Yahoo and Google Worng Search Results

[jcherreria]

ComboFix 09-01-19.05 - YJ CATERING 2009-01-20 11:25:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.491 [GMT -5:00]
Running from: c:\documents and settings\YJ CATERING\Desktop\ANTI\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-15 11:11 . 2009-01-15 11:11 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-15 11:01 . 2009-01-15 11:01 1,374 --a------ c:\windows\imsins.BAK
2009-01-12 17:41 . 2009-01-12 17:41 <DIR> d-------- c:\program files\NOS
2009-01-12 17:41 . 2009-01-12 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-11 13:09 . 2009-01-11 13:09 <DIR> d-------- c:\program files\Trend Micro
2009-01-09 13:06 . 2009-01-09 13:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 13:06 . 2009-01-09 13:06 <DIR> d-------- c:\documents and settings\YJ CATERING\Application Data\Malwarebytes
2009-01-09 13:06 . 2009-01-09 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 13:06 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 13:06 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 12:50 . 2009-01-08 12:50 <DIR> d-------- c:\program files\CCleaner
2009-01-08 08:08 . 2009-01-20 11:24 21,991 --a------ c:\windows\system32\Config.MPF
2009-01-08 08:05 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-08 08:04 . 2009-01-08 08:04 <DIR> d-------- C:\mcafee_mcpr
2009-01-08 08:04 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-08 08:04 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-08 08:04 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-08 08:04 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-08 08:04 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-08 08:02 . 2009-01-08 08:03 <DIR> d-------- c:\program files\McAfee.com
2009-01-08 08:02 . 2009-01-08 08:04 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-08 08:01 . 2009-01-13 10:23 <DIR> d-------- c:\program files\McAfee
2009-01-08 07:55 . 2009-01-08 07:55 6 --a------ c:\windows\msoffice.ini
2009-01-06 12:44 . 2009-01-20 02:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 17:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-08 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-08 13:00 --------- d-----w c:\program files\Common Files\AOL
2009-01-08 12:58 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-01-08 12:57 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\AOL
2009-01-06 17:45 --------- d-----w c:\program files\Google
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 13:12 --------- d-----w c:\program files\Ahead
2008-12-10 13:09 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-12-10 13:08 --------- d-----w c:\program files\Common Files\Ahead
2008-12-07 14:19 --------- d-----w c:\program files\Cypherix LE
2008-12-05 18:38 --------- d-----w c:\program files\NCH Software
2008-12-05 18:38 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\NCH Software
2008-12-05 18:38 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2008-12-04 20:54 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\Corel
2008-12-04 20:36 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-04 20:36 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-12-04 20:31 --------- d-----w c:\program files\Corel
2008-12-04 20:31 --------- d-----w c:\program files\Common Files\Corel
2008-12-04 20:31 --------- d-----w c:\documents and settings\All Users\Application Data\Corel
2008-12-04 18:12 --------- d-----w c:\program files\activePDF
2008-12-01 23:50 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\AdobeUM
2008-11-30 13:14 --------- d-----r c:\documents and settings\YJ CATERING\Application Data\Brother
2008-11-29 17:53 --------- d-----w c:\program files\Microsoft.NET
2008-11-29 13:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-28 18:14 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\McAfee.com Personal Firewall
2008-11-25 15:21 5,120 ----a-w C:\CLCNTRL.DAT
2008-11-25 14:54 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\Motive
2008-11-22 21:19 --------- d-----w c:\program files\Common Files\Motive
2008-11-22 21:19 --------- d-----w c:\program files\att-nap
2008-11-22 21:18 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-11-22 20:24 --------- d-----w c:\program files\Pure Networks
2008-11-22 20:22 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2008-11-22 20:20 --------- d-----w c:\program files\Common Files\Adobe
2008-11-22 19:57 --------- d-----w c:\program files\Common Files\Intuit
2008-11-22 19:56 --------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2008-11-22 19:55 --------- d-----w c:\program files\Intuit
2008-11-22 19:55 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-11-22 19:53 --------- d-----w c:\program files\Common Files\SWF Studio
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-01-04 16:59 270,296 ----a-w c:\documents and settings\BPA Server\Application Data\GDIPFONTCACHEV1.DAT
2007-01-12 20:01 72 ----a-w c:\documents and settings\BPA Server\Application Data\ftpfile.dat
2006-03-07 16:56 69 ----a-w c:\documents and settings\BPA Server\printertest.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-21 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-12 180269]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"aux"= wdmaud.sys

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAMMonitor]
--a------ 2005-08-02 10:00 4147200 c:\program files\X-Charge\XChrgSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-05-21 14:42 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-09-12 14:32 208941 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2004-07-25 13:45 1277952 c:\program files\Support.com\BellSouth\hcenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-09-12 14:32 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Corel\\Graphics10\\Register\\NAVBrowser.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Lime Wire\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service

R4 cypherixservice;Cypherix service;cypherixsrv.exe --> cypherixsrv.exe [?]
R4 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [2008-12-07 100728]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-08-07 46112]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-11 14336]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-12 33752]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://go.purenetworks.com/redir/click/survey/uninstall/?pn=nm&a=3.3.6289.0&b=Pure&dc=DLINK0.routersetup&dt=OEM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\YJ CATERING\Application Data\Mozilla\Firefox\Profiles\mzdl95rg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 11:28:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-01-20 11:30:26
ComboFix-quarantined-files.txt 2009-01-20 16:30:16
ComboFix2.txt 2009-01-20 15:07:12

Pre-Run: 57,583,915,008 bytes free
Post-Run: 57,571,356,672 bytes free

220 --- E O F --- 2009-01-15 16:03:18

[Blade81]

Running from: c:\documents and settings\YJ CATERING\Desktop\ANTI\ComboFix.exe

Hi

Seems like you didn't run ComboFix with CFScript.txt file I made you create. Please try that part again

[Blade81]

Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.