Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Google Redirect [RESOLVED]


  • This topic is locked This topic is locked

#16
richardcy

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Alas, here is the log, so how does it look now?

ComboFix 08-04-22.1 - RY 2008-04-23 17:37:33.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.253 [GMT -4:00]
Running from: C:\Documents and Settings\RY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RY\Desktop\CFScript.txt.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-22 18:41 . 2008-04-22 18:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 18:41 . 2008-04-22 18:41 <DIR> d-------- C:\Documents and Settings\RY\Application Data\Malwarebytes
2008-04-22 18:41 . 2008-04-22 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-15 18:26 . 2008-04-15 21:53 <DIR> d-------- C:\fixwareout
2008-04-14 22:25 . 2008-04-14 22:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 22:25 . 2008-04-14 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 02:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-16 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-15 03:22 --------- d-----w C:\Program Files\Easy Internet signup
2008-03-10 22:48 --------- d-----w C:\Documents and Settings\RY\Application Data\Move Networks
2007-06-29 22:37 92,064 ----a-w C:\Documents and Settings\RY\mqdmmdm.sys
2007-06-29 22:37 9,232 ----a-w C:\Documents and Settings\RY\mqdmmdfl.sys
2007-06-29 22:37 79,328 ----a-w C:\Documents and Settings\RY\mqdmserd.sys
2007-06-29 22:37 66,656 ----a-w C:\Documents and Settings\RY\mqdmbus.sys
2007-06-29 22:37 6,208 ----a-w C:\Documents and Settings\RY\mqdmcmnt.sys
2007-06-29 22:37 5,936 ----a-w C:\Documents and Settings\RY\mqdmwhnt.sys
2007-06-29 22:37 4,048 ----a-w C:\Documents and Settings\RY\mqdmcr.sys
2007-06-29 22:37 25,600 ----a-w C:\Documents and Settings\RY\usbsermptxp.sys
2007-06-29 22:37 22,768 ----a-w C:\Documents and Settings\RY\usbsermpt.sys
2006-10-09 17:03 0 ----a-w C:\Documents and Settings\RY\Application Data\wklnhst.dat
2006-03-22 05:10 15,487,432 ----a-w C:\Program Files\DivXPlay.exe
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( [email protected]_21.40.29.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 01:36:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 21:40:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 21:04 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-08 06:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-08 06:32 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 12:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 11:27 860160]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 06:12 88209 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-02-08 12:38 159744]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 13:59 794624]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 19:04 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-02 03:01 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 16:54 253952]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 16:24 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-03-29 17:45 233534]
"ChangeResolution"="C:\hp\bin\ChangeResolution.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Motorola\\UID Extraction Tool\\UIDExtraction.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunesHelper.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 OracleXETNSListener;OracleXETNSListener;C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [2006-02-02 00:49]
S3 mamotou;mamotou;C:\WINDOWS\system32\DRIVERS\mamotou.sys [2005-11-07 17:50]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-04-14 00:07]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\RunGame.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4632a7e-d34a-11db-9b23-001500369210}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 21:44:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 17:41:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????9?8?4?9??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-04-23 17:44:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 21:44:31
ComboFix2.txt 2008-04-23 02:32:12
ComboFix3.txt 2008-04-23 01:41:01

Pre-Run: 32,212,074,496 bytes free
Post-Run: 32,242,454,528 bytes free

132 --- E O F --- 2008-04-16 10:27:32
  • 0

Advertisements


#17
richardcy

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I was wondering how to prevent this in the future, I did not download anything but often visit many car forums, is it possible that by visiting a site I could have gotten a virus?
  • 0

#18
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, malicious scripts can be embedded on a website and wreak havoc. Many users get infected like this.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#19
richardcy

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Also, now when I open yahoo.com there is a small logo on the left hand side of the address bar that says "SU" with a circle around it, it's a bluish green with white leters logo. have you ever seen that? I don't remember it being there before, but when I go to geeks to go it has a red G there which is normal, but what is this "SU?" should i be concerend about that?
  • 0

#20
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Try clearing out your temp files to see if it helps:

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


That's just a favicon. For Yahoo it should have been a Y! instead of that SU icon. See if flushing out the temp files will help. Also do a hard refresh on the page (hold down Ctrl key and hit Refresh button - either F5 key or hit refresh icon on your browser).
  • 0

#21
richardcy

richardcy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
thanks so much!!! the hard refresh didnt work but the program did.
  • 0

#22
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP