4th December 2008
#1
Member
Profile:
Join Date: Dec 2008
Posts: 5
Computer Experience: Intermediate
[InActive] Google redirecting problem
Hi,
I have a problem with Google searches redirecting to other sites. Also, many sites do not load, including tech forums and anti-virus sites. I have run scans using AVG and Spybot but they did not catch anything. Here is my log from HijackThis. I would be grateful*1000 if anyone can please help me. Thanks in advance.
log >
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:31 AM, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Memento\Memento.exe
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\SoftwareInstallers\Internet_Download_Manager_noexpiryversion\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Skype Recorder] "C:\Program Files\Skype Recorder\Skype Recorder.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Memento.lnk = C:\Program Files\Memento\Memento.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All Links with IDM - D:\SoftwareInstallers\Internet_Download_Manager_noexpiryversion\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\SoftwareInstallers\Internet_Download_Manager_noexpiryversion\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3B36B017-7E49-426B-95B0-B5CECD83C2E2} (IfolorUploader Control) - http://chkr-web.ifolor.net/ORDERINGG...oader_chkr.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {436ABEF3-3479-4703-B4A9-64268AEFFEE9} (SopCore Control) - http://www.joytopic.com/download/SOPCORE.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - http://cdn.smugmug.com/photos/active...0.0-040308.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 11105 bytes
7th December 2008
#2
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+
Welcome to WindowsBBS pleasehelp
Please visit the following webpage for instructions for downloading and running ComboFix. If you cannot reach the site, skip this step.
How to use ComboFix
Download ComboFix by sUBs from here, saving the file to your desktop.
Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.
Close all open programs and windows
Double click ComboFix.exe and follow the prompts.
It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
8th December 2008
#3
Member
Profile:
Join Date: Dec 2008
Posts: 5
Computer Experience: Intermediate
Hi,
I downloaded the file and when I run it, the sand timer appears and then goes away. The application doesn't launch; however, it appears in the processes list when I look in Task Manager. I disabled all antivirus programs, tried restarting the PC and repeated this, but the program just doesn't run.
Please advise what to do.
Thanks.
Quote: Originally Posted by noahdfear
Welcome to WindowsBBS pleasehelp
Please visit the following webpage for instructions for downloading and running ComboFix. If you cannot reach the site, skip this step.
How to use ComboFix
Download ComboFix by sUBs from here, saving the file to your desktop.
Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.
Close all open programs and windows
Double click ComboFix.exe and follow the prompts.
It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
9th December 2008
#4
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+
Please download a fresh copy and give it a different name prior to saving it to the computer, something like Combo.exe
Then try running Combo.exe
9th December 2008
#5
Member
Profile:
Join Date: Dec 2008
Posts: 5
Computer Experience: Intermediate
Combofix log
Hi,
Thanks. I renamed it to combii and it worked. Here is the log:
--------
ComboFix 08-12-07.04 - Administrator 2008-12-09 22:59:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1085 [GMT 5.5:30]
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\drivers\TDSSpxoe.sys
c:\windows\system32\TDSSehys.log
c:\windows\system32\TDSSirxy.dll
c:\windows\system32\TDSSmupe.dat
c:\windows\system32\TDSSncur.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSotpa.dll
c:\windows\system32\TDSSqiyk.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSwghd.log
c:\windows\system32\TDSSyavu.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_ISODRIVE
-------\Service_ISODrive
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.
2008-12-08 01:00 . 2008-12-08 01:00 <DIR> d-------- c:\program files\Western Digital
2008-12-08 00:57 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-08 00:57 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-12-02 23:23 . 2008-12-02 23:23 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-02 23:23 . 2008-12-02 23:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-02 23:23 . 2008-12-02 23:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-02 02:49 . 2008-12-02 02:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-02 02:42 . 2008-12-02 02:48 <DIR> d-------- c:\program files\CCleaner
2008-12-02 02:17 . 2008-12-02 02:17 <DIR> d-------- C:\!KillBox
2008-12-02 02:13 . 2008-12-02 02:13 <DIR> d-------- c:\program files\Trend Micro
2008-12-01 23:04 . 2008-12-01 23:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-23 01:03 . 2008-11-23 01:03 <DIR> d-------- c:\program files\ID3-TagIT 3
2008-11-23 01:03 . 2008-11-23 01:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\ID3-TagIT 3
2008-11-23 01:03 . 2008-11-23 01:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ID3-TagIT 3
2008-11-22 17:09 . 2008-11-22 17:16 <DIR> d-------- c:\program files\Orbitdownloader
2008-11-22 17:09 . 2008-11-27 23:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Orbit
2008-11-22 17:09 . 2008-11-22 17:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GrabPro
2008-11-22 16:12 . 2008-11-22 16:12 <DIR> d-------- c:\program files\iPod
2008-11-22 16:12 . 2008-11-22 16:12 <DIR> d-------- c:\program files\Bonjour
2008-11-22 16:12 . 2008-11-22 16:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 15:59 . 2008-11-22 15:59 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-11-22 15:59 . 2008-11-22 15:59 <DIR> d-------- c:\program files\MSECACHE
2008-11-22 13:04 . 2008-11-22 16:12 <DIR> d-------- c:\program files\QuickTime
2008-11-22 13:03 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-11-21 23:16 . 2008-11-21 23:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\vlc
2008-11-18 21:47 . 2008-11-18 21:47 <DIR> d-------- c:\program files\RocketDock
2008-11-16 20:48 . 2008-11-16 20:48 76,640 --ah----- c:\windows\system32\mlfcache.dat
2008-11-15 13:48 . 2008-11-22 15:58 <DIR> d-------- c:\program files\tooble
2008-11-12 14:05 . 2008-11-15 14:09 <DIR> d-------- c:\program files\Skype Recorder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-27 10:45 100,924 ----a-r c:\windows\system32\ialmdnt5.dll
2008-12-08 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-07 20:07 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2008-12-07 19:27 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2008-12-04 19:34 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2008-12-04 19:14 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-12-04 18:23 --------- d-----w c:\program files\Google
2008-12-01 21:13 --------- d-----w c:\program files\Yahoo!
2008-12-01 20:23 --------- d-----w c:\program files\Lavasoft
2008-12-01 19:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 19:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 10:42 --------- d-----w c:\program files\Common Files\Apple
2008-11-18 15:39 --------- d-----w c:\program files\Ahead
2008-11-18 15:38 --------- d--h--r c:\documents and settings\Administrator\Application Data\yahoo!
2008-11-18 15:38 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-11-16 15:09 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-15 14:10 --------- d-----w c:\program files\UberIcon
2008-11-15 13:54 --------- d-----w c:\program files\Red Kawa
2008-11-15 13:54 --------- d-----w c:\program files\Ambient Design
2008-11-15 13:53 --------- d-----w c:\program files\AviSynth 2.5
2008-11-04 18:37 --------- d-----w c:\program files\Skype
2008-11-04 18:37 --------- d-----w c:\program files\Common Files\Skype
2008-11-04 18:37 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 07:22 --------- d-----w c:\program files\TVUPlayer
2008-10-16 08:43 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 08:43 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 08:42 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 08:42 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 08:39 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 08:39 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 08:39 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 08:38 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 08:36 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 08:36 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-30 11:13 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-13 15:54 273,234 ----a-w c:\windows\FotoFusionV4 Uninstaller.exe
2008-02-24 08:13 2,028 ----a-w c:\documents and settings\Administrator\Application Data\DiamondWare-WiFoneBook.dat
2007-06-14 16:16 130,072 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-08-21 04:41 8 --sh--r c:\windows\system32\D9693738BD.sys
2008-05-10 16:32 2,724 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 118784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2006-06-09 467968]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-28 590848]
"XFILTER"="c:\program files\Filseclab\xfilter\xfilter.exe" [2005-07-27 897284]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-26 219136]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Memento.lnk - c:\program files\Memento\Memento.exe [2005-07-01 352320]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-20 22:57 176128 d:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 XPacket;Filseclab Packet Filter;c:\windows\system32\xpacket.sys [2007-12-27 124752]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2008-04-30 242688]
S2 VQVWCTAL;VQVWCTAL; []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f25bfb0-c495-11dd-b744-0016411374c8}]
\Shell\AutoRun\command - G:\WDSetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3c1953-3470-11dc-b49c-0016411374c8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
.
Contents of the 'Scheduled Tasks' folder
2008-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-23 12:59]
.
- - - - ORPHANS REMOVED - - - -
ShellIconOverlayIdentifiers-{E79CE9F4-E240-41EB-DDF8-037069F374D6} - c:\windows\system32\LVUIQRC.dIl
HKLM-Run-Skype Recorder - c:\program files\Skype Recorder\Skype Recorder.exe
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download All Links with IDM - d:\softwareinstallers\Internet_Download_Manager_noexpiryversion\IEGetAll.htm
IE: Download with IDM - d:\softwareinstallers\Internet_Download_Manager_noexpiryversion\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\idmmbc.dll
LSP: c:\program files\Filseclab\xfilter\XFILTER.DLL
O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\IfolorUploader.ocx - O16 -: {3B36B017-7E49-426B-95B0-B5CECD83C2E2}
hxxp://chkr-web.ifolor.net/ORDERINGGENERAL/LowRes/app_support/ActiveX/IfolorUploader_chkr.cab
c:\windows\Downloaded Program Files\IfolorUploader.inf
O16 -: {436ABEF3-3479-4703-B4A9-64268AEFFEE9} - hxxp://www.joytopic.com/download/SOPCORE.CAB
c:\windows\Downloaded Program Files\SETUP.INF
c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx
O16 -: {BA162249-F2C5-4851-8ADC-FC58CB424243}
hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.1.10.0-040308.cab
c:\windows\Downloaded Program Files\ImageUploader5.inf
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\elbj0u5e.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
FF -: plugin - c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
FF -: plugin - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - d:\program files\iTunes\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 23:04:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
d:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
- - - - - - - > 'lsass.exe'(968)
c:\windows\system32\idmmbc.dll
c:\program files\Filseclab\xfilter\XFILTER.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\WgaTray.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\Tablet.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-12-09 23:09:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 17:39:03
Pre-Run: 7,232,614,400 bytes free
Post-Run: 7,591,956,480 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /bootlogo
262 --- E O F --- 2008-11-13 21:03:17
-----------
9th December 2008
#6
Member
Profile:
Join Date: Dec 2008
Posts: 5
Computer Experience: Intermediate
No more google redirect !
Google doesn't redirect anymore, and I am now able to access all websites including anti-virus sites, yay, thanks a ton for the help.
Is there anything more I need to do?
Could you suggest a few software programs and firewalls I should run to prevent such attacks in future?
10th December 2008
#7
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+
ComboFix did a great job of cleaning up.
1 registry entry to clear up. Highlight and copy the contents of the code box below.
Code:
reg delete "HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3c1953-3470-11dc-b49c-0016411374c8}" /f
exit
cls
Click Start>Run and type cmd, then hit Enter to open a command window. Right click in the command window and select Paste. The command window will close on its own.
Now, let's get an online scan to make sure we haven't missed something. Please do an online scan with Kaspersky Online Scanner.
Click Accept when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Post the Kaspersky log here.
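As an added example that is not part of the thread, of ComboFix or of HijackThis, the Python script below runs a small triage over a constructed excerpt of the ComboFix log posted above. It flags two indicators visible in that log: files named TDSS* under c:\windows (the components listed under "Other Deletions"), and MountPoints2 autorun commands of the shape the staff member removed with reg delete (a bare executable name with no drive-letter path, or a launch through ShellExec_RunDLL). It then emits the matching reg delete lines. Both heuristics and all function names are this example's own assumptions; the sample log lines are copied from the thread.

```python
"""Triage helper for ComboFix / HijackThis-style log excerpts.

Added example: not code from the thread, from ComboFix or from HijackThis.
It checks log lines for two indicators that appear in the thread above:
  1. files under c:\\windows whose basename starts with "TDSS" (the naming
     pattern of the rootkit components listed under "Other Deletions"), and
  2. MountPoints2 Shell\\Auto(Run)\\command entries whose command carries no
     absolute path or runs through ShellExec_RunDLL, the shape of the entry
     the staff member had deleted with reg delete.
Both heuristics are this example's own assumptions, not ComboFix rules.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the ComboFix log above.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\TDSSpxoe.sys
c:\windows\system32\TDSSirxy.dll
c:\windows\system32\drivers\usbccgp.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f25bfb0-c495-11dd-b744-0016411374c8}]
\Shell\AutoRun\command - G:\WDSetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3c1953-3470-11dc-b49c-0016411374c8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
"""

MP2_KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_CMD_RE = re.compile(r"^\\Shell\\(?:Auto|AutoRun)\\command - (.+)$", re.I)
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # "tdss_file" or "mountpoints2_autorun"
    key: str     # file path, or the registry key the command lives under
    detail: str  # file basename, or the autorun command


def is_tdss_component(path):
    """True for a file under c:\\windows whose name starts with TDSS."""
    p = path.lower()
    if not p.startswith("c:\\windows\\"):
        return False
    return p.rsplit("\\", 1)[-1].startswith("tdss")


def command_is_suspicious(cmd):
    """A MountPoints2 autorun command is flagged when it is a bare name
    (no drive-letter path, so it resolves against the removable drive) or
    when it is launched indirectly through ShellExec_RunDLL."""
    if "shellexec_rundll" in cmd.lower():
        return True
    return not ABS_PATH_RE.match(cmd.strip('"'))


def triage(log_text):
    """Walk the log once and collect findings of both kinds."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if is_tdss_component(line):
            findings.append(Finding("tdss_file", line, line.rsplit("\\", 1)[-1]))
            continue
        m = MP2_KEY_RE.match(line)
        if m:
            current_key = m.group(1)   # following \Shell\... lines belong to this key
            continue
        m = AUTORUN_CMD_RE.match(line)
        if m and current_key and command_is_suspicious(m.group(1)):
            findings.append(Finding("mountpoints2_autorun", current_key, m.group(1)))
    return findings


def keys_to_delete(findings):
    """Distinct MountPoints2 keys that carry a suspicious autorun command."""
    return sorted({f.key for f in findings if f.kind == "mountpoints2_autorun"})


def reg_delete_commands(findings):
    """The reg delete lines a helper would paste, one per flagged key."""
    return [f'reg delete "{k}" /f' for k in keys_to_delete(findings)]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:22} {f.key}  ->  {f.detail}")
    print("\n".join(reg_delete_commands(results)))
```

On the sample, the script reports the two TDSS files and both commands under the {9f3c1953-3470-11dc-b49c-0016411374c8} key, and leaves the {1f25bfb0-c495-11dd-b744-0016411374c8} entry alone because G:\WDSetup.exe is an absolute path to a vendor setup program; the single reg delete line it prints targets the same key the staff member asked to remove.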
13th December 2008
#8
Member
Profile:
Join Date: Dec 2008
Posts: 5
Computer Experience: Intermediate
Hi,
I scanned my computer as told, but when I clicked 'Save report' it didn't give any pop-up to save the file.
So I am linking the screenshot of the result. It shows 8 infections.
Is this enough, or shall I run the scan again and try to generate the report once more?
link:
http://i47.photobucket.com/albums/f1...per_report.jpg
14th December 2008
#9
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+
I cannot see the filenames well enough to determine what they are. Anything in Qoobox has been quarantined by ComboFix. We're concerned only with the ones in the Windows folder. If you can list those, please do; otherwise rescan. Only the Windows folder needs to be scanned, so you can do a custom scan for that, which will be much faster.