Jump to content

Internet Search Engine Redirect Virus

Recommended Posts


When I type a search word or phrase in Google I get a list of proposed website, and then when I click on one of the listed websites, instead of goiing to that website, I am sent to a similar website (jump or redirect) that offers additional search services for the same word or phrase. This is also happening with yahoo and bing searches. Removed IE 7 version and uploaded IE 8 to attempt to correct. Still have issue. Found your websit and would appreciate any assistance, if possible.

I have followed inital instructions per your intro thread - "I'm infected - What do I do now?

mbam - no files detected

DeFogger - disabled

DSS - downloaded and logs attached

GMER - downloaded - results noted no virus found (the only check boxes check prior to scanning was Files and subfolder C:/ - not sure if that was the correct set up prior to running the scan) as such the ark.txt has nothing in it.

Thank you in advance for your assistance.

Below is the mbam log followed by the dss log. The compressed Attach.txt is also provided as an attachment


Malwarebytes' Anti-Malware 1.46


Database version: 4323

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/18/2010 1:33:59 AM

mbam-log-2010-07-18 (01-33-59).txt

Scan type: Quick scan

Objects scanned: 134822

Time elapsed: 25 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


DSS Log is as follows:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Administrator at 1:49:23.35 on Sun 07/18/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.31 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs


C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe


C:\Program Files\AVG\AVG9\avgcsrvx.exe



C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe



C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe



C:\Program Files\VTech\Whiz Kid\System\WhizKidTray.exe




C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\iPod\bin\iPodService.exe


C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [71900Tray] c:\program files\vtech\whiz kid\system\WhizKidTray.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Vrudobubobo] rundll32.exe "c:\windows\mhet50.dll",Startup

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://pbskids.org/barney/children/games/featured_game.html"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe

mRun: [srmclean] c:\cpqs\scom\srmclean.exe

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [JPJWatcher] c:\programdata\mattel\watcher\jpjwatcher.exe

mRun: [Ywofibazukoho] rundll32.exe "c:\windows\olifucize.dll",Startup

dRunOnce: [RunNarrator] Narrator.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: intuit.com\ttlc

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {50564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232210071593

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232210057156

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-31 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-2 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-31 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921440]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\drivers\adsfilter.sys --> c:\windows\system32\drivers\ADSFilter.sys [?]

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-6-19 18560]

=============== Created Last 30 ================

2010-07-18 06:36:13 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-07-18 04:43:08 0 d-sh--w- c:\documents and settings\administrator\IECompatCache

2010-07-18 04:33:37 0 d-sh--w- c:\documents and settings\administrator\PrivacIE

2010-07-18 04:32:28 0 d-sh--w- c:\documents and settings\administrator\IETldCache

2010-07-18 04:27:14 0 dc-h--w- c:\windows\ie8

2010-07-16 22:26:18 172 ----a-w- c:\windows\system32\MRT.INI

2010-07-16 02:41:53 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-15 14:11:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-01 03:31:31 0 d-----w- c:\docume~1\alluse~1\applic~1\MightyPlay

2010-07-01 03:31:31 0 d-----w- c:\docume~1\admini~1\applic~1\MightyPlay

2010-07-01 03:28:37 0 d-----w- C:\ProgramData

==================== Find3M ====================

2010-07-15 14:11:42 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 14:10:03 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

============= FINISH: 1:52:42.76 ===============


Link to post
Share on other sites

Hello vortre

Welcome to Malwarebytes.


One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following


Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose extract all extract the file to your desktop then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log


Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

No problem you should be noticing a difference already as the rootkit has been removed.

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.


* Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Link to post
Share on other sites

Mbam complete

Two side notes ... not sure if this is pertinent to our work

1) the previous search engine redirects were not consistently occuring... it appears more random... every 2nd or 3rd generic search

2) using Lynks wireless G router too.

Log is as follows:

Malwarebytes' Anti-Malware 1.46


Database version: 4323

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/18/2010 2:11:46 PM

mbam-log-2010-07-18 (14-11-46).txt

Scan type: Quick scan

Objects scanned: 126364

Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

completed @ 25 searches ... didn't seem to redirect

Then went through Eset instructions ... go throught to second step when Eset is initializing gives an apparent error notice "cannot get update. is proxy configured?" not sure what that means.

Link to post
Share on other sites


That is not a problem sometimes the online scanners don't work right try the followin:

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Link to post
Share on other sites

in and running Kaspersky...

Also prompted about updating Java... from Java 6 update 17 to Java 6 update 20... did that concurrently... however I will not run the update until Kaspersky is complet and log obtained.

Unfortunatly I have to go off-line again till after @ 9 CST. May be able to make a short post b/t then.

I respect your time and apologize for the inconvienence.

Thank you for your time and assistance.

