
[Active] Google redirect

Discussion in 'Malware and Virus Removal Archive' started by ptsyu, 2008/12/14.

  1. 2008/12/14 - ptsyu (Thread Starter)
    [Active] Google redirect

    Hello,
    When I click on any link in Google, a new tab pops up and takes me to some virus webpage. I have McAfee and it tells me the site has issues. I am using Mozilla Firefox. Here is the Trend Micro HijackThis v2.0.2 log.
    Thank you

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:53:03 PM, on 12/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\ehome\RMSvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\DOCUME~1\TYREIB~1\LOCALS~1\Temp\winloggn.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\ehome\RMSysTry.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\WINDOWS\SCMain.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
    C:\DOCUME~1\TYREIB~1\LOCALS~1\Temp\csrssc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [1405971b] rundll32.exe "C:\WINDOWS\system32\dxwxvlwf.dll",b
    O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKLM\..\Run: [xsgds4fgffght] C:\DOCUME~1\TYREIB~1\LOCALS~1\Temp\winloggn.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKCU\..\Run: [xsgds4fgffght] C:\DOCUME~1\TYREIB~1\LOCALS~1\Temp\winloggn.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\TYREIB~1\LOCALS~1\Temp\csrssc.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: Stardust Screen Saver Control 2003.lnk = C:\WINDOWS\SCMain.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O22 - SharedTaskScheduler: KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rsekd83jde.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BCMLogon - Broadcom Corporation - C:\WINDOWS\System32\BCMLogon.dll
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 1: (no name) - http://www.weather.com/weather/local/16801?lswe=16801&lwsa=WeatherLocalUndeclared&from=searchbox

    --
    End of file - 11729 bytes
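    A first-pass triage of the autostart lines in the log above can be automated. The script below is an added example for this thread, not part of HijackThis or of the original post: it applies a few heuristics (random-looking Run value or file names, executables launched from a Temp directory, file names one letter away from csrss.exe or winlogon.exe, and the O7 DisableRegedit policy) to O4/O7/O22 lines. The sample lines are copied from the posted log, the `LOOKALIKES` list and the scoring thresholds are my own assumptions, and the result is a shortlist for a human, not a verdict.

```python
"""Heuristic triage of HijackThis autostart lines.

Added example for this thread; it is not part of HijackThis or of the original
post.  The sample lines are copied from the log posted above (plus the clean
ehTray entry for contrast).  The scoring rules and the LOOKALIKES list are my
own assumptions, not a published signature set.
"""
import re

# Lines copied from the posted HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [1405971b] rundll32.exe "C:\WINDOWS\system32\dxwxvlwf.dll",b
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [xsgds4fgffght] C:\DOCUME~1\TYREIB~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\TYREIB~1\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rsekd83jde.dll
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O22_RE = re.compile(r'^O22 - SharedTaskScheduler: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O7_RE = re.compile(r'^O7 - .*\bDisableRegedit=1\b')
FILE_RE = re.compile(r'[\w~$.-]+\.(?:exe|dll)\b', re.IGNORECASE)

# File names one letter away from real Windows binaries (csrss.exe, winlogon.exe).
# Constructed list for this example.
LOOKALIKES = {"csrssc.exe", "winloggn.exe"}


def looks_random(token):
    """Crude 'generated name' test: several digits mixed with letters, or a long
    run of letters with almost no vowels (dxwxvlwf, xsgds4fgffght)."""
    letters = [c for c in token.lower() if c.isalpha()]
    digits = sum(c.isdigit() for c in token)
    if len(token) >= 8 and digits >= 3 and letters:
        return True
    if len(letters) >= 8:
        return sum(c in "aeiou" for c in letters) / len(letters) < 0.25
    return False


def _file_findings(text):
    """Reasons derived from the executables/DLLs referenced in a command line."""
    reasons = []
    for fname in FILE_RE.findall(text):
        base = fname.lower()
        if base in LOOKALIKES:
            reasons.append(f"{fname}: mimics a Windows system binary name")
        elif looks_random(base.rsplit(".", 1)[0]):
            reasons.append(f"{fname}: random-looking file name")
    if "\\temp\\" in text.lower():
        reasons.append("loads from a Temp directory")
    return reasons


def triage(log_text):
    """Return [(line, [reason, ...]), ...] for every autostart line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if (m := O4_RE.match(line)):
            if looks_random(m["name"]):
                reasons.append(f"random-looking Run value name {m['name']!r}")
            reasons += _file_findings(m["cmd"])
        elif (m := O22_RE.match(line)):
            if looks_random(m["name"]):
                reasons.append(f"random-looking SharedTaskScheduler name {m['name']!r}")
            reasons += _file_findings(m["path"])
        elif O7_RE.match(line):
            reasons.append("registry editor disabled by policy (DisableRegedit=1)")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

    Run against the sample, it flags the rundll32 entry, both Temp-directory loaders, the DisableRegedit policy and the SharedTaskScheduler hook, and leaves ehTray alone. It does not flag prunnet.exe, whose name is unremarkable; that entry only stands out because it appears in both HKLM and HKCU and is later confirmed by ComboFix, which is the caveat with name-based heuristics.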
     
  2. 2008/12/14 - noahdfear
    Hi ptsyu,

    You've got some nasty stuff on board there. Please visit the following webpage for instructions on downloading and running ComboFix.

    How to use ComboFix

    Download ComboFix by sUBs from here, saving the file to your desktop.

    Please disable real-time protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double-click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     


  4. 2008/12/15 - ptsyu (Thread Starter)
    noahdfear,
    I tried to go to that website to download ComboFix, but it came up as a page load error. I have gotten this for other sites as well. I tried to search for it and go there, but I just get redirected like before. Thanks

    ptsyu
     
  5. 2008/12/15 - noahdfear
    Do you have another computer available on which you could download the file, and a USB drive, floppy or CD that you can transfer it with?
     
  6. 2008/12/15 - ptsyu (Thread Starter)
    I tried getting ComboFix from two other computers, and although I got it onto the USB drive and then onto my desktop, I would click it and the hourglass would come up for a second, then it would just go away and nothing would happen. I tried to delete ComboFix and try again, but it said I could not delete it. I turned off my McAfee from doing anything. Any suggestion would be greatly appreciated.
    ptsyu
     
  7. 2008/12/15 - noahdfear
    Transfer it over again, but this time give it a different name when saving it to your computer. Something like bombo.exe should do nicely.
     
  8. 2008/12/15 - ptsyu (Thread Starter)
    Thanks that worked. Here is the log.

    ComboFix 08-12-14.05 - Ty Reiber 2008-12-15 12:49:44.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.647 [GMT -5:00]
    Running from: c:\documents and settings\Ty Reiber\Desktop\Bombo.exe.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
    c:\documents and settings\Ty Reiber\Local Settings\Temporary Internet Files\CPV.stt
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\system32\awttsPfC.dll
    c:\windows\system32\byXQHBQI.dll
    c:\windows\system32\drivers\TDSSrvdc.sys
    c:\windows\system32\dxwxvlwf.dll
    c:\windows\system32\fwlvxwxd.ini
    c:\windows\system32\hgGwUllI.dll
    c:\windows\system32\hgGxYrRK.dll
    c:\windows\system32\IllUwGgh.ini
    c:\windows\system32\IllUwGgh.ini2
    c:\windows\system32\jrwufa.dll
    c:\windows\system32\pmnnNghH.dll
    c:\windows\system32\prunnet.exe
    c:\windows\system32\rsekd83jde.dll
    c:\windows\system32\TDSSbeat.dat
    c:\windows\system32\TDSSkfkl.dll
    c:\windows\system32\TDSSoaba.dll
    c:\windows\system32\TDSSoxum.dll
    c:\windows\system32\TDSSqkhc.dll
    c:\windows\system32\TDSSqrde.log
    c:\windows\system32\TDSSshkx.log
    c:\windows\system32\TDSSurkb.dll
    c:\windows\system32\TDSSvmxh.log
    c:\windows\system32\TDSSxnpr.dll
    c:\windows\system32\udmuklfv.dll
    c:\windows\Tasks\ylupfeqd.job

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSSERV.SYS
    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
    .

    2008-12-15 01:12 . 2008-12-15 01:12 <DIR> d-------- C:\Deckard
    2008-12-13 22:15 . 2008-12-13 22:16 3,905,915 --a------ C:\Los Lonely Boys - How far is Heaven.mp3
    2008-12-13 22:12 . 2008-12-13 22:12 7,266,400 --a------ C:\No Doubt - Underneath It All.mp3
    2008-12-13 22:09 . 2008-12-13 22:10 3,737,600 --a------ C:\Blake Shelton - Austin.mp3
    2008-12-13 22:08 . 2008-12-13 22:11 3,564,032 --a------ C:\Faith Hill - There You'll Be.mp3
    2008-12-13 22:07 . 2008-12-13 22:08 4,019,223 --a------ C:\Faith Hill - Breathe.mp3
    2008-12-13 22:02 . 2008-12-13 22:03 4,741,456 --a------ C:\LeAnne Womack - I Hope You Dance.mp3
    2008-12-13 22:02 . 2008-12-13 22:08 4,018,366 --a------ C:\Mariah Carey- We Belong Together.mp3
    2008-12-13 21:58 . 2008-12-13 21:58 6,189,056 --a------ C:\Maroon 5 - She Will Be Loved.mp3
    2008-12-13 21:46 . 2008-12-13 21:47 5,061,067 --a------ C:\Dave Matthews Band - Crash Into Me.mp3
    2008-12-13 21:46 . 2008-12-13 21:47 4,667,951 --a------ C:\Goo Goo Dolls - Iris.mp3
    2008-12-13 21:46 . 2008-12-13 21:48 3,986,957 --a------ C:\Sophie B. Hawkins - As I Lay Me Down.mp3
    2008-12-13 21:44 . 2008-12-13 21:46 3,240,899 --a------ C:\Boys II Men - Boyz 2 men - Water Runs Dry.mp3
    2008-12-09 22:44 . 2008-12-09 22:44 <DIR> d-------- c:\program files\iTunes
    2008-12-09 22:44 . 2008-12-09 22:44 <DIR> d-------- c:\program files\iPod
    2008-12-09 22:44 . 2008-12-09 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-12-09 22:41 . 2008-12-09 22:41 <DIR> d-------- c:\program files\QuickTime
    2008-12-08 22:25 . 2008-12-08 22:25 6,245,859 --a------ C:\Brad Paisley & Allison Krauss - Whiskey Lullaby.mp3
    2008-12-08 22:25 . 2008-12-08 22:46 3,960,960 --a------ C:\Toby Keith - I Love This Bar.mp3
    2008-12-05 23:55 . 2008-12-05 23:56 10,007,272 --a------ C:\Jamey Johnson - In Color.mp3
    2008-12-05 23:49 . 2008-12-05 23:56 4,276,761 --a------ C:\Taylor Swift - Picture To Burn.mp3
    2008-12-05 23:49 . 2008-12-05 23:57 3,216,802 --a------ C:\Jason Michael Carroll - I Can Sleep When I'm Dead.mp3
    2008-12-05 23:47 . 2008-12-05 23:56 3,383,418 --a------ C:\Sugarland - All I Want To Do.mp3
    2008-12-05 23:45 . 2008-12-05 23:56 5,861,376 --a------ C:\Taylor Swift- Should've Said No.mp3
    2008-12-05 23:45 . 2008-12-05 23:46 5,513,259 --a------ C:\Ashton Shepard - Sounds So Good.mp3
    2008-12-05 23:45 . 2008-12-05 23:46 5,082,843 --a------ C:\George Strait -4 - River of Love.mp3
    2008-12-05 23:43 . 2008-12-05 23:57 3,092,682 --a------ C:\Josh Gracin - Unbelievable.mp3
    2008-12-05 23:40 . 2008-12-05 23:58 9,020,895 --a------ C:\Craig Morgan - Love Remembers.mp3
    2008-12-05 23:40 . 2008-12-05 23:56 3,460,443 --a------ C:\Rascal Flatts - Here.mp3
    2008-12-05 23:37 . 2008-12-05 23:38 6,441,288 --a------ C:\Carrie Underwood - Just A Dream.mp3
    2008-12-02 16:38 . 2008-12-05 23:57 4,787,407 --a------ C:\Jason Mraz - Beautiful.mp3
    2008-12-02 16:38 . 2008-12-05 23:57 4,125,297 --a------ C:\Jason Mraz - I'm Yours(1).mp3
    2008-12-02 16:34 . 2008-12-05 23:56 3,520,640 --a------ C:\Zac Brown Band - Chicken Fried.mp3
    2008-12-02 16:18 . 2008-12-05 23:56 3,946,442 --a------ C:\Taylor Swift - Love Story.mp3
    2008-12-02 16:15 . 2008-12-05 23:57 1,368,698 --a------ C:\Dean Martin - Baby It's Cold Outside (Doris Day).mp3
    2008-11-20 15:49 . 2008-11-23 12:53 481 --a------ c:\windows\system32\qwavecache.dat
    2008-11-20 14:45 . 2008-11-20 14:45 <DIR> d-------- c:\documents and settings\MCX1
    2008-11-20 14:38 . 2008-11-20 14:38 <DIR> d--h----- c:\windows\system32\GroupPolicy
    2008-11-20 14:33 . 2008-04-15 09:53 295,424 --------- c:\windows\system32\dllcache\termsrv.dll
    2008-11-18 14:41 . 2008-11-18 14:58 5,593,106 --a------ C:\Kenny Chesney - All I Want For Christmas is a Real Good Tan.mp3
    2008-11-18 14:38 . 2008-11-18 14:39 2,430,456 --a------ C:\Christmas - Boys to Men - Silent Night.mp3
    2008-11-18 14:32 . 2008-11-18 14:33 3,408,050 --a------ C:\Whitney Houston - Do You Hear What I Hear.mp3
    2008-11-18 14:31 . 2008-11-18 14:33 4,615,590 --a------ C:\Nat King Cole - The Christmas Song.mp3
    2008-11-18 14:25 . 2008-11-18 14:25 4,012,041 --a------ C:\Christmas Songs - Boyz II Men - Let It Snow.mp3
    2008-11-18 14:25 . 2008-12-05 23:59 3,354,829 --a------ C:\Christmas - Bare Naked Ladies & Sarah Mclachlan - God Rest Ye Merry Gentlemen .mp3
    2008-11-18 14:23 . 2008-11-18 14:23 2,252,844 --a------ C:\Nat King Cole - Oh come all ye faithfull.mp3
    2008-11-18 14:21 . 2008-12-06 00:04 5,381,068 --a------ C:\Christmas Songs - Bon Jovi - i wish every day could be like xmas.mp3
    2008-11-18 14:20 . 2008-11-18 14:20 5,681,180 --a------ C:\Josh Groban - Noel - 09 - The First Noel.mp3
    2008-11-18 14:20 . 2008-11-18 14:20 3,927,899 --a------ C:\Christmas Music - Boyz II Men - The First Noel.mp3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-14 15:44 --------- d-----w c:\program files\Dl_cats
    2008-12-13 18:00 --------- d-----w c:\documents and settings\Ty Reiber\Application Data\LimeWire
    2008-12-10 19:25 --------- d-----w c:\program files\Google
    2008-12-10 19:24 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-10 19:24 --------- d-----w c:\program files\AOL Games
    2008-12-10 03:44 --------- d-----w c:\program files\Common Files\Apple
    2008-11-14 19:23 --------- d-----w c:\program files\EA GAMES
    2008-11-13 09:08 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
    2008-11-10 01:17 --------- d-----w c:\program files\Microsoft Silverlight
    2008-11-10 01:11 --------- d-----w c:\program files\Bonjour
    2008-10-30 08:08 --------- d-----w c:\program files\McAfee
    2008-10-27 17:20 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-23 20:53 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
    2008-10-23 20:52 --------- d-----w c:\documents and settings\Ty Reiber\Application Data\iWin
    2008-10-22 01:53 --------- d-----w c:\program files\Pyware 3D Performer's Practice Tools
    2008-03-29 22:47 10 ----a-w c:\program files\.autoreg
    2007-02-08 06:37 251 ----a-w c:\program files\wt3d.ini
    2008-03-29 22:47 69,632 ----a-w c:\program files\mozilla firefox\components\ffwt.dll
    2006-10-24 02:17 88 --sh--r c:\windows\system32\AB5937B8DB.sys
    2006-10-24 02:17 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"="c:\program files\AOL\AIM Toolbar 5.0\aoltb.dll" [2008-03-07 1090912]

    [HKEY_CLASSES_ROOT\clsid\{ea756889-2338-43db-8f07-d1ca6fb9c90d}]
    [HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch.1]
    [HKEY_CLASSES_ROOT\TypeLib\{371A6A18-2D6A-4DF8-A4AA-61CA349B3C70}]
    [HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 68856]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-22 169984]
    "BuildBU"="c:\dell\bldbubg.exe" [2006-08-22 61440]
    "DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 c:\windows\stsystra.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
    HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-01-03 1392640]
    Stardust Screen Saver Control 2003.lnk - c:\windows\SCMain.exe [2004-01-02 355328]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WZCSVC"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "wltrysvc"=2 (0x2)
    "iPod Service"=3 (0x3)
    "gusvc"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3776:UDP"= 3776:UDP:Media Center Extender Service
    "3390:TCP"= 3390:TCP:Remote Media Center Experience

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; "c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-02 203280]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-16 24652]
    S2 BCMLogon;BCMLogon;c:\windows\System32\BCMLogon.dll [2007-12-23 700416]
    S3 NdisWDM;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\DRIVERS\ndiswdm.sys [2007-12-23 198528]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    QWAVE REG_MULTI_SZ QWAVE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
    \Shell\AutoRun\command - I:\loader.exe
    \Shell\langenglish\command - i:\setup\i386\msetup.exe lang:english

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80ad45c6-07db-11dc-8bc0-001372e2cf99}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8f4871e-3e92-11db-8b8a-001372e2cf99}]
    \Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure31.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2008-12-15 c:\windows\Tasks\McDefragTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

    2008-11-01 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\hgGxYrRK.dll
    BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\rsekd83jde.dll
    BHO-{E1D905F2-3E04-4901-B8DA-8181969B30E7} - c:\windows\system32\hgGwUllI.dll
    HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
    HKLM-Run-pccguide.exe - c:\program files\Trend Micro\Internet Security 12\pccguide.exe
    HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe
    HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
    HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
    SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\rsekd83jde.dll
    ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\hgGxYrRK.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/?src=aim
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.comcast.net/
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Ty Reiber\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\
    FF - prefs.js: browser.search.selectedEngine - AIM Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/local/16801?lswe=16801&lwsa=WeatherLocalUndeclared&from=searchbox_localwx|http://www.google.com/|https://webmail.psu.edu/
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
    FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
    FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-15 12:57:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\Common Files\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\windows\ehome\RMSvc.exe
    c:\windows\ehome\McrdSvc.exe
    c:\windows\system32\dllhost.exe
    c:\progra~1\McAfee.com\Agent\mcagent.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\AIM6\aolsoftware.exe
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\progra~1\McAfee\MSC\mcuimgr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-15 13:01:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-15 18:01:25
    ComboFix2.txt 2008-03-31 17:21:02

    Pre-Run: 59,468,849,152 bytes free
    Post-Run: 59,414,450,176 bytes free

    291 --- E O F --- 2008-12-11 09:06:46
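The "ORPHANS REMOVED" and MountPoints2 entries in the log above are the load points ComboFix cleared: browser helper objects, HKCU/HKLM Run values, a SharedTaskScheduler hook, a ShellExecuteHooks entry and per-volume AutoRun commands. The following Python script is an added triage example, not part of this thread and not a ComboFix or WindowsBBS tool: it parses those sections out of a ComboFix-style log and reports, per load point, what was registered, which file was hooked under more than one load point (in this log hgGxYrRK.dll as both BHO and ShellExecuteHooks, rsekd83jde.dll as both BHO and SharedTaskScheduler, prunnet.exe under both HKCU and HKLM Run) and which AutoRun commands would launch from a drive other than the system drive. The section layout it relies on (a line holding only "." closes a section) is read off this log and is an assumption, not documented ComboFix format; the sample input is constructed from lines of the posted log.

```python
"""Triage helper for the persistence sections of a ComboFix-style log (added example).
Section layout assumed: a line holding only "." ends a section. Sample is constructed."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80ad45c6-07db-11dc-8bc0-001372e2cf99}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\hgGxYrRK.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\rsekd83jde.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\rsekd83jde.dll
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\hgGxYrRK.dll

.
------- Supplementary Scan -------
"""

# "<loadpoint>-<name> - <target>"; the Run keys carry an extra "-Run" in the load point.
ORPHAN_RE = re.compile(r"^(?P<kind>[A-Za-z]+(?:-Run)?)-(?P<name>\S+) - (?P<target>.+)$")
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[^}]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<command>.+)$", re.I)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S.*\.job)$")
TASK_TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]+)\]$")


def section(text, header):
    """Yield non-empty lines after the first line containing `header`, stopping at a lone '.'."""
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not inside:
            inside = header in line
            continue
        if line == ".":
            return
        if line:
            yield line


def parse_orphans(text):
    """Entries ComboFix removed because their target no longer existed, keyed by load point."""
    out = []
    for line in section(text, "ORPHANS REMOVED"):
        m = ORPHAN_RE.match(line)
        if m:
            out.append({"kind": m["kind"], "name": m["name"], "target": m["target"]})
    return out


def parse_autorun_mountpoints(text):
    """Pair each MountPoints2 volume GUID with the AutoRun command cached under it."""
    out, guid = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = MOUNTPOINT_RE.match(line)
        if km:
            guid = km["guid"]
            continue
        am = AUTORUN_RE.match(line)
        if am and guid:
            out.append((guid, am["command"]))
            guid = None
    return out


def parse_scheduled_tasks(text):
    """(job file, target executable, target timestamp) for each scheduled task listed."""
    out, job = [], None
    for line in section(text, "Scheduled Tasks"):
        jm = TASK_RE.match(line)
        if jm:
            job = jm["job"]
            continue
        tm = TASK_TARGET_RE.match(line)
        if tm and job:
            out.append((job, tm["target"], tm["stamp"]))
            job = None
    return out


def multi_loadpoint_targets(orphans):
    """Files registered under more than one load point (e.g. one DLL as BHO and ShellExecuteHook)."""
    by_target = defaultdict(list)
    for e in orphans:
        by_target[e["target"].lower()].append(e["kind"])
    return {t: sorted(k) for t, k in by_target.items() if len(k) > 1}


def removable_autoruns(mountpoints, fixed_drives=("c:",)):
    """AutoRun commands that would launch from a volume other than the fixed system drive."""
    return [(g, cmd) for g, cmd in mountpoints if not cmd.lower().startswith(fixed_drives)]


def summarize(text):
    orphans = parse_orphans(text)
    return {
        "orphans_by_kind": dict(Counter(e["kind"] for e in orphans)),
        "multi_loadpoint": multi_loadpoint_targets(orphans),
        "removable_autoruns": removable_autoruns(parse_autorun_mountpoints(text)),
        "scheduled_tasks": parse_scheduled_tasks(text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run as-is it prints the summary for the constructed sample; pass the text of a saved log to summarize() for a real one. The multi-load-point grouping is the part worth reading first: a file that is registered as a BHO and again as a ShellExecute hook or SharedTaskScheduler entry reloads whenever Explorer or IE starts, which is why one removed Run value alone rarely ends a redirect infection. The per-volume AutoRun commands are listed separately because MountPoints2 caches them per device, so they survive after the device is unplugged.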
     
  9. 2008/12/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please delete the C:\Deckard folder and dss.exe
    The variant of infection you had could have caused dss to render your machine unbootable, which is why dss is no longer used.

    ComboFix did a good job of cleaning up. Let's get an online scan to see if anything else is hiding. Please do an online scan with Kaspersky Online Scanner

    • Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Post the Kaspersky log here.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
     
