Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

Virus & Other Malware Removal Virus & Other Malware Removal
Search Search
Search for:
Tech Support Guy > > >

redirecting virus on google

(In Progress)
(!)

computerstuck's Avatar
computerstuck computerstuck is offline
Member with 36 posts.
THREAD STARTER
 
Join Date: Mar 2011
15-May-2012, 09:31 PM #1
redirecting virus on google
When I search on google, sometimes i get redirected to some websites. This seems to only happen in firefox, i believe. I have ran malwarebytes, spybot, and tdskiller.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:35 PM, on 5/23/2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.17037)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\RtHDVCpl.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ModPS2Key.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:12831/application.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ?27.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PPVADownloader - {A986E409-30CC-4185-89BB-AB212C104524} - C:\Program Files\PPLive\PPVA\DownloaderManager.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgA tADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0ANAAyADMAMAAzADkANQA0ADAALQB UADUALQBVADgANQArADEALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAEYAUAA5AC sANgAtAFQAQgA5ACsAMgAtAEYATAArADkALQBYAE8AMwA2ACsAMQAtAEYAOQBNADcAQwArADUAL QBGADkATQAxADAAQgArADIA"&"prod=90"&"ver=9.0.872
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: 使用UUSee加速播放 - C:\Program Files\uusee\geturltoplay.htm
O8 - Extra context menu item: 使用UUSee下载 - C:\Program Files\uusee\geturltodown.htm
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: 启动UUSee 网络电视 - {998A88A0-A355-809B-831C-B83A80000992} - C:\Program Files\uusee\UUSeePlayer.exe
O9 - Extra 'Tools' menuitem: 启动UUSee 网络电视 - {998A88A0-A355-809B-831C-B83A80000992} - C:\Program Files\uusee\UUSeePlayer.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01...PUplden-us.cab
O16 - DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} (PPLive Lite Class) - http://dl.pplive.com/PluginSetup.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberGhost VPN Client (CGVPNCliSrvc) - mobile concepts GmbH - C:\Program Files\S.A.D\CyberGhost VPN\CGVPNCliService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files\Hotspot Shield\bin\hsswd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10287 bytes
computerstuck's Avatar
computerstuck computerstuck is offline
Member with 36 posts.
THREAD STARTER
 
Join Date: Mar 2011
19-May-2012, 09:52 AM #2
bump
Glaswegian's Avatar
Glaswegian   (Iain) Glaswegian is offline Glaswegian is authorized to help remove malware.
Computer Specs
Malware Removal Specialist with 3,823 posts.
 
Join Date: Dec 2004
Location: Erm...Glasgow?
21-May-2012, 05:34 PM #3
Hi

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed. Note that if you do not respond within 5 days I shall no longer check this thread for replies.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.


IMPORTANT - for Windows Vista and Windows 7 start all tools by using right click > Run as Administrator.




I'd like to see a Gmer log please.

Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
  • Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click the exe file.
  • The program will begin to run, and perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
  • In any case, after the initial scan is complete, click on the Save button, and save the log file somewhere you can easily find it, such as your desktop, and attach it in your reply.
computerstuck's Avatar
computerstuck computerstuck is offline
Member with 36 posts.
THREAD STARTER
 
Join Date: Mar 2011
23-May-2012, 05:03 PM #4
I dont know if I was supposed to click scan but when I opened it, it kind of searched for something and then nothing happened. I proceeded to save the long. Here it is.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-05-23 17:02:22
Windows 6.0.6000 Harddisk0\DR0 -> \Device\0000006a WDC_WD50 rev.12.0
Running: ykek695u.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kwrcapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----
Glaswegian's Avatar
Glaswegian   (Iain) Glaswegian is offline Glaswegian is authorized to help remove malware.
Computer Specs
Malware Removal Specialist with 3,823 posts.
 
Join Date: Dec 2004
Location: Erm...Glasgow?
23-May-2012, 05:31 PM #5
Hi again

That's fine thanks - let's proceed.


We will now use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please read all the information carefully! If using Windows XP you should ensure you install the Recovery Console.

You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.

Please include the log C:\ComboFix.txt in your next reply for further review.
computerstuck's Avatar
computerstuck computerstuck is offline
Member with 36 posts.
THREAD STARTER
 
Join Date: Mar 2011
23-May-2012, 10:05 PM #6
Hi, Here is the log.