Link to post
Share on other sites

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\29\47c98add-29356c81
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\77b0d7ae-248ec374

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

Link to post
Share on other sites

Last night - i updated to Java Version 6 Update 21....

This morining as instructed completed the ComboFix..... attached please find log


ComboFix 10-07-18.03 - Administrator 07/19/2010 7:47.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.295 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}


"c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\29\47c98add-29356c81"

"c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\77b0d7ae-248ec374"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\29\47c98add-29356c81

c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\77b0d7ae-248ec374



((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))


2010-07-19 03:25 . 2010-06-22 09:36 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-19 03:12 . 2010-07-19 03:12 -------- d-----w- c:\windows\ie8updates

2010-07-19 03:09 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-07-19 03:09 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-07-19 03:09 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-07-18 19:36 . 2010-07-18 19:36 -------- d-----w- c:\program files\ESET

2010-07-18 04:43 . 2010-07-18 04:43 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2010-07-18 04:41 . 2010-07-18 04:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-18 04:33 . 2010-07-18 04:33 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-07-18 04:32 . 2010-07-18 04:32 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-07-18 04:27 . 2010-07-18 04:28 -------- dc-h--w- c:\windows\ie8

2010-07-16 22:18 . 2010-07-17 20:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\xnimexjaa

2010-07-16 02:41 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-15 14:11 . 2010-07-15 14:11 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-01 03:31 . 2010-07-01 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\MightyPlay

2010-07-01 03:31 . 2010-07-01 03:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\MightyPlay

2010-07-01 03:28 . 2010-07-01 03:28 -------- d-----w- C:\ProgramData


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2010-07-19 12:37 . 2010-06-18 13:10 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat

2010-07-19 12:32 . 2007-11-21 12:29 -------- d-----w- c:\program files\Common Files\Java

2010-07-19 12:32 . 2007-11-21 12:29 -------- d-----w- c:\program files\Java

2010-07-19 03:26 . 2010-07-19 03:26 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-643fec65-n\msvcp71.dll

2010-07-19 03:26 . 2010-07-19 03:26 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c6d53f6-n\decora-d3d.dll

2010-07-19 03:26 . 2010-07-19 03:26 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-643fec65-n\jmc.dll

2010-07-19 03:26 . 2010-07-19 03:26 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c6d53f6-n\decora-sse.dll

2010-07-19 03:26 . 2010-07-19 03:26 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-643fec65-n\msvcr71.dll

2010-07-17 00:16 . 2010-04-25 05:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-15 14:12 . 2010-07-15 14:12 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-07-15 14:12 . 2010-07-15 14:12 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-07-15 14:11 . 2009-04-01 02:12 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 14:10 . 2009-04-01 02:12 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-15 14:09 . 2010-07-15 14:09 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe

2010-07-15 14:09 . 2010-07-15 14:09 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-07-15 14:09 . 2010-07-15 14:09 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-07-15 14:09 . 2010-07-15 14:09 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2010-06-30 01:44 . 2010-07-18 20:02 922400 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\JRERunOnce.exe

2010-06-02 13:41 . 2008-08-02 19:10 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-06 10:41 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2002-08-29 09:14 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 20:39 . 2010-04-25 05:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39 . 2010-04-25 05:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown



"71900Tray"="c:\program files\VTech\Whiz Kid\System\WhizKidTray.exe" [2007-05-11 2170880]


"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]

"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 69632]

"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 485376]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]


"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 14:11 12536 ----a-w- c:\windows\system32\avgrsstx.dll


"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=


"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=


"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/31/2009 9:12 PM 216400]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/31/2009 9:12 PM 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 9:10 AM 921440]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:11 AM 308136]

S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [6/19/2007 2:21 AM 18560]


Contents of the 'Scheduled Tasks' folder

2009-12-19 c:\windows\Tasks\About QuickTime.job

- c:\documents and settings\All Users\Start Menu\Programs\QuickTime\About QuickTime.lnk [2010-01-14 03:35]

2010-07-19 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]

2010-07-01 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 03:18]



------- Supplementary Scan -------


uStart Page = hxxp://www.bing.com/

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: intuit.com\ttlc

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-19 07:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0



--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4169045005-46986899-593284833-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)






--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(7592)









------------------------ Other Running Processes ------------------------


c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe


c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\program files\iPod\bin\iPodService.exe




Completion time: 2010-07-19 08:07:57 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-19 13:07

Pre-Run: 20,895,260,672 bytes free

Post-Run: 21,039,845,376 bytes free

- - End Of File - - D126FB0DBD4AA4A4F09AEE74F19F03BA

Link to post
Share on other sites

Great please delete this folder:

c:\documents and settings\Administrator\Local Settings\Application Data\xnimexjaa


  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.

Delete\uninstall anything else that we have used that is leftover.


After that your all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.