
Google/Yahoo Redirect Virus


  • This topic is locked

#46 paltan (Member, Topic Starter, 50 posts)

Please download Dr.Web CureIt. Save it to your desktop:

  • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply.
  • Close Dr.Web CureIt.
  • Important! Reboot your computer because it is possible that files in use will be moved/deleted during reboot.
NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.

Log:
A0013803.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP32;Program.RemoteAdmin.283;Incurable.Moved.;


Please let me know if I did something wrong. This just looks too short to be correct for a 3-hour scan.
Thanks for your help.

Edited by paltan, 14 August 2010 - 10:15 AM.


#47 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

Let's see if this helps at all with the redirects:

Please go to Start > Control Panel > Network Connections
Select your Local Network.
Click Properties, then select Internet Protocol (TCP/IP).
Click Properties.

You will see a window titled Internet Protocol (TCP/IP) Properties.

Click on Use the following DNS server addresses:
Preferred DNS server: 8.8.8.8
Alternate DNS server: 8.8.4.4

Click OK.



NEXT:



Flush DNS
  • Now go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between "..g /f…"; it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.


Reboot your computer and see how things are working after doing the above.

#48 paltan (Member, Topic Starter, 50 posts)

Hello, that didn't work either SweetTech. I downloaded Google Chrome over the weekend and that works fine. Thought you might want to know that. Thanks

#49 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

Are you familiar with what exactly this program is for: DynDNS Updater 3.0 ?

Remove Program
We need to remove a program. To do this please do the following:
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
  • Internet Explorer Default Page
  • Yahoo! Toolbar


NEXT:



Reset IE8

  • Please download this Microsoft FixIt and save it to the desktop.
  • Double click on MicrosoftFixit50195.exe select I Agree and click on Next.
  • Follow the on-screen prompts.
  • You may delete MicrosoftFixit50195.exe when finished, or keep it in case of any problems with IE8 in the future.
  • Next time IE8 is launched you will be prompted to reapply settings again; this is normal.

Note: Any add-ons will need to be reapplied after the above reset.



How are things running? Any better?

#50 paltan (Member, Topic Starter, 50 posts)

The darn thing is still redirecting. DynDNS Updater 3.0 is something by Kana Solution. The website is http://www.kanasolution.com. It says it was to fix a bug in creating ini file algorithm. Whatever that means. I removed Yahoo Toolbar but Internet Explorer Default Page was not there.

#51 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

Open notepad by going to START > RUN and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following:

@echo off
rem Put back the three auto-start executables from the bak\ copies ComboFix listed under AWF:
rem delete the copy currently in place, then copy the bak\ original back into its folder.
If exist "c:\program files\Analog Devices\Core\smax4pnp.exe" del /q "c:\program files\Analog Devices\Core\smax4pnp.exe"
copy "c:\program files\Analog Devices\Core\bak\smax4pnp.exe" "c:\program files\Analog Devices\Core"

If exist "c:\program files\Citrix\GoToMyPC\g2svc.exe" del /q "c:\program files\Citrix\GoToMyPC\g2svc.exe"
rem The source must be the bak\ copy; copying g2svc.exe onto its own folder restores nothing.
copy "c:\program files\Citrix\GoToMyPC\bak\g2svc.exe" "c:\program files\Citrix\GoToMyPC"

If exist "c:\program files\HP\HP Software Update\hpwuSchd2.exe" del /q "c:\program files\HP\HP Software Update\hpwuSchd2.exe"
copy "c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe" "c:\program files\HP\HP Software Update"
rem Keep the window open so the result of each copy can be read.
pause

In Notepad, click the "File" menu > Save As... Under "File name" type fix.bat, change "Save as type" to All Files, and save it to a place you will remember.

Double-click fix.bat



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double-click the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


#52 paltan (Member, Topic Starter, 50 posts)

Hello, ESET did not find any threats.

#53 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Please confirm that you created and ran the batch file above. Are you still being redirected?

#54 paltan (Member, Topic Starter, 50 posts)

Yes, I did try to run the batch file, but when I double-clicked to open it and run it, a black window flashed open for a second and nothing happened. I could not read what it said because it flashed too fast. I tried a number of times but I don't think it did anything.

#55 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Do me a favor and re-run ComboFix. Run the scan normally. It may prompt you to update; please allow it to do so, and post the log it produces in your next reply.

#56 paltan (Member, Topic Starter, 50 posts)

Here is the log

ComboFix 10-08-15.04 - Palladium Tan 08/16/2010 13:39:58.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2000 [GMT -5:00]
Running from: c:\documents and settings\Palladium Tan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log
.
---- Previous Run -------
.
c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.

2010-08-16 15:17 . 2010-08-16 15:17 -------- d-----w- c:\documents and settings\Palladium Tan\Local Settings\Application Data\PCHealth
2010-08-15 17:14 . 2010-08-15 17:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\DroidExplorer
2010-08-15 17:13 . 2010-08-15 17:13 1868800 ----a-r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{4B745BD6-9AEE-49CF-9DA3-B1BEF136AD71}\AppIcon.exe
2010-08-15 17:13 . 2010-08-15 17:14 -------- d-----w- c:\program files\Droid Explorer
2010-08-15 14:44 . 2010-08-15 14:45 -------- d-----w- c:\documents and settings\Palladium Tan\Local Settings\Application Data\Temp
2010-08-14 01:48 . 2010-08-14 01:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-13 15:09 . 2010-08-13 15:09 -------- d-----w- c:\documents and settings\Palladium Tan\DoctorWeb
2010-08-13 01:02 . 2010-08-13 01:02 -------- d-----w- c:\documents and settings\Palladium Tan\Local Settings\Application Data\VS Revo Group
2010-08-13 01:02 . 2009-12-30 17:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-08-13 01:02 . 2010-08-13 01:02 -------- d-----w- c:\program files\VS Revo Group
2010-08-12 18:24 . 2010-08-12 18:24 -------- d-----w- C:\_OTL
2010-08-07 01:34 . 2010-08-07 01:34 -------- d-----w- c:\program files\CCleaner
2010-08-06 22:27 . 2010-08-13 20:21 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-06 22:26 . 2010-08-07 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-06 22:26 . 2010-08-06 22:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-06 20:26 . 2010-08-06 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-06 16:51 . 2010-08-06 16:51 388096 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-05 23:43 . 2010-08-05 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-08-05 23:42 . 2010-08-06 15:44 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-08-05 14:30 . 2010-08-05 14:30 -------- d-----w- c:\program files\Trend Micro
2010-08-05 02:40 . 2010-08-05 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-05 02:35 . 2010-08-05 02:39 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\GetRightToGo
2010-08-05 01:23 . 2010-08-05 01:23 503808 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcp71.dll
2010-08-05 01:23 . 2010-08-05 01:23 499712 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\jmc.dll
2010-08-05 01:23 . 2010-08-05 01:23 348160 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcr71.dll
2010-08-05 01:23 . 2010-08-05 01:23 61440 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-sse.dll
2010-08-05 01:23 . 2010-08-05 01:23 12800 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-d3d.dll
2010-08-05 01:23 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 16:53 . 2010-07-28 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-07-28 16:46 . 2010-07-28 17:34 104247 ----a-w- c:\windows\hpoins04.dat
2010-07-28 16:46 . 2004-06-22 15:04 17176 ------w- c:\windows\hpomdl04.dat
2010-07-28 16:45 . 2004-06-22 15:05 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-07-28 16:45 . 2004-06-22 15:05 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\temp\FixEngine
2010-07-28 16:23 . 2010-07-28 16:23 10134 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2010-07-28 16:10 . 2010-07-28 16:10 -------- d-----w- c:\program files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 18:38 . 2005-02-27 23:58 -------- d-----w- c:\program files\PCCW
2010-08-16 15:50 . 2005-02-08 13:19 -------- d-----w- c:\program files\Yahoo!
2010-08-14 01:48 . 2006-11-17 20:04 -------- d-----w- c:\program files\PokerStars
2010-08-13 15:39 . 2005-02-07 15:44 -------- d-----w- c:\program files\UltraVNC
2010-08-11 15:24 . 2005-01-08 03:09 -------- d-----w- c:\program files\Java
2010-08-05 13:43 . 2008-06-11 13:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Common Files\Java
2010-07-28 16:53 . 2005-01-22 03:54 -------- d-----w- c:\program files\HP
2010-07-07 19:38 . 2010-07-07 19:38 137216 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll
2010-07-07 19:38 . 2010-07-07 19:38 339968 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll
2010-07-07 19:38 . 2010-07-07 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner
2010-07-01 02:59 . 2009-10-27 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-30 12:31 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 14:38 . 2009-05-08 16:00 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 14:38 . 2010-06-22 14:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 14:37 . 2009-05-08 16:00 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-21 15:27 . 2004-08-04 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-05-31 14:49 . 2008-05-25 15:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
1998-05-15 05:00 . 2005-02-27 23:58 73184 -c--a-w- c:\program files\Common Files\dao2535.tlb
1998-04-27 05:00 . 2005-02-27 23:58 570128 ----a-w- c:\program files\Common Files\Dao350.dll
2002-08-01 00:55 . 2009-10-16 20:39 108 -csh--w- c:\windows\WSYS049.SYS
2005-04-10 17:36 . 2005-02-01 02:30 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-08-11_14.11.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-16 18:45 . 2010-08-16 18:45 16384 c:\windows\temp\Perflib_Perfdata_898.dat
+ 2010-08-15 17:13 . 2010-08-15 17:13 17408 c:\windows\ASSEMBLY\GAC_32\DroidExplorer.ShellExtension\0.8.7.1__931a9d34e4cfb6db\DroidExplorer.ShellExtension.dll
+ 2010-08-15 17:13 . 2010-08-15 17:13 3064320 c:\windows\Installer\1f05f7.msi
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-03-24 22:05 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
2007-03-24 22:05 . 2004-10-14 20:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

2007-01-30 21:57 . 2007-01-12 23:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-09 12:43 . 2007-06-20 16:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2007-05-08 21:24 . 2007-05-08 21:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2004-02-12 18:38 . 2004-02-12 18:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2006-03-08 17:23 . 2007-12-20 04:06 579072 c:\qoobox\Quarantine\C\Program Files\Grisoft\AVG7\bak\avgcc.exe.vir

2005-12-05 17:23 . 2007-12-20 04:06 406528 c:\qoobox\Quarantine\C\Program Files\Grisoft\AVG7\bak\avgemc.exe.vir

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Palladium Tan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 16:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\PCCW\\Pccw.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Nichesoft\\TanTrack\\TanTrack.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/8/2009 11:00 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/8/2009 11:00 AM 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 9:37 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 9:38 AM 308136]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
R2 Esdpdx01;Esdpdx01;c:\windows\SYSTEM32\DRIVERS\ESDPDX01.SYS [12/25/2003 1:00 PM 95485]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [4/12/2006 4:36 AM 23552]
R3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\SYSTEM32\DRIVERS\TMUSBXP.SYS [12/27/2003 1:00 AM 40320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 DroidExplorerService;DroidExplorer Service;c:\program files\Droid Explorer\DroidExplorer.Service.exe [8/1/2010 12:20 PM 253952]
S3 MagEpNt;MagEpNt;c:\windows\SYSTEM32\DRIVERS\magepnt.sys [2/27/2005 6:58 PM 26304]
S3 Revoflt;Revoflt;c:\windows\SYSTEM32\DRIVERS\revoflt.sys [8/12/2010 8:02 PM 27064]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-558789043-3926735607-631273063-1005Core.job
- c:\documents and settings\Palladium Tan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-15 14:44]

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-558789043-3926735607-631273063-1005UA.job
- c:\documents and settings\Palladium Tan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-15 14:44]

2010-08-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?r998=1239739352
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\EpStsSrv.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\OpenVPN\bin\openvpnserv.exe
c:\windows\system32\ESDUSBMon.EXE
c:\program files\OpenVPN\bin\openvpn.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\windows\system32\fxssvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-16 13:49:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-16 18:49
ComboFix2.txt 2010-08-11 14:57
ComboFix3.txt 2010-08-11 14:15
ComboFix4.txt 2010-08-10 16:50
ComboFix5.txt 2010-08-16 18:14

Pre-Run: 55,124,185,088 bytes free
Post-Run: 55,130,316,800 bytes free

- - End Of File - - B389E261516EB0C9F76CC0EAF463F3F0
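An added example, written for this page rather than by anyone in the thread: it reads the two sections of the ComboFix log above that matter most for a redirect case and reports what a responder would check first. The AWF section lists each auto-start executable next to the copy ComboFix found in a `bak\` folder beside it; the firewall keys list which programs and ports the XP firewall lets in. The embedded excerpt is copied from the log above with only the section headers shortened. The port-to-service names are the standard assignments for those ports, not something the log itself states, and a size mismatch between a live file and its `bak\` copy is a reason to hash and check the file against the vendor's release, not proof that it is hostile.

```python
"""Added example: extract the AWF file pairs and the firewall exceptions from a
ComboFix log.  LOG_EXCERPT is copied from the log above, headers shortened."""
import re

LOG_EXCERPT = r"""
((((( AWF )))))
.
2007-03-24 22:05 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
2007-03-24 22:05 . 2004-10-14 20:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

2007-01-30 21:57 . 2007-01-12 23:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-09 12:43 . 2007-06-20 16:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2007-05-08 21:24 . 2007-05-08 21:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2004-02-12 18:38 . 2004-02-12 18:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

.
((((( Reg Loading Points )))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"""

# AWF line: <created> . <modified> <size> <path>
AWF_LINE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\d+) (.+)$")
PORT_LINE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
APP_LINE = re.compile(r'^"(.+)"=')

# Standard service assignments for the ports in the log (not stated by the log).
REMOTE_ACCESS_PORTS = {5900: "VNC", 3389: "Remote Desktop", 1723: "PPTP VPN",
                       1701: "L2TP VPN", 500: "IPsec IKE"}


def parse_awf(text):
    """{live_path: {'live': size, 'bak': size}}, pairing each executable
    ComboFix listed under AWF with the copy in its bak\\ folder."""
    pairs, in_awf = {}, False
    for line in text.splitlines():
        if line.startswith("(("):          # section header
            if in_awf:
                break                      # left the AWF section
            in_awf = "AWF" in line
            continue
        m = AWF_LINE.match(line) if in_awf else None
        if m:
            size, path = int(m.group(3)), m.group(4).lower()
            role = "bak" if "\\bak\\" in path else "live"
            pairs.setdefault(path.replace("\\bak\\", "\\"), {})[role] = size
    return pairs


def awf_size_mismatches(pairs):
    """Live files whose size differs from the bak copy beside them: the ones
    to hash and compare against the vendor build before trusting either copy."""
    return sorted(p for p, s in pairs.items()
                  if "live" in s and "bak" in s and s["live"] != s["bak"])


def parse_firewall(text):
    """(authorized_apps, open_ports) from the standardprofile firewall keys."""
    apps, ports, section = [], [], None
    for line in text.splitlines():
        if line.startswith("["):
            key = line.lower()
            section = ("apps" if "authorizedapplications" in key
                       else "ports" if "globallyopenports" in key else None)
        elif section == "apps":
            m = APP_LINE.match(line)
            if m:                          # registry export doubles backslashes
                apps.append(m.group(1).replace("\\\\", "\\"))
        elif section == "ports":
            m = PORT_LINE.match(line)
            if m:
                ports.append((int(m.group(1)), m.group(2), m.group(3)))
    return apps, ports


def remote_access_exposure(text):
    """Open firewall ports that admit remote-control or VPN sessions."""
    _, ports = parse_firewall(text)
    return [(p, proto, REMOTE_ACCESS_PORTS[p]) for p, proto, _ in ports
            if p in REMOTE_ACCESS_PORTS]


if __name__ == "__main__":
    pairs = parse_awf(LOG_EXCERPT)
    for p in awf_size_mismatches(pairs):
        print(f"size differs from bak copy: {p} {pairs[p]}")
    for port, proto, svc in remote_access_exposure(LOG_EXCERPT):
        print(f"firewall opens {port}/{proto} ({svc})")
```

Run against the log above this reports g2svc.exe and hpwuSchd2.exe as differing from their `bak\` copies (smax4pnp.exe matches) and VNC, Remote Desktop and the PPTP/L2TP/IKE VPN ports as open inbound, with FTP.EXE and GoToMyPC also allowed through. Together with the UltraVNC folder, the OpenVPN processes and the DynDNS updater mentioned earlier in the thread, that is several separate paths into this machine from outside, which is worth accounting for before deciding what the redirect is.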

#57 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
AWF::
c:\program files\Analog Devices\Core\bak\smax4pnp.exe
c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

Suspect::[100]
c:\windows\Installer\1f05f7.msi

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • 0

#58
paltan

paltan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 50 posts



ComboFix 10-08-15.04 - Palladium Tan 08/16/2010 14:15:50.12.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1996 [GMT -5:00]
Running from: c:\documents and settings\Palladium Tan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Palladium Tan\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\Installer\1f05f7.msi
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.

2010-08-16 15:17 . 2010-08-16 15:17 -------- d-----w- c:\documents and settings\Palladium Tan\Local Settings\Application Data\PCHealth
2010-08-15 17:14 . 2010-08-15 17:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\DroidExplorer
2010-08-15 17:13 . 2010-08-15 17:13 1868800 ----a-r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{4B745BD6-9AEE-49CF-9DA3-B1BEF136AD71}\AppIcon.exe
2010-08-15 17:13 . 2010-08-15 17:14 -------- d-----w- c:\program files\Droid Explorer
2010-08-15 14:44 . 2010-08-15 14:45 -------- d-----w- c:\documents and settings\Palladium Tan\Local Settings\Application Data\Temp
2010-08-14 01:48 . 2010-08-14 01:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-13 15:09 . 2010-08-13 15:09 -------- d-----w- c:\documents and settings\Palladium Tan\DoctorWeb
2010-08-13 01:02 . 2010-08-13 01:02 -------- d-----w- c:\documents and settings\Palladium Tan\Local Settings\Application Data\VS Revo Group
2010-08-13 01:02 . 2009-12-30 17:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-08-13 01:02 . 2010-08-13 01:02 -------- d-----w- c:\program files\VS Revo Group
2010-08-12 18:24 . 2010-08-12 18:24 -------- d-----w- C:\_OTL
2010-08-07 01:34 . 2010-08-07 01:34 -------- d-----w- c:\program files\CCleaner
2010-08-06 22:27 . 2010-08-13 20:21 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-06 22:26 . 2010-08-07 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-06 22:26 . 2010-08-06 22:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-06 20:26 . 2010-08-06 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-06 16:51 . 2010-08-06 16:51 388096 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-05 23:43 . 2010-08-05 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-08-05 23:42 . 2010-08-06 15:44 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-08-05 14:30 . 2010-08-05 14:30 -------- d-----w- c:\program files\Trend Micro
2010-08-05 02:40 . 2010-08-05 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-05 02:35 . 2010-08-05 02:39 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\GetRightToGo
2010-08-05 01:23 . 2010-08-05 01:23 503808 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcp71.dll
2010-08-05 01:23 . 2010-08-05 01:23 499712 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\jmc.dll
2010-08-05 01:23 . 2010-08-05 01:23 348160 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcr71.dll
2010-08-05 01:23 . 2010-08-05 01:23 61440 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-sse.dll
2010-08-05 01:23 . 2010-08-05 01:23 12800 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-d3d.dll
2010-08-05 01:23 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 16:53 . 2010-07-28 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-07-28 16:46 . 2010-07-28 17:34 104247 ----a-w- c:\windows\hpoins04.dat
2010-07-28 16:46 . 2004-06-22 15:04 17176 ------w- c:\windows\hpomdl04.dat
2010-07-28 16:45 . 2004-06-22 15:05 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-07-28 16:45 . 2004-06-22 15:05 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\temp\FixEngine
2010-07-28 16:23 . 2010-07-28 16:23 10134 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2010-07-28 16:10 . 2010-07-28 16:10 -------- d-----w- c:\program files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 19:14 . 2005-02-27 23:58 -------- d-----w- c:\program files\PCCW
2010-08-16 15:50 . 2005-02-08 13:19 -------- d-----w- c:\program files\Yahoo!
2010-08-14 01:48 . 2006-11-17 20:04 -------- d-----w- c:\program files\PokerStars
2010-08-13 15:39 . 2005-02-07 15:44 -------- d-----w- c:\program files\UltraVNC
2010-08-11 15:24 . 2005-01-08 03:09 -------- d-----w- c:\program files\Java
2010-08-05 13:43 . 2008-06-11 13:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Common Files\Java
2010-07-28 16:53 . 2005-01-22 03:54 -------- d-----w- c:\program files\HP
2010-07-07 19:38 . 2010-07-07 19:38 137216 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll
2010-07-07 19:38 . 2010-07-07 19:38 339968 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll
2010-07-07 19:38 . 2010-07-07 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner
2010-07-01 02:59 . 2009-10-27 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-30 12:31 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 14:38 . 2009-05-08 16:00 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 14:38 . 2010-06-22 14:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 14:37 . 2009-05-08 16:00 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-21 15:27 . 2004-08-04 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-05-31 14:49 . 2008-05-25 15:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
1998-05-15 05:00 . 2005-02-27 23:58 73184 -c--a-w- c:\program files\Common Files\dao2535.tlb
1998-04-27 05:00 . 2005-02-27 23:58 570128 ----a-w- c:\program files\Common Files\Dao350.dll
2002-08-01 00:55 . 2009-10-16 20:39 108 -csh--w- c:\windows\WSYS049.SYS
2005-04-10 17:36 . 2005-02-01 02:30 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-03-24 22:05 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
2007-03-24 22:05 . 2004-10-14 20:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

2007-01-30 21:57 . 2007-01-12 23:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-09 12:43 . 2007-06-20 16:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2007-05-08 21:24 . 2007-05-08 21:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2004-02-12 18:38 . 2004-02-12 18:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2006-03-08 17:23 . 2007-12-20 04:06 579072 c:\qoobox\Quarantine\C\Program Files\Grisoft\AVG7\bak\avgcc.exe.vir

2005-12-05 17:23 . 2007-12-20 04:06 406528 c:\qoobox\Quarantine\C\Program Files\Grisoft\AVG7\bak\avgemc.exe.vir

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Palladium Tan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 16:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\PCCW\\Pccw.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Nichesoft\\TanTrack\\TanTrack.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/8/2009 11:00 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/8/2009 11:00 AM 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 9:37 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 9:38 AM 308136]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
R2 Esdpdx01;Esdpdx01;c:\windows\SYSTEM32\DRIVERS\ESDPDX01.SYS [12/25/2003 1:00 PM 95485]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [4/12/2006 4:36 AM 23552]
R3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\SYSTEM32\DRIVERS\TMUSBXP.SYS [12/27/2003 1:00 AM 40320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 DroidExplorerService;DroidExplorer Service;c:\program files\Droid Explorer\DroidExplorer.Service.exe [8/1/2010 12:20 PM 253952]
S3 MagEpNt;MagEpNt;c:\windows\SYSTEM32\DRIVERS\magepnt.sys [2/27/2005 6:58 PM 26304]
S3 Revoflt;Revoflt;c:\windows\SYSTEM32\DRIVERS\revoflt.sys [8/12/2010 8:02 PM 27064]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-558789043-3926735607-631273063-1005Core.job
- c:\documents and settings\Palladium Tan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-15 14:44]

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-558789043-3926735607-631273063-1005UA.job
- c:\documents and settings\Palladium Tan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-15 14:44]

2010-08-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?r998=1239739352
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 14:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(2524)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\netdde.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\EpStsSrv.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\OpenVPN\bin\openvpnserv.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\OpenVPN\bin\openvpn.exe
c:\windows\system32\ESDUSBMon.EXE
c:\windows\system32\fxssvc.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-16 14:24:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-16 19:24
ComboFix2.txt 2010-08-16 18:49
ComboFix3.txt 2010-08-11 14:57
ComboFix4.txt 2010-08-11 14:15
ComboFix5.txt 2010-08-16 19:14

Pre-Run: 55,088,705,536 bytes free
Post-Run: 55,120,564,224 bytes free

- - End Of File - - CCD55D30FEC7F165C777C17EBB3A8C12
  • 0

#59
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

VirusTotal File Scan
Please go to: VirusTotal
  • Posted Image
  • Click the Browse button and search for the following file: c:\program files\HP\HP Software Update\hpwuSchd2.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please repeat the above process for the following files:
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\program files\Analog Devices\Core\smax4pnp.exe

Please post the results in your next reply
  • 0
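The AWF section of the ComboFix log above lists, for each autostart executable, a second copy in a "bak" sub-folder beside it, and the VirusTotal request that follows asks for the live copies to be checked one by one. The script below is an added example written for this page, not ComboFix's own code and not anything the helpers in this thread posted. It parses the AWF lines and the HKLM Run key exactly as ComboFix printed them (the sample input is copied from the log in the post above), pairs each bak copy with the live file, reports which pairs differ in size and which live files are autostarted, and computes a SHA-256 so each file can be searched on VirusTotal by hash before bothering with an upload. The log-line format is assumed from the one log on this page; ComboFix does not document it. A size mismatch is only a reason to hash and check the live file, not proof of infection: a normal vendor update also leaves a differently sized old copy behind, and the dates on the g2svc.exe pair are consistent with that.

```python
import hashlib
import re

# Constructed sample input: the AWF section and the HKLM Run key copied from
# the ComboFix log posted in this thread (paths, dates and sizes as shown).
AWF_SECTION = r"""
2007-03-24 22:05 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
2007-03-24 22:05 . 2004-10-14 20:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

2007-01-30 21:57 . 2007-01-12 23:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-09 12:43 . 2007-06-20 16:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2007-05-08 21:24 . 2007-05-08 21:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2004-02-12 18:38 . 2004-02-12 18:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
"""

RUN_KEY = r"""
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"""

# Line shapes assumed from the one log on this page:
#   <mtime> . <ctime> <size> <path>           (AWF / Find3M style)
#   "<value name>"="<exe path>" [<date> <size>]  (Reg Loading Points style)
AWF_LINE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\d+) (.+)$")
RUN_LINE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\S+) (\d+)\]$')


def parse_awf(section):
    """Return {normalised live path: {'bak': (size, path), 'live': (size, path)}}."""
    pairs = {}
    for line in section.splitlines():
        m = AWF_LINE.match(line.strip())
        if not m:
            continue
        size, path = int(m.group(3)), m.group(4)
        # The displaced copy sits in a 'bak' sub-folder next to the file that
        # is actually loaded, so dropping '\bak\' yields the live path as key.
        key = re.sub(r"\\bak\\", r"\\", path, flags=re.IGNORECASE).lower()
        role = "bak" if key != path.lower() else "live"
        pairs.setdefault(key, {})[role] = (size, path)
    return pairs


def parse_run_key(section):
    """Return {lowercased exe path: Run value name} for each autostart entry."""
    entries = {}
    for line in section.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries[m.group(2).lower()] = m.group(1)
    return entries


def awf_findings(awf_section, run_section):
    """One record per bak/live pair, in path order. 'size_match' False means the
    two copies differ; 'autostart' is the Run value that launches the live file."""
    run = parse_run_key(run_section)
    findings = []
    for key, roles in sorted(parse_awf(awf_section).items()):
        if "bak" not in roles or "live" not in roles:
            continue  # an unpaired line cannot be compared
        bak_size, _ = roles["bak"]
        live_size, live_path = roles["live"]
        findings.append({
            "live": live_path,
            "bak_size": bak_size,
            "live_size": live_size,
            "size_match": bak_size == live_size,
            "autostart": run.get(key),  # None if nothing in Run launches it
        })
    return findings


def files_to_check(findings):
    """Live files worth hashing: anything autostarted, plus any pair whose
    sizes disagree. The live copy is what actually runs at logon."""
    return [f["live"] for f in findings if f["autostart"] or not f["size_match"]]


def sha256_bytes(data):
    """SHA-256 hex digest; VirusTotal can be searched by this value."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path, chunk=1 << 20):
    """Hash a file on disk in chunks so large executables are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    report = awf_findings(AWF_SECTION, RUN_KEY)
    for f in report:
        flag = "same size" if f["size_match"] else "SIZE DIFFERS"
        print(f"{f['live']}: bak={f['bak_size']} live={f['live_size']} ({flag}); autostart={f['autostart']}")
    print("hash these (sha256_of) and search the digest on VirusTotal:")
    for p in files_to_check(report):
        print("  ", p)
```

On the sample from this thread all three live files are autostarted, so all three end up on the check list even though smax4pnp.exe's two copies are the same size; the size column only tells you which pairs to look at first. Run `sha256_of(path)` on the real machine and search the digest on VirusTotal; only upload the file if the hash has never been seen.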

#60
paltan

paltan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 50 posts

The page will not come up, I get a message "http 404 not found"
  • 0