ComboFix 12-05-23.05 - Owner 05/23/2012 21:29:24.16.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.1996 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Mozilla Firefox\plugins\npuuseep.dll
c:\programdata\UUSee
c:\programdata\UUSee\data.xml
c:\windows\struct~.ini
c:\windows\system32\avisynth.dll
c:\windows\system32\devil.dll
c:\windows\system32\gtapi_signed.dll
c:\windows\system32\nsis_loader.dll
c:\windows\system32\system
c:\windows\Update.bat
.
.
((((((((((((((((((((((((( Files Created from 2012-04-24 to 2012-05-24 )))))))))))))))))))))))))))))))
.
.
2012-05-24 01:47 . 2012-05-24 01:48 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-05-24 01:47 . 2012-05-24 01:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-05-24 01:47 . 2012-05-24 01:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-01 04:59 . 2012-05-01 04:59 -------- d-----w- c:\users\Owner\AppData\Roaming\AVG2012
2012-05-01 04:54 . 2012-05-01 05:18 -------- d-----w- c:\programdata\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:56 . 2011-09-25 17:58 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-28 03:05 . 2012-03-28 03:05 255352 ----a-w- c:\windows\system32\awrdscdc.ax
2012-02-27 05:01 . 2011-10-11 01:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2008-03-05 20:30 . 2008-03-05 20:30 97288 ------w- c:\program files\DSETUP.dll
2008-03-05 20:30 . 2008-03-05 20:30 527880 ------w- c:\program files\DXSETUP.exe
2008-03-05 20:30 . 2008-03-05 20:30 1694728 ------w- c:\program files\dsetup32.dll
2005-07-23 21:20 . 2005-07-23 21:20 638976 ----a-w- c:\program files\AutoClick.exe
2005-05-02 18:52 . 2005-05-02 18:52 45056 ----a-w- c:\program files\AxInterop.SHDocVw.dll
2005-05-02 18:52 . 2005-05-02 18:52 126976 ----a-w- c:\program files\Interop.SHDocVw.dll
2012-04-02 21:25 . 2011-04-02 17:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 4349952]
"CHotkey"="zHotkey.exe" [2006-11-07 547840]
"ShowWnd"="ShowWnd.exe" [2005-01-27 36864]
"ModPS2"="ModPS2Key.exe" [2006-11-07 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgA tADkAVQBKAEsARgAtAEUASwBLADMAWAA&inst=NwA3AC0ANAAyADMAMAAzADkANQA0ADAALQBUA DUALQBVADgANQArADEALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAEYAUAA5ACsA NgAtAFQAQgA5ACsAMgAtAEYATAArADkALQBYAE8AMwA2ACsAMQAtAEYAOQBNADcAQwArADUALQB GADkATQAxADAAQgArADIA&prod=90&ver=9.0.872" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorUser"= 2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PPTV.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PPTV.lnk
backup=c:\windows\pss\PPTV.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PPS.lnk]
path=c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigFix]
2006-11-16 23:04 2348584 ----a-w- c:\program files\BigFix\bigfix.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX7400 Series]
2007-02-15 10:00 179200 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATICDA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 22:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-04-04 19:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-04-04 19:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2006-09-06 19:12 323216 ----a-w- c:\program files\Napster\napster.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]
2011-09-02 12:46 446328 ----a-w- c:\program files\Common Files\PPLiveNetwork\PPAP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPLive]
2009-11-12 10:35 165280 ----a-w- c:\program files\PPLive\PPLive.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPLiveVA]
2010-04-27 03:23 71152 ----a-w- c:\program files\PPLive\PPVA\PPLiveVA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-02-09 01:38 296056 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UUSEE]
2012-05-17 15:38 513440 ----a-w- c:\program files\Common Files\uusee\UUSeeMediaCenter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UUSeeMediaCenter]
2012-05-17 15:38 513440 ----a-w- c:\program files\Common Files\uusee\UUSeeMediaCenter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-11-02 12:36 201728 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-561803190-2091065021-3607023498-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
sina_live_deamon REG_MULTI_SZ sina_live_deamon
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wscsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 16:33]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.th123.com/v2
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\8bzescwt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-23 21:48
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-05-23 21:57:19
ComboFix-quarantined-files.txt 2012-05-24 01:57
ComboFix2.txt 2012-05-14 02:32
ComboFix3.txt 2010-06-22 21:18
ComboFix4.txt 2010-05-25 01:40
.
Pre-Run: 290,420,809,728 bytes free
Post-Run: 292,035,829,760 bytes free
.
- - End Of File - - CD1C169DBD2F1FA557B0AA8FD88725D9
Glaswegian's Avatar
Glaswegian   (Iain) Glaswegian is offline Glaswegian is authorized to help remove malware.
Computer Specs
Malware Removal Specialist with 3,823 posts.
 
Join Date: Dec 2004
Location: Erm...Glasgow?
24-May-2012, 04:58 PM #7
Hi again

How is your system running now?


