Malware Infection - Affects Search Engine Results


  • This topic is locked
14 replies to this topic

#1 AC Valentine
Posted 17 February 2009 - 02:15 PM

I am currently experiencing problems when trying to access search results from Google or any other search engine. When I click on the link provided I am taken to a totally different webpage. Usually they begin with www.windowsclick........

Many thanks in advance for your assistance on this.

Regards

Ian

Here is my DDS report...

DDS (Ver_09-02-01.01) - NTFSx86
Run by Pauline Valentine at 18:56:02.82 on 17/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.666 [GMT 0:00]

FW: ZoneAlarm Pro Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\QUALCOMM\QDLService\QDLService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\sttray.exe
C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\SWsetup\HPQWWAN\HPMobileBroadband.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\PAULIN~1\LOCALS~1\Temp\perce.jpg.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\DOCUME~1\PAULIN~1\LOCALS~1\Temp\ysc20y.exe
D:\Programs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.Yahoo.com
uDefault_Page_URL = hxxp://www.Yahoo.com
mDefault_Page_URL = hxxp://www.Yahoo.com
mStart Page = hxxp://www.Yahoo.com
uInternet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=011
BHO: c:\windows\system32\hsfd83jfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hsfd83jfdg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Cognac] c:\docume~1\paulin~1\locals~1\temp\perce.jpg.exe
uRun: [systeminit.exe] c:\docume~1\paulin~1\locals~1\temp\systeminit.exe
uRun: [jsf8uiw3jnjgffght] c:\docume~1\paulin~1\locals~1\temp\winlognn.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\docume~1\paulin~1\locals~1\temp\csrssc.exe
uRun: [dii9i65qjn8wckian6qprz4warvu59gf5q] c:\docume~1\paulin~1\locals~1\temp\s9oniadlyns.exe
uRun: [kg54jhekc90mg5eb2nhlqoo7s2vpftyuxmf] c:\docume~1\paulin~1\locals~1\temp\exz1x1wrgl9e.exe
uRun: [afh8kcqdtwlc9mh2ebuqr1co3xvl2cr9w9duwkwmz] c:\docume~1\paulin~1\locals~1\temp\d1o1e5t3t.exe
uRun: [g6wx85xxxae6nc5t] c:\docume~1\paulin~1\locals~1\temp\njdjezwkgym.exe
uRun: [gqzrhp533cw] c:\docume~1\paulin~1\locals~1\temp\uw3oz4.exe
uRun: [fa4nvx4gjuiq6zqk0ue5t0ew9aiym1a] c:\docume~1\paulin~1\locals~1\temp\msgppqby4f89.exe
uRun: [jopn5y7kb9aw9wlvretsh8tkqtmwkb2aoe4gejznm10s54e7] c:\docume~1\paulin~1\locals~1\temp\z899hpflt0dfl.exe
uRun: [r4zxiub9zizm1g3xpx62eg22ay3mgg4c] c:\docume~1\paulin~1\locals~1\temp\zmf6ipc6ome1.exe
uRun: [mxxv4nd0lvy06n] c:\docume~1\paulin~1\locals~1\temp\d3iz49qoa.exe
uRun: [gtjtf0ekwuzcrtq44zpt180eppt60fe1hx9y8g49pb95uwxwmu] c:\docume~1\paulin~1\locals~1\temp\o5iiajshw9.exe
uRun: [ljkm741jg3iuqnk9dq9] c:\docume~1\paulin~1\locals~1\temp\lqhffl1.exe
uRun: [brk2bjhzjkwi] c:\docume~1\paulin~1\locals~1\temp\edtxmqcy.exe
uRun: [ni3u9gq2wtd02q21jn8wrkl0ani4mu7] c:\docume~1\paulin~1\locals~1\temp\tt7e6od2tw.exe
uRun: [nr35aksqq7wdkep7tzfc0] c:\docume~1\paulin~1\locals~1\temp\d8sa661opa.exe
uRun: [od5sbdethrxdm78l4g6c8mmor5wo8wc3jwcg2cizp6gb] c:\docume~1\paulin~1\locals~1\temp\h76fi0obcg.exe
uRun: [kd6q1cxbaxpfv75zdanv1zee8eqvzl94sl5j] c:\docume~1\paulin~1\locals~1\temp\zkkjrn8wl4m6.exe
uRun: [btb0uiolavfp6u7pthldv1i3qtbwxj3qsa] c:\docume~1\paulin~1\locals~1\temp\j8jbvtok6.exe
