1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Google Redirect, again

Discussion in 'Malware and Virus Removal Archive' started by CCDiscoB, 2009/01/26.

  1. 2009/01/26
    CCDiscoB

    CCDiscoB Inactive Thread Starter

    Joined:
    2009/01/26
    Messages:
    6
    Likes Received:
    0
    [Resolved] Google Redirect, again

    Hello,

    I too am having the redirect issue. I've tried what I've read but don't want to go too far. Here is my HJT log:

    Thank you!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:53:07 PM, on 1/26/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
    C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe "
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe "
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O21 - SSODL: sysutil - {245A2A0F-D455-52F6-5A0E-087CB478B256} - C:\Program Files\fktgvhd\sysutil.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: RosettaStoneLtdController - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 8060 bytes
     
    CCDiscoB,
    #1
  2. 2009/01/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi CCDiscoB
    Welcome to WindowsBBS

    Please do the following.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan "box on the top of the page: one at a time
      • C:\Program Files\fktgvhd\sysutil.dll
    • Click on the submit button
    • Please post the results in your next reply.

    Now do this.

    Download RootRepeal to your Desktop.
    • Extract the compressed file to it's own folder.
    • Open the folder and doubleclick on RootRepeal.exe to run it.
    • Click on the Report tab, and then click on: Scan
    • A window opens asking what to include in the scan.
    • Check the following boxes then click OK:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • You will then be asked which drive to scan.
    • Check C: (or the drive your operating system is installed on, if not C)
    • Click OK once again.
    The tool will begin scanning and may take a while to complete, so please be patient.

    When the scan finishes, click on: Save Report
    Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

    Post the contents of the reports in a reply here

    Thanks
    Geri
     
    Geri,
    #2


  3. to hide this advert.

  4. 2009/01/27
    CCDiscoB

    CCDiscoB Inactive Thread Starter

    Joined:
    2009/01/26
    Messages:
    6
    Likes Received:
    0
    Thank you!
    I did as instructed. I was surprised to see how much the online scan found. Here are the results:

    Service load: 0% 100%

    File: sysutil.dll_
    Status: INFECTED/MALWARE
    MD5: 6a79b555ade407594e4b839c08447318
    Packers detected: -

    Scanner results
    Scan taken on 27 Jan 2009 15:06:20 (GMT)
    A-Squared Found Trojan.Win32.Obfuscated!IK
    AntiVir Found TR/BHO.Gen
    ArcaVir Found nothing
    Avast Found Win32:pureMorph
    AVG Antivirus Found nothing
    BitDefender Found Trojan.Generic.757904
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found W32/Trojan-Obfuscated.1!Maximus (probable variant)
    F-Secure Anti-Virus Found Trojan.Win32.Obfuscated.gx
    G DATA Found Win32:pureMorph
    Ikarus Found Trojan.BHO
    Kaspersky Anti-Virus Found Trojan.Win32.Obfuscated.gx
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found Generic
    Sophos Antivirus Found Mal/EncPk-DG
    VirusBuster Found nothing
    VBA32 Found BScope.Trojan-Dropper.Dilos.obfs

    RootRepeal Report:
    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/01/27 09:14
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xBAC2E000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF9798000 Size: 8192 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB7B42000 Size: 45056 File Visible: No
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\Documents and Settings\Dan\Application Data\Skype\ludesf15\config.xml
    Status: Could not get file information (Error 0xc0000008)

    SSDT
    -------------------
    #: 017 Function Name: NtAllocateVirtualMemory
    Status: Hooked by "<unknown>" at address 0x81ae52f0

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "<unknown>" at address 0x81b57210

    #: 047 Function Name: NtCreateProcess
    Status: Hooked by "<unknown>" at address 0x81a8f240

    #: 048 Function Name: NtCreateProcessEx
    Status: Hooked by "<unknown>" at address 0x81ab03c8

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0x81ae55c0

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "<unknown>" at address 0x81adbc90

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "<unknown>" at address 0x81afdf40

    #: 180 Function Name: NtQueueApcThread
    Status: Hooked by "<unknown>" at address 0x81ae5368

    #: 186 Function Name: NtReadVirtualMemory
    Status: Hooked by "<unknown>" at address 0x81ae5200

    #: 192 Function Name: NtRenameKey
    Status: Hooked by "<unknown>" at address 0x81ad91f0

    #: 213 Function Name: NtSetContextThread
    Status: Hooked by "<unknown>" at address 0x81ae5458

    #: 226 Function Name: NtSetInformationKey
    Status: Hooked by "<unknown>" at address 0x81b57198

    #: 228 Function Name: NtSetInformationProcess
    Status: Hooked by "<unknown>" at address 0x81ab00e0