Start Malwarebytes' Anti-Malware.

Choose the 'Update' tab and click Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

-> Click on the Malwarebytes' Anti-Malware icon to launch the program.
-> Click on the Logs tab.
-> Click on the log at the bottom of those listed to highlight it.
-> Click Open.

Copy & Paste the entire report in your next reply.
computerstuck's Avatar
computerstuck computerstuck is offline
Member with 36 posts.
THREAD STARTER
 
Join Date: Mar 2011
24-May-2012, 10:04 PM #8
Hi,

Google still redirects me sometimes on firefox. Here is the log.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.24.05

Windows Vista x86 NTFS
Internet Explorer 7.0.6000.17037
Owner :: OWNER-PC [administrator]

5/24/2012 7:38:43 PM
mbam-log-2012-05-24 (19-38-43).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 383029
Time elapsed: 2 hour(s), 20 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\uusee\uninstuusee.exe (PUP.Uusee) -> Quarantined and deleted successfully.

(end)
Glaswegian's Avatar
Glaswegian   (Iain) Glaswegian is offline Glaswegian is authorized to help remove malware.
Computer Specs
Malware Removal Specialist with 3,823 posts.
 
Join Date: Dec 2004
Location: Erm...Glasgow?
25-May-2012, 04:14 PM #9
Quote:
Originally Posted by computerstuck View Post
Hi,

Google still redirects me sometimes on firefox. Here is the log.
Hi again

Can you be a bit more specific please. Is it only when using Firefox? Does it happen with other browers? Is it random or regular?
computerstuck's Avatar
computerstuck computerstuck is offline
Member with 36 posts.
THREAD STARTER
 
Join Date: Mar 2011
25-May-2012, 05:42 PM #10
Hi,

Yes, it seems that it only occurs on firefox. I just tried IE and it doesn't seem to happen. It is random. when I google something and i click that link, sometimes it goes through normally, and sometimes it redirects me to a website like this one http://63.209.69.107/search/web/fiat...1-8911_1234/v5

I tried looking up fiat, clicked a link and it took me there. Also, you know how some websites have their logo? like when you put it in tabs you can see their icon, like facebook, you know its that f. this one has an S that looks exactly like the one you get from scour.com
Glaswegian's Avatar
Glaswegian   (Iain) Glaswegian is offline Glaswegian is authorized to help remove malware.
Computer Specs
Malware Removal Specialist with 3,823 posts.
 
Join Date: Dec 2004
Location: Erm...Glasgow?
26-May-2012, 08:04 AM #11
Hi again

Thanks for the info.

Let’s see if we can clear that.


Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
ClearJavaCache::

Firefox::
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\8bzescwt.default\
FF - prefs.js: browser.search.defaulturl &#8211; 
hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript onto ComboFix.exe.

If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review.
computerstuck's Avatar
computerstuck computerstuck is offline
Member with 36 posts.
THREAD STARTER
 
Join Date: Mar 2011
26-May-2012, 12:40 PM #12
Before I do that, may I ask what is that going to clear? is it going to clear my bookmarks? or my URLs from the address bar?
Glaswegian's Avatar
Glaswegian   (Iain) Glaswegian is offline Glaswegian is authorized to help remove malware.
Computer Specs
Malware Removal Specialist with 3,823 posts.
 
Join Date: Dec 2004
Location: Erm...Glasgow?
27-May-2012, 03:30 PM #13
Hi

No - it's only targeting 2 settings that have 'redirect' as part of the name - in this case both appear to default pages when opening Firefox. Your bookmarks will not be affected.
computerstuck's Avatar
computerstuck computerstuck is offline
Member with 36 posts.
THREAD STARTER
 
Join Date: Mar 2011
31-May-2012, 09:04 PM #14
Hi, sorry for the delay. I was trying to check if IE had the same issues. IE does redirect too when i click on links from google sometimes. It's not only on firefox like i had said. I still ran combofix with the text file like you said. Here is the log.


