going to the correct page, I am redirected to an advertisement or other unrelated sites.
I have had the Norton Antivirus program running all the time - it did not find problem files, although the presence of the virus was obvious. Subsequently, I ran Malwarebytes and it found and removed some problem files, but I am still redirected during searches. Later, I also tried Kaspersky TDSSKiller, PC Tools Spyware Doctor, and StopZilla, and they all found some problem files and removed them, but the redirecting did not stop.

My computer configuration: AMD Athlon 64 Processor, 2.4 GHz, 2.00 GB RAM
OS: Windows XP Professional Ed. Version 2002

Thank you very much for the help!

P.S. I am attaching the ark.txt file as ark.zip, because it was too big to be attached if not zipped.


DDS.txt

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
Run by RT at 11:52:04 on 2011-08-06
Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.2047.817 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PC Tools Security\pctsGui.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZScanner.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: GOM Player + Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: GOM Player + Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Lexmark X73 Button Monitor] c:\progra~1\lexmar~1\ACMonitor_X73.exe
mRun: [Lexmark X73 Button Manager] c:\progra~1\lexmar~1\AcBtnMgr_X73.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight Pro - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\getright\GRbrowse.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A26391B5-2F7C-446D-A7EC-0234ED5FA72A} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: TPSvc - TPSvc.dll
SecurityProviders:
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-2-18 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-2-18 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-2-18 656320]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2010-9-19 77312]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/10/30 20:11:44];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-6-28 87536]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-2-18 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-2-18 1150936]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 BrowserSeek Service;BrowserSeek Service;"c:\documents and settings\all users\application data\browserseek\browserseek1123.exe" "c:\program files\browserseek\browserseek.dll" sanayodo zuzojosan --> c:\documents and settings\all users\application data\browserseek\browserseek1123.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-19 136176]
S3 63655795;63655795; [x]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-19 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-28 41272]
.
=============== Created Last 30 ================
.
2011-07-28 21:53:25 -------- d-----w- c:\documents and settings\rt\local settings\application data\{22EC5C73-E325-4077-A3E8-816B9EA56E50}
2011-07-28 21:46:01 -------- d-----w- c:\program files\STOPzilla!
2011-07-28 21:45:59 -------- d-----w- c:\program files\common files\iS3
2011-07-27 19:34:14 0 ----a-w- c:\windows\Spoguqeruzona.bin
2011-07-26 18:51:51 -------- d-----w- c:\documents and settings\all users\application data\fE00000EoCiM00000
2011-07-26 02:56:12 164 ----a-w- c:\documents and settings\rt\application data\JWj15zE4.bat
2011-07-26 02:42:49 164 ----a-w- c:\documents and settings\rt\application data\oksCkUGI.bat
2011-07-26 01:08:03 -------- d-s---w- c:\documents and settings\rt\UserData
2011-07-26 01:07:15 -------- d-----w- c:\documents and settings\all users\application data\QueryScan
2011-07-26 01:06:20 102 ---h--w- c:\documents and settings\rt\application data\LocalAccountAuthority.bat
2011-07-26 01:05:44 154 ----a-w- c:\documents and settings\rt\application data\xp3wqz7vu.bat
2011-07-26 00:59:09 64000 --sha-r- c:\windows\system32\sysprtj8.dll
2011-07-26 00:31:45 -------- d-----w- c:\documents and settings\rt\local settings\application data\Alien Skin
2011-07-26 00:24:51 -------- d-----w- c:\documents and settings\all users\application data\Alien Skin
2011-07-25 21:59:38 546256 ----a-r- c:\windows\system32\SZComp5.dll
2011-07-25 21:59:38 22992 ----a-r- c:\windows\system32\SZIO5.dll
2011-07-25 21:59:38 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-07-25 21:59:36 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-07-25 21:59:36 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-07-25 21:59:36 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-07-25 21:59:36 456144 ----a-r- c:\windows\system32\SZBase5.dll
2011-07-25 21:59:36 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-07-25 21:59:36 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-07-25 21:59:34 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2011-07-25 21:59:34 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2011-07-25 21:59:34 230864 ----a-r- c:\windows\system32\IS3Win325.dll
.
==================== Find3M ====================
.
.
============= FINISH: 11:52:45.32 ===============

#2 teacup61
  • Malware Response Team

Posted 07 August 2011 - 12:48 PM

Hello rumiana ,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to rumiana.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 rumiana
  • Topic Starter

Posted 08 August 2011 - 03:54 PM

When I tried to run ComboFix, I was getting messages:

Windows cannot find NIRCMD. Make sure you typed the name correctly...
Windows cannot find HIDEC. Make sure you typed the name correctly...

On the second attempt (after I renamed it to rumiana.exe), it gave the same messages, then kind of started to run, but did not succeed, and the messages were:

ComboFix is preparing to run
'NIRCMD' is not recognized as an internal or external command, operable program, or batch file

Attempting to create a new System Restore point
'NIRCMD' is not recognized as an internal or external command, operable program, or batch file

...and the computer hangs at this point... (I am writing from another computer now)

#4 teacup61
  • Malware Response Team

Posted 09 August 2011 - 06:02 AM

Please try it in Safe Mode. :)

tea

#5 rumiana
  • Topic Starter

Posted 09 August 2011 - 06:17 AM

Unfortunately, one of the effects of the virus attack was that my computer does not run in Safe Mode anymore.

Thanks,
Rumiana

#6 rumiana
  • Topic Starter

Posted 09 August 2011 - 09:38 AM

A side effect of my efforts to run ComboFix is that I am not able to Shut Down my computer - on pressing the Shut Down button, it restarts; it restarts even if I try to switch it off from the hardware switch off button on the case.

Thanks,
Rumiana

#7 teacup61
  • Malware Response Team

Posted 11 August 2011 - 04:42 PM

Hello,

Could you please post the MBAM report you got earlier? Or, if you're able to, please run it again and see if it finds anything new.

Thanks,
tea

#8 rumiana
  • Topic Starter

Posted 11 August 2011 - 06:03 PM

The MBAM report from yesterday (shown below) says there are no malicious items or infections.

Thanks,
Rumiana


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7430

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

8/10/2011 9:14:58 PM
mbam-log-2011-08-10 (21-14-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 245821
Time elapsed: 1 hour(s), 42 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 teacup61
  • Malware Response Team

Posted 11 August 2011 - 08:24 PM

Hello,

Let's see about deleting some of those bad files and folders and see if then we can get something to run.

Navigate to and delete the following folders, if they exist:

c:\documents and settings\all users\application data\browserseek
c:\program files\browserseek
c:\documents and settings\rt\local settings\application data\{22EC5C73-E325-4077-A3E8-816B9EA56E50}
c:\program files\ask.com <-------or anything to do with Ask

And the following files, if they exist :

c:\windows\Spoguqeruzona.bin
c:\documents and settings\all users\application data\fE00000EoCiM00000
c:\documents and settings\rt\application data\JWj15zE4.bat
c:\documents and settings\rt\application data\oksCkUGI.bat
c:\documents and settings\rt\application data\xp3wqz7vu.bat
c:\windows\system32\sysprtj8.dll

After you delete the ones you do find, empty your recycle bin and reboot your computer. Then please try to run ComboFix again and post the report if it does indeed run. :)

Thanks,
tea

#10 rumiana
  • Topic Starter

Posted 11 August 2011 - 09:44 PM

After I deleted the suggested files and folders I found, ComboFix was able to run and the report is posted below.

Thanks a lot,
Rumiana


ComboFix 11-08-11.03 - RT 08/11/2011 22:18:47.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.2047.1650 [GMT -4:00]
Running from: c:\documents and settings\RT\Desktop\rumiana.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\QueryScan
c:\documents and settings\RT\Application Data\Adobe\plugs
c:\documents and settings\RT\Application Data\Adobe\plugs\mmc164
c:\documents and settings\RT\Application Data\Adobe\shed
c:\documents and settings\RT\Application Data\LocalAccountAuthority.bat
c:\documents and settings\RT\WINDOWS
C:\Thumbs.db
c:\windows\d.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BROWSERSEEK_SERVICE
-------\Legacy_MOUSEDRIVER
-------\Legacy_MSINSTALLPATCH
-------\Legacy_NWSAPAGENT
-------\Legacy_PLUG_MANAGER
-------\Service_BrowserSeek Service
-------\Service_Nwsapagent
.
.
((((((((((((((((((((((((( Files Created from 2011-07-12 to 2011-08-12 )))))))))))))))))))))))))))))))
.
.
2011-08-08 19:39 . 2011-08-08 19:39 -------- d-----w- C:\rumiana
2011-08-08 19:30 . 2011-08-08 19:39 -------- d-----w- C:\ComboFix
2011-07-27 19:51 . 2011-07-27 19:51 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-07-27 19:45 . 2011-07-27 19:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-07-26 01:08 . 2011-07-26 01:08 -------- d-s---w- c:\documents and settings\RT\UserData
2011-07-26 00:31 . 2011-07-26 00:31 -------- d-----w- c:\documents and settings\RT\Local Settings\Application Data\Alien Skin
2011-07-26 00:24 . 2011-07-26 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Alien Skin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-06 20:40 . 2011-08-06 20:40 54675 ----a-w- C:\ark.zip
2011-06-21 18:03 . 2011-05-17 08:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-20 11:08 . 2010-12-10 01:26 114688 ----a-w- c:\program files\internet explorer\plugins\ChimeShim.dll
2011-06-22 08:37 . 2011-03-28 21:38 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-09-20 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2010-10-3 565248]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders
.
[HKLM\~\startupfolder\C:^Documents and Settings^RT^Start Menu^Programs^Startup^WordWeb.lnk]
path=c:\documents and settings\RT\Start Menu\Programs\Startup\WordWeb.lnk
backup=c:\windows\pss\WordWeb.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-06-29 02:50 75048 ------w- c:\program files\CyberLink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl10]
2010-02-03 04:08 87336 ------w- c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD10\\PowerDVD Cinema\\PowerDVDCinema10.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2/18/2011 9:36 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2/18/2011 9:37 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2/18/2011 9:37 PM 656320]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [9/19/2010 9:41 PM 77312]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/10/30 20:11];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [6/28/2010 10:50 PM 87536]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/19/2011 7:49 AM 136176]
S3 63655795;63655795; [x]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/19/2011 7:49 AM 136176]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2/18/2011 9:36 PM 366840]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-19 11:49]
.
2011-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-19 11:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\RT\Application Data\Mozilla\Firefox\Profiles\jdyi06e1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61758
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Notify-TPSvc - TPSvc.dll
MSConfigStartUp-cleanhtm - c:\documents and settings\RT\Application Data\cleanhtm.exe
MSConfigStartUp-HNUTHXlne - c:\docume~1\RT\LOCALS~1\Temp\lsass.exe
MSConfigStartUp-HNUTHXloc - c:\docume~1\RT\LOCALS~1\Temp\avp.exe
MSConfigStartUp-Jpuferujomurara - c:\windows\obazusuq.dll
MSConfigStartUp-Local Account Service - c:\documents and settings\RT\Application Data\lssas.exe
MSConfigStartUp-MKbMc - c:\windows\gdi32.exe
MSConfigStartUp-MKctc - c:\windows\msmgm.exe
MSConfigStartUp-MKfpe - c:\windows\winamp.exe
MSConfigStartUp-q53nLse2:veEgbOD - c:\documents and settings\RT\Application Data\Microsoft\Windows\oulwsvm.exe
MSConfigStartUp-Ryixa - c:\windows\chtapcpt.dll
MSConfigStartUp-ti57l5 - c:\documents and settings\RT\Application Data\ip3d.exe
MSConfigStartUp-XMZH42I4GI - c:\windows\Rdubaa.exe
AddRemove-Alien Skin Bokeh 2 - c:\program files\Alien Skin\Bokeh 2\Alien Skin Bokeh 2 Uninstaller.exe
AddRemove-Clarity Seek Service - c:\program files\Clarity Seek Service\uninst.exe
AddRemove-Setup Support for Browser Seek and Clarity Seek - c:\program files\Setup Support for Browser Seek and Clarity Seek\uninst.exe
AddRemove-_{05D60953-9012-44DF-A1A6-9DD97AD6580A} - c:\program files\Corel\Corel Painter X\MSILauncher {05D60953-9012-44DF-A1A6-9DD97AD6580A}
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-11 22:30
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\NavLogon.dll
.
- - - - - - - > 'explorer.exe'(1376)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\system32\PSIService.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsgSys.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-08-11 22:34:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-12 02:34
.
Pre-Run: 51,393,507,328 bytes free
Post-Run: 51,899,506,688 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 62D2F23186EC0884CAA2F9935ACB879A

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 11 August 2011 - 11:05 PM

Hello,

You're so welcome. :)

Wonderful! How is it running now please? Could I see a fresh DDS log also?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#12 rumiana

rumiana
  • Topic Starter

  • Members
  • 10 posts

Posted 12 August 2011 - 04:12 AM

It seems it does not redirect my Google searches anymore! The fresh DDS log is below.
Thanks so much again!
Rumiana


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
Run by RT at 5:04:00 on 2011-08-12
Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.2047.1327 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Lexmark X73 Button Monitor] c:\progra~1\lexmar~1\ACMonitor_X73.exe
mRun: [Lexmark X73 Button Manager] c:\progra~1\lexmar~1\AcBtnMgr_X73.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight Pro - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\getright\GRbrowse.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A26391B5-2F7C-446D-A7EC-0234ED5FA72A} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SecurityProviders:
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rt\application data\mozilla\firefox\profiles\jdyi06e1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61758
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npSfAppM.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-2-18 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-2-18 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-2-18 656320]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2010-9-19 77312]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/10/30 20:11:44];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-6-28 87536]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVENG.sys [2011-2-18 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVEX15.sys [2011-2-18 1371184]
S3 63655795;63655795; [x]
.
=============== Created Last 30 ================
.
2011-08-12 02:15:49 -------- d-sha-r- C:\cmdcons
2011-08-12 02:04:38 518144 ----a-w- c:\windows\SWREG.exe
2011-08-12 02:04:38 256000 ----a-w- c:\windows\PEV.exe
2011-08-08 19:41:22 98816 ----a-w- c:\windows\sed.exe
2011-08-08 19:41:22 208896 ----a-w- c:\windows\MBR.exe
2011-08-08 19:41:03 -------- d-----w- C:\rumiana13503r
2011-08-08 19:39:32 -------- d-----w- C:\rumiana
2011-08-08 19:30:59 -------- d-----w- C:\ComboFix
2011-07-26 01:08:03 -------- d-s---w- c:\documents and settings\rt\UserData
2011-07-26 00:31:45 -------- d-----w- c:\documents and settings\rt\local settings\application data\Alien Skin
2011-07-26 00:24:51 -------- d-----w- c:\documents and settings\all users\application data\Alien Skin
.
==================== Find3M ====================
.
2011-06-21 18:03:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 5:05:14.14 ===============
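As an added example (not from this thread, and not part of the DDS tool), a small Python triage script over DDS log lines like the ones in the report above. It flags a registered service whose image file is missing (DDS prints `[x]`), a numeric-only service name, and a Firefox loopback proxy entry, and says whether `network.proxy.type` actually activates that proxy. The sample lines are constructed from the log posted above; the regexes assume the DDS line layouts shown there.

```python
import re

# Constructed sample lines modelled on the DDS log posted above (not the full log).
SAMPLE_DDS = """\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61758
FF - prefs.js: network.proxy.type - 4
R0 viasraid;viasraid;c:\\windows\\system32\\drivers\\viasraid.sys [2010-9-19 77312]
S3 63655795;63655795; [x]
"""

FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
SERVICE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
# Firefox network.proxy.type values: 0 none, 1 manual, 2 PAC, 4 WPAD auto-detect, 5 system
PROXY_TYPES = {"0": "none", "1": "manual", "2": "pac", "4": "auto-detect", "5": "system"}


def triage_dds(text):
    """Return findings (short strings) for entries a responder would review
    after a search-redirect complaint."""
    findings, prefs = [], {}
    for line in text.splitlines():
        m = FF_PREF.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
            continue
        m = SERVICE.match(line)
        if m:
            _state, name, _desc, path = m.groups()
            if path.strip() == "[x]":
                # DDS prints [x] when the service's image file is not on disk
                findings.append(f"service {name}: registered but file missing")
            if name.isdigit():
                # Random numeric service names are a common rootkit trait
                findings.append(f"service {name}: numeric service name")
    host = prefs.get("network.proxy.http")
    if host in ("127.0.0.1", "localhost"):
        ptype = PROXY_TYPES.get(prefs.get("network.proxy.type", "0"), "unknown")
        active = "active" if ptype == "manual" else f"inactive (type {ptype})"
        # A loopback HTTP proxy lets a local process see and rewrite every page
        # load, but Firefox only honours it when network.proxy.type is 1 (manual).
        port = prefs.get("network.proxy.http_port", "?")
        findings.append(f"firefox proxy: {host}:{port} {active}")
    return findings


if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_DDS):
        print(finding)
```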

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 August 2011 - 11:32 AM

Hello,

I'm glad it's better, and you're most welcome. :)

Looks good. Uninstall ComboFix by doing the following:

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Your Adobe is out of date, which makes it vulnerable to attack, so you should update it as soon as possible.

If you have any questions or concerns, please feel free to ask, otherwise I believe we're done here. :thumbup2:

Take care,
tea

#14 rumiana

rumiana
  • Topic Starter

  • Members
  • 10 posts

Posted 13 August 2011 - 12:00 PM

Which Adobe program exactly do you mean?

Thanks,
Rumiana

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 August 2011 - 12:10 PM

Hi,

This one: c:\program files\adobe\acrobat 8.0\acrobat :)