    #: 229 Function Name: NtSetInformationThread
    Status: Hooked by "<unknown>" at address 0x81ae54d0

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "<unknown>" at address 0x81adbba0

    #: 253 Function Name: NtSuspendProcess
    Status: Hooked by "<unknown>" at address 0x81b55220

    #: 254 Function Name: NtSuspendThread
    Status: Hooked by "<unknown>" at address 0x81ae53e0

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0x81afdb88

    #: 258 Function Name: NtTerminateThread
    Status: Hooked by "<unknown>" at address 0x81ae5548

    #: 277 Function Name: NtWriteVirtualMemory
    Status: Hooked by "<unknown>" at address 0x81ae5278

    Stealth Objects
    -------------------
    Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
    Process: System Address: 0xffb006c8 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0xffb00788 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
    Process: System Address: 0xffb00848 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
    Process: System Address: 0xffb00908 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
    Process: System Address: 0xffb009c8 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0xffb00a88 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0xffb017d8 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
    Process: System Address: 0xffb018a0 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
    Process: System Address: 0xffb01968 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0xffb01a30 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0xffb01af8 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0xffb01bc0 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0xffb01c88 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0xffb01d50 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0xffb01e18 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0xffb01ee0 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
    Process: System Address: 0xffb01fa8 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0xffb02148 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
    Process: System Address: 0xffb02210 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0xffb022d8 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0xffb023a0 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
    Process: System Address: 0xffb02468 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
    Process: System Address: 0xffb02530 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0xffb025f8 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0xffb026c0 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0xffb02788 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
    Process: System Address: 0xffb02850 Size: -

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
    Process: System Address: 0xffb02918 Size: -
     
    CCDiscoB,
    #3
  5. 2009/01/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    The RootRepeal Report was cut off I believe.

    Please look and see if there is a Hidden Services report and post it.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2009/01/28
    CCDiscoB

    CCDiscoB Inactive Thread Starter

    Joined:
    2009/01/26
    Messages:
    6
    Likes Received:
    0
    The scan said 0 hidden services found
     
    CCDiscoB,
    #5
  7. 2009/01/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK good.

    Please do this.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O21 - SSODL: sysutil - {245A2A0F-D455-52F6-5A0E-087CB478B256} - C:\Program Files\fktgvhd\sysutil.dll

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.


    Using Windows Explorer (to get there right-click your Start button and go to "Explore "), please delete these folders (if present):

    C:\Program Files\fktgvhd

    Please reboot your computer.

    Post a new Hijackthis log.

    Let me know if you are still being redirected.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2009/01/29
    CCDiscoB

    CCDiscoB Inactive Thread Starter

    Joined:
    2009/01/26
    Messages:
    6
    Likes Received:
    0
    I did as instructed. So far so good. Here is the HJT log:
    Thank you!!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:57:04 PM, on 1/29/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
    C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe "
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe "
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: RosettaStoneLtdController - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 7774 bytes
     
    CCDiscoB,
    #7
  9. 2009/01/29
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK good.

    Now lets get a on line scan.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin

    The rest are optional - if you want it to remove everything check "Select All ".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on “Accept” If your pop –up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side.Click on My Computer
    • This will start the program and scan your system.
    • Click the “Scan Report” On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.:
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2009/01/30
    CCDiscoB

    CCDiscoB Inactive Thread Starter

    Joined:
    2009/01/26
    Messages:
    6
    Likes Received:
    0
    Here are the Kaspersky results:

    Needless to say I deleted those files

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, January 30, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, January 30, 2009 14:28:17
    Records in database: 1728662
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 62635
    Threat name: 1
    Infected objects: 2
    Suspicious objects: 0
    Duration of the scan: 04:02:09


    File name / Threat name / Threats count
    C:\Documents and Settings\Dan\My Documents\My Music\Ini Kamoze - here Comes The Hotstepper.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
    C:\Documents and Settings\Dan\My Documents\My Music\ivy apartment.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1

    The selected area was scanned.
     
    CCDiscoB,
    #9
  11. 2009/01/30
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK good.

    You can delete RootRepeal.

    Let me know that everything is running OK

    Thanks
    Geri
     
    Geri,
    #10
  12. 2009/01/31
    CCDiscoB

    CCDiscoB Inactive Thread Starter

    Joined:
    2009/01/26
    Messages:
    6
    Likes Received:
    0
    Everything seems to running great! Thanks so much!
     
    CCDiscoB,
    #11
  13. 2009/01/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi CDDiscoB
    OK that's good to hear, you're welcome.

    Please look at this link for some preventive recommendations, It could keep you from ending up back here to the Malware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    I'll mark this one resolved.

    Surf Safely
    Geri
     
    Geri,
    #12

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...