TechSpot

Google redirect virus

By lemika
Dec 8, 2011
  1. Hello!
    I have a Google redirect virus.
    I have followed the instructions and here are the results. I hope you will be able to help me. This virus is killing me!

    1.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8293

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/2/2011 6:05:28 PM
    mbam-log-2011-12-02 (18-05-27).txt

    Scan type: Quick scan
    Objects scanned: 178463
    Time elapsed: 21 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Saban\application data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
     
  2. lemika

    lemika TS Rookie Topic Starter Posts: 36

    here is GMER

    2.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-12-08 13:43:39
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-75FRA0 rev.77.07W77
    Running: g1tyw5o3.exe; Driver: C:\DOCUME~1\Saban\LOCALS~1\Temp\awtdrpow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:120] 822F4121
    Thread System [4:412] 8214BB90

    ---- EOF - GMER 1.0.15 ----
     
  3. lemika

    lemika TS Rookie Topic Starter Posts: 36

    dds

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Saban at 13:44:06 on 2011-12-08
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.250 [GMT -5:00]
    .
    AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: PriceGongCtrl Class: {d2a2595c-4fe4-4315-aa9b-19dbd6271b71} - c:\program files\pricegong\1.5.0\PriceGongIE.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [Google Update] "c:\documents and settings\saban\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [<NO NAME>]
    mRun: [hpbdfawep] "c:\program files\hp\dfawep\bin\hpbdfawep.exe" 1
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFTWUwtR1o5VzItTlFIWEMtUVRJUlctWVlKQlktUQ"&"inst=NzYtOTY4NzE2NjY4LVNUMTJPSSsxLUREVCsw"&"prod=92"&"ver=2012.0.1873"&"mid=16f4a4c63c3c47d1b752d145b75a3023-f7ea3a8800fd4d1b7344d3
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [2010-3-17 11264]
    R4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriver.sys --> c:\windows\system32\drivers\AVGIDSDriver.Sys [?]
    R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
    R4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilter.sys --> c:\windows\system32\drivers\AVGIDSFilter.Sys [?]
    R4 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
    R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
    R4 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
    S0 cerc6;cerc6; [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-12-02 22:35:36 -------- d-----w- c:\documents and settings\saban\application data\Malwarebytes
    2011-12-02 22:34:44 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-12-02 22:34:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-02 22:34:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-02 19:35:54 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
    2011-11-29 18:00:09 -------- d-----w- c:\program files\iPod
    2011-11-29 17:59:37 -------- d-----w- c:\program files\iTunes
    2011-11-29 17:43:16 -------- d-----w- c:\program files\Bonjour
    .
    ==================== Find3M ====================
    .
    2011-11-07 19:11:55 11264 ----a-w- c:\windows\DCEBoot.exe
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    .
    ============= FINISH: 13:45:01.20 ===============
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I will tell you right up that Price Gong comes with a price of its own!

    There is another log from DDS named Attach.txt. Please paste it in your next reply.
    ================================
    There are quite a few entries to remove. We can do some of them with the following:

    AVG will have to be temporarily uninstalled as Combofix will not run with it:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =======================================
    Please run the Eset online virus scan:

    For Internet Explorer:> start here:
    • Open the ESETOnlineScan
      -------------
      Note: If you are using a browser other than Internet Explorer> start here:
    • Open Eset Smart Installer
    • Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    • Double click on the desktop icon to run.
    • After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    • Continue with the directions.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
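The helper above reads the DDS "Pseudo HJT Report" by eye and spots the entries worth removing: registry entries that point at files which no longer exist ("No File"), the PriceGong BHO, and unnamed autorun values. As an added example that is not part of the thread and not code from the DDS tool, the script below parses lines in that report's shape and applies the same three checks. The line format it accepts (`KIND: name: {CLSID} - path` and `KIND: [name] command`), the PUP watchlist and the flag names are assumptions of this example; the sample lines are abridged copies of the log posted earlier in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: lines copied (abridged) from the DDS pseudo-HJT
# report posted in this thread, so the script runs offline.
SAMPLE_DDS = """\
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
BHO: PriceGongCtrl Class: {d2a2595c-4fe4-4315-aa9b-19dbd6271b71} - c:\\program files\\pricegong\\1.5.0\\PriceGongIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Skype] "c:\\program files\\skype\\phone\\Skype.exe" /nosplash /minimized
mRun: [<NO NAME>]
"""

# Hypothetical watchlist: the two PUP names called out in the thread.
PUP_WATCHLIST = ("pricegong", "bittorrentbar")

# Assumed line shapes: "KIND: rest", where rest carries a {CLSID} for
# BHO/TB/Handler lines or a [label] for Run/RunOnce lines.
LINE_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s*(?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")


@dataclass
class Entry:
    kind: str                      # BHO, TB, uRun, mRun, uURLSearchHooks, ...
    name: str                      # human-readable label, '' if the line has none
    clsid: Optional[str]           # {GUID} if present
    target: str                    # file path / command, or 'No File'
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one report line; lines that are not 'KIND: ...' (e.g. the
    'uInternet Settings,ProxyOverride = *.local' style) are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    clsid_m = CLSID_RE.search(rest)
    run_m = RUN_RE.match(rest)
    if run_m:
        name, target = run_m.group("name"), run_m.group("target")
    elif clsid_m:
        name = rest[: clsid_m.start()].rstrip(" :-")
        target = rest[clsid_m.end():].lstrip(" -")
    else:
        name, target = "", rest
    return Entry(kind, name, clsid_m.group(0) if clsid_m else None, target.strip())


def triage(entry: Entry) -> Entry:
    """Apply the three heuristics a helper uses on this section (assumed names)."""
    haystack = f"{entry.name} {entry.target}".lower()
    if entry.target.endswith("No File"):
        entry.flags.append("orphan")            # registry points at a missing file
    if any(p in haystack for p in PUP_WATCHLIST):
        entry.flags.append("watchlist")         # known PUP name in label or path
    if entry.kind.lower().endswith("run") and (entry.name == "<NO NAME>" or not entry.target):
        entry.flags.append("unnamed-autorun")   # autorun value with no name/command
    return entry


def triage_report(text: str) -> List[Entry]:
    entries = (parse_line(line) for line in text.splitlines())
    return [triage(e) for e in entries if e is not None]


def flagged(text: str):
    """Return (kind, name, flags) for every entry that tripped at least one check."""
    return [(e.kind, e.name, e.flags) for e in triage_report(text) if e.flags]


if __name__ == "__main__":
    for kind, name, flags in flagged(SAMPLE_DDS):
        print(f"{kind:16} {name or '-':24} {', '.join(flags)}")
```

Run as-is it reports the orphaned URLSearchHook and toolbar, the PriceGong BHO and the unnamed mRun value, and leaves the Adobe and Skype entries alone; the checks are deliberately conservative (an orphan or a watchlist hit is a prompt for review, not proof of infection), which matches how the helper treats them before deciding what to remove.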
     
  5. lemika

    lemika TS Rookie Topic Starter Posts: 36

    attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/15/2009 6:35:00 PM
    System Uptime: 12/8/2011 3:07:41 PM (19 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 0F4491
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 8.15 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Input Device
    Device ID: PCI\VEN_1102&DEV_7004&SUBSYS_10031102&REV_00\4&1C660DD6&0&11F0
    Manufacturer:
    Name: PCI Input Device
    PNP Device ID: PCI\VEN_1102&DEV_7004&SUBSYS_10031102&REV_00\4&1C660DD6&0&11F0
    Service:
    .
    Class GUID:
    Description: Multimedia Audio Controller
    Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01741028&REV_02\3&172E68DD&0&FD
    Manufacturer:
    Name: Multimedia Audio Controller
    PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01741028&REV_02\3&172E68DD&0&FD
    Service:
    .
    ==== System Restore Points ===================
    .
    RP351: 9/12/2011 10:35:31 AM - System Checkpoint
    RP352: 9/13/2011 12:08:16 PM - System Checkpoint
    RP353: 9/14/2011 5:08:08 PM - Software Distribution Service 3.0
    RP354: 9/19/2011 9:27:20 AM - System Checkpoint
    RP355: 9/20/2011 10:06:55 AM - System Checkpoint
    RP356: 9/22/2011 9:12:28 AM - System Checkpoint
    RP357: 9/23/2011 11:23:12 AM - System Checkpoint
    RP358: 9/27/2011 9:12:37 AM - System Checkpoint
    RP359: 9/28/2011 10:08:13 AM - System Checkpoint
    RP360: 9/29/2011 3:00:25 AM - Software Distribution Service 3.0
    RP361: 10/3/2011 9:27:38 AM - System Checkpoint
    RP362: 10/4/2011 1:07:56 PM - System Checkpoint
    RP363: 10/5/2011 1:14:11 PM - System Checkpoint
    RP364: 10/6/2011 1:39:27 PM - System Checkpoint
    RP365: 10/10/2011 12:00:18 PM - System Checkpoint
    RP366: 10/12/2011 12:03:40 PM - System Checkpoint
    RP367: 10/13/2011 1:15:35 PM - System Checkpoint
    RP368: 10/13/2011 5:50:12 PM - Software Distribution Service 3.0
    RP369: 10/18/2011 2:21:27 PM - System Checkpoint
    RP370: 10/20/2011 11:03:09 AM - System Checkpoint
    RP371: 10/24/2011 5:21:11 PM - System Checkpoint
    RP372: 10/26/2011 3:27:39 PM - System Checkpoint
    RP373: 10/28/2011 4:04:14 PM - System Checkpoint
    RP374: 11/2/2011 11:35:13 AM - System Checkpoint
    RP375: 11/4/2011 11:20:04 AM - System Checkpoint
    RP376: 11/8/2011 11:24:00 AM - Installed AVG 2012
    RP377: 11/8/2011 11:24:51 AM - Installed AVG 2012
    RP378: 11/9/2011 5:15:20 PM - Software Distribution Service 3.0
    RP379: 11/11/2011 3:27:38 PM - System Checkpoint
    RP380: 11/11/2011 6:00:47 PM - Software Distribution Service 3.0
    RP381: 11/14/2011 10:40:28 AM - System Checkpoint
    RP382: 11/15/2011 5:59:14 PM - System Checkpoint
    RP383: 11/16/2011 6:29:07 PM - System Checkpoint
    RP384: 11/18/2011 11:15:38 AM - System Checkpoint
    RP385: 11/21/2011 11:01:55 AM - System Checkpoint
    RP386: 11/22/2011 12:23:27 PM - System Checkpoint
    RP387: 11/24/2011 11:37:02 AM - System Checkpoint
    RP388: 11/25/2011 6:19:38 PM - System Checkpoint
    RP389: 11/26/2011 7:05:36 PM - System Checkpoint
    RP390: 11/27/2011 8:05:31 PM - System Checkpoint
    RP391: 11/29/2011 12:50:19 PM - Installed iTunes
    RP392: 12/1/2011 6:00:00 PM - System Checkpoint
    RP393: 12/5/2011 11:40:03 AM - System Checkpoint
    RP394: 12/6/2011 3:40:09 PM - System Checkpoint
    RP395: 12/8/2011 10:54:05 AM - System Checkpoint
    RP396: 12/8/2011 1:40:38 PM - Removed AVG 2012
    RP397: 12/8/2011 1:43:09 PM - Removed AVG 2012
    RP398: 12/8/2011 2:03:50 PM - Installed AVG 2012
    RP399: 12/8/2011 2:09:50 PM - Installed AVG 2012
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Community Help
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG 2012
    BitTorrentBar Toolbar
    Bonjour
    Google Chrome
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP LaserJet P1000 series
    HPCarePackCore
    HPCarePackProducts
    hppMSRedist
    hppusgP1000
    HPSSupply
    Intel(R) PRO Network Adapters and Drivers
    iTunes
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    MrvlUsgTracking
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 and SOAP Toolkit 3.0
    MSXML 6.0 Parser
    PriceGong 1.5.0
    QuickTime
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Skype Click to Call
    Skype™ 5.5
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/8/2011 2:55:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
    12/8/2011 2:55:56 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/6/2011 1:33:02 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    12/5/2011 12:47:30 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/5/2011 12:47:13 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    12/2/2011 6:10:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    12/2/2011 4:55:23 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 2 time(s).
    12/2/2011 2:51:18 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
     
  6. lemika

    lemika TS Rookie Topic Starter Posts: 36

    combofix

    Hello! thank you for helping me.
    I have an issue with Combofix. It got stocked. I tried it twice. It finished 50 steps, then started deleting some files and got stocked. I have waited for 30 minutes each time. Maybe I have to be more patient, but this is my job computer, I have to work, and this program blocked everything. I will try to run it during the weekend and post you the result on Monday.
    thank u
     
  7. lemika

    lemika TS Rookie Topic Starter Posts: 36

    combofix.exe

    ComboFix 11-12-09.03 - Saban 12/09/2011 18:02:25.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.285 [GMT -5:00]
    Running from: c:\documents and settings\Saban\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Saban\Application Data\PriceGong
    c:\documents and settings\Saban\Application Data\PriceGong\Data\mru.xml
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-08 19:13 . 2011-12-09 15:27 -------- d-----w- c:\program files\AVG Secure Search
    2011-12-02 22:35 . 2011-12-02 22:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Malwarebytes
    2011-12-02 22:34 . 2011-12-02 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-12-02 19:35 . 2011-12-02 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-11-29 18:00 . 2011-11-29 18:00 -------- d-----w- c:\program files\iPod
    2011-11-29 17:59 . 2011-11-29 18:03 -------- d-----w- c:\program files\iTunes
    2011-11-29 17:43 . 2011-11-29 17:43 -------- d-----w- c:\program files\Bonjour
    2011-11-28 21:14 . 2011-11-28 21:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-07 19:11 . 2011-11-07 19:11 11264 ----a-w- c:\windows\DCEBoot.exe
    2011-10-10 14:22 . 2009-07-15 22:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [3/17/2010 8:54 AM 11264]
    S0 cerc6;cerc6; [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003Core.job
    - c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
    .
    2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003UA.job
    - c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
    .
    2011-12-09 c:\windows\Tasks\HP WEP.job
    - c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 18:28]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    AddRemove-HP LaserJet P1000 series - c:\program files\Avago-HP\{615c3b97-30bf-4420-a56a-7550e81e62f4}\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-09 18:59
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-12-09 19:07:09
    ComboFix-quarantined-files.txt 2011-12-10 00:06
    .
    Pre-Run: 12,923,858,944 bytes free
    Post-Run: 14,961,184,768 bytes free
    .
    - - End Of File - - F8F342EA9EA219A56D6BFDA52B59BACF
     
  8. lemika

    lemika TS Rookie Topic Starter Posts: 36

    esets

    here is the last one

    C:\Documents and Settings\Saban\Desktop\Helen\Mus\WinRAR\??????? ???????????\Keygen_FFF\Keygen.exe a variant of Win32/Keygen.AI application
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For the Eset entry:

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :
      :Files 
      C:\Documents and Settings\Saban\Desktop\Helen\Mus\WinRAR\??????? ???????????\Keygen_FFF\Keygen.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    The entry in Eset indicates you are using a keygen to pirate software.

    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    I would appreciate it if you would give me some information about the system problems you are having.
    When you say 'Google redirect', do you mean that when you do a search using Google that you are sent to a site other than what you choose?
    Are there any other problems?
    Are you still being redirected?
    What did you do to get Combofix running? What does "stocked" mean?
    You said Combofix did some deletions, but they don't show up in the log.
     
  10. lemika

    lemika TS Rookie Topic Starter Posts: 36

    All processes killed
    Error: Unable to interpret <:> in the current context!
    ========== FILES ==========
    File/Folder C:\Documents and Settings\Saban\Desktop\Helen\Mus\WinRAR\??????? ???????????\Keygen_FFF\Keygen.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 41620 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 16384 bytes
    ->Temporary Internet Files folder emptied: 618910 bytes

    User: Saban
    ->Temp folder emptied: 24154094 bytes
    ->Temporary Internet Files folder emptied: 124276149 bytes
    ->FireFox cache emptied: 84668221 bytes
    ->Google Chrome cache emptied: 13669210 bytes
    ->Flash cache emptied: 2874948 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2402044 bytes
    %systemroot%\System32 .tmp files removed: 4198417 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1577193 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 247.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 12142011_151522

    Files moved on Reboot...
    C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_228.dat moved successfully.

    Registry entries deleted on Reboot...
     
  11. lemika

    lemika TS Rookie Topic Starter Posts: 36

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.HBAPNN
    ----- EOF -----
     
  12. lemika

    lemika TS Rookie Topic Starter Posts: 36

    Hey! thank you for your help!
    I still get the problem. Yes, it does send me to sites different from what I chose, and sometimes it even redirects me when, while checking my email, I click on the website I got an email from.
    And when I open Google it redirects me to google.lt or uk most of the time.

    As for Combofix, I left it for the weekend. It just took longer than I thought it would. Here is the full report I got after the scan. I sent it to you before. Let me know if I need to rerun Combofix.

    ComboFix 11-12-09.03 - Saban 12/09/2011 18:02:25.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.285 [GMT -5:00]
    Running from: c:\documents and settings\Saban\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Saban\Application Data\PriceGong
    c:\documents and settings\Saban\Application Data\PriceGong\Data\mru.xml
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-08 19:13 . 2011-12-09 15:27 -------- d-----w- c:\program files\AVG Secure Search
    2011-12-02 22:35 . 2011-12-02 22:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Malwarebytes
    2011-12-02 22:34 . 2011-12-02 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-12-02 19:35 . 2011-12-02 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-11-29 18:00 . 2011-11-29 18:00 -------- d-----w- c:\program files\iPod
    2011-11-29 17:59 . 2011-11-29 18:03 -------- d-----w- c:\program files\iTunes
    2011-11-29 17:43 . 2011-11-29 17:43 -------- d-----w- c:\program files\Bonjour
    2011-11-28 21:14 . 2011-11-28 21:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-07 19:11 . 2011-11-07 19:11 11264 ----a-w- c:\windows\DCEBoot.exe
    2011-10-10 14:22 . 2009-07-15 22:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [3/17/2010 8:54 AM 11264]
    S0 cerc6;cerc6; [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003Core.job
    - c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
    .
    2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003UA.job
    - c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
    .
    2011-12-09 c:\windows\Tasks\HP WEP.job
    - c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 18:28]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    AddRemove-HP LaserJet P1000 series - c:\program files\Avago-HP\{615c3b97-30bf-4420-a56a-7550e81e62f4}\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-09 18:59
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-12-09 19:07:09
    ComboFix-quarantined-files.txt 2011-12-10 00:06
    .
    Pre-Run: 12,923,858,944 bytes free
    Post-Run: 14,961,184,768 bytes free
    .
    - - End Of File - - F8F342EA9EA219A56D6BFDA52B59BACF
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- my fault on OTM. It can't read the encoding.

    Please uninstall the WinRar program and any associated files.
    Then run Eset again.

    Either the WinRar program has been pirated or some download using it. However, I don't understand how this scan can come up clean when it's a keygen file!
    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.HBAPNN
    ----- EOF -----
     
  14. lemika

    lemika TS Rookie Topic Starter Posts: 36

    I have removed WinRAR. But I installed it after I ran Eset. But I will run it again anyway.
     
  15. lemika

    lemika TS Rookie Topic Starter Posts: 36

    C:\Documents and Settings\Saban\Desktop\Helen\Mus\WinRAR\??????? ???????????\Keygen_FFF\Keygen.exe a variant of Win32/Keygen.AI application




    it gave me the same message
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You will need to manually remove the entry. The price of WinRAR is $29.00. Using a keygen for the license and/or key means that the program was pirated. Instead of paying for it, a torrent site was visited.

    HackTool:Win32/Keygen is the detection for a tool that generates keys for illegally-obtained versions of various software products.

    I don't see it in the list of installed programs but it is somewhere on the system:
    C:\Documents and Settings\Saban\Desktop\Helen\Mus\WinRAR

    Look for WinRar entries and any with keygen in them.
    Account name is Saban. Location is the Desktop.
    ================================
    Please rerun the following. Do not remove any of the content:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
     
  17. lemika

    lemika TS Rookie Topic Starter Posts: 36

    Here you go

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.CWLBUI
    ----- EOF -----
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please update and rescan with the Eset Online Virus scan.

    Did you locate the WinRar and keygen entries to remove?
     
  19. lemika

    lemika TS Rookie Topic Starter Posts: 36

    Here you go. I reran it.

    C:\System Volume Information\_restore{987B1B85-12D5-430C-923E-7A4B948FE860}\RP406\A0083724.exe a variant of Win32/Keygen.AI application


    I have removed WinRAR.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
    ----------------------------------------
    After running the App Remover to uninstall AVG, links to 2 free AV programs were left for you to choose which to install in the meantime. It appears you did not do that and have no AV on the system. Please go back to that reply and choose one of them.
    ======================================
    This is unusual. You may have a configuration problem> the redirects usually happen when you've done a search and chosen one of the hits> but instead of getting the one you chose, you get some other site, frequently a 'search' site.
    ============================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    
    ClearJavaCache::
    DDS::
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    BHO: PriceGongCtrl Class: {d2a2595c-4fe4-4315-aa9b-19dbd6271b71} - c:\program files\pricegong\1.5.0\PriceGongIE.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    Reboot::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please update the Adobe Reader: Visit this Adobe Reader site and get current v10.xx. Uninstall any earlier updates as they are vulnerabilities.
    =====================================
    There's not much in the log: Please uninstall PriceGong in Add/Remove Programs. Then use Windows Explorer to access My Computer> Local Drive (C)> Programs> find the folder for PriceGong and do a right click> Delete to remove it.
    =================================
    Bit Torrent is a file sharing program: P2P Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    ======================================
    To run HijackThis:
    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
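Bobbye's description above of what a search redirect looks like, together with the "Supplementary Scan" section of the ComboFix logs posted in this thread, is the kind of thing that can be checked mechanically. The script below is an added example for readers, not code from this thread, from TechSpot or from ComboFix: it parses the IE (`uStart Page`, `uSearchURL`), Firefox `prefs.js` and `FF - Ext` line shapes that ComboFix prints, and flags any start page or search provider whose host is not one of the expected search engines, plus any Firefox extension that looks like a toolbar/search bundle. The list of expected hosts and the toolbar keywords are assumptions chosen for this example, and the sample log is constructed in the ComboFix format (the search URLs are modelled on the ones posted in this thread).

```python
import re
from urllib.parse import urlparse

# Hosts a home user would normally expect as start page or search provider.
# Assumption for this example: anything else deserves a look.
EXPECTED_HOSTS = {"www.google.com", "google.com", "www.bing.com", "bing.com"}

# Words that, in this example, mark an extension entry as a toolbar/search bundle.
TOOLBAR_MARKERS = ("toolbar", "conduit", "ask.com")

# Constructed sample in the shape of a ComboFix "Supplementary Scan" section.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Example Community Toolbar: {00000000-0000-0000-0000-000000000000} - %profile%\extensions\{00000000-0000-0000-0000-000000000000}
"""

# Line shapes as they appear in the ComboFix Supplementary Scan section.
IE_LINE = re.compile(r"^(u[A-Za-z ,()]+?)\s*=\s*(.*)$")
FF_PREF_LINE = re.compile(r"^FF - prefs\.js: (\S+) - ?(.*)$")
FF_EXT_LINE = re.compile(r"^FF - Ext: (.+?): (\S+) - (.*)$")


def refang(value):
    """ComboFix writes hxxp:// so the log is not clickable; restore the scheme."""
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def host_of(value):
    """Hostname of a logged URL, or None when the value is not a URL at all."""
    url = refang(value.strip())
    if not url.lower().startswith("http"):
        return None
    return urlparse(url).hostname


def parse_supplementary(lines):
    """Yield (kind, key, value) tuples for the recognised line shapes."""
    for raw in lines:
        line = raw.strip()
        m = IE_LINE.match(line)
        if m:
            yield ("ie", m.group(1).strip(), m.group(2).strip())
            continue
        m = FF_PREF_LINE.match(line)
        if m:
            yield ("ff_pref", m.group(1), m.group(2).strip())
            continue
        m = FF_EXT_LINE.match(line)
        if m:
            # group(2) is the extension id; the name and install path are enough here
            yield ("ff_ext", m.group(1).strip(), m.group(3).strip())


def triage(lines):
    """Return readable findings for settings that do not match EXPECTED_HOSTS."""
    findings = []
    for kind, key, value in parse_supplementary(lines):
        if kind in ("ie", "ff_pref"):
            host = host_of(value)
            if host is None:
                continue  # ProxyOverride, an empty selectedEngine, and similar
            if host not in EXPECTED_HOSTS:
                findings.append(f"{key}: start page or search provider points at {host}")
        elif kind == "ff_ext":
            haystack = (key + " " + value).lower()
            if any(marker in haystack for marker in TOOLBAR_MARKERS):
                findings.append(f"Firefox extension looks like a toolbar/search bundle: {key}")
    return findings


def findings_for_sample():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for finding in findings_for_sample():
        print(finding)
```

Run it against a real log by piping the Supplementary Scan lines into `triage()`; on the constructed sample it reports the two Firefox search settings pointing at search.conduit.com and the toolbar extension, while the IE entries pointing at google.com stay quiet. The point is the same one Bobbye makes in prose: a redirect that only affects one browser usually shows up in that browser's own search-provider settings and bundled extensions, not in the IE keys alone.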
     
  21. lemika

    lemika TS Rookie Topic Starter Posts: 36

    ComboFix 11-12-28.03 - Saban 12/28/2011 9:37.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.91 [GMT -5:00]
    Running from: c:\documents and settings\Saban\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Saban\Desktop\CFScript.txt.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\pricegong\1.5.0\PriceGongIE.dll
    .
    c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-23 20:35 . 2011-12-23 20:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Sammsoft
    2011-12-23 20:35 . 2011-12-26 14:50 -------- d-----w- c:\documents and settings\Saban\Local Settings\Application Data\AskToolbar
    2011-12-23 20:34 . 2011-12-23 20:36 -------- d-----w- c:\program files\Ask.com
    2011-12-23 20:34 . 2011-12-23 20:34 -------- d-----w- c:\program files\ARO 2011
    2011-12-14 20:15 . 2011-12-14 20:15 -------- d-----w- C:\_OTM
    2011-12-12 14:09 . 2011-12-12 14:09 -------- d-----w- c:\program files\ESET
    2011-12-08 19:13 . 2011-12-09 15:27 -------- d-----w- c:\program files\AVG Secure Search
    2011-12-02 22:35 . 2011-12-02 22:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Malwarebytes
    2011-12-02 22:34 . 2011-12-02 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-12-02 19:35 . 2011-12-02 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-11-29 18:00 . 2011-11-29 18:00 -------- d-----w- c:\program files\iPod
    2011-11-29 17:59 . 2011-11-29 18:03 -------- d-----w- c:\program files\iTunes
    2011-11-29 17:43 . 2011-11-29 17:43 -------- d-----w- c:\program files\Bonjour
    2011-11-28 21:14 . 2011-11-28 21:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-23 13:25 . 2008-04-14 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-07 19:11 . 2011-11-07 19:11 11264 ----a-w- c:\windows\DCEBoot.exe
    2011-11-04 19:20 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2008-04-14 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:33 . 2008-04-14 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2008-04-14 00:01 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-18 11:13 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-10-10 14:22 . 2009-07-15 22:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
    "AROReminder"="c:\program files\ARO 2011\aro.exe" [2011-11-11 2315120]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-26 397992]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [3/17/2010 8:54 AM 11264]
    S0 cerc6;cerc6; [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003Core.job
    - c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
    .
    2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003UA.job
    - c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
    .
    2011-12-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-07-26 23:23]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
    FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-28 09:49
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(616)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-28 09:55:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-28 14:55
    ComboFix2.txt 2011-12-28 14:30
    ComboFix3.txt 2011-12-10 00:07
    .
    Pre-Run: 14,506,586,112 bytes free
    Post-Run: 14,493,413,376 bytes free
    .
    - - End Of File - - 59B91B0AF13C9EEBCAB20CF186BD27C4
     
  22. lemika

    lemika TS Rookie Topic Starter Posts: 36

    Hello! Happy holidays!

    I have downloaded Adobe Reader MUI 10.1 - Multiple Languages

    I cannot find Price Gone. If I am not mistaken, I saw ComboFix removing this program, but I did remove it from My Computer> Local Drive (C)> Programs.
     
  23. lemika

    lemika TS Rookie Topic Starter Posts: 36

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:29:32 AM, on 12/28/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Ask.com\Updater\Updater.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Saban\Desktop\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O4 - HKLM\..\Run: [hpbdfawep] "C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" 1
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2011\aro.exe -rem
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 4784 bytes
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please note: Since we started, you have just recently gotten the AskBar on the system. You must check all download screens before you download and uncheck any pre-checked items. The Ask Bar is frequently one of them: It looks like it was bundled with ARO 2012.
    ==================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    c:\documents and settings\Saban\Local Settings\Application Data\AskToolbar
    c:\program files\Ask.com
    c:\program files\ARO 2011
    c:\program files\AVG Secure Search
    Extra::
    File::
    Firefox::
    Firefox-: - Profile - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
    Firefox-: prefs.js- Search.DefaultURL
    Firefox-: prefs.js- Searchengine.defaultURL
    Firefox-: prefs.js- Startup.Homepage
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AROReminder"=-
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      i8042prt.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =======================================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    C:\Program Files\Ask.com\Updater\Updater.exe
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2011\aro.exe -rem


    Close all Windows except HijackThis and click on "Fix Checked."
    ===================================================
    Go to Add/Remove Programs and uninstall the following, if found:
    Any Ask entries
    Bit Torrent Toolbar
    Conduit Engine
    ARO 2012
    When finished, use Windows Explorer to access Computer> Local Drive> Programs> Look for program folder for each of the programs you uninstalled and do a right click> Delete on each.
    ===============================================
    Remove this Scheduled Task: Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.

    • Right click on the following Task> Delete.
      c:\windows\Tasks\Scheduled Update for Ask Toolbar (c:\program files\Ask.com\UpdateTask.exe)
      ===============================================
      Don't forget to Update Adobe Reader v9.0 to v10.xx
      =============================================
      Note: I have removed ARO 2012. It is a registry optimizer. We don't recommend registry 'cleaners' to anyone. The risk far outweighs any benefit.
      ============================================
      Please open Firefox> Tools> Add ons> Extensions> Remove the following:
      Ext: Conduit Engine
      Ext: BitTorrentBar Community Toolbar
      Ext: Support.com Toolbar (this is another entry from ask.com)
      ============================================
      Please let me know how the system is doing when you finish the above, then reboot.
     
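The fix list in the post above (Ask.com updater and task, ARO reminder, Conduit search prefs) is exactly the kind of thing a triage script can pull out of a ComboFix or HijackThis log automatically. The following is an added example, not code from the thread or from the ComboFix, HijackThis or SystemLook tools: it parses the four entry shapes that appear in the logs in this thread (REGEDIT4-style Run entries, the 'Scheduled Tasks' folder listing, `FF - prefs.js:` lines and HijackThis O4 lines), matches each entry's path or URL against an indicator list built from the helper's fix script, and returns the persistence points that still reference them. The `INDICATORS` tuple and `SAMPLE_LOG` are constructed for the demo, modelled on the logs above; the URLs keep ComboFix's `hxxp` defanging.

```python
"""Triage of autorun and persistence entries in ComboFix / HijackThis logs.

Added example (not part of the TechSpot thread or of the tools it names).
It reports Run keys, scheduled tasks, Firefox prefs and HijackThis O4 lines
whose target path or URL matches an indicator from the helper's fix list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Substrings taken from the fix script in the thread; matched case-insensitively
# against the target of each persistence entry. Constructed for this demo.
INDICATORS = ("ask.com", "asktoolbar", "conduit", "aro 2011", "aro.exe",
              "pricegong", "avg secure search", "toolbar@ask.com")


@dataclass(frozen=True)
class Finding:
    source: str     # "HKCU Run", "HKLM Run", "ScheduledTask", "Firefox pref", "HJT O4"
    name: str       # value name, .job path, pref name or HJT entry name
    target: str     # the path or URL the entry points at
    indicator: str  # which indicator substring matched


# ComboFix REGEDIT4 Run entry:   "Name"="c:\path\prog.exe" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"')
# ComboFix scheduled task header, followed on the next line by "- <target> [..]"
TASK_RE = re.compile(r'^\d{4}-\d{2}-\d{2} (?P<job>c:\\windows\\Tasks\\.+\.job)$', re.I)
TASK_TARGET_RE = re.compile(r'^- (?P<target>[^\[]+?)\s*(\[.*\])?$')
# ComboFix Firefox pref line:     FF - prefs.js: browser.startup.homepage - hxxp://...
FF_RE = re.compile(r'^FF - prefs\.js: (?P<name>\S+) - (?P<target>.+)$')
# HijackThis O4 line:             O4 - HKLM\..\Run: [Name] "path" args
HJT_O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$')


def match_indicator(target: str) -> Optional[str]:
    """Return the first indicator contained in the target, or None."""
    low = target.lower()
    for ind in INDICATORS:
        if ind in low:
            return ind
    return None


def triage(log: str) -> List[Finding]:
    """Walk the log line by line and collect entries that match an indicator."""
    findings: List[Finding] = []
    section: Optional[str] = None   # hive of the current [HKEY_...] block, if any
    pending_job: Optional[str] = None  # .job path waiting for its "- target" line

    def report(source: str, name: str, target: str) -> None:
        ind = match_indicator(target)
        if ind is not None:
            findings.append(Finding(source, name, target.strip(), ind))

    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Any registry header starts a new block; only Run hives are tracked.
            if "HKEY_CURRENT_USER" in line:
                section = "HKCU Run"
            elif "HKEY_LOCAL_MACHINE" in line:
                section = "HKLM Run"
            else:
                section = None
            continue
        m = TASK_RE.match(line)
        if m:
            pending_job = m.group("job")
            continue
        if pending_job is not None:
            m = TASK_TARGET_RE.match(line)
            if m:
                report("ScheduledTask", pending_job, m.group("target"))
            pending_job = None
            continue
        m = RUN_RE.match(line)
        if m and section is not None:
            report(section, m.group("name"), m.group("target"))
            continue
        m = FF_RE.match(line)
        if m:
            report("Firefox pref", m.group("name"), m.group("target"))
            continue
        m = HJT_O4_RE.match(line)
        if m:
            report("HJT O4", m.group("name"), m.group("target"))
    return findings


# Constructed sample, modelled on the ComboFix and HijackThis logs in the thread.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
"AROReminder"="c:\program files\ARO 2011\aro.exe" [2011-11-11 2315120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-26 397992]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-29 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-07-26 23:23]
.
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2011\aro.exe -rem
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.source:14} {f.name!r:45} -> {f.target}  [{f.indicator}]")
```

Run against the sample it lists six entries: the two AROReminder Run entries (ComboFix and HijackThis views of the same HKCU value), the ApnUpdater HKLM value, the Ask Toolbar scheduled task, and both Conduit Firefox prefs; the Skype, iTunes, Apple update and ctfmon entries are left alone. The script only matches on the target path or URL, not on the entry name, so a renamed value that still launches a listed path is caught, while a benign entry that merely mentions a vendor in its name is not.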
  25. lemika

    lemika TS Rookie Topic Starter Posts: 36

    ComboFix 11-12-29.05 - Saban 12/29/2011 16:30:38.6.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.312 [GMT -5:00]
    Running from: c:\documents and settings\Saban\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Saban\Desktop\CFScript.txt.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-29 15:35 . 2011-12-29 15:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-28 16:52 . 2011-12-28 16:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-12-28 15:18 . 2011-12-28 15:18 -------- d-----w- C:\HijackThis
    2011-12-23 20:35 . 2011-12-23 20:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Sammsoft
    2011-12-23 20:35 . 2011-12-26 14:50 -------- d-----w- c:\documents and settings\Saban\Local Settings\Application Data\AskToolbar
    2011-12-23 20:34 . 2011-12-23 20:36 -------- d-----w- c:\program files\Ask.com
    2011-12-23 20:34 . 2011-12-23 20:34 -------- d-----w- c:\program files\ARO 2011
    2011-12-14 20:15 . 2011-12-14 20:15 -------- d-----w- C:\_OTM
    2011-12-12 14:09 . 2011-12-12 14:09 -------- d-----w- c:\program files\ESET
    2011-12-08 19:13 . 2011-12-09 15:27 -------- d-----w- c:\program files\AVG Secure Search
    2011-12-02 22:35 . 2011-12-02 22:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Malwarebytes
    2011-12-02 22:34 . 2011-12-02 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-12-02 19:35 . 2011-12-02 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-23 13:25 . 2008-04-14 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-07 19:11 . 2011-11-07 19:11 11264 ----a-w- c:\windows\DCEBoot.exe
    2011-11-04 19:20 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2008-04-14 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:33 . 2008-04-14 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2008-04-14 00:01 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-18 11:13 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-10-10 14:22 . 2009-07-15 22:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-12-28_14.24.46 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-12-28 17:02 . 2011-12-28 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-15 22:36 . 2011-12-28 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-07-15 22:36 . 2011-11-08 15:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2011-12-28 17:02 . 2011-12-28 17:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2011-12-28 16:57 . 2011-12-28 16:57 22016 c:\windows\Installer\5e31d0.msi
    + 2011-12-28 16:52 . 2011-12-28 16:52 28160 c:\windows\Installer\5e31cb.msi
    + 2011-12-28 16:52 . 2011-12-28 16:52 24064 c:\windows\Installer\5e31c6.msi
    + 2011-06-06 17:55 . 2011-06-06 17:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
    + 2011-12-29 15:35 . 2011-12-29 15:35 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
    + 2011-12-29 15:35 . 2011-12-29 15:35 335520 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
    + 2011-12-28 16:52 . 2011-12-28 16:52 2295808 c:\windows\Installer\5e31bd.msi
    + 2011-06-06 17:55 . 2011-06-06 17:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
    + 2011-09-05 21:51 . 2011-09-05 21:51 13135872 c:\windows\Installer\5e31be.msp
    + 2011-06-06 17:55 . 2011-06-06 17:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
    "AROReminder"="c:\program files\ARO 2011\aro.exe" [2011-11-11 2315120]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-28 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-26 397992]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [3/17/2010 8:54 AM 11264]
    S0 cerc6;cerc6; [x]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2011 11:52 AM 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2011 11:52 AM 136176]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
    .
    2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
    .
    2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003Core.job
    - c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
    .
    2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003UA.job
    - c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
    .
    2011-12-29 c:\windows\Tasks\HP WEP.job
    - c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 18:28]
    .
    2011-12-29 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-07-26 23:23]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
    FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-PriceGong - c:\program files\PriceGong\uninst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-29 16:40
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3460)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Microsoft Office\Office10\msohev.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    .
    Completion time: 2011-12-29 16:44:04
    ComboFix-quarantined-files.txt 2011-12-29 21:44
    ComboFix2.txt 2011-12-28 14:55
    ComboFix3.txt 2011-12-28 14:30
    ComboFix4.txt 2011-12-10 00:07
    .
    Pre-Run: 14,070,751,232 bytes free
    Post-Run: 14,231,277,568 bytes free
    .
    - - End Of File - - 22F4FAC0FFD9AFC320CA8A3269D9627A
     
