Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Google Redirect [RESOLVED]

Started by richardcy , Apr 16 2008 05:30 AM

  • This topic is locked This topic is locked

#1
richardcy
Posted 16 April 2008 - 05:30 AM

richardcy

    Member

  • Member
  • PipPip
  • 14 posts
Hi I've been having this problem where I go to google but it redirects me to another link when I click something else. Once I simply opened google and another advertising page popped up. I did a bit of searching and it seems that everyone's problem is specific to their system? I'm not to sure. I'm running on XP and used a fixwareout from a trhead I read and it said to post it to get more help. Is there anything else I can do?



Can someone please help me. Thanks.


username "RY" - 04/15/2008 21:38:08 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"AGRSMMSG"="AGRSMMSG.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"ChangeResolution"="C:\\hp\\bin\\ChangeResolution.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"
"slaygj2tt"="C:\\WINDOWS\\system32\\slaygj2tt.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"Aim6"=""
"slaygj2tt"="C:\\WINDOWS\\system32\\slaygj2tt.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
  • 0

Advertisements

#2
greyknight17
Posted 20 April 2008 - 04:47 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

There's still something left behind there that needs to be removed...

Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
richardcy
Posted 22 April 2008 - 06:18 PM

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
THank you so much for helping me I really appreciate it. I just ran the scan and posted the results, there are 5 files that it was unable to remove. I am awaiting your next response?

Malwarebytes' Anti-Malware 1.11
Database version: 672

Scan type: Full Scan (C:\|)
Objects scanned: 81147
Time elapsed: 43 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\AppCert\hb20g.dll (Trojan.Downloader) -> Unloaded module successfully.
C:\WINDOWS\system32\AppCert\prx992h.dll (Trojan.Downloader) -> Unloaded module successfully.
C:\WINDOWS\system32\AppCert\wnl32.dll (Trojan.Downloader) -> Unloaded module successfully.
C:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> Unloaded module successfully.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\AppCert (Trojan.Downloader) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\AppCert\filter.drv (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\hb14c.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\hb20g.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\AppCert\options.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\prx992h.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\AppCert\wnl32.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> Delete on reboot.

Edited by richardcy, 22 April 2008 - 06:20 PM.

  • 0

#4
greyknight17
Posted 22 April 2008 - 07:37 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
It got rid of all those files it found....

Where's the combofix log?
  • 0

#5
richardcy
Posted 22 April 2008 - 07:48 PM

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
this is going to sound retarded, but i can't find it? i'm very sorry what is the file path for the combo fix log?
  • 0

#6
richardcy
Posted 22 April 2008 - 07:50 PM

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
nevermind I found it, sorry here it is.

ComboFix 08-04-22.1 - RY 2008-04-22 21:32:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.201 [GMT -4:00]
Running from: C:\Documents and Settings\RY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RY\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks.\At1.job
C:\WINDOWS\system32\dbmsrpcnc.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_pwpyhymq
-------\Service_pwpyhymq


