ChangerDNS.ad+more, Redirecting Google Links

  #1  
Old 13th Jun 2009, 12:35
abz
New Member Group
 
Skill Level: Beginner
Posts: 8
ChangerDNS.ad+more, Redirecting Google Links

Whenever I Google something and click on a result, it takes me to some random site. This usually happens the second time I Google, although sometimes it happens the first time, and I have to copy/paste the link to get to the site.

I ran the steps about removing all that malware/trojans/etc. While I was doing these steps, my browser kept on 'loading' random sites at the bottom, but nothing ever changed.

SUPERAntiSpyware gave me something the first time, but I didn't save it and the computer reset; I ran it again and got nothing this time.

MBAM:

Malwarebytes' Anti-Malware 1.37
Database version: 2271
Windows 5.1.2600 Service Pack 3

6/13/2009 7:31:29 AM
mbam-log-2009-06-13 (07-31-29).txt

Scan type: Quick Scan
Objects scanned: 84130
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Abed\Application Data\asd.bat (Rogue.WinPCDefender) -> Quarantined and deleted successfully.


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:26 AM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\juice.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcreplays.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (file missing)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (file missing)
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [HTV Agent] C:\Documents and Settings\Abed\Desktop\HTV\HTV.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Abed\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ProxyFirewall] C:\Program Files\ProxyFirewall\ProxyFirewall.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [NudgeMania] C:\Program Files\NudgeMania\NudgeMania.exe
O4 - HKCU\..\Run: [Rundll32] C:\WINDOWS\system32\Rundll32.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Startup: Might and Magic VIII.lnk = C:\Program Files\3DO\Might and Magic VIII\Register\Remind32.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe (file missing)
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/m010g/EN/install/gtdownlr.cab
O16 - DPF: {428088E0-96DB-4960-99D5-3C809C5A7D74} (GamOnUpdate Control) - http://www.wcgzone.com/GamOnUpdate.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1200786505725
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200790722984
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9bbee86597ef4) (gupdate1c9bbee86597ef4) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10412 bytes

I use Firefox as my browser, newest version.

Thanks.
  #2  
Old 13th Jun 2009, 13:59
Malware Group
 
Skill Level: Advanced
Posts: 301
ChangerDNS.ad+more, Redirecting Google Links

Howdy there, and welcome to Computer Juice.

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

=====================================

Go to Start menu > Select Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
__________________
Proud member of ASAP & UNITE
__________________

My System: Steves Rig

Processor(s):
AMD Athlon 64x2 6000+
Motherboard:
ASUS M3N78 Pro
RAM Memory:
Corsair 4GB Dual Channel
Graphics Card(s):
NVIDIA GeForce 8400 GS
Sound Card:
Onboard
Hard Drive(s):
640GB Western Digital HD
Optical Drive(s):
LG Lightscribe
Case / PSU:
Cooling:
Stock HSF
Network / Internet:
20Mb Virgin Media Broadband
Monitor(s):
Hanns-G 19" Widescreen
Operating System(s):
Vista Premium 64x
  #3  
Old 13th Jun 2009, 14:43
abz
New Member Group
 
Skill Level: Beginner
Posts: 8
ChangerDNS.ad+more, Redirecting Google Links

ComboFix 09-06-13.03 - Abed 06/13/2009 16:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.655 [GMT -5:00]
Running from: c:\documents and settings\Abed\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\SKYNETalqsmvof.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SKYNETaodacfou.dat
c:\windows\system32\SKYNETbfvkilue.dat
c:\windows\system32\SKYNETneibmfar.dll
c:\windows\system32\SKYNETwfesrblu.dll
c:\windows\system32\UACrqskmlldkvrcvvr.log
c:\windows\system32\UACxpdrxfrkwdfmyby.dat
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\drivers\SKYNETalqsmvof.sys
c:\windows\system32\SKYNETaodacfou.dat
c:\windows\system32\SKYNETbfvkilue.dat
c:\windows\system32\SKYNETneibmfar.dll
c:\windows\system32\SKYNETwfesrblu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETrlnwtbdk
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 12:39 . 2009-06-13 12:39 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-13 12:38 . 2009-06-13 12:38 152576 ----a-w- c:\documents and settings\Abed\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-13 12:36 . 2009-06-13 12:36 -------- d-----w- c:\program files\Trend Micro
2009-06-13 12:26 . 2009-06-13 12:26 -------- d-----w- c:\documents and settings\Abed\Application Data\Malwarebytes
2009-06-13 12:26 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 12:26 . 2009-06-13 12:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 12:26 . 2009-06-13 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 12:26 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-13 10:58 . 2009-06-13 12:47 117760 ----a-w- c:\documents and settings\Abed\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-13 10:57 . 2009-06-13 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-13 10:57 . 2009-06-13 10:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-13 10:57 . 2009-06-13 10:57 -------- d-----w- c:\documents and settings\Abed\Application Data\SUPERAntiSpyware.com
2009-06-13 10:49 . 2009-06-13 10:49 -------- d-----w- c:\program files\CCleaner
2009-06-12 09:42 . 2009-06-12 09:42 541696 ----a-w- c:\documents and settings\Abed\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...011-0-main.dll
2009-06-08 04:12 . 2009-06-08 04:12 -------- d-----w- c:\documents and settings\Abed\Local Settings\Application Data\Blizzard Entertainment
2009-06-06 12:55 . 2009-06-06 12:55 -------- d-----w- c:\documents and settings\Abed\Application Data\GRETECH
2009-06-06 12:54 . 2009-06-06 12:54 -------- d-----w- c:\program files\GRETECH
2009-06-06 01:32 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-06-06 01:32 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-06-06 01:32 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-06-06 01:32 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-05-20 21:24 . 2009-05-20 21:24 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-17 00:59 . 2009-05-17 00:59 -------- d-----w- c:\documents and settings\Abed\Application Data\Logitech
2009-05-17 00:58 . 2009-05-17 00:58 -------- d-----w- c:\documents and settings\Abed\Application Data\Leadertech
2009-05-17 00:58 . 2009-05-17 00:58 53248 ----a-r- c:\documents and settings\Abed\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2009-05-17 00:54 . 2007-11-15 15:06 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-05-17 00:54 . 2007-11-15 15:07 76304 ----a-w- c:\windows\system32\KemXML.dll
2009-05-17 00:54 . 2007-11-15 15:07 117264 ----a-w- c:\windows\system32\KemWnd.dll
2009-05-17 00:54 . 2007-11-15 15:07 141840 ----a-w- c:\windows\system32\KemUtil.dll
2009-05-17 00:54 . 2007-11-15 15:07 170512 ----a-w- c:\windows\system32\kemutb.dll
2009-05-17 00:53 . 2009-05-17 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-05-17 00:53 . 2009-05-17 00:58 -------- d-----w- c:\program files\Common Files\Logishrd
2009-05-17 00:53 . 2009-05-17 00:53 -------- d-----w- c:\program files\Logitech
2009-05-17 00:52 . 2009-05-17 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 21:35 . 2008-04-01 23:08 -------- d-----w- c:\program files\Steam
2009-06-13 21:31 . 2008-01-20 01:58 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000004-00581102}.dat
2009-06-13 21:31 . 2008-01-20 01:58 24 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000001-00001102-00000004-00581102}.dat
2009-06-13 21:08 . 2008-05-08 21:26 -------- d-----w- c:\program files\MSN 1
2009-06-13 12:42 . 2008-01-24 03:09 -------- d-----w- c:\program files\Java
2009-06-13 10:55 . 2008-12-05 22:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-13 09:40 . 2008-01-19 23:46 -------- d-----w- c:\program files\Warcraft III
2009-06-13 03:31 . 2009-01-16 02:19 -------- d-----w- c:\program files\Garena
2009-06-10 11:30 . 2008-01-26 13:05 -------- d-----w- c:\documents and settings\Abed\Application Data\mIRC
2009-06-10 11:28 . 2008-01-26 13:05 -------- d-----w- c:\program files\mIRC
2009-06-09 10:49 . 2008-01-21 06:02 -------- d-----w- c:\program files\World of Warcraft
2009-06-04 06:09 . 2008-06-12 23:41 -------- d-----w- c:\program files\Diablo II
2009-05-30 18:04 . 2008-03-04 23:15 -------- d-----w- c:\documents and settings\Abed\Application Data\uTorrent
2009-05-17 00:56 . 2009-05-17 00:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-05-17 00:56 . 2009-05-17 00:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-05-17 00:56 . 2009-05-17 00:56 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-05-17 00:53 . 2008-01-20 00:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-13 20:47 . 2009-05-13 13:50 -------- d-----w- c:\documents and settings\Abed\Application Data\Winamp
2009-05-13 13:51 . 2009-05-13 13:50 -------- d-----w- c:\program files\Winamp
2009-05-07 15:32 . 2002-09-03 13:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 18:08 . 2009-05-03 18:08 -------- d-----w- c:\documents and settings\Abed\Application Data\Talkback
2009-05-01 01:15 . 2009-05-01 01:15 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-05-01 00:27 . 2009-05-01 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-05-01 00:25 . 2009-05-01 00:25 -------- d-----w- c:\program files\Pando Networks
2009-04-26 17:55 . 2009-04-26 17:55 488960 ----a-w- c:\documents and settings\Abed\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...240-0-main.dll
2009-04-26 17:55 . 2009-04-26 17:55 319488 ----a-w- c:\documents and settings\Abed\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-04-26 17:54 . 2009-04-26 17:54 1878984 ----a-w- c:\documents and settings\Abed\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-04-20 14:40 . 2008-01-19 23:47 -------- d-----w- c:\program files\McAfee
2009-04-20 14:39 . 2009-01-31 00:40 -------- d-----w- c:\program files\Xfire
2009-04-18 08:31 . 2009-01-31 00:40 -------- d-----w- c:\documents and settings\Abed\Application Data\Xfire
2009-04-18 07:45 . 2009-04-18 07:45 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-04-17 12:26 . 2002-09-03 13:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 18:17 . 2009-04-14 18:17 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-03-25 16:06 . 2008-01-19 23:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 16:06 . 2008-01-19 23:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 16:06 . 2008-01-19 23:48 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 16:06 . 2008-01-19 23:48 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 16:05 . 2008-01-19 23:48 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-03-20 04:38 . 2008-01-19 23:51 93207 ----a-w- c:\windows\War3Unin.dat
2009-03-19 15:42 . 2009-04-07 01:26 217088 ----a-w- c:\documents and settings\Abed\Application Data\Mozilla\Firefox\Profiles\zj2wd98u.default\extensions\NPDyyno@dyyno.com\Plugins\npDyyno.dll
2008-02-04 22:08 . 2008-02-04 22:08 13123836 ----a-w- c:\program files\GGClient_setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="c:\program files\Steam\Steam.exe" [2009-06-13 1217784]
"Octoshape Streaming Services"="c:\program files\Octoshape Streaming Services\Abed\OctoshapeClient.exe" [2006-02-13 214648]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"Rundll32"="c:\windows\system32\Rundll32.exe" [2008-04-14 33280]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-13 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-02-08 40960]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2002-12-23 102400]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-16 784912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 15:10 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\inatrance2\\counter-strike\\hl.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Abed\\OctoshapeClient.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Documents and Settings\\Abed\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\inatrance2\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Documents and Settings\\Abed\\Desktop\\wtvClient.exe"=
"c:\\Program Files\\Xfire\\dppm_source.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Documents and Settings\\Abed\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Warcraft III\\pickup.listchecker.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9806-to-3.1.1.9835-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58121:TCP"= 58121:TCP:Pando Media Booster
"58121:UDP"= 58121:UDP:Pando Media Booster
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/6/2009 8:44 PM 24652]
S2 gupdate1c9bbee86597ef4;Google Update Service (gupdate1c9bbee86597ef4);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]
S3 mcdevice;mcdevice;c:\windows\system32\drivers\mcdevice.sys [8/16/2008 3:17 PM 323584]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-19 15:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-19 15:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-Run-ProxyFirewall - c:\program files\ProxyFirewall\ProxyFirewall.exe
HKCU-Run-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
HKCU-Run-NudgeMania - c:\program files\NudgeMania\NudgeMania.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-HTV Agent - c:\documents and settings\Abed\Desktop\HTV\HTV.exe
HKLM-Run-MSWheel - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wcreplays.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {428088E0-96DB-4960-99D5-3C809C5A7D74} - hxxp://www.wcgzone.com/GamOnUpdate.cab
FF - ProfilePath -
.

************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 16:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-583907252-839522115-1004\Software\Microsoft\SystemCertificates\Address Book*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1876)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\LINKSY~1\LinksysAdvisor.exe
.
**************************************************************************
.
Completion time: 2009-06-13 16:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 21:38

Pre-Run: 23,767,912,448 bytes free
Post-Run: 23,702,818,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

288 --- E O F --- 2009-06-10 10:09

µTorrent
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.2
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
Apple Software Update
Audacity 1.2.6
Canon S820D
CCleaner (remove only)
CDDRV_Installer
CoffeeCup Free FTP
Counter-Strike
Counter-Strike: Source
DefilerPak 1.22 (Remove Only)
Diablo II
Disc2Phone
Download Updater (AOL LLC)
Drivers Install For Linksys Easylink Advisor
DVD
DyynoPlayer 0.8.6f.2
erLT
Fraps
FreeCap version 3.18
Game Cam 2.1
Garena
GOM Player
Google Toolbar for Internet Explorer
Google Update Helper
Hero Editor V0.90
Heroes of Might and Magic V Collector Edition
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
ICCup Launcher
ijji FireFox Launcher 1.0
IrfanView (remove only)
Java(TM) 6 Update 14
Kensington MouseWorks
Keycraft (remove only)
KhalInstallWrapper
LimeWire 4.16.3
Linksys EasyLink Advisor 1.6 (0032)
Logitech SetPoint
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Might and Magic® VIII: Day of the Destroyer(TM)
mIRC
Mozilla Firefox (3.0.11)
MSXML 6.0 Parser (KB933579)
Octoshape add-in for Adobe Flash Player
Octoshape Streaming Services
Pando Media Booster
PDF Settings
PowerISO
PPLive 1.9
QuickTime
SA31xx Device Manager & Media Converter
Sci-Fi Voice Pack
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
StarCraft
StealthBot v2.6 Revision 3 (remove only)
Steam
SUPERAntiSpyware Free Edition
Synacast Plug-in 1.3.15
Tor 0.2.0.32
Tortun 0.8
TubeHunter Ultra
Tweak UI
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Ventrilo Client
Viewpoint Media Player
Warcraft III: All Products
WebFldrs XP
Winamp
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8 Release Candidate 1
Windows Live Messenger
Windows Media Format Runtime
Windows XP Service Pack 3
WinPcap 4.0.2
WinRAR archiver
Wireshark 1.0.2
World of Warcraft
Xfire (remove only)
XML Paper Specification Shared Components Pack 1.0
  #4  
Old 13th Jun 2009, 23:52
Malware Group
 
Skill Level: Advanced
Posts: 301
Default ChangerDNS.ad+more, Redirecting Google Links

Hi there

Things are looking much better already, still a little bit of work to do yet though.

I see you have Viewpoint installed. Please read this article: http://www.clickz.com/news/article.php/3561546
Unless you are using AOL as an ISP I would recommend removing it. You can download the Viewpoint killer from the link below and follow the prompts.
http://www.prprogramsstudios.us.tc//

Combofix

1. Close any open browsers.

2. Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:
Skipfix::

RegLock::
[HKEY_USERS\S-1-5-21-682003330-583907252-839522115-1004\Software\Microsoft\SystemCertificates\Address Book*]
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

**Vista users - right click IE/Firefox icon and run as administrator

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post back with the results from Kaspersky and update me on how things are running now
__________________
Proud member of ASAP & UNITE
  #5  
Old 14th Jun 2009, 14:02
abz
New Member Group
 
Skill Level: Beginner
Posts: 8
Default ChangerDNS.ad+more, Redirecting Google Links

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, June 14, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, June 14, 2009 12:36:24
Records in database: 2342804
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 116206
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:45:00


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETwfesrblu.dll.vir Infected: Trojan.Win32.Small.bzc 1

The selected area was scanned.


I think I deleted combofix on accident, but it wasn't in my recycle bin so I'm not sure. Should I redownload it and drop the txt in it?
  #6  
Old 14th Jun 2009, 23:32
Malware Group
 
Skill Level: Advanced
Posts: 301
Default ChangerDNS.ad+more, Redirecting Google Links

Hi there

From what I see all is looking good log wise. The items found by Kaspersky do not pose a risk: one is simply the mIRC client, the other is in ComboFix's quarantine folder, which will be flushed out when we uninstall the tool.

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.
There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts


When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Please download ComboFix from one of the locations below...

Link 1
Link 2
Link 3


Once done....

Carry out the instructions regarding the txt as instructed in my previous post

Once done.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

IMPORTANT

The following will uninstall combofix and implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware lets help you stay that way!

Update windows on a regular basis - If you do not have automatic updates enabled then visit Microsoft's Update Page and update your computer from there.

Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here

Safer Browsing
Use software such as Web of Trust to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include Opera browser and, more recently, Firefox browser.

NB: Please note that although your browser may be more secure without ActiveX it will not throw a ring of steel around your computer. If you purposely visit sites that are dubious in nature then infection will prevail.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy can help you stay clear. Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware. Please note that these products can also be run free without a licence as a scan-on-demand scanner.

Secure your router
Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
Proud member of ASAP & UNITE
  #7  
Old 15th Jun 2009, 14:12
abz
New Member Group
 
Skill Level: Beginner
Posts: 8
Default ChangerDNS.ad+more, Redirecting Google Links

ComboFix 09-06-15.03 - Abed 06/15/2009 15:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.457 [GMT -5:00]
Running from: c:\documents and settings\Abed\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Abed\Desktop\CFScript.txt.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-13 12:39 . 2009-06-13 12:39 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-13 12:38 . 2009-06-13 12:38 152576 ----a-w- c:\documents and settings\Abed\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-13 12:36 . 2009-06-13 12:36 -------- d-----w- c:\program files\Trend Micro
2009-06-13 12:26 . 2009-06-13 12:26 -------- d-----w- c:\documents and settings\Abed\Application Data\Malwarebytes
2009-06-13 12:26 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 12:26 . 2009-06-13 12:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 12:26 . 2009-06-13 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 12:26 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-13 10:58 . 2009-06-13 12:47 117760 ----a-w- c:\documents and settings\Abed\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-13 10:57 . 2009-06-13 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-13 10:57 . 2009-06-13 10:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-13 10:57 . 2009-06-13 10:57 -------- d-----w- c:\documents and settings\Abed\Application Data\SUPERAntiSpyware.com
2009-06-13 10:49 . 2009-06-13 10:49 -------- d-----w- c:\program files\CCleaner
2009-06-12 09:42 . 2009-06-12 09:42 541696 ----a-w- c:\documents and settings\Abed\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...011-0-main.dll
2009-06-08 04:12 . 2009-06-08 04:12 -------- d-----w- c:\documents and settings\Abed\Local Settings\Application Data\Blizzard Entertainment
2009-06-06 12:55 . 2009-06-06 12:55 -------- d-----w- c:\documents and settings\Abed\Application Data\GRETECH
2009-06-06 12:54 . 2009-06-06 12:54 -------- d-----w- c:\program files\GRETECH
2009-06-06 01:32 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-06-06 01:32 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-06-06 01:32 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-06-06 01:32 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-05-20 21:24 . 2009-05-20 21:24 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-17 00:59 . 2009-05-17 00:59 -------- d-----w- c:\documents and settings\Abed\Application Data\Logitech
2009-05-17 00:58 . 2009-05-17 00:58 -------- d-----w- c:\documents and settings\Abed\Application Data\Leadertech
2009-05-17 00:58 . 2009-05-17 00:58 53248 ----a-r- c:\documents and settings\Abed\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2009-05-17 00:54 . 2007-11-15 15:06 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-05-17 00:54 . 2007-11-15 15:07 76304 ----a-w- c:\windows\system32\KemXML.dll
2009-05-17 00:54 . 2007-11-15 15:07 117264 ----a-w- c:\windows\system32\KemWnd.dll
2009-05-17 00:54 . 2007-11-15 15:07 141840 ----a-w- c:\windows\system32\KemUtil.dll
2009-05-17 00:54 . 2007-11-15 15:07 170512 ----a-w- c:\windows\system32\kemutb.dll
2009-05-17 00:53 . 2009-05-17 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-05-17 00:53 . 2009-05-17 00:58 -------- d-----w- c:\program files\Common Files\Logishrd
2009-05-17 00:53 . 2009-05-17 00:53 -------- d-----w- c:\program files\Logitech
2009-05-17 00:52 . 2009-05-17 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-06-15 20:35 . 2008-01-19 23:46 -------- d-----w- c:\program files\Warcraft III
2009-06-15 19:57 . 2008-05-08 21:26 -------- d-----w- c:\program files\MSN 1
2009-06-15 19:52 . 2009-01-16 02:19 -------- d-----w- c:\program files\Garena
2009-06-15 19:50 . 2008-01-20 11:30 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-15 06:47 . 2008-06-12 23:41 -------- d-----w- c:\program files\Diablo II
2009-06-15 00:00 . 2008-04-01 23:08 -------- d-----w- c:\program files\Steam
2009-06-13 21:31 . 2008-01-20 01:58 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000004-00581102}.dat
2009-06-13 21:31 . 2008-01-20 01:58 24 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000001-00001102-00000004-00581102}.dat
2009-06-13 12:42 . 2008-01-24 03:09 -------- d-----w- c:\program files\Java
2009-06-13 10:55 . 2008-12-05 22:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-10 11:30 . 2008-01-26 13:05 -------- d-----w- c:\documents and settings\Abed\Application Data\mIRC
2009-06-10 11:28 . 2008-01-26 13:05 -------- d-----w- c:\program files\mIRC
2009-06-09 10:49 . 2008-01-21 06:02 -------- d-----w- c:\program files\World of Warcraft
2009-05-30 18:04 . 2008-03-04 23:15 -------- d-----w- c:\documents and settings\Abed\Application Data\uTorrent
2009-05-17 00:56 . 2009-05-17 00:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-05-17 00:56 . 2009-05-17 00:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-05-17 00:56 . 2009-05-17 00:56 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-05-17 00:53 . 2008-01-20 00:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-13 20:47 . 2009-05-13 13:50 -------- d-----w- c:\documents and settings\Abed\Application Data\Winamp
2009-05-13 13:51 . 2009-05-13 13:50 -------- d-----w- c:\program files\Winamp
2009-05-07 15:32 . 2002-09-03 13:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 18:08 . 2009-05-03 18:08 -------- d-----w- c:\documents and settings\Abed\Application Data\Talkback
2009-05-01 01:15 . 2009-05-01 01:15 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-05-01 00:27 . 2009-05-01 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-05-01 00:25 . 2009-05-01 00:25 -------- d-----w- c:\program files\Pando Networks
2009-04-26 17:55 . 2009-04-26 17:55 488960 ----a-w- c:\documents and settings\Abed\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...240-0-main.dll
2009-04-26 17:55 . 2009-04-26 17:55 319488 ----a-w- c:\documents and settings\Abed\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-04-26 17:54 . 2009-04-26 17:54 1878984 ----a-w- c:\documents and settings\Abed\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-04-20 14:40 . 2008-01-19 23:47 -------- d-----w- c:\program files\McAfee
2009-04-20 14:39 . 2009-01-31 00:40 -------- d-----w- c:\program files\Xfire
2009-04-18 08:31 . 2009-01-31 00:40 -------- d-----w- c:\documents and settings\Abed\Application Data\Xfire
2009-04-18 07:45 . 2009-04-18 07:45 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-04-17 12:26 . 2002-09-03 13:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 18:17 . 2009-04-14 18:17 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-03-25 16:06 . 2008-01-19 23:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 16:06 . 2008-01-19 23:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 16:06 . 2008-01-19 23:48 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 16:06 . 2008-01-19 23:48 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 16:05 . 2008-01-19 23:48 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-03-20 04:38 . 2008-01-19 23:51 93207 ----a-w- c:\windows\War3Unin.dat
2009-03-19 15:42 . 2009-04-07 01:26 217088 ----a-w- c:\documents and settings\Abed\Application Data\Mozilla\Firefox\Profiles\zj2wd98u.default\extensions\NPDyyno@dyyno.com\Plugins\npDyyno.dll
2008-02-04 22:08 . 2008-02-04 22:08 13123836 ----a-w- c:\program files\GGClient_setup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-13_21.34.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-15 15:18 . 2009-06-15 15:18 16384 c:\windows\Temp\Perflib_Perfdata_810.dat
+ 2009-06-14 23:59 . 2009-06-14 23:59 16384 c:\windows\Temp\Perflib_Perfdata_120.dat
+ 2008-01-19 23:26 . 2009-06-15 20:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-19 23:26 . 2009-06-13 17:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-19 23:26 . 2009-06-15 20:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-01-19 23:26 . 2009-06-13 17:07 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="c:\program files\Steam\Steam.exe" [2009-06-13 1217784]
"Octoshape Streaming Services"="c:\program files\Octoshape Streaming Services\Abed\OctoshapeClient.exe" [2006-02-13 214648]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"Rundll32"="c:\windows\system32\Rundll32.exe" [2008-04-14 33280]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-13 148888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-02-08 40960]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2002-12-23 102400]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-16 784912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 15:10 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\inatrance2\\counter-strike\\hl.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Abed\\OctoshapeClient.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Documents and Settings\\Abed\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\inatrance2\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Documents and Settings\\Abed\\Desktop\\wtvClient.exe"=
"c:\\Program Files\\Xfire\\dppm_source.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Documents and Settings\\Abed\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Warcraft III\\pickup.listchecker.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9806-to-3.1.1.9835-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58121:TCP"= 58121:TCP:Pando Media Booster
"58121:UDP"= 58121:UDP:Pando Media Booster
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Abed\LOCALS~1\Temp\VEU2E6.tmp --> c:\docume~1\Abed\LOCALS~1\Temp\VEU2E6.tmp [?]
S2 gupdate1c9bbee86597ef4;Google Update Service (gupdate1c9bbee86597ef4);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\ iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]
S3 mcdevice;mcdevice;c:\windows\system32\drivers\mcdevice.sys [8/16/2008 3:17 PM 323584]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-19 15:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-19 15:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wcreplays.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {428088E0-96DB-4960-99D5-3C809C5A7D74} - hxxp://www.wcgzone.com/GamOnUpdate.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 15:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Abed\LOCALS~1\Temp\VEU2E6.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-583907252-839522115-1004\Software\Microsoft\SystemCertificates\Address Book*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(8984)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-06-15 15:51
ComboFix-quarantined-files.txt 2009-06-15 20:51
ComboFix2.txt 2009-06-13 21:38

Pre-Run: 23,249,760,256 bytes free
Post-Run: 23,353,303,040 bytes free

252 --- E O F --- 2009-06-10 10:09



I ran a scan last night, and it said I had 2 detections. 1 was from the ones we fixed already, but another is one I found on the first day, it was called Artemis with numbers and exclamation, there was no information on mcafees site. The first time it showed up it went away after I scanned, and now it popped up again. It was in Windows/
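The ComboFix service list above is the part of that log a responder reads first: each R#/S# line names a driver or service, its image path, and either the file's date and size or "[?]" when ComboFix could not read the file's metadata. The entry worth a second look is GarenaPEngine, whose image is a randomly named .tmp file under the user's Temp folder (the log also shows the Garena client installed, so the triager would correlate the two rather than assume). The following is an added triage helper, not part of the thread or of ComboFix: it parses lines in exactly the format shown above and flags images that live in a Temp directory, carry a .tmp extension, or have no file metadata. The sample input is the six service lines copied from the log; the severity labels and field names are this example's own.

```python
"""Triage helper for ComboFix-style driver/service lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the six service lines from the ComboFix log above,
# copied verbatim (dates and sizes are the log's own values).
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Abed\LOCALS~1\Temp\VEU2E6.tmp --> c:\docume~1\Abed\LOCALS~1\Temp\VEU2E6.tmp [?]
S2 gupdate1c9bbee86597ef4;Google Update Service (gupdate1c9bbee86597ef4);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
"""

# ComboFix convention: R = running, S = stopped; the digit is the start type.
LINE_RE = re.compile(r"^(?P<kind>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


@dataclass
class ServiceEntry:
    kind: str                # e.g. "R1", "S3"
    name: str                # service key name
    display: str             # display name
    image: str               # ImagePath as registered (may include arguments)
    resolved: Optional[str]  # path ComboFix printed after "-->", if any
    size: Optional[int]      # file size in bytes when ComboFix could stat the file
    unresolved: bool         # True when ComboFix printed "[?]"


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Extract R#/S# service lines; every other log section is ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        # Trailing "[<date> <time> <size>]" or "[?]".
        tail = re.search(r"\s\[([^\]]*)\]$", rest)
        meta = tail.group(1) if tail else "?"
        body = rest[: tail.start()] if tail else rest
        if " --> " in body:
            image, resolved = body.split(" --> ", 1)
        else:
            image, resolved = body, None
        unresolved = meta.strip() == "?"
        size = None if unresolved else int(meta.split()[-1])
        entries.append(ServiceEntry(m.group("kind"), m.group("name"),
                                    m.group("display"), image, resolved, size, unresolved))
    return entries


def _normalise(path: str) -> str:
    """Lower-case, drop surrounding quotes and the NT object-manager prefix \\??\\."""
    p = path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def is_temp_path(path: str) -> bool:
    p = _normalise(path)
    return "\\temp\\" in p or "\\tmp\\" in p


def triage(log_text: str) -> List[dict]:
    """Return one finding per suspicious entry; clean entries are omitted."""
    findings = []
    for e in parse_services(log_text):
        target = _normalise(e.resolved or e.image)
        # Strip trailing service arguments (" -service", " /svc") before checking the extension.
        exe = target.split(" -")[0].split(" /")[0]
        reasons = []
        if is_temp_path(exe):
            reasons.append("image lives in a user Temp directory")
        if exe.endswith(".tmp"):
            reasons.append("a .tmp file is registered as a driver/service image")
        if e.unresolved:
            reasons.append("ComboFix printed [?]: no size/date available for the image")
        if not reasons:
            continue
        # A Temp-resident or .tmp image is the strong signal; [?] alone is only informational.
        severity = "high" if (is_temp_path(exe) or exe.endswith(".tmp")) else "low"
        findings.append({"name": e.name, "kind": e.kind, "path": target,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:>4}  {f['kind']} {f['name']}: {f['path']}")
        for r in f["reasons"]:
            print(f"        - {r}")
```

Run against the sample, GarenaPEngine comes out "high" on all three counts, while Google Update and GameGuard come out "low" on the "[?]" marker alone, which the sample itself shows is common for legitimate services with quoted paths or arguments; the SUPERAntiSpyware drivers produce no finding. The point of the split is that "[?]" is a prompt to check, not evidence, whereas a driver image sitting in Temp is something a responder verifies by hand every time.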
  #8  
Old 15th Jun 2009, 15:45
Malware Group
 
Skill Level: Advanced
Posts: 301
Default ChangerDNS.ad+more, Redirecting Google Links

Hi there abz

I notice that you have Malwarebytes Antimalware (MBAM) installed
I want you to run a scan for me.
First I want you to update MBAM so we have the latest definitions onboard
Please open Malwarebytes Antimalware
Now click on the update tab
Next - Click on the Check for updates button
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Post back the resulting log, keep me updated on how things are.
__________________
Proud member of ASAP & UNITE
  #9  
Old 15th Jun 2009, 16:17
abz
New Member Group
 
Skill Level: Beginner
Posts: 8
Default ChangerDNS.ad+more, Redirecting Google Links

Malwarebytes' Anti-Malware 1.37
Database version: 2285
Windows 5.1.2600 Service Pack 3

6/15/2009 6:16:04 PM
mbam-log-2009-06-15 (18-16-04).txt

Scan type: Quick Scan
Objects scanned: 85693
Time elapsed: 10 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



When I refresh this page at the bottom left it says loading computer-juce, then sometimes other things pop up, like swiji dot com, or tribal- infusion or something. But I have no problems going to google anymore.
  #10  
Old 15th Jun 2009, 16:37
Malware Group
 
Skill Level: Advanced
Posts: 301
Default ChangerDNS.ad+more, Redirecting Google Links

Hi there abz

Quote:
When I refresh this page at the bottom left it says loading computer-juce, then sometimes other things pop up, like swiji dot com, or tribal- infusion or something.
The info that you are seeing there is info which is related to the Computer Juice forums and the site's sponsors and is nothing to worry about. Did McAfee give a full filename and filepath to the offending file? Was a log generated at all?
__________________
Proud member of ASAP & UNITE
Copyright ©2006 - 2009 Computer Juice.