
1 internet redirection google results on Tue Jul 06, 2010 3:05 am

Hidden Snake


Member
Hi. I'm new here. I was looking over this thread: http://www.helpmyos.com/malware-threat-removal-f6/internet-search-redirecting-t2035.htm

This virus keeps redirecting my search results. Sad

So, not sure what to do, but I have run DDS.

DDS (Ver_10-03-17.01) - NTFSx86
Run by snakes at 10:53:05.81 on Mon 07/05/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1457 [GMT -6]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lockbox\flockbox.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\RivaTuner v2.24\RivaTuner.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\snakes\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [flockbox] c:\program files\lockbox\flockbox.exe /a
mRun: [3c1807pd]
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [VirtualCloneDrive] "c:\program files\virtualclonedrive\VCDDaemon.exe" /s
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\snakes\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\sony handheld\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rivatu~1.lnk - c:\program files\rivatuner v2.24\RivaTuner.exe
uPolicies-explorer: NoStrCmpLogical = 00000000
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: turbotax.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186008465000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\snakes\applic~1\mozilla\firefox\profiles\vth0gc3b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {E043994C-BEC7-46D8-86F5-CE6D03C21D94} - c:\documents and settings\snakes\local settings\application data\{E043994C-BEC7-46D8-86F5-CE6D03C21D94}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2008-7-21 17264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-4 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-8-2 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-4 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-4 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-4 297752]
S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-07-03 07:17:44 20 ----a-w- c:\documents and settings\snakes\defogger_reenable
2010-07-01 20:18:45 0 d-----w- c:\docume~1\snakes\applic~1\WB Games
2010-07-01 07:17:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-07-01 07:17:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-07-01 07:17:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-07-01 07:17:54 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-07-01 07:17:54 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-07-01 07:17:54 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-07-01 07:17:54 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-07-01 07:17:53 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-07-01 07:17:53 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-07-01 07:17:53 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-07-01 07:17:52 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-07-01 07:17:51 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-06-30 00:14:14 356427 ----a-w- c:\documents and settings\snakes\.recently-used.xbel
2010-06-25 08:52:24 0 d-----w- c:\docume~1\snakes\applic~1\Moyea
2010-06-25 08:51:58 0 d-----w- c:\program files\Moyea
2010-06-25 00:10:22 0 d-----w- c:\program files\Chopper XP
2010-06-23 00:17:26 0 d-----w- c:\docume~1\snakes\applic~1\AGameAWeek
2010-06-14 03:48:56 289 ----a-w- c:\windows\SLEUTH.INI
2010-06-14 03:48:51 0 d-----w- c:\program files\Science Sleuths
2010-06-14 03:45:59 0 ----a-w- c:\windows\SETUP32.INI
2010-06-09 04:24:52 0 d-----w- c:\docume~1\snakes\applic~1\NVIDIA

==================== Find3M ====================

2010-06-30 22:31:48 2041 ----a-w- c:\program files\totals.xml
2010-06-30 22:31:48 1297 ----a-w- c:\program files\config.xml
2010-06-01 07:14:56 12814 ----a-w- c:\windows\ocejuzes.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 02:50:38 3284 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 22:04:51 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-19 22:04:51 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-12 23:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-10-28 16:57:34 5306880 ----a-w- c:\program files\flashplayer_10_sa_debug.exe
2007-06-04 03:15:08 118784 ----a-w- c:\program files\FreeMeter.exe
2006-08-16 21:43:28 750592 ----a-w- c:\program files\SAFlashPlayer v8.0.15.0.Exe
2001-08-18 06:59:12 28160 ----a-w- c:\program files\AnimateGifs.exe

============= FINISH: 11:03:17.75 ===============

thanks! Ahhhh

2 Re: internet redirection google results on Tue Jul 06, 2010 3:11 am

Sneakyone


Secondary Administrator
Hi, Welcome to helpmyos.com! Smile

My username is Sneakyone and I will be assisting you on your issue. Thumb up

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

3 Re: internet redirection google results on Tue Jul 06, 2010 3:41 am

Hidden Snake


Member
OK, ComboFix ran. Here's the log.

ComboFix 10-07-03.01 - snakes 07/03/2010 03:10:23.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1379 [GMT -6:00]
Running from: c:\documents and settings\snakes\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\snakes\Application Data\inst.exe
c:\documents and settings\snakes\Local Settings\Application Data\{E043994C-BEC7-46D8-86F5-CE6D03C21D94}
c:\documents and settings\snakes\Local Settings\Application Data\{E043994C-BEC7-46D8-86F5-CE6D03C21D94}\chrome.manifest
c:\documents and settings\snakes\Local Settings\Application Data\{E043994C-BEC7-46D8-86F5-CE6D03C21D94}\chrome\content\_cfg.js
c:\documents and settings\snakes\Local Settings\Application Data\{E043994C-BEC7-46D8-86F5-CE6D03C21D94}\chrome\content\overlay.xul
c:\documents and settings\snakes\Local Settings\Application Data\{E043994C-BEC7-46D8-86F5-CE6D03C21D94}\install.rdf
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\ocejuzes.dll
c:\windows\system32\tmp1.tmp
E:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-03 20:04 . 2010-07-03 20:04 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-07-03 19:08 . 2010-07-03 20:22 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-03 19:07 . 2010-07-03 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-07-03 19:07 . 2010-07-03 19:07 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-03 04:06 . 2010-07-03 04:06 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-01 20:18 . 2010-07-01 20:18 -------- d-----w- c:\documents and settings\snakes\Application Data\WB Games
2010-07-01 07:17 . 2010-06-02 10:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-07-01 07:17 . 2010-06-02 10:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-07-01 07:17 . 2010-06-02 10:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-07-01 07:17 . 2010-05-26 17:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-07-01 07:17 . 2010-02-04 16:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-07-01 07:17 . 2010-02-04 16:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-07-01 07:17 . 2010-02-04 16:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-07-01 07:17 . 2010-02-04 16:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-06-25 08:52 . 2010-06-25 08:52 -------- d-----w- c:\documents and settings\snakes\Application Data\Moyea
2010-06-25 08:51 . 2010-06-25 08:51 -------- d-----w- c:\program files\Moyea
2010-06-25 00:10 . 2010-06-25 00:10 -------- d-----w- c:\program files\Chopper XP
2010-06-23 01:38 . 2010-06-30 17:26 -------- d-----w- c:\documents and settings\snakes\Application Data\vlc
2010-06-23 00:17 . 2010-06-23 00:17 -------- d-----w- c:\documents and settings\snakes\Application Data\AGameAWeek
2010-06-14 03:48 . 2010-06-14 03:48 -------- d-----w- c:\program files\Science Sleuths
2010-06-09 04:24 . 2010-06-09 04:24 -------- d-----w- c:\documents and settings\snakes\Application Data\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 20:23 . 2007-12-17 15:23 188152 ----a-w- c:\documents and settings\snakes\Application Data\Mozilla\Firefox\Profiles\vth0gc3b.default\FlashGot.exe
2010-07-03 20:13 . 2009-09-22 22:49 2140 ----a-w- c:\program files\totals.xml
2010-07-03 20:13 . 2009-09-22 22:49 1297 ----a-w- c:\program files\config.xml
2010-07-03 06:48 . 2009-09-30 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-03 04:04 . 2009-03-02 22:27 -------- d-----w- c:\program files\sysclean
2010-07-02 21:01 . 2009-11-23 15:47 1 ----a-w- c:\documents and settings\snakes\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-02 16:24 . 2007-08-01 22:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-01 20:10 . 2007-08-02 02:23 -------- d-----w- c:\program files\Games
2010-06-30 00:12 . 2008-02-11 20:47 -------- d-----w- c:\documents and settings\snakes\Application Data\gtk-2.0
2010-06-29 17:13 . 2007-08-15 03:26 -------- d-----w- c:\documents and settings\snakes\Application Data\Free Download Manager
2010-06-20 08:53 . 2009-08-02 04:23 -------- d-----w- c:\documents and settings\snakes\Application Data\uTorrent
2010-06-17 07:04 . 2010-05-27 19:36 120 ----a-w- c:\windows\Fhadirogod.dat
2010-06-17 07:04 . 2010-05-27 19:36 0 ----a-w- c:\windows\Wlagaf.bin
2010-06-05 00:04 . 2009-07-15 05:29 60 ---h--w- c:\windows\popcreg.dat
2010-06-05 00:04 . 2009-05-16 22:22 236 ----a-w- c:\windows\popcinfot.dat
2010-05-27 06:46 . 2007-08-16 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-26 15:29 . 2010-05-26 15:29 -------- d-----w- c:\program files\Ubisoft
2010-05-18 19:12 . 2010-04-09 03:33 -------- d-----w- c:\documents and settings\snakes\Application Data\dvdcss
2010-05-17 06:39 . 2009-03-31 09:35 -------- d-----w- c:\program files\Malwarebytes
2010-05-14 16:21 . 2010-05-14 16:21 354744 ----a-w- c:\documents and settings\snakes\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2010-05-14 16:21 . 2010-05-14 16:21 -------- d-----w- c:\documents and settings\snakes\Application Data\SanDisk
2010-05-05 02:04 . 2010-05-05 01:56 114 ----a-w- c:\windows\system32\nvUnsupRes.dat
2010-05-04 23:12 . 2007-08-02 00:32 46616 ----a-w- c:\documents and settings\snakes\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 14:17 . 2007-08-01 22:08 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 02:50 . 2010-05-01 02:50 3284 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-04-29 21:39 . 2009-03-31 09:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-03-31 09:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 22:04 . 2008-08-21 07:38 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-19 22:04 . 2008-08-21 07:38 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-16 16:09 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-12 23:29 . 2010-04-28 14:15 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-09 03:33 . 2010-04-09 03:31 20972440 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901eupd.exe
2010-04-05 23:41 . 2010-04-30 14:59 669080 ----a-w- c:\documents and settings\snakes\Application Data\InstantAction\IAPlayer\iaplugin.0.7.37.0.dll
2009-10-28 16:57 . 2009-10-28 16:57 5306880 ----a-w- c:\program files\flashplayer_10_sa_debug.exe
2007-06-04 03:15 . 2009-09-22 15:23 118784 ----a-w- c:\program files\FreeMeter.exe
2006-08-16 21:43 . 2009-10-28 16:48 750592 ----a-w- c:\program files\SAFlashPlayer v8.0.15.0.Exe
2001-08-18 06:59 . 2010-04-07 17:06 28160 ----a-w- c:\program files\AnimateGifs.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
"flockbox"="c:\program files\Lockbox\flockbox.exe" [2007-12-14 1071472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-17 2043160]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]

c:\documents and settings\snakes\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Sony Handheld\HOTSYNC.EXE [2002-8-9 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RivaTuner.lnk - c:\program files\RivaTuner v2.24\RivaTuner.exe [2009-2-25 2781184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-23 14:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Vfufegigusob"=rundll32.exe "c:\windows\nebd97.dll",Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Alcmtr"=ALCMTR.EXE
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"nwiz"=nwiz.exe /install
"NWEReboot"=
"RTHDCPL"=RTHDCPL.EXE
"SkyTel"=SkyTel.EXE
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe"
"AcronisTimounterMonitor"=c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
"DiscWizardMonitor.exe"=c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24\RivaTuner.exe" /S
"DSS"=c:\windows\BBSTORE\DSS\DSSAGENT.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Qzogugofud"=rundll32.exe "c:\windows\ewujohehucucaqi.dll",Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Python\\pythonw.exe"=
"e:\\Games\\Outrun\\OR2006C2C.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Games\\PrinceOfPersia\\Prince of Persia.exe"=
"e:\\Games\\PrinceOfPersia\\PrinceOfPersia_Launcher.exe"=
"e:\\Games\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Games\\Q3A\\quake3.exe"=
"e:\\Steam\\SteamApps\\common\\zuma deluxe\\Zuma.exe"=
"e:\\Steam\\SteamApps\\common\\bejeweled deluxe\\WinBej.exe"=
"e:\\Steam\\SteamApps\\common\\7 wonders 2\\Wonders2.exe"=
"e:\\Steam\\SteamApps\\common\\bookworm deluxe\\Bookworm.exe"=
"e:\\Steam\\SteamApps\\common\\luxor 3\\Luxor3.exe"=
"e:\\Steam\\SteamApps\\common\\bejeweled 2 deluxe\\WinBej2.exe"=
"e:\\Steam\\SteamApps\\common\\bejeweled twist\\BejeweledTwist.exe"=
"e:\\Steam\\SteamApps\\common\\everyday shooter\\EverydayShooter.exe"=
"e:\\Games\\TmNationsForever\\TmUnitedForever\\TmForever.exe"=
"e:\\Games\\TmNationsForever\\TrackMania Sunrise\\tmsunrise.exe"=
"e:\\Steam\\SteamApps\\common\\swkotor\\swkotor.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"e:\\Steam\\SteamApps\\common\\lumines\\lumines.exe"=
"e:\\Steam\\SteamApps\\common\\king's bounty - the legend\\kb.exe"=
"e:\\Steam\\SteamApps\\common\\king's bounty - the legend\\save_fixer.exe"=
"e:\\Games\\FUEL\\FUEL.exe"=
"c:\\Program Files\\Games\\shmups\\exception_trial\\exception_conflict\\exception_conflict.exe"=
"e:\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=
"e:\\Games\\The Ball UDK\\Binaries\\Win32\\UDK.exe"=
"e:\\Games\\Uru Live\\UruExplorer.exe"=
"e:\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\PopCap Games\\Peggle Nights\\PeggleNights.exe"=
"c:\\Program Files\\flashplayer_10_sa_debug.exe"=
"e:\\Steam\\SteamApps\\common\\trine\\trine_launcher.exe"=
"e:\\Steam\\SteamApps\\common\\deus ex\\System\\DeusEx.exe"=
"e:\\Games\\Burnout\\BurnoutLauncher.exe"=
"e:\\Games\\Burnout\\BurnoutConfigTool.exe"=
"e:\\Games\\Burnout\\BurnoutParadise.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Far Cry 2\\bin\\FarCry2.exe"=
"e:\\Far Cry 2\\bin\\FC2Launcher.exe"=
"e:\\Far Cry 2\\bin\\FC2Editor.exe"=
"e:\\Far Cry 2\\bin\\FC2ServerLauncher.exe"=
"e:\\Steam\\SteamApps\\common\\grand theft auto iv\\GTAIV\\LaunchGTAIV.exe"=
"e:\\Steam\\SteamApps\\common\\defensegridtheawakening\\DefenseGrid.exe"=
"e:\\Steam\\SteamApps\\common\\rocket knight demo\\RocketKnight_ConfigTool.exe"=
"e:\\Steam\\SteamApps\\common\\mirrors edge\\Binaries\\MirrorsEdge.exe"=
"e:\\Steam\\SteamApps\\common\\mirrors edge\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"e:\\Steam\\SteamApps\\common\\thief deadly shadows\\System\\runme.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2291:UDP"= 2291:UDP:Windows Media Format SDK (firefox.exe)
"2294:UDP"= 2294:UDP:Windows Media Format SDK (firefox.exe)
"2295:UDP"= 2295:UDP:Windows Media Format SDK (firefox.exe)

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [7/21/2008 8:00 AM 17264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/4/2009 10:28 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/4/2009 10:28 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/4/2009 10:28 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/4/2009 10:28 PM 297752]
S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/1/2009 4:04 PM 721904]
.
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\snakes\Application Data\Mozilla\Firefox\Profiles\vth0gc3b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-3c1807pd - (no file)
HKLM-Run-nwiz - nwiz.exe
AddRemove-RAGS Player - e:\demos\New Folder\t\RAGS Suite\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 17:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\Ynbt41.sys 167936 bytes executable
C:\WINDOWS\Temp\TMP00020073A0D78164678575E3
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb002CA.log 131072 bytes
C:\WINDOWS\system32\ws2_32.dll:spoonfork2 30720 bytes executable
C:\Documents and Settings\misterbubbles\Cookies\company@thebitchmovie[2].txt 93 bytes
C:\Documents and Settings\misterbubbles\Desktop\torrents\Cucusoft.AVI.to.DVD.VCD.SVCD.MPEG.Converter.Pro.4.29\Cucusoft.AVI.to.DVD.VCD.SVCD.MPEG.Converter.Pro.4.29\Cucusoft_MPEG-AVI_to_VCD-DVD-SVCD-MPEG_Converter_v4.53_Pro_by_TSRH\file_id.diz 420 bytes
C:\Documents and Settings\misterbubbles\Desktop\torrents\Cucusoft.AVI.to.DVD.VCD.SVCD.MPEG.Converter.Pro.4.29\Cucusoft.AVI.to.DVD.VCD.SVCD.MPEG.Converter.Pro.4.29\Cucusoft_MPEG-AVI_to_VCD-DVD-SVCD-MPEG_Converter_v4.53_Pro_by_TSRH\tsrh.nfo 13072 bytes

scan completed successfully
hidden files: 7

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-1500820517-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:10,2b,c9,ec,11,d8,41,3d,f5,60,f5,46,b4,54,4f,1d,61,d9,71,6e,cf,25,4c,
a3,93,d7,35,4f,23,1e,5d,41,d9,98,20,f3,f0,85,28,f5,34,1f,43,68,df,4b,af,a9,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1957994488-1500820517-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:a9,36,18,5e,95,fe,90,53,3c,d8,1a,97,79,ee,9b,86,30,e3,62,00,2f,
c8,ef,88,5f,39,89,46,1c,a6,c2,8f,54,86,7c,a6,e8,20,c7,25,47,0f,17,36,f6,cc,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(892)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-07-03 03:29:16
ComboFix-quarantined-files.txt 2010-07-03 23:06

Pre-Run: 56,868,450,304 bytes free
Post-Run: 56,958,066,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - C8943D6205F8A40C3C3B26512CA812A3

4 Re: internet redirection google results on Tue Jul 06, 2010 4:11 am

Sneakyone


Secondary Administrator
Secondary Administrator
Hi, Smile

To disable CD Emulation programs using DeFogger please perform these steps:
  • Please download DeFogger to your desktop.
  • Once downloaded, double-click on the DeFogger icon to start the tool.
  • The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
  • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.




Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    http://www.helpmyos.com/malware-threat-removal-f6/internet-redirection-google-results-t2037.htm

    KillAll::

    Snapshot::

    File::
    c:\windows\nebd97.dll
    c:\windows\ewujohehucucaqi.dll
    C:\WINDOWS\Temp\TMP00020073A0D78164678575E3

    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Vfufegigusob"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Qzogugofud"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

    Driver::
    MEMSWEEP2
    SetupNTGLM7X
    Ynbt41

    Rootkit::
    C:\WINDOWS\system32\drivers\Ynbt41.sys
    c:\windows\system32\9.tmp

    Filelook::
    C:\WINDOWS\system32\ws2_32.dll

    ADS::
    C:\WINDOWS\system32\ws2_32.dll

    Collect::[4]
    c:\windows\Fhadirogod.dat
    c:\windows\Wlagaf.bin
    c:\windows\popcreg.dat
    c:\windows\popcinfot.dat

    Reboot::

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
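
An added triage example (editor's addition, not part of Sneakyone's post or of ComboFix itself) showing how the items in the CFScript above follow from the log: it parses the catchme "hidden files" lines and the driver/service lines from the log posted earlier, flags hidden executables, an executable hiding in an alternate data stream (ADS) of a system DLL, and services whose image is a .tmp file or sits outside the usual driver/program locations, then groups them under the section names used in the post. The sample lines are constructed from the posted log (cookie and torrent entries omitted); the classification rules are heuristics of this example, not ComboFix's, and the drafted script is meant for a human helper to review, not to run as-is.

```python
import re

# Constructed sample: catchme "hidden files" lines and driver/service lines
# taken from the log above (cookie and torrent entries omitted).
SAMPLE_LOG = r"""
scanning hidden files ...

C:\WINDOWS\system32\drivers\Ynbt41.sys 167936 bytes executable
C:\WINDOWS\Temp\TMP00020073A0D78164678575E3
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb002CA.log 131072 bytes
C:\WINDOWS\system32\ws2_32.dll:spoonfork2 30720 bytes executable

scan completed successfully

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [7/21/2008 8:00 AM 17264]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/4/2009 10:28 PM 297752]
S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
"""

# "<path> [<size> bytes] [executable]" as printed by catchme for hidden files.
HIDDEN_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)(?: (?P<size>\d+) bytes)?(?P<exe> executable)?$")
# "<state> <name>;<display>;<image>[ --> <resolved>] [<date size | ?>]" service lines.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?: --> .*)? \[(?P<info>[^\]]*)\]$")

# Heuristic: where a Windows XP driver or service image is normally expected.
TRUSTED_DIRS = ("\\windows\\system32\\drivers\\", "\\program files\\", "\\progra~1\\")


def split_ads(path):
    """Split 'C:\\dir\\file.dll:stream' into ('C:\\dir\\file.dll', 'stream');
    a path without an alternate data stream returns (path, None)."""
    drive, sep, rest = path.partition(":")
    if sep and ":" in rest:
        base, _, stream = rest.rpartition(":")
        return drive + ":" + base, stream
    return path, None


def classify_hidden(path, size, executable):
    """Map one hidden-file entry to (section, item, reason), or None if benign noise."""
    file_path, stream = split_ads(path)
    low = file_path.lower()
    if stream is not None and executable:
        return "ADS::", file_path, "executable hidden in alternate data stream '%s'" % stream
    if executable and "\\drivers\\" in low:
        return "Rootkit::", file_path, "hidden executable driver (rootkit candidate)"
    if executable:
        return "File::", file_path, "hidden executable"
    if "\\temp\\" in low and size is None:
        return "File::", file_path, "hidden temp file that catchme could not size"
    return None


def classify_service(name, image, info):
    """Flag a driver/service whose image is a .tmp file or lies outside TRUSTED_DIRS."""
    img = image[4:] if image.startswith("\\??\\") else image   # drop NT "\??\" prefix
    low = img.lower()
    if low.endswith(".tmp"):
        return "Driver::", name, "service image is a .tmp file (%s)" % img
    if not any(d in low for d in TRUSTED_DIRS):
        return "Driver::", name, "image outside trusted locations (%s)" % img
    return None


def triage(log_text):
    """Return a list of (section, item, reason) findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HIDDEN_RE.match(line)
        if m:
            hit = classify_hidden(m.group("path"), m.group("size"), m.group("exe"))
        else:
            m = SERVICE_RE.match(line)
            hit = classify_service(m.group("name"), m.group("image"), m.group("info")) if m else None
        if hit:
            findings.append(hit)
    return findings


def draft_cfscript(findings):
    """Group findings under the section names used in the post above; a starting
    point for a human helper to review, never a script to run unreviewed."""
    out = []
    for section in ("File::", "Driver::", "Rootkit::", "ADS::"):
        items = [item for sec, item, _ in findings if sec == section]
        if items:
            out.append(section)
            out.extend(items)
            out.append("")
    return "\n".join(out).rstrip()


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for section, item, reason in hits:
        print("%-9s %-50s %s" % (section, item, reason))
    print()
    print(draft_cfscript(hits))
```

Run stand-alone it lists the five items the helper carried into the script (the hidden driver, the unreadable temp file, the ADS on ws2_32.dll, and the two services with out-of-place images) while leaving the AVG and AMD entries alone; the only judgement it cannot make for you is whether an out-of-place driver such as a CD-based copy-protection one is legitimate, which is why the draft stays a draft.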

5 Re: internet redirection google results on Wed Jul 07, 2010 2:55 am

Hidden Snake


Member
Member
did that. heres the log.

ComboFix 10-07-07.02 - snakes 07/07/2010 02:23:58.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1379 [GMT -6]
Running from: c:\documents and settings\snakes\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\snakes\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
File::
"c:\windows\nebd97.dll"
"c:\windows\ewujohehucucaqi.dll"
"C:\WINDOWS\Temp\TMP00020073A0D78164678575E3"
.

ADS - ws2_32.dll: deleted 19 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\9.tmp
c:\windows\nebd97.dll
c:\windows\ewujohehucucaqi.dll
c:\windows\Temp\TMP00020073A0D78164678575E3
c:\desktop.ini
c:\windows\Fhadirogod.dat
c:\windows\Wlagaf.bin
c:\windows\popcreg.dat
c:\windows\popcinfot.dat
c:\windows\system32\drivers\Ynbt41.sys

----- BITS: Possible infected sites -----

hxxp://82.98.231.102
hxxp://92.241.165.204
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------Legacy_MEMSWEEP2
-------Legacy_SetupNTGLM7X
-------Legacy_Ynbt41
-------Service_MEMSWEEP2
-------Service_SetupNTGLM7X
-------Service_Ynbt41


((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-03 20:04 . 2010-07-03 20:04 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-07-03 19:08 . 2010-07-03 20:22 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-03 19:07 . 2010-07-03 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-07-03 19:07 . 2010-07-03 19:07 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-03 04:06 . 2010-07-03 04:06 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-01 20:18 . 2010-07-01 20:18 -------- d-----w- c:\documents and settings\snakes\Application Data\WB Games
2010-07-01 07:17 . 2010-06-02 10:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-07-01 07:17 . 2010-06-02 10:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-07-01 07:17 . 2010-06-02 10:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-07-01 07:17 . 2010-05-26 17:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-07-01 07:17 . 2010-02-04 16:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-07-01 07:17 . 2010-02-04 16:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-07-01 07:17 . 2010-02-04 16:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-07-01 07:17 . 2010-02-04 16:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-06-25 08:52 . 2010-06-25 08:52 -------- d-----w- c:\documents and settings\snakes\Application Data\Moyea
2010-06-25 08:51 . 2010-06-25 08:51 -------- d-----w- c:\program files\Moyea
2010-06-25 00:10 . 2010-06-25 00:10 -------- d-----w- c:\program files\Chopper XP
2010-06-23 01:38 . 2010-06-30 17:26 -------- d-----w- c:\documents and settings\snakes\Application Data\vlc
2010-06-23 00:17 . 2010-06-23 00:17 -------- d-----w- c:\documents and settings\snakes\Application Data\AGameAWeek
2010-06-14 03:48 . 2010-06-14 03:48 -------- d-----w- c:\program files\Science Sleuths
2010-06-09 04:24 . 2010-06-09 04:24 -------- d-----w- c:\documents and settings\snakes\Application Data\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 20:23 . 2007-12-17 15:23 188152 ----a-w- c:\documents and settings\snakes\Application Data\Mozilla\Firefox\Profiles\vth0gc3b.default\FlashGot.exe
2010-07-03 20:13 . 2009-09-22 22:49 2140 ----a-w- c:\program files\totals.xml
2010-07-03 20:13 . 2009-09-22 22:49 1297 ----a-w- c:\program files\config.xml
2010-07-03 06:48 . 2009-09-30 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-03 04:04 . 2009-03-02 22:27 -------- d-----w- c:\program files\sysclean
2010-07-02 21:01 . 2009-11-23 15:47 1 ----a-w- c:\documents and settings\snakes\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-02 16:24 . 2007-08-01 22:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-01 20:10 . 2007-08-02 02:23 -------- d-----w- c:\program files\Games
2010-06-30 00:12 . 2008-02-11 20:47 -------- d-----w- c:\documents and settings\snakes\Application Data\gtk-2.0
2010-06-29 17:13 . 2007-08-15 03:26 -------- d-----w- c:\documents and settings\snakes\Application Data\Free Download Manager
2010-06-20 08:53 . 2009-08-02 04:23 -------- d-----w- c:\documents and settings\snakes\Application Data\uTorrent
2010-05-27 06:46 . 2007-08-16 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-26 15:29 . 2010-05-26 15:29 -------- d-----w- c:\program files\Ubisoft
2010-05-18 19:12 . 2010-04-09 03:33 -------- d-----w- c:\documents and settings\snakes\Application Data\dvdcss
2010-05-17 06:39 . 2009-03-31 09:35 -------- d-----w- c:\program files\Malwarebytes
2010-05-14 16:21 . 2010-05-14 16:21 354744 ----a-w- c:\documents and settings\snakes\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2010-05-14 16:21 . 2010-05-14 16:21 -------- d-----w- c:\documents and settings\snakes\Application Data\SanDisk
2010-05-05 02:04 . 2010-05-05 01:56 114 ----a-w- c:\windows\system32\nvUnsupRes.dat
2010-05-04 23:12 . 2007-08-02 00:32 46616 ----a-w- c:\documents and settings\snakes\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 14:17 . 2007-08-01 22:08 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 02:50 . 2010-05-01 02:50 3284 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-04-29 21:39 . 2009-03-31 09:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-03-31 09:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 22:04 . 2008-08-21 07:38 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-19 22:04 . 2008-08-21 07:38 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-16 16:09 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-12 23:29 . 2010-04-28 14:15 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-09 03:33 . 2010-04-09 03:31 20972440 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901eupd.exe
2010-04-05 23:41 . 2010-04-30 14:59 669080 ----a-w- c:\documents and settings\snakes\Application Data\InstantAction\IAPlayer\iaplugin.0.7.37.0.dll
2009-10-28 16:57 . 2009-10-28 16:57 5306880 ----a-w- c:\program files\flashplayer_10_sa_debug.exe
2007-06-04 03:15 . 2009-09-22 15:23 118784 ----a-w- c:\program files\FreeMeter.exe
2006-08-16 21:43 . 2009-10-28 16:48 750592 ----a-w- c:\program files\SAFlashPlayer v8.0.15.0.Exe
2001-08-18 06:59 . 2010-04-07 17:06 28160 ----a-w- c:\program files\AnimateGifs.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ws2_32.dll -- Unable to find Resource table header.
MD5: (Unable to calculate MD5)

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
"flockbox"="c:\program files\Lockbox\flockbox.exe" [2007-12-14 1071472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-17 2043160]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]

c:\documents and settings\snakes\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Sony Handheld\HOTSYNC.EXE [2002-8-9 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RivaTuner.lnk - c:\program files\RivaTuner v2.24\RivaTuner.exe [2009-2-25 2781184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-23 14:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Alcmtr"=ALCMTR.EXE
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"nwiz"=nwiz.exe /install
"NWEReboot"=
"RTHDCPL"=RTHDCPL.EXE
"SkyTel"=SkyTel.EXE
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe"
"AcronisTimounterMonitor"=c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
"DiscWizardMonitor.exe"=c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24\RivaTuner.exe" /S
"DSS"=c:\windows\BBSTORE\DSS\DSSAGENT.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Python\\pythonw.exe"=
"e:\\Games\\Outrun\\OR2006C2C.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Games\\PrinceOfPersia\\Prince of Persia.exe"=
"e:\\Games\\PrinceOfPersia\\PrinceOfPersia_Launcher.exe"=
"e:\\Games\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Games\\Q3A\\quake3.exe"=
"e:\\Steam\\SteamApps\\common\\zuma deluxe\\Zuma.exe"=
"e:\\Steam\\SteamApps\\common\\bejeweled deluxe\\WinBej.exe"=
"e:\\Steam\\SteamApps\\common\\7 wonders 2\\Wonders2.exe"=
"e:\\Steam\\SteamApps\\common\\bookworm deluxe\\Bookworm.exe"=
"e:\\Steam\\SteamApps\\common\\luxor 3\\Luxor3.exe"=
"e:\\Steam\\SteamApps\\common\\bejeweled 2 deluxe\\WinBej2.exe"=
"e:\\Steam\\SteamApps\\common\\bejeweled twist\\BejeweledTwist.exe"=
"e:\\Steam\\SteamApps\\common\\everyday shooter\\EverydayShooter.exe"=
"e:\\Games\\TmNationsForever\\TmUnitedForever\\TmForever.exe"=
"e:\\Games\\TmNationsForever\\TrackMania Sunrise\\tmsunrise.exe"=
"e:\\Steam\\SteamApps\\common\\swkotor\\swkotor.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"e:\\Steam\\SteamApps\\common\\lumines\\lumines.exe"=
"e:\\Steam\\SteamApps\\common\\king's bounty - the legend\\kb.exe"=
"e:\\Steam\\SteamApps\\common\\king's bounty - the legend\\save_fixer.exe"=
"e:\\Games\\FUEL\\FUEL.exe"=
"c:\\Program Files\\Games\\shmups\\exception_trial\\exception_conflict\\exception_conflict.exe"=
"e:\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=
"e:\\Games\\The Ball UDK\\Binaries\\Win32\\UDK.exe"=
"e:\\Games\\Uru Live\\UruExplorer.exe"=
"e:\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\PopCap Games\\Peggle Nights\\PeggleNights.exe"=
"c:\\Program Files\\flashplayer_10_sa_debug.exe"=
"e:\\Steam\\SteamApps\\common\\trine\\trine_launcher.exe"=
"e:\\Steam\\SteamApps\\common\\deus ex\\System\\DeusEx.exe"=
"e:\\Games\\Burnout\\BurnoutLauncher.exe"=
"e:\\Games\\Burnout\\BurnoutConfigTool.exe"=
"e:\\Games\\Burnout\\BurnoutParadise.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Far Cry 2\\bin\\FarCry2.exe"=
"e:\\Far Cry 2\\bin\\FC2Launcher.exe"=
"e:\\Far Cry 2\\bin\\FC2Editor.exe"=
"e:\\Far Cry 2\\bin\\FC2ServerLauncher.exe"=
"e:\\Steam\\SteamApps\\common\\grand theft auto iv\\GTAIV\\LaunchGTAIV.exe"=
"e:\\Steam\\SteamApps\\common\\defensegridtheawakening\\DefenseGrid.exe"=
"e:\\Steam\\SteamApps\\common\\rocket knight demo\\RocketKnight_ConfigTool.exe"=
"e:\\Steam\\SteamApps\\common\\mirrors edge\\Binaries\\MirrorsEdge.exe"=
"e:\\Steam\\SteamApps\\common\\mirrors edge\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"e:\\Steam\\SteamApps\\common\\thief deadly shadows\\System\\runme.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2291:UDP"= 2291:UDP:Windows Media Format SDK (firefox.exe)
"2294:UDP"= 2294:UDP:Windows Media Format SDK (firefox.exe)
"2295:UDP"= 2295:UDP:Windows Media Format SDK (firefox.exe)

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [7/21/2008 8:00 AM 17264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/4/2009 10:28 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/4/2009 10:28 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/4/2009 10:28 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/4/2009 10:28 PM 297752]
S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/1/2009 4:04 PM 721904]
.
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\snakes\Application Data\Mozilla\Firefox\Profiles\vth0gc3b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-3c1807pd - (no file)
HKLM-Run-nwiz - nwiz.exe
AddRemove-RAGS Player - e:\demos\New Folder\t\RAGS Suite\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 02:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-1500820517-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:10,2b,c9,ec,11,d8,41,3d,f5,60,f5,46,b4,54,4f,1d,61,d9,71,6e,cf,25,4c,
a3,93,d7,35,4f,23,1e,5d,41,d9,98,20,f3,f0,85,28,f5,34,1f,43,68,df,4b,af,a9,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1957994488-1500820517-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:a9,36,18,5e,95,fe,90,53,3c,d8,1a,97,79,ee,9b,86,30,e3,62,00,2f,
c8,ef,88,5f,39,89,46,1c,a6,c2,8f,54,86,7c,a6,e8,20,c7,25,47,0f,17,36,f6,cc,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(892)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-07-07 02:51:45
ComboFix-quarantined-files.txt 2010-07-07 02:47

Pre-Run: 56,868,450,304 bytes free
Post-Run: 56,958,066,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - C8943D6205F8A40C3C3B26512CA812A3

6 Re: internet redirection google results on Wed Jul 07, 2010 3:03 am

Sneakyone


Secondary Administrator
Secondary Administrator
Hi, Smile

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:


    MIA::
    c:\windows\system32\ws2_32.dll

    Reboot::

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


========

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

7 Re: internet redirection google results on Wed Jul 07, 2010 10:42 pm

Hidden Snake


Member
Member
ok. here is combofix

ComboFix 10-07-07.02 - snakes 07/07/2010 10:27:16.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1379 [GMT -6]
Running from: c:\documents and settings\snakes\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\snakes\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - Kitty ate it Tongue

.

((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-03 20:04 . 2010-07-03 20:04 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-07-03 19:08 . 2010-07-03 20:22 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-03 19:07 . 2010-07-03 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-07-03 19:07 . 2010-07-03 19:07 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-03 04:06 . 2010-07-03 04:06 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-01 20:18 . 2010-07-01 20:18 -------- d-----w- c:\documents and settings\snakes\Application Data\WB Games
2010-07-01 07:17 . 2010-06-02 10:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-07-01 07:17 . 2010-06-02 10:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-07-01 07:17 . 2010-06-02 10:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-07-01 07:17 . 2010-05-26 17:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-07-01 07:17 . 2010-05-26 17:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-07-01 07:17 . 2010-02-04 16:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-07-01 07:17 . 2010-02-04 16:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-07-01 07:17 . 2010-02-04 16:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-07-01 07:17 . 2010-02-04 16:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-06-25 08:52 . 2010-06-25 08:52 -------- d-----w- c:\documents and settings\snakes\Application Data\Moyea
2010-06-25 08:51 . 2010-06-25 08:51 -------- d-----w- c:\program files\Moyea
2010-06-25 00:10 . 2010-06-25 00:10 -------- d-----w- c:\program files\Chopper XP
2010-06-23 01:38 . 2010-06-30 17:26 -------- d-----w- c:\documents and settings\snakes\Application Data\vlc
2010-06-23 00:17 . 2010-06-23 00:17 -------- d-----w- c:\documents and settings\snakes\Application Data\AGameAWeek
2010-06-14 03:48 . 2010-06-14 03:48 -------- d-----w- c:\program files\Science Sleuths
2010-06-09 04:24 . 2010-06-09 04:24 -------- d-----w- c:\documents and settings\snakes\Application Data\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 20:23 . 2007-12-17 15:23 188152 ----a-w- c:\documents and settings\snakes\Application Data\Mozilla\Firefox\Profiles\vth0gc3b.default\FlashGot.exe
2010-07-03 20:13 . 2009-09-22 22:49 2140 ----a-w- c:\program files\totals.xml
2010-07-03 20:13 . 2009-09-22 22:49 1297 ----a-w- c:\program files\config.xml
2010-07-03 06:48 . 2009-09-30 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-03 04:04 . 2009-03-02 22:27 -------- d-----w- c:\program files\sysclean
2010-07-02 21:01 . 2009-11-23 15:47 1 ----a-w- c:\documents and settings\snakes\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-02 16:24 . 2007-08-01 22:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-01 20:10 . 2007-08-02 02:23 -------- d-----w- c:\program files\Games
2010-06-30 00:12 . 2008-02-11 20:47 -------- d-----w- c:\documents and settings\snakes\Application Data\gtk-2.0
2010-06-29 17:13 . 2007-08-15 03:26 -------- d-----w- c:\documents and settings\snakes\Application Data\Free Download Manager
2010-06-20 08:53 . 2009-08-02 04:23 -------- d-----w- c:\documents and settings\snakes\Application Data\uTorrent
2010-05-27 06:46 . 2007-08-16 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-26 15:29 . 2010-05-26 15:29 -------- d-----w- c:\program files\Ubisoft
2010-05-18 19:12 . 2010-04-09 03:33 -------- d-----w- c:\documents and settings\snakes\Application Data\dvdcss
2010-05-17 06:39 . 2009-03-31 09:35 -------- d-----w- c:\program files\Malwarebytes
2010-05-14 16:21 . 2010-05-14 16:21 354744 ----a-w- c:\documents and settings\snakes\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2010-05-14 16:21 . 2010-05-14 16:21 -------- d-----w- c:\documents and settings\snakes\Application Data\SanDisk
2010-05-05 02:04 . 2010-05-05 01:56 114 ----a-w- c:\windows\system32\nvUnsupRes.dat
2010-05-04 23:12 . 2007-08-02 00:32 46616 ----a-w- c:\documents and settings\snakes\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 14:17 . 2007-08-01 22:08 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 02:50 . 2010-05-01 02:50 3284 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-04-29 21:39 . 2009-03-31 09:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-03-31 09:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 22:04 . 2008-08-21 07:38 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-19 22:04 . 2008-08-21 07:38 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-16 16:09 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-12 23:29 . 2010-04-28 14:15 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-09 03:33 . 2010-04-09 03:31 20972440 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901eupd.exe
2010-04-05 23:41 . 2010-04-30 14:59 669080 ----a-w- c:\documents and settings\snakes\Application Data\InstantAction\IAPlayer\iaplugin.0.7.37.0.dll
2009-10-28 16:57 . 2009-10-28 16:57 5306880 ----a-w- c:\program files\flashplayer_10_sa_debug.exe
2007-06-04 03:15 . 2009-09-22 15:23 118784 ----a-w- c:\program files\FreeMeter.exe
2006-08-16 21:43 . 2009-10-28 16:48 750592 ----a-w- c:\program files\SAFlashPlayer v8.0.15.0.Exe
2001-08-18 06:59 . 2010-04-07 17:06 28160 ----a-w- c:\program files\AnimateGifs.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
"flockbox"="c:\program files\Lockbox\flockbox.exe" [2007-12-14 1071472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-17 2043160]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]

c:\documents and settings\snakes\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Sony Handheld\HOTSYNC.EXE [2002-8-9 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RivaTuner.lnk - c:\program files\RivaTuner v2.24\RivaTuner.exe [2009-2-25 2781184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-23 14:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Alcmtr"=ALCMTR.EXE
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"nwiz"=nwiz.exe /install
"NWEReboot"=
"RTHDCPL"=RTHDCPL.EXE
"SkyTel"=SkyTel.EXE
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe"
"AcronisTimounterMonitor"=c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
"DiscWizardMonitor.exe"=c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24\RivaTuner.exe" /S
"DSS"=c:\windows\BBSTORE\DSS\DSSAGENT.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Python\\pythonw.exe"=
"e:\\Games\\Outrun\\OR2006C2C.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Games\\PrinceOfPersia\\Prince of Persia.exe"=
"e:\\Games\\PrinceOfPersia\\PrinceOfPersia_Launcher.exe"=
"e:\\Games\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Games\\Q3A\\quake3.exe"=
"e:\\Steam\\SteamApps\\common\\zuma deluxe\\Zuma.exe"=
"e:\\Steam\\SteamApps\\common\\bejeweled deluxe\\WinBej.exe"=
"e:\\Steam\\SteamApps\\common\\7 wonders 2\\Wonders2.exe"=
"e:\\Steam\\SteamApps\\common\\bookworm deluxe\\Bookworm.exe"=
"e:\\Steam\\SteamApps\\common\\luxor 3\\Luxor3.exe"=
"e:\\Steam\\SteamApps\\common\\bejeweled 2 deluxe\\WinBej2.exe"=
"e:\\Steam\\SteamApps\\common\\bejeweled twist\\BejeweledTwist.exe"=
"e:\\Steam\\SteamApps\\common\\everyday shooter\\EverydayShooter.exe"=
"e:\\Games\\TmNationsForever\\TmUnitedForever\\TmForever.exe"=
"e:\\Games\\TmNationsForever\\TrackMania Sunrise\\tmsunrise.exe"=
"e:\\Steam\\SteamApps\\common\\swkotor\\swkotor.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"e:\\Steam\\SteamApps\\common\\lumines\\lumines.exe"=
"e:\\Steam\\SteamApps\\common\\king's bounty - the legend\\kb.exe"=
"e:\\Steam\\SteamApps\\common\\king's bounty - the legend\\save_fixer.exe"=
"e:\\Games\\FUEL\\FUEL.exe"=
"c:\\Program Files\\Games\\shmups\\exception_trial\\exception_conflict\\exception_conflict.exe"=
"e:\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=
"e:\\Games\\The Ball UDK\\Binaries\\Win32\\UDK.exe"=
"e:\\Games\\Uru Live\\UruExplorer.exe"=
"e:\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\PopCap Games\\Peggle Nights\\PeggleNights.exe"=
"c:\\Program Files\\flashplayer_10_sa_debug.exe"=
"e:\\Steam\\SteamApps\\common\\trine\\trine_launcher.exe"=
"e:\\Steam\\SteamApps\\common\\deus ex\\System\\DeusEx.exe"=
"e:\\Games\\Burnout\\BurnoutLauncher.exe"=
"e:\\Games\\Burnout\\BurnoutConfigTool.exe"=
"e:\\Games\\Burnout\\BurnoutParadise.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Far Cry 2\\bin\\FarCry2.exe"=
"e:\\Far Cry 2\\bin\\FC2Launcher.exe"=
"e:\\Far Cry 2\\bin\\FC2Editor.exe"=
"e:\\Far Cry 2\\bin\\FC2ServerLauncher.exe"=
"e:\\Steam\\SteamApps\\common\\grand theft auto iv\\GTAIV\\LaunchGTAIV.exe"=
"e:\\Steam\\SteamApps\\common\\defensegridtheawakening\\DefenseGrid.exe"=
"e:\\Steam\\SteamApps\\common\\rocket knight demo\\RocketKnight_ConfigTool.exe"=
"e:\\Steam\\SteamApps\\common\\mirrors edge\\Binaries\\MirrorsEdge.exe"=
"e:\\Steam\\SteamApps\\common\\mirrors edge\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"e:\\Steam\\SteamApps\\common\\thief deadly shadows\\System\\runme.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2291:UDP"= 2291:UDP:Windows Media Format SDK (firefox.exe)
"2294:UDP"= 2294:UDP:Windows Media Format SDK (firefox.exe)
"2295:UDP"= 2295:UDP:Windows Media Format SDK (firefox.exe)

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [7/21/2008 8:00 AM 17264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/4/2009 10:28 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/4/2009 10:28 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/4/2009 10:28 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/4/2009 10:28 PM 297752]
S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/1/2009 4:04 PM 721904]
.
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\snakes\Application Data\Mozilla\Firefox\Profiles\vth0gc3b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.


**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 10:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-1500820517-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:10,2b,c9,ec,11,d8,41,3d,f5,60,f5,46,b4,54,4f,1d,61,d9,71,6e,cf,25,4c,
a3,93,d7,35,4f,23,1e,5d,41,d9,98,20,f3,f0,85,28,f5,34,1f,43,68,df,4b,af,a9,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1957994488-1500820517-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:a9,36,18,5e,95,fe,90,53,3c,d8,1a,97,79,ee,9b,86,30,e3,62,00,2f,
c8,ef,88,5f,39,89,46,1c,a6,c2,8f,54,86,7c,a6,e8,20,c7,25,47,0f,17,36,f6,cc,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(892)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-07-07 10:36:12
ComboFix-quarantined-files.txt 2010-07-07 10:34

Pre-Run: 56,868,450,304 bytes free
Post-Run: 56,958,066,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - C8943D6205F8A40C3C3B26512CA812A3


and malware

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4290

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/7/2010 10:33:50 PM
mbam-log-2010-07-07 (12-33-50).txt

Scan type: Quick scan
Objects scanned: 120706
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
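
The ComboFix log above reports that an infected copy of ws2_32.dll was found and replaced. As an added check that is not part of this thread, of ComboFix or of Malwarebytes, the following PowerShell script compares the Winsock DLLs now in System32 against the dllcache reference copies that Windows File Protection keeps on XP and reports their Authenticode status; the DLL list, the dllcache location and the PowerShell 2.0 requirement are assumptions, not taken from the logs.

```powershell
# Added example, not code from the thread or from ComboFix.
# Assumptions: Windows XP or later with PowerShell 2.0+, run from an
# administrative prompt; the dllcache folder is where Windows File Protection
# keeps its reference copies on XP.

$system32 = Join-Path $env:windir 'system32'
$dllcache = Join-Path $system32 'dllcache'

# DLLs on the Winsock/DNS path. ws2_32.dll is the one ComboFix repaired above;
# the others are assumed worth checking alongside it.
$targets = 'ws2_32.dll', 'wsock32.dll', 'mswsock.dll', 'dnsapi.dll'

function Get-Sha256Hex([string]$path) {
    # SHA-256 of a file as an upper-case hex string (works without Get-FileHash,
    # which PowerShell 2.0 lacks).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-SystemDll([string]$name) {
    $live   = Join-Path $system32 $name
    $backup = Join-Path $dllcache $name
    $result = New-Object PSObject -Property @{
        Name = $name; Signature = 'n/a'; Signer = 'n/a'; CacheMatch = 'n/a'; Note = ''
    }
    if (-not (Test-Path $live)) { $result.Note = 'missing from system32'; return $result }

    $sig = Get-AuthenticodeSignature -FilePath $live
    $result.Signature = $sig.Status
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    # Most XP system DLLs are catalog-signed, and PowerShell 2.0 only checks
    # embedded signatures, so NotSigned alone is not proof of tampering.

    if (Test-Path $backup) {
        if ((Get-Sha256Hex $live) -eq (Get-Sha256Hex $backup)) {
            $result.CacheMatch = 'same'
        } else {
            $result.CacheMatch = 'DIFFERS'
            $result.Note = 'system32 copy differs from the WFP reference copy; compare with a known-good install before trusting it'
        }
    } else {
        $result.CacheMatch = 'no dllcache copy'
    }
    return $result
}

$targets | ForEach-Object { Test-SystemDll $_ } |
    Format-Table Name, Signature, CacheMatch, Signer, Note -AutoSize
```

A hash mismatch between the live DLL and its dllcache copy is the stronger signal here; a valid Microsoft signature on the live file is what you want to see after the MIA:: restore.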

8 Re: internet redirection google results on Wed Jul 07, 2010 11:03 pm

Sneakyone


Secondary Administrator
Secondary Administrator
Hi, Smile

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

9 Re: internet redirection google results on Thu Jul 08, 2010 12:01 am

Hidden Snake


Member
Member
ESET came up clean. Now what?

10 Re: internet redirection google results on Thu Jul 08, 2010 12:13 am

Sneakyone


Secondary Administrator
Secondary Administrator
Hi, Smile

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore
Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done.


========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


======

Update Programs
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

=========

Here are some prevention tips I have provided:

1. Don't download files from untrusted websites or websites that seem suspicious.

2. Don't use torrents; they are a good way to get lots of malware.

3. Don't download and use cracks/warez/keygens; they are illegal and are another good way to contract malware.

4. Disable autorun XP or Vista/7

5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

6. Don't ever click on the links inside of a popup.

7. Make sure you know what you install; you can make sure it is not known for being a virus by simply searching for it on Google.

8. Use a Site Advisor so you don't go to sites that will infect you. Mcafee Siteadvisor

9. Also, there are many holes and flaws in Internet Explorer; I recommend using Firefox 3 to keep you safer.

10. Always keep your Java and Adobe updated.

11. Don't fall for the Scareware. What is Scareware? It is a website made to download a rogue Antivirus on your system that will scare you into buying their fake software due to false detections.

12. Always have a Firewall and an Antivirus.

Thanks for choosing Helpmyos! Smile

For more information please visit Here

Happy Internet Browsing!


11 Re: internet redirection google results on Thu Jul 08, 2010 2:19 am

Hidden Snake


Member
Member
Thanks. Redirects are gone, and it's all back to normal. Very Happy