((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-22 18:44 . 2008-04-22 18:44 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-22 18:44 . 2008-04-22 18:44 638,208 --a------ C:\WINDOWS\system32\qdjwptbl.dat
2008-04-22 18:44 . 2008-04-22 18:44 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-04-22 18:44 . 2008-04-22 18:44 43,264 --a------ C:\WINDOWS\system32\tcwghctf.dat
2008-04-22 18:44 . 2008-04-22 18:44 36,608 --a------ C:\WINDOWS\system32\orstrtqt.dat
2008-04-22 18:44 . 2008-04-22 18:44 35,584 --a------ C:\WINDOWS\system32\nteuclru.dat
2008-04-22 18:44 . 20,608 C:\WINDOWS\system32\drivers\kvlvuxtk.dat
2008-04-22 18:41 . 2008-04-22 18:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 18:41 . 2008-04-22 18:41 <DIR> d-------- C:\Documents and Settings\RY\Application Data\Malwarebytes
2008-04-22 18:41 . 2008-04-22 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-15 18:26 . 2008-04-15 21:53 <DIR> d-------- C:\fixwareout
2008-04-14 22:25 . 2008-04-14 22:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 22:25 . 2008-04-14 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 19:53 . 2008-04-22 18:44 190,720 --a------ C:\WINDOWS\system32\olnsewxm.dat
2008-04-14 19:46 . 2004-08-04 04:00 88,064 --a------ C:\WINDOWS\system32\commdlgg.dll
2008-04-14 19:46 . 2008-04-22 18:44 83,456 --a------ C:\WINDOWS\system32\dbmsrpcnc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 02:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-16 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-15 03:22 --------- d-----w C:\Program Files\Easy Internet signup
2008-03-10 22:48 --------- d-----w C:\Documents and Settings\RY\Application Data\Move Networks
2007-06-29 22:37 92,064 ----a-w C:\Documents and Settings\RY\mqdmmdm.sys
2007-06-29 22:37 9,232 ----a-w C:\Documents and Settings\RY\mqdmmdfl.sys
2007-06-29 22:37 79,328 ----a-w C:\Documents and Settings\RY\mqdmserd.sys
2007-06-29 22:37 66,656 ----a-w C:\Documents and Settings\RY\mqdmbus.sys
2007-06-29 22:37 6,208 ----a-w C:\Documents and Settings\RY\mqdmcmnt.sys
2007-06-29 22:37 5,936 ----a-w C:\Documents and Settings\RY\mqdmwhnt.sys
2007-06-29 22:37 4,048 ----a-w C:\Documents and Settings\RY\mqdmcr.sys
2007-06-29 22:37 25,600 ----a-w C:\Documents and Settings\RY\usbsermptxp.sys
2007-06-29 22:37 22,768 ----a-w C:\Documents and Settings\RY\usbsermpt.sys
2006-10-09 17:03 0 ----a-w C:\Documents and Settings\RY\Application Data\wklnhst.dat
2006-03-22 05:10 15,487,432 ----a-w C:\Program Files\DivXPlay.exe
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F9056F7-7E14-4149-A9A5-BE712751404C}]
2004-08-04 04:00 88064 --a------ C:\WINDOWS\system32\commdlgg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFBAE86B-0E2A-44CE-B790-A656B51AC34A}]
2008-04-22 18:44 83456 --a------ c:\windows\system32\dbmsrpcnc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 21:04 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"slaygj2tt"="C:\WINDOWS\system32\slaygj2tt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-08 06:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-08 06:32 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 12:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 11:27 860160]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 06:12 88209 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-02-08 12:38 159744]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 13:59 794624]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 19:04 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-02 03:01 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 16:54 253952]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 16:24 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-03-29 17:45 233534]
"ChangeResolution"="C:\hp\bin\ChangeResolution.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"slaygj2tt"="C:\WINDOWS\system32\slaygj2tt.exe" [ ]
"combofix"="C:\WINDOWS\system32\CF14660.exe" [2004-08-04 04:00 388608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xqogvetq]
dbmsrpcnc.dll 2008-04-22 18:44 83456 C:\WINDOWS\system32\dbmsrpcnc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Motorola\\UID Extraction Tool\\UIDExtraction.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunesHelper.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R0 fopsqltd;fopsqltd;C:\WINDOWS\system32\drivers\kvlvuxtk.dat []
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 OracleXETNSListener;OracleXETNSListener;C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [2006-02-02 00:49]
S3 mamotou;mamotou;C:\WINDOWS\system32\DRIVERS\mamotou.sys [2005-11-07 17:50]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-04-14 00:07]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pwpyhymq

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\RunGame.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4632a7e-d34a-11db-9b23-001500369210}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 01:39:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 21:37:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????9?8?4?9??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fopsqltd]
"ImagePath"="system32\drivers\kvlvuxtk.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-04-22 21:41:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 01:40:54

Pre-Run: 32,254,373,888 bytes free
Post-Run: 32,272,863,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

168 --- E O F --- 2008-04-16 10:27:32
  • 0

#7
richardcy
Posted 22 April 2008 - 07:59 PM

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
thank you so much for your responses I really appreciate all this help.
  • 0

#8
greyknight17
Posted 22 April 2008 - 08:13 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Is this one of your games (do not double click on it if you don't know what it is)? -> D:\RunGame.exe

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

KILLALL::
Driver::
fopsqltd
File::
D:\RunGame.exe
C:\WINDOWS\system32\dbmsrpcnc.dll
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\qdjwptbl.dat
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\tcwghctf.dat
C:\WINDOWS\system32\orstrtqt.dat
C:\WINDOWS\system32\nteuclru.dat
C:\WINDOWS\system32\drivers\kvlvuxtk.dat
C:\WINDOWS\system32\olnsewxm.dat
C:\WINDOWS\system32\commdlgg.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F9056F7-7E14-4149-A9A5-BE712751404C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFBAE86B-0E2A-44CE-B790-A656B51AC34A}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"slaygj2tt"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"slaygj2tt"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xqogvetq]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetSvcs]
"pwpyhymq"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far?

Edited by greyknight17, 22 April 2008 - 08:22 PM.

  • 0

#9
richardcy
Posted 22 April 2008 - 08:17 PM

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
that is not one of my games, i'm only running diablo II (old) and Need for speed underground (old)

so should i be concerend about that fake rungame.exe then?
  • 0

#10
greyknight17
Posted 22 April 2008 - 08:23 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I added it to the fix in my last reply....

Is the D: drive your second partition? Or is it a external hard drive or flash/thumb drive? If external drive, try running this:
Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Run the Combofix instructions when ready and post the logs here.
  • 0

Advertisements

#11
richardcy
Posted 22 April 2008 - 08:34 PM

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
ok i ran the "notepad" file

and this is the log I got

also, my D: drive is my CDrw DVD drive, I shouldn't be worried about that right?


