# XP Security 2011 Virus, Google Redirect Virus, and Can't Open EXE files



## sonofagunderson (Mar 26, 2011)

Help ... Computer taken over by XP 2011 Security virus and Google redirect virus. I used SuperANTIspyware to kill it, and it seemed to work, but I couldn't open any exe files. Then a week later the XP 2011 Security virus came back. I can't open the Hijackthis and GMER files because they're exe files, but I've attached the DDS logs. By the way my computer has two user profiles. One has the XP 2011 security virus and google redirect virus, and the one I'm on now hasn't been attacked yet, but I can't open exe files. What do I do?

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by laryza martell at 14:25:47.28 on Sun 03/27/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1435 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\ASTSRV.EXE
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\laryza martell\My Documents\Downloads\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://nytimes.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061106
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Dzatupahogevope] rundll32.exe "c:\windows\irimegedekosubuk.dll",Startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\laryza~1\applic~1\mozilla\firefox\profiles\o60mj8ks.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {C568174D-801F-4479-8D5B-7CC1D5EB2F79} - c:\documents and settings\bruno bier\local settings\application data\{C568174D-801F-4479-8D5B-7CC1D5EB2F79}
FF - Ext: XULRunner: {FBE9C2FC-BAC1-45D6-A074-8BC76ADC30C4} - c:\documents and settings\laryza martell\local settings\application data\{FBE9C2FC-BAC1-45D6-A074-8BC76ADC30C4}
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\docume~1\brunob~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\brunob~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2009-9-2 57344]
R2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\drivers\p1c1394.sys [2009-8-7 23808]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-16 136176]
S3 B-Service;B-Service;c:\documents and settings\bruno bier\application data\mikogo\B-Service.exe [2009-5-23 185640]
.
=============== Created Last 30 ================
.
2011-03-27 16:50:14 388096 -c--a-r- c:\docume~1\laryza~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-27 16:50:12 -------- dc----w- C:\New Folder
2011-03-20 13:52:00 -------- dc----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
.
==================== Find3M ====================
.
2011-03-26 18:55:04 0 -c--a-w- c:\windows\Pkeyi.bin
2011-02-09 13:53:52 270848 -c--a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 -c--a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 -c--a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 -c--a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 -c--a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 -c--a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 -c--a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 14:26:34.43 ===============


----------



## JSntgRvr (Jul 1, 2003)

Hi, and Welcome.

Please download *exeHelper* to your desktop.

Then download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

*Run exeHelper first as follows:*


Double-click on *exeHelper.com* to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of *exehelperlog.txt* in your next reply. (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

*Then run Combofix as follows:*


Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._

*If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton*

-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double-click on *combofix.exe* & follow the prompts.
Install the Recovery Console if prompted.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt"*.
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


----------



## sonofagunderson (Mar 26, 2011)

Here are the exehelperlog and combofix logs:

exeHelper by Raktor
Build 20100414
Run at 21:53:34 on 03/27/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

ComboFix 11-03-27.02 - laryza martell 03/28/2011 7:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1564 [GMT -4:00]
Running from: c:\documents and settings\laryza martell\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\laryza martell\Local Settings\Application Data\{FBE9C2FC-BAC1-45D6-A074-8BC76ADC30C4}
c:\documents and settings\laryza martell\Local Settings\Application Data\{FBE9C2FC-BAC1-45D6-A074-8BC76ADC30C4}\chrome.manifest
c:\documents and settings\laryza martell\Local Settings\Application Data\{FBE9C2FC-BAC1-45D6-A074-8BC76ADC30C4}\chrome\content\_cfg.js
c:\documents and settings\laryza martell\Local Settings\Application Data\{FBE9C2FC-BAC1-45D6-A074-8BC76ADC30C4}\chrome\content\overlay.xul
c:\documents and settings\laryza martell\Local Settings\Application Data\{FBE9C2FC-BAC1-45D6-A074-8BC76ADC30C4}\install.rdf
c:\documents and settings\laryza martell\Local Settings\Application Data\oee.exe
c:\documents and settings\laryza martell\Local Settings\Application Data\wya.exe
c:\windows\irimegedekosubuk.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))
.
.
2011-03-27 16:50 . 2011-03-27 16:50 388096 -c--a-r- c:\documents and settings\laryza martell\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-27 16:50 . 2011-03-27 16:50 -------- dc----w- C:\New Folder
2011-03-20 13:52 . 2011-03-20 13:52 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-11 23:00 270848 -c--a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 23:00 186880 -c--a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 23:11 2067456 -c--a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 23:11 677888 -c--a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 23:00 439296 -c--a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 23:00 290048 -c--a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-11 23:00 1854976 -c--a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-09-13 1384448]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-6 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-4 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PokerStars\\PokerStarsUpdate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\Dell Support\\DSHelp.exe"=
"c:\\Program Files\\PokerStars\\Tracer.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\docume~1\BRUNOB~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\BRUNOB~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [9/2/2009 10:33 AM 57344]
R2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\drivers\p1c1394.sys [8/7/2009 4:43 PM 23808]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 4:03 AM 65536]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/16/2010 10:35 PM 136176]
S3 B-Service;B-Service;c:\documents and settings\bruno bier\Application Data\Mikogo\B-Service.exe [5/23/2009 6:04 PM 185640]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-17 02:35]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-17 02:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://nytimes.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\laryza martell\Application Data\Mozilla\Firefox\Profiles\o60mj8ks.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {C568174D-801F-4479-8D5B-7CC1D5EB2F79} - c:\documents and settings\bruno bier\Local Settings\Application Data\{C568174D-801F-4479-8D5B-7CC1D5EB2F79}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-OE_OEM - c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
HKLM-Run-Dzatupahogevope - c:\windows\irimegedekosubuk.dll
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 07:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'lsass.exe'(1004)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3796)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-03-28 08:01:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-28 12:00
.
Pre-Run: 663,875,584 bytes free
Post-Run: 1,724,997,632 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9F5F0AF9770B95AA7905C8670863EA1F


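The exeHelper log above says it reset the .exe and .com file associations, the Winlogon userinit and shell values and the policies, and the ComboFix log shows the Security Center and firewall overrides switched off. The following is an added example, not part of the thread and not code from exeHelper, ComboFix or DDS: a read-only PowerShell audit that reports whether those locations still hold their stock Windows values and lists the Run entries DDS showed as uRun/mRun, flagging the pattern seen in this thread (rundll32 loading a DLL that sits directly in the Windows directory). It assumes PowerShell is installed and run elevated (XP did not ship it), that `$env:SystemRoot` is the Windows directory, and that the expected-value patterns below are the documented defaults; it changes nothing in the registry.

```powershell
# Added example (not from the thread or any tool it mentions): read-only audit of the
# registry locations that exeHelper reports resetting and the overrides shown in the
# ComboFix log. Assumes elevated PowerShell 2.0+ on Windows; stock-value patterns are
# the documented defaults, with $env:SystemRoot standing in for C:\WINDOWS.

$SystemRoot = $env:SystemRoot

# Name '' means the key's default value. Expect is a regex the stock value must match.
# AbsentOk marks values that may simply not exist on a clean machine.
$checks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = ''
       Expect = '^"%1" %\*$'; AbsentOk = $false
       Why = '.exe association; anything else means every .exe launch is redirected' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command'; Name = ''
       Expect = '^"%1" %\*$'; AbsentOk = $false
       Why = '.com association (exeHelper resets this as well)' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'
       Expect = '^' + [regex]::Escape("$SystemRoot\system32\userinit.exe") + ',?$'; AbsentOk = $false
       Why = 'Userinit; an extra comma-separated entry here runs at every logon' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'
       Expect = '^explorer\.exe$'; AbsentOk = $false
       Why = 'Shell; should be Explorer.exe only' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride'
       Expect = '^0$'; AbsentOk = $true
       Why = 'Security Center AV alerts suppressed (ComboFix log shows dword:1)' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride'
       Expect = '^0$'; AbsentOk = $true
       Why = 'Security Center firewall alerts suppressed (ComboFix log shows dword:1)' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
       Name = 'EnableFirewall'; Expect = '^1$'; AbsentOk = $true
       Why = 'Windows Firewall standard profile disabled (ComboFix log shows 0)' }
)

# Reads one value and classifies it as OK, MISSING or SUSPECT; never writes.
function Test-RegistryCheck {
    param([hashtable]$Check)
    $display = if ($Check.Name -eq '') { '(default)' } else { $Check.Name }
    $key = Get-Item -Path $Check.Path -ErrorAction SilentlyContinue
    $value = if ($key) { $key.GetValue($Check.Name) } else { $null }
    if ($null -eq $value) {
        $status = if ($Check.AbsentOk) { 'OK' } else { 'MISSING' }
    } elseif ("$value" -match $Check.Expect) {
        $status = 'OK'
    } else {
        $status = 'SUSPECT'
    }
    New-Object PSObject -Property @{
        Status = $status; Location = "$($Check.Path) : $display"; Value = "$value"; Note = $Check.Why
    }
}

# Lists HKLM/HKCU Run entries (what DDS prints as mRun/uRun) and marks for review any
# rundll32 command whose DLL lives directly under the Windows directory, as in this thread.
function Get-RunEntries {
    $paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $dllInRoot = [regex]::Escape($SystemRoot) + '\\[^\\"]+\.dll'
    foreach ($p in $paths) {
        $key = Get-Item -Path $p -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd = "$($key.GetValue($name))"
            $status = ''
            if (($cmd -match 'rundll32') -and ($cmd -match $dllInRoot)) { $status = 'REVIEW' }
            New-Object PSObject -Property @{ Hive = $p; Name = $name; Command = $cmd; Status = $status }
        }
    }
}

$report = $checks | ForEach-Object { Test-RegistryCheck $_ }
$report | Format-Table Status, Location, Value -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } | ForEach-Object { "  -> $($_.Location): $($_.Note)" }
Get-RunEntries | Format-Table Status, Name, Command -AutoSize
```

A SUSPECT result on the exefile or comfile default value is the direct cause of "can't open exe files": the association runs the malware's program instead of the requested executable. The script only reports; repairing a value is a deliberate separate step, which is what exeHelper did in the log above.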
----------



## JSntgRvr (Jul 1, 2003)

I believe we got the bad guy.

Please download Malwarebytes' Anti-Malware from *Here*. Never download Malwarebytes' Anti-Malware from other sources.

Double-click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*

Perform an online scan at *Eset* and post the results.

I would recommend *AVAST* as an antivirus.


----------



## sonofagunderson (Mar 26, 2011)

Virus came back and wouldn't let me go to any website, so I had to run another combofix which seemed to zap it at least temporarily. Then I did malwarebytes and Eset scan. Logs are provided in that order:

ComboFix 11-03-28.03 - laryza martell 03/28/2011 22:38:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1570 [GMT -4:00]
Running from: c:\documents and settings\laryza martell\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\laryza martell\Local Settings\Application Data\tdm.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))
.
.
2011-03-27 16:50 . 2011-03-27 16:50 388096 -c--a-r- c:\documents and settings\laryza martell\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-27 16:50 . 2011-03-27 16:50 -------- dc----w- C:\New Folder
2011-03-20 13:52 . 2011-03-20 13:52 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-11 23:00 270848 -c--a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 23:00 186880 -c--a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 23:11 2067456 -c--a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 23:11 677888 -c--a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 23:00 439296 -c--a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 23:00 290048 -c--a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-11 23:00 1854976 -c--a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-09-13 1384448]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-6 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-4 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PokerStars\\PokerStarsUpdate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\Dell Support\\DSHelp.exe"=
"c:\\Program Files\\PokerStars\\Tracer.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\docume~1\BRUNOB~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\BRUNOB~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [9/2/2009 10:33 AM 57344]
R2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\drivers\p1c1394.sys [8/7/2009 4:43 PM 23808]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 4:03 AM 65536]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/16/2010 10:35 PM 136176]
S3 B-Service;B-Service;c:\documents and settings\bruno bier\Application Data\Mikogo\B-Service.exe [5/23/2009 6:04 PM 185640]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-17 02:35]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-17 02:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://nytimes.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\laryza martell\Application Data\Mozilla\Firefox\Profiles\o60mj8ks.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {C568174D-801F-4479-8D5B-7CC1D5EB2F79} - c:\documents and settings\bruno bier\Local Settings\Application Data\{C568174D-801F-4479-8D5B-7CC1D5EB2F79}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 22:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'lsass.exe'(1004)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-03-28 22:44:17
ComboFix-quarantined-files.txt 2011-03-29 02:44
ComboFix2.txt 2011-03-28 12:01
.
Pre-Run: 1,698,783,232 bytes free
Post-Run: 1,683,406,848 bytes free
.
- - End Of File - - BDF2AB5B608D56AD9633085D4CA47566

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6199

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/28/2011 10:55:18 PM
mbam-log-2011-03-28 (22-55-18).txt

Scan type: Quick scan
Objects scanned: 181360
Time elapsed: 3 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\bruno bier\local settings\application data\ieh.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\bruno bier\local settings\application data\swh.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\fdctiv.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\bruno bier\application data\jsdfgs.bat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\laryza martell\my documents\downloads\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v006DBC2F\TheApp\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMImport.exe probably a variant of Win32/Agent.BVLZXIZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v08404D5B\Native\STUBEXE\@[email protected]\RVG Software\Holdem Manager\DBControlPanel.exe probably a variant of Win32/Agent.KGEKTEB trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v08404D5B\Native\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMHud.exe probably a variant of Win32/Agent.IVMSRVA trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v236B29B5\Native\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMHud.exe probably a variant of Win32/Agent.CTLFQHC trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v236B29B5\TheApp\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMImport.exe probably a variant of Win32/Agent.CEGEMYH trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v501547F3\TheApp\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMImport.exe probably a variant of Win32/Agent.JPLTNQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v54C6D2F9\Native\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMHud.exe probably a variant of Win32/Agent.BFNVDXM trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v54C6D2F9\TheApp\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMImport.exe probably a variant of Win32/Agent.EIRXCZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v5B04D48C\Native\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMHud.exe probably a variant of Win32/Agent.HRTAPQU trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65ED1E19\Native\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMHud.exe probably a variant of Win32/Agent.HJJSWFN trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65ED1E19\TheApp\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMImport.exe probably a variant of Win32/Agent.CXLGMFC trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\Native\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMHud.exe probably a variant of Win32/Agent.PQGVNB trojan cleaned by deleting - quarantined
C:\Documents and Settings\bruno bier\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\TheApp\STUBEXE\@[email protected]\RVG Software\Holdem Manager\HMImport.exe probably a variant of Win32/Agent.HNCVHWF trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\laryza martell\Local Settings\Application Data\oee.exe.vir a variant of Win32/Kryptik.MAG trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\laryza martell\Local Settings\Application Data\wya.exe.vir a variant of Win32/Kryptik.MAG trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\irimegedekosubuk.dll.vir a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP883\A0058180.exe a variant of Win32/Cimag.DL trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP883\A0058181.exe a variant of Win32/TrojanDownloader.FakeAlert.BDE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0058433.exe a variant of Win32/Kryptik.MAG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0058434.exe a variant of Win32/Kryptik.MAG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0058435.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0058695.exe a variant of Win32/Kryptik.LTW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0058696.exe a variant of Win32/Kryptik.LZD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0058697.dll a variant of Win32/Kryptik.JWO trojan cleaned by deleting - quarantined


----------



## JSntgRvr (Jul 1, 2003)

Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
OTL should now start. Change the following settings:
Change *Drivers* to *All*
Change *Standard Registry* to *All*
Under *File Scans*, change *File age* to *30*

Under the Custom Scan box paste this in


netsvcs
set /c
/md5start
UXTHEME.DLL
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
Userinit.exe
Explorer.exe
Winlogon.exe
Regedit.exe
SCLWAPI.dll
/md5stop
%SYSTEMDRIVE%\*.*
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt* (first run only). These are saved in the same location as OTL.
Please post the contents of the *OTL.txt* file and attach the *Extras.Txt*, if any, in your next reply.


*How is the computer doing? Has the virus returned after the previous scans?*


----------



## sonofagunderson (Mar 26, 2011)

Computer is running pretty good. But for one of the users I'm still getting a redirect after my first google search, and clicking on the link. It only happens the first time. For the other user I tried to load firefox and got a strange message: C:\Program Files\java\jre6\lib\deploy\jqs\ff\..\..\..\..\bin\jqsnotify.exe\ Application not found. That user is also having problems opening exe files (it will ask what program do you want to use to open the file). But I guess I can use exehelper for that. BTW, did combofix, malwarebytes, otl, etc. scan both users by default? Because I didn't check off the scan all users box for otl. Attached is the otl extras file. Next reply will have the other otl log.


----------



## sonofagunderson (Mar 26, 2011)

Otl log is attached because I couldn't post copy and paste (maybe because it was too long).


----------



## JSntgRvr (Jul 1, 2003)

I would like to collect a few files for analysis.

Download the enclosed file. Save it next to Combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

***Note** *

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.

If it is unable to upload the file automatically, ComboFix will have created a zipped file in the C:\Qoobox\Quarantine folder, named in the form [4]-Submit_Date_Time.zip. Please upload this file to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.


----------



## sonofagunderson (Mar 26, 2011)

Windows XP virus is back on the user profile that was originally infected, but not the user profile from which I ran the combofix cf script log. Still getting redirects from this second user profile. Here's that combofix cfscript log.

ComboFix 11-04-01.01 - laryza martell 04/01/2011 22:25:16.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1576 [GMT -4:00]
Running from: c:\documents and settings\laryza martell\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\laryza martell\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT"
"c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT"
"c:\windows\Pkeyi.bin"
"c:\windows\ViewNX.INI"
.
file zipped: c:\documents and settings\All Users\Application Data\4ffobyg0qq4to5t4836ckfdw208e21tkm04eb
file zipped: c:\documents and settings\All Users\Application Data\7d34t16snostcdvlr1fx05d0p28v406d1j3q6fah3hdl
file zipped: c:\documents and settings\All Users\Application Data\eiya28fw54ev3nrlildauwojpl3g4td
file zipped: c:\documents and settings\All Users\Application Data\l6qc140707qi6p1g667l23y6t7vv5vxiy
file zipped: c:\documents and settings\All Users\Application Data\ngwk31q64i4r13dcp26r1711q02jce0p7x45837458o0xw3
file zipped: c:\documents and settings\laryza martell\Local Settings\Application Data\4ffobyg0qq4to5t4836ckfdw208e21tkm04eb
file zipped: c:\documents and settings\laryza martell\Local Settings\Application Data\7d34t16snostcdvlr1fx05d0p28v406d1j3q6fah3hdl
file zipped: c:\documents and settings\laryza martell\Local Settings\Application Data\eiya28fw54ev3nrlildauwojpl3g4td
file zipped: c:\windows\system32\tliadjust34.dll
file zipped: c:\windows\system32\tliclean21.dll
file zipped: c:\windows\system32\tlidejpeg30.dll
file zipped: c:\windows\system32\tlidenoise30.dll
file zipped: c:\windows\system32\tlidetail11.dll
file zipped: c:\windows\system32\tlisimplify20.dll
file zipped: c:\windows\Yxevuyirogodini.dat
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
c:\windows\Pkeyi.bin
c:\windows\ViewNX.INI
.
.
((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 )))))))))))))))))))))))))))))))
.
.
2011-03-29 02:49 . 2011-03-29 02:49 -------- dc----w- c:\documents and settings\laryza martell\Application Data\Malwarebytes
2011-03-29 02:49 . 2010-12-20 22:09 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-29 02:49 . 2011-03-29 02:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-29 02:49 . 2011-03-29 02:49 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-29 02:49 . 2010-12-20 22:08 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-03-27 16:50 . 2011-03-27 16:50 388096 -c--a-r- c:\documents and settings\laryza martell\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-27 16:50 . 2011-03-27 16:50 -------- dc----w- C:\New Folder
2011-03-20 13:52 . 2011-03-20 13:52 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-11 23:00 270848 -c--a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 23:00 186880 -c--a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 23:11 2067456 -c--a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 23:11 677888 -c--a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 23:00 439296 -c--a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 23:00 290048 -c--a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((( [email protected]_02.42.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-02 02:11 . 2011-04-02 02:11 16384 c:\windows\Temp\Perflib_Perfdata_f4.dat
+ 2011-04-02 02:11 . 2011-04-02 02:11 16384 c:\windows\Temp\Perflib_Perfdata_218.dat
+ 2004-08-11 23:00 . 2011-04-02 02:15 80730 c:\windows\system32\perfc009.dat
- 2004-08-11 23:00 . 2011-03-29 02:29 80730 c:\windows\system32\perfc009.dat
+ 2004-08-11 23:00 . 2011-04-02 02:15 463768 c:\windows\system32\perfh009.dat
- 2004-08-11 23:00 . 2011-03-29 02:29 463768 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-09-13 1384448]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-6 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-4 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PokerStars\\PokerStarsUpdate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\Dell Support\\DSHelp.exe"=
"c:\\Program Files\\PokerStars\\Tracer.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\docume~1\BRUNOB~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\BRUNOB~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [9/2/2009 10:33 AM 57344]
R2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\drivers\p1c1394.sys [8/7/2009 4:43 PM 23808]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 4:03 AM 65536]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/16/2010 10:35 PM 136176]
S3 B-Service;B-Service;c:\documents and settings\bruno bier\Application Data\Mikogo\B-Service.exe [5/23/2009 6:04 PM 185640]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-17 02:35]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-17 02:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://nytimes.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\laryza martell\Application Data\Mozilla\Firefox\Profiles\o60mj8ks.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {C568174D-801F-4479-8D5B-7CC1D5EB2F79} - c:\documents and settings\bruno bier\Local Settings\Application Data\{C568174D-801F-4479-8D5B-7CC1D5EB2F79}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-01 22:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'lsass.exe'(1000)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-04-01 22:31:39
ComboFix-quarantined-files.txt 2011-04-02 02:31
ComboFix2.txt 2011-03-29 02:44
ComboFix3.txt 2011-03-28 12:01
.
Pre-Run: 1,474,572,288 bytes free
Post-Run: 1,443,471,360 bytes free
.
- - End Of File - - 34E419B33F6EFA15F692A83E1DC64BD7
Upload was successful


----------



## JSntgRvr (Jul 1, 2003)

Files uploaded read clean. *How is the computer doing?*


----------



## sonofagunderson (Mar 26, 2011)

User profile that was initially infected is still infected with XP Security 2011 virus. User profile from which I've been running all the scans and processes that you have directed me to do is not infected with the XP security 2011 virus, but I am getting google redirects from this second user profile. 

Should I run the same scans, i.e. combofix, malwarebytes, etc., from the user profile that was initially infected?


----------



## JSntgRvr (Jul 1, 2003)

> Should I run the same scans, i.e. combofix, malwarebytes, etc., from the user profile that was initially infected?


It is a good idea. The profile, however, must have administrative rights. Let me know the outcome.

Let's empty the temp folders:

Download *TFC by OldTimer* to your desktop

Please double-click *TFC.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
It *will close all programs* when run, so make sure you have *saved all your work* before you begin.
Click the *Start* button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. *Let it run uninterrupted to completion*.
Once it's finished it should *reboot your machine*. If it does not, please *manually reboot the machine* yourself to ensure a complete clean.

Download *OTS.exe* by OldTimer to your Desktop.

Close any open browsers.
Double-click on *OTS.exe* to start the program.
Leave all settings at their defaults, except for the following:
Under *File Age*, select *30*.
Under *Drivers*, select *"All"*.
Under *Registry*, select *"All"*.
Under *Additional Scans*, click on the *"Extras"* button.

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete, Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------