ComboFix 12-05-31.02 - Owner 05/31/2012 20:38:45.18.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.1965 [GMT -4:00]
Running from: c:\users\Owner\Desktop\vpn\ComboFix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\UUSee
c:\programdata\UUSee\data.xml
.
.
((((((((((((((((((((((((( Files Created from 2012-05-01 to 2012-06-01 )))))))))))))))))))))))))))))))
.
.
2012-06-01 00:54 . 2012-06-01 00:54 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-06-01 00:54 . 2012-06-01 00:54 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-01 00:54 . 2012-06-01 00:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-31 02:34 . 2012-05-31 02:34 -------- d-----w- c:\program files\Oracle
2012-05-31 02:31 . 2012-04-04 22:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-24 02:02 . 2012-05-24 02:02 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-24 02:01 . 2012-05-24 02:01 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-24 02:01 . 2012-05-24 02:01 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 22:47 . 2011-02-21 01:11 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2011-09-25 17:58 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-28 03:05 . 2012-03-28 03:05 255352 ----a-w- c:\windows\system32\awrdscdc.ax
2008-03-05 20:30 . 2008-03-05 20:30 97288 ------w- c:\program files\DSETUP.dll
2008-03-05 20:30 . 2008-03-05 20:30 527880 ------w- c:\program files\DXSETUP.exe
2008-03-05 20:30 . 2008-03-05 20:30 1694728 ------w- c:\program files\dsetup32.dll
2005-07-23 21:20 . 2005-07-23 21:20 638976 ----a-w- c:\program files\AutoClick.exe
2005-05-02 18:52 . 2005-05-02 18:52 45056 ----a-w- c:\program files\AxInterop.SHDocVw.dll
2005-05-02 18:52 . 2005-05-02 18:52 126976 ----a-w- c:\program files\Interop.SHDocVw.dll
2012-05-24 02:01 . 2011-04-02 17:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 4349952]
"CHotkey"="zHotkey.exe" [2006-11-07 547840]
"ShowWnd"="ShowWnd.exe" [2005-01-27 36864]
"ModPS2"="ModPS2Key.exe" [2006-11-07 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgA tADkAVQBKAEsARgAtAEUASwBLADMAWAA&inst=NwA3AC0ANAAyADMAMAAzADkANQA0ADAALQBUA DUALQBVADgANQArADEALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAEYAUAA5ACsA NgAtAFQAQgA5ACsAMgAtAEYATAArADkALQBYAE8AMwA2ACsAMQAtAEYAOQBNADcAQwArADUALQB GADkATQAxADAAQgArADIA&prod=90&ver=9.0.872" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorUser"= 2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PPTV.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PPTV.lnk
backup=c:\windows\pss\PPTV.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PPS.lnk]
path=c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigFix]
2006-11-16 23:04 2348584 ----a-w- c:\program files\BigFix\bigfix.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX7400 Series]
2007-02-15 10:00 179200 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATICDA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 22:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-04-04 19:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-04-04 19:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2006-09-06 19:12 323216 ----a-w- c:\program files\Napster\napster.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]
2011-09-02 12:46 446328 ----a-w- c:\program files\Common Files\PPLiveNetwork\PPAP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPLive]
2009-11-12 10:35 165280 ----a-w- c:\program files\PPLive\PPLive.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPLiveVA]
2010-04-27 03:23 71152 ----a-w- c:\program files\PPLive\PPVA\PPLiveVA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 15:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-02-09 01:38 296056 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UUSEE]
2012-05-17 15:38 513440 ----a-w- c:\program files\Common Files\uusee\UUSeeMediaCenter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UUSeeMediaCenter]
2012-05-17 15:38 513440 ----a-w- c:\program files\Common Files\uusee\UUSeeMediaCenter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-11-02 12:36 201728 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-561803190-2091065021-3607023498-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
sina_live_deamon REG_MULTI_SZ sina_live_deamon
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wscsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 16:33]
.
2012-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.th123.com/v2
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\8bzescwt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-31 20:54
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-05-31 20:58:47
ComboFix-quarantined-files.txt 2012-06-01 00:58
ComboFix2.txt 2012-05-24 01:57
ComboFix3.txt 2012-05-14 02:32
ComboFix4.txt 2010-06-22 21:18
ComboFix5.txt 2012-06-01 00:02
.
Pre-Run: 290,902,380,544 bytes free
Post-Run: 290,898,296,832 bytes free
.
- - End Of File - - 408BE05F83A9B0EDADDC2A0D8CD3F52E
Glaswegian's Avatar
Glaswegian   (Iain) Glaswegian is offline Glaswegian is authorized to help remove malware.
Computer Specs
Malware Removal Specialist with 3,823 posts.
 
Join Date: Dec 2004
Location: Erm...Glasgow?
01-Jun-2012, 04:20 PM #15
Hi again

Thanks for the info – let’s look elsewhere.


Please download TDSSKiller.zip and extract TDSSKiller.exe to your desktop.

Execute TDSSKiller.exe by doubleclicking on it. Press Start Scan.


  • If Malicious objects are found, ensure Cure is selected (it should be by default)



  • Click Continue then click Reboot now



  • Once complete, a log will be produced at the root drive which is typically C:\

    For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt.

Please attach that log.
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.


(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!




Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


WELCOME
You Are Using: Server ID
Trusted Website Back to the Top ↑