ComboFix 08-04-22.1 - RY 2008-04-22 22:24:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.269 [GMT -4:00]
Running from: C:\Documents and Settings\RY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RY\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\commdlgg.dll
C:\WINDOWS\system32\dbmsrpcnc.dll
C:\WINDOWS\system32\drivers\kvlvuxtk.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\nteuclru.dat
C:\WINDOWS\system32\olnsewxm.dat
C:\WINDOWS\system32\orstrtqt.dat
C:\WINDOWS\system32\qdjwptbl.dat
C:\WINDOWS\system32\tcwghctf.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\commdlgg.dll
C:\WINDOWS\system32\dbmsrpcnc.dll
C:\WINDOWS\system32\drivers\kvlvuxtk.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\nteuclru.dat
C:\WINDOWS\system32\olnsewxm.dat
C:\WINDOWS\system32\orstrtqt.dat
C:\WINDOWS\system32\qdjwptbl.dat
C:\WINDOWS\system32\tcwghctf.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPSQLTD
-------\Service_fopsqltd


((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-22 18:41 . 2008-04-22 18:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 18:41 . 2008-04-22 18:41 <DIR> d-------- C:\Documents and Settings\RY\Application Data\Malwarebytes
2008-04-22 18:41 . 2008-04-22 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-15 18:26 . 2008-04-15 21:53 <DIR> d-------- C:\fixwareout
2008-04-14 22:25 . 2008-04-14 22:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 22:25 . 2008-04-14 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 02:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-16 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-15 03:22 --------- d-----w C:\Program Files\Easy Internet signup
2008-03-10 22:48 --------- d-----w C:\Documents and Settings\RY\Application Data\Move Networks
2007-06-29 22:37 92,064 ----a-w C:\Documents and Settings\RY\mqdmmdm.sys
2007-06-29 22:37 9,232 ----a-w C:\Documents and Settings\RY\mqdmmdfl.sys
2007-06-29 22:37 79,328 ----a-w C:\Documents and Settings\RY\mqdmserd.sys
2007-06-29 22:37 66,656 ----a-w C:\Documents and Settings\RY\mqdmbus.sys
2007-06-29 22:37 6,208 ----a-w C:\Documents and Settings\RY\mqdmcmnt.sys
2007-06-29 22:37 5,936 ----a-w C:\Documents and Settings\RY\mqdmwhnt.sys
2007-06-29 22:37 4,048 ----a-w C:\Documents and Settings\RY\mqdmcr.sys
2007-06-29 22:37 25,600 ----a-w C:\Documents and Settings\RY\usbsermptxp.sys
2007-06-29 22:37 22,768 ----a-w C:\Documents and Settings\RY\usbsermpt.sys
2006-10-09 17:03 0 ----a-w C:\Documents and Settings\RY\Application Data\wklnhst.dat
2006-03-22 05:10 15,487,432 ----a-w C:\Program Files\DivXPlay.exe
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-04-22_21.40.29.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 01:36:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 02:28:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 21:04 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-08 06:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-08 06:32 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 12:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 11:27 860160]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 06:12 88209 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-02-08 12:38 159744]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 13:59 794624]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 19:04 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-02 03:01 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 16:54 253952]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 16:24 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-03-29 17:45 233534]
"ChangeResolution"="C:\hp\bin\ChangeResolution.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Motorola\\UID Extraction Tool\\UIDExtraction.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunesHelper.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 OracleXETNSListener;OracleXETNSListener;C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [2006-02-02 00:49]
S3 mamotou;mamotou;C:\WINDOWS\system32\DRIVERS\mamotou.sys [2005-11-07 17:50]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-04-14 00:07]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pwpyhymq

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\RunGame.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4632a7e-d34a-11db-9b23-001500369210}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 02:29:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 22:29:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????9?8?4?9??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-04-22 22:32:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 02:32:07
ComboFix2.txt 2008-04-23 01:41:01

Pre-Run: 32,259,510,272 bytes free
Post-Run: 32,265,834,496 bytes free

161 --- E O F --- 2008-04-16 10:27:32
  • 0

#12
richardcy
Posted 22 April 2008 - 08:39 PM

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
does it apear that I am spyware free now? Google seems to be running fine for now...
  • 0

#13
richardcy
Posted 22 April 2008 - 08:52 PM

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I gotta get some rest now but i'll check for your response in the morning, Thank you so much and God bless for all your wonderful help.
  • 0

#14
greyknight17
Posted 23 April 2008 - 07:42 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
One more thing we need to take care of...

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

KILLALL::
Driver::
pwpyhymq
NetSvc::
pwpyhymq

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#15
richardcy
Posted 23 April 2008 - 03:36 PM

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
ok running the CFScript.txt file now
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP