Google and Yahoo redirect
   
BullGuard Antivirus Forum > Virus Removal > Removal Help > Google and Yahoo redirect  

ChuckiesChicken
New Member


Date Joined Oct 2009
Total Posts : 2
 
Posted 10-29-2009 7:42 (GMT +1)
Hello all.
 
It seems I have picked up an infection which makes Google and Yahoo redirect to an ad site OR go to a blank gray screen.  I also noticed the autocomplete/suggest function in the search field stopped working around the same time.  Strangely, searches from Bing.com work fine?  BUT, I want to fix the problem before it becomes a larger issue.
 
Anyway, I have included Hijackthis, Malware Bytes, and Combofix scan logs.  Any help would be appreciated.  Thanks!


File attachments: hijackthis.log (7KB), mbam-log-2009-10-29 (14-26-00).log (1KB), ComboFix.log (23KB)
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 925
 
Posted 10-30-2009 4:10 (GMT +1)
Welcome to BG forums ChuckiesChicken,


I'll need you to post those logs here in your request thread, and then we can review things. You can check other request threads in the forum to see how it is done, if needed.



 

ChuckiesChicken
New Member


Date Joined Oct 2009
Total Posts : 2
 
Posted 10-30-2009 6:30 (GMT +1)
Sorry, I had previously posted them as attachments.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:48, on 10/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MB\MB.exe
C:\Program Files\HijackThese\HijackThese.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0cca191d-13a6-4e29-b746-314dee697d83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3B228FAC-4A35-4945-8E85-E1CA8E0D32C3} (AMMTestCalcDispName.UICalcDispName) - file://ike/AMM3EXT$/Packages/Revision.1/Egide_CalcDispName.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256125593980
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256128117002
O16 - DPF: {726734f8-2c27-4b6f-94fc-153cafa459ba} (AMMExtensionProject.UIExtension) - file://ike/AMM3EXT$/Packages/ChangeRev.dll
O16 - DPF: {8100d56a-5661-482c-bee8-afece305d968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8caf66b1-6fbd-11d4-9ad5-00105a2cdee1} (extEndThumbNail.UIEndThumbnail) - file://ike/AMM3EXT$/Packages/extEndThumbNail.dll
O16 - DPF: {9982718B-34DD-49F9-AF97-9D6C0147B13E} (Egide_CustomerSpec.UICustomerSpec) - file://ike/AMM3EXT$/Packages/Revision.1/Egide_CustomerSpec.cab
O16 - DPF: {A107A5C7-7982-4CCB-B9EE-81DBFEF16C83} (Egide_ECNNumber.UIECNNumber) - file://ike/AMM3EXT$/Packages/Revision.1/Egide_ECNNumber.cab
O16 - DPF: {A6862D90-1293-460B-ABD6-1419CA1DE146} (Egide_PartData.UIPartData) - file://ike/AMM3EXT$/Packages/Revision.1/Egide_PartData.cab
O16 - DPF: {C680530E-E9A4-4414-8480-A05E15261284} (Egide_ProcedureNumber.UIProcedureNumber) - file://ike/AMM3EXT$/Packages/Revision.1/Egide_ProcedureNumber.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA28FC1A-8AA9-4FD1-94F2-46D9EBAE591F} (Egide_PartNumber.UIPartNumber) - file://ike/AMM3EXT$/Packages/Revision.1/Egide_PartNumber.cab
O16 - DPF: {EA2E90D7-963A-4E78-966B-CF3ADAD125B7} (Egide_FixtureNumber.UIFixtureNumber) - file://ike/AMM3EXT$/Packages/Revision.1/Egide_FixtureNumber.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = enet.local
O17 - HKLM\Software\..\Telephony: DomainName = enet.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{94829590-5DEC-4269-AAE4-7004CB9AC790}: NameServer = 77.74.48.113
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = enet.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = enet.local
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk Inc - C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - - C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe

--
End of file - 6735 bytes



Malwarebytes' Anti-Malware 1.41
Database version: 3052
Windows 5.1.2600 Service Pack 3

10/29/2009 2:26:13 PM
mbam-log-2009-10-29 (14-26-00).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 231539
Time elapsed: 20 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\cleanup.exe.vir (Trojan.Banker) -> No action taken.



ComboFix 09-10-28.08 - user 10/29/2009 13:36.9.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1619 [GMT -4:00]
Running from: c:\documents and settings\user.ENET\Desktop\123.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 16:38 . 2004-08-04 09:00 3584 ----a-w- c:\windows\system32\editreg32.exe
2009-10-29 15:01 . 2009-10-29 15:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-29 15:01 . 2009-10-29 15:01 -------- d-----w- c:\program files\Java
2009-10-29 11:59 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 11:59 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 11:59 . 2009-10-29 11:59 -------- d-----w- c:\program files\MB
2009-10-29 11:06 . 2009-10-29 11:07 -------- d-----w- C:\12338591
2009-10-28 13:37 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-28 13:37 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-28 13:24 . 2009-10-28 13:24 -------- d-----w- C:\123
2009-10-27 15:20 . 2009-10-27 15:20 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-21 12:40 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-21 12:40 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-21 12:36 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-10-21 12:35 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-10-21 12:32 . 2009-06-25 08:25 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-21 12:32 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-10-21 12:32 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-10-21 12:32 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-21 12:32 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-10-21 12:32 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-10-21 12:32 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-21 12:32 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-10-21 12:32 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-10-21 12:32 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-21 12:32 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-10-01 14:51 . 2009-10-01 14:51 -------- d-----w- C:\FOUND.027

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 16:52 . 2009-09-28 15:03 3680 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-29 16:52 . 2009-09-28 15:03 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-29 16:52 . 2009-09-28 15:03 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-29 16:52 . 2009-09-28 15:03 16672 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-29 14:59 . 2009-04-01 21:02 666128 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-19 12:18 . 2007-12-04 20:15 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-19 12:18 . 2007-12-04 20:15 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-28 14:53 . 2009-09-28 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-28 14:33 . 2009-09-28 14:32 -------- d-----w- c:\program files\VS Revo Group
2009-09-28 11:55 . 2009-09-28 11:55 -------- d-----w- c:\program files\hebyvf
2009-09-21 12:27 . 2009-09-21 12:27 -------- d-----w- c:\program files\kcdthh
2009-09-16 11:16 . 2009-09-16 11:16 17708 ----a-w- c:\documents and settings\All Users\Application Data\abisi.dat
2009-09-16 11:16 . 2009-09-16 11:16 16405 ----a-w- c:\program files\Common Files\kapexaha.pif
2009-09-16 11:16 . 2009-09-16 11:16 15358 ----a-w- c:\documents and settings\All Users\Application Data\egynaq.bin
2009-09-16 11:16 . 2009-09-16 11:16 15187 ----a-w- c:\windows\alecu.sys
2009-09-16 11:16 . 2009-09-16 11:16 10182 ----a-w- c:\documents and settings\All Users\Application Data\sezoke.com
2009-09-15 13:04 . 2009-09-15 13:04 17790 ----a-w- c:\program files\Common Files\wabo.sys
2009-09-15 13:04 . 2009-09-15 13:04 16866 ----a-w- c:\documents and settings\All Users\Application Data\imyfenasoz.dat
2009-09-11 14:18 . 2004-08-04 09:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 12:15 . 2009-09-10 12:15 19597 ----a-w- c:\program files\Common Files\ajugabu.pif
2009-09-10 12:15 . 2009-09-10 12:15 17967 ----a-w- c:\documents and settings\user.ENET\Local Settings\Application Data\nihynocage.sys
2009-09-10 12:15 . 2009-09-10 12:15 16859 ----a-w- c:\program files\Common Files\mukirugoqa.lib
2009-09-10 12:15 . 2009-09-10 12:15 16715 ----a-w- c:\windows\system32\bewe.pif
2009-09-10 12:15 . 2009-09-10 12:15 16387 ----a-w- c:\documents and settings\user.ENET\Application Data\dinawygibi.bin
2009-09-10 12:15 . 2009-09-10 12:15 13750 ----a-w- c:\documents and settings\user.ENET\Local Settings\Application Data\palasi.dll
2009-09-10 12:15 . 2009-09-10 12:15 13028 ----a-w- c:\windows\vaduwymixi.sys
2009-09-10 12:15 . 2009-09-10 12:15 12410 ----a-w- c:\documents and settings\user.ENET\Application Data\jevo.dat
2009-09-04 21:03 . 2004-08-04 09:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 12:19 . 2009-09-01 12:19 19248 ----a-w- c:\windows\supakimaf.com
2009-09-01 12:19 . 2009-09-01 12:19 18248 ----a-w- c:\program files\Common Files\rasy.com
2009-09-01 12:19 . 2009-09-01 12:19 16230 ----a-w- c:\documents and settings\All Users\Application Data\ytexora.sys
2009-09-01 12:19 . 2009-09-01 12:19 10800 ----a-w- c:\windows\roca.pif
2009-08-29 08:08 . 2005-07-02 22:11 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 09:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-12 12:20 . 2009-08-12 12:20 17791 ----a-w- c:\windows\system32\niror.dll
2009-08-12 12:20 . 2009-08-12 12:20 13408 ----a-w- c:\program files\Common Files\esezifekub.ban
2009-08-12 12:20 . 2009-08-12 12:20 12942 ----a-w- c:\windows\hupy.bin
2009-08-12 12:20 . 2009-08-12 12:20 11933 ----a-w- c:\documents and settings\user.ENET\Application Data\yneqimezuc.scr
2009-08-12 12:20 . 2009-08-12 12:20 11090 ----a-w- c:\program files\Common Files\araneci.dat
2009-08-05 09:01 . 2004-08-04 09:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-03-01 20:57 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2005-03-01 20:34 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2007-07-01 03:48 . 2007-07-01 03:48 783 ----a-w- c:\program files\readme.txt
1999-12-31 23:00 . 1999-12-31 23:00 23 --sh--r- c:\windows\mtlid64s2.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-10-28_13.41.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-29 15:01 . 2009-10-29 15:01 149280 c:\windows\system32\javaws.exe
+ 2009-10-29 15:01 . 2009-10-29 15:01 145184 c:\windows\system32\javaw.exe
+ 2009-10-29 15:01 . 2009-10-29 15:01 145184 c:\windows\system32\java.exe
+ 2007-06-07 18:20 . 2009-10-29 12:58 3817472 c:\windows\Installer\2fb0b685.msi
- 2007-06-07 18:20 . 2009-10-28 13:10 3817472 c:\windows\Installer\2fb0b685.msi
+ 2009-10-29 15:01 . 2009-10-29 15:01 1757696 c:\windows\Installer\195d5.msi
+ 2009-10-29 12:43 . 2009-10-02 15:01 25198016 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-29 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-08-17 90112]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3892104655-1871359474-3685075853-1170\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3892104655-1871359474-3685075853-1178\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3892104655-1871359474-3685075853-1215\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3892104655-1871359474-3685075853-1342\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3892104655-1871359474-3685075853-1373\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3892104655-1871359474-3685075853-1374\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3892104655-1871359474-3685075853-1375\Scripts\Logon\0\0]
"Script"=logon.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"klnagent"=2 (0x2)
"AVP"=3 (0x3)
"aawservice"=2 (0x2)
"RoxLiveShare9"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/4/2007 2:58 PM 24344]
S1 16ed31e4;16ed31e4;c:\windows\system32\drivers\16ed31e4.sys --> c:\windows\system32\drivers\16ed31e4.sys [?]
S1 209c0839;209c0839;c:\windows\system32\drivers\209c0839.sys --> c:\windows\system32\drivers\209c0839.sys [?]
S1 c621abe5;c621abe5;c:\windows\system32\drivers\c621abe5.sys --> c:\windows\system32\drivers\c621abe5.sys [?]
S4 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [3/9/2007 6:12 PM 91265]
S4 SQLAgent$AUTODESKVAULT;SQLAgent$AUTODESKVAULT;c:\program files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\At25.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At26.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At27.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At28.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At29.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At30.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At31.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At32.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At33.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At34.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At35.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At36.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At37.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At38.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At39.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At40.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At41.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At42.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At43.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At44.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At45.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At46.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At47.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At48.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At49.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At50.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At51.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At52.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At53.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At54.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At55.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At56.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At57.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At58.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At59.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At60.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At61.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At62.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At63.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At64.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At65.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At66.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At67.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At68.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At69.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At70.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At71.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At72.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At73.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At74.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At75.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At76.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At77.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At78.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At79.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At80.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At81.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At82.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At83.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At84.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At85.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At86.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At87.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At88.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At89.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At90.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At91.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At92.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At93.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At94.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At95.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At96.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At145.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At146.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At147.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At148.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At149.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At150.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At151.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At152.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At153.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At154.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At155.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At156.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At157.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At158.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At159.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At160.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At161.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At162.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At163.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-28 c:\windows\Tasks\At164.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At165.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At166.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At167.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]