uRun: [kzrltkbvzmqefqfwylxfj] c:\docume~1\paulin~1\locals~1\temp\ifwfjv.exe
uRun: [ybqc5n03ff32] c:\docume~1\paulin~1\locals~1\temp\rqs4np.exe
uRun: [r4st14t7r3bjyosu5yxyc569k8m6a1jgaavinp9zni10kj5ahw] c:\docume~1\paulin~1\locals~1\temp\k8smev0j2r.exe
uRun: [cro6knxflx0sp7opyx509iyxnkztv6jd] c:\docume~1\paulin~1\locals~1\temp\iykuex.exe
uRun: [ugkrw60zzjq21wl7z258lypvnm10p2mvxrxr01a] c:\docume~1\paulin~1\locals~1\temp\berwrehrwxe.exe
uRun: [ie7jzbdviijss8e7qjexik6cwrkb46] c:\docume~1\paulin~1\locals~1\temp\vhxjcpr3d6a.exe
uRun: [f3xg8f75ofd882uar78v18vme9vsku52cxqlfk1o7y5xq38vd] c:\docume~1\paulin~1\locals~1\temp\osh2jsdtf.exe
uRun: [wnchi0z57zk8lkezzrgw79xqotm1rpi7p] c:\docume~1\paulin~1\locals~1\temp\j9xfllu3voc.exe
uRun: [ejg3lkbaqezu63qcm6iw7gvopb3zrjyh4vqhjlxcuh6hdswtj] c:\docume~1\paulin~1\locals~1\temp\meywb1.exe
uRun: [i5zc9yxgipjk6jqhq8cq31alj5yuugphs3ka3h0h6xl] c:\docume~1\paulin~1\locals~1\temp\vvn0oicj3l1v.exe
uRun: [ymf3ff0f4mupexuc7iz7oiktj7clkyhxcbq33jkm] c:\docume~1\paulin~1\locals~1\temp\mxqh5qd6vl.exe
uRun: [xyiy2tdzgwes84tfvbvrsa24013eyes0waylzskq] c:\docume~1\paulin~1\locals~1\temp\twx2o27i.exe
uRun: [lxw21vctobqsmcx8bkugh] c:\docume~1\paulin~1\locals~1\temp\zgn6jyoz.exe
uRun: [i4mza6tq8yj4c015godn1] c:\docume~1\paulin~1\locals~1\temp\zv1tyvau9ft.exe
uRun: [w558hryk7z1lgxa2ht93upr0lxlx60k3ysvngz9nvqsk] c:\docume~1\paulin~1\locals~1\temp\yqffxcvx8.exe
uRun: [wklkb7xqm98t31owsmex8tqr8frnwoj5l] c:\docume~1\paulin~1\locals~1\temp\dplvbpu2aq.exe
uRun: [es6wqra7awfredvolcg6euy1ls] c:\docume~1\paulin~1\locals~1\temp\p6yc3rgovr5fu.exe
uRun: [uiurp6jtw1ev0xtkpa0xjpe] c:\docume~1\paulin~1\locals~1\temp\p4cwcs07.exe
uRun: [g2987yc9rfvchi2jd8d0eeoj9ohp9es2coei6dzos] c:\docume~1\paulin~1\locals~1\temp\b23xuv.exe
uRun: [wniretgp5iagsune4bile373l77e0bqgrylbs7jedfc1ut6] c:\docume~1\paulin~1\locals~1\temp\b7mh3cbq29vkm.exe
uRun: [iw3j97x0a] c:\docume~1\paulin~1\locals~1\temp\susu9d49.exe
uRun: [ljp4s0bzl3vqi74isubm0fg345g9ex5qlrg5jklstxrw] c:\docume~1\paulin~1\locals~1\temp\q5t6t6plnpn5.exe
uRun: [ce870jhse9odi4yoxfh9vl63yro9qduwyfl1uc] c:\docume~1\paulin~1\locals~1\temp\ecup6w5g.exe
uRun: [poccw1e4futgs] c:\docume~1\paulin~1\locals~1\temp\snwvvyqatmn.exe
uRun: [rdm5acyxdzq9] c:\docume~1\paulin~1\locals~1\temp\ja281z.exe
uRun: [ax2dt9uju7rxki09pmlji] c:\docume~1\paulin~1\locals~1\temp\whuxv6n6r.exe
uRun: [gazpsefogl4orsuoo1cqu1lv0ep1siojn9fec4i1g7352n] c:\docume~1\paulin~1\locals~1\temp\ssifiaa.exe
uRun: [mtobqwwk81i1okcdahzhsv0andm8pjgawsaen9jzg00xwl] c:\docume~1\paulin~1\locals~1\temp\ax8270tce.exe
uRun: [o3pse70i50] c:\docume~1\paulin~1\locals~1\temp\stfmn5k3x.exe
uRun: [cit8g9aq8dnngmze847wt2hd9ncxs2wrcoi3td] c:\docume~1\paulin~1\locals~1\temp\kl7ubp.exe
uRun: [i3475d21zlrn7pf5artad5y0olg49n] c:\docume~1\paulin~1\locals~1\temp\fib2f8aj.exe
uRun: [xow6vyc4ijjpvyip6ycsvm3m6w44xudvik1040kctrvfmt] c:\docume~1\paulin~1\locals~1\temp\mvz383z.exe
uRun: [wji7t5dyr3e] c:\docume~1\paulin~1\locals~1\temp\gwvcytw5cn18.exe
uRun: [ux6abkcglk5a3xkq263thv2yunkuonboc46dfh06] c:\docume~1\paulin~1\locals~1\temp\mp5c7d7.exe
uRun: [oce7itp7jwhm9z139b2l5] c:\docume~1\paulin~1\locals~1\temp\jyyoweesnsx.exe
uRun: [lwo19r9s55c8bg4o] c:\docume~1\paulin~1\locals~1\temp\c4a6m0pu7z4k.exe
uRun: [mkz57orfenq5g6iz9o1hwkafi63y6k8tuxbzvywhbl] c:\docume~1\paulin~1\locals~1\temp\u0h72oglqaxd.exe