2009-10-29 c:\windows\Tasks\At168.job
- c:\windows\system32\b6878821.exe [2008-08-26 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
TCP: {94829590-5DEC-4269-AAE4-7004CB9AC790} = 77.74.48.113
DPF: {3B228FAC-4A35-4945-8E85-E1CA8E0D32C3} - file://ike/AMM3EXT$/Packages/Revision.1/Egide_CalcDispName.cab
DPF: {726734f8-2c27-4b6f-94fc-153cafa459ba} - file://ike/AMM3EXT$/Packages/ChangeRev.dll
DPF: {8caf66b1-6fbd-11d4-9ad5-00105a2cdee1} - file://ike/AMM3EXT$/Packages/extEndThumbNail.dll
DPF: {9982718B-34DD-49F9-AF97-9D6C0147B13E} - file://ike/AMM3EXT$/Packages/Revision.1/Egide_CustomerSpec.cab
DPF: {A107A5C7-7982-4CCB-B9EE-81DBFEF16C83} - file://ike/AMM3EXT$/Packages/Revision.1/Egide_ECNNumber.cab
DPF: {A6862D90-1293-460B-ABD6-1419CA1DE146} - file://ike/AMM3EXT$/Packages/Revision.1/Egide_PartData.cab
DPF: {C680530E-E9A4-4414-8480-A05E15261284} - file://ike/AMM3EXT$/Packages/Revision.1/Egide_ProcedureNumber.cab
DPF: {DA28FC1A-8AA9-4FD1-94F2-46D9EBAE591F} - file://ike/AMM3EXT$/Packages/Revision.1/Egide_PartNumber.cab
DPF: {EA2E90D7-963A-4E78-966B-CF3ADAD125B7} - file://ike/AMM3EXT$/Packages/Revision.1/Egide_FixtureNumber.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 13:40
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,26,94,c7,8e,90,25,ec,43,a5,dc,7b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,26,94,c7,8e,90,25,ec,43,a5,dc,7b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(2116)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-10-29 13:42
ComboFix-quarantined-files.txt 2009-10-29 17:42
ComboFix2.txt 2009-10-29 17:25
ComboFix3.txt 2009-10-29 11:18
ComboFix4.txt 2009-10-28 13:44
ComboFix5.txt 2009-10-29 17:35

Pre-Run: 1,366,392,832 bytes free
Post-Run: 1,351,155,712 bytes free

- - End Of File - - 3774CD53A7881011D3D026DB5567A7D3
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 925
 
Posted 10-30-2009 10:12 (GMT +1)
This appears to be a business-owned system, by the looks of things like domains and logon scripts in use, and so really would require the business IT staff to address things. Other than the repairs we do here being really limited to personal computers, and the tools we use restricted from commercial use by their authors, what I might remove as unknown malware may actually be a legit function of this system's regular business use functions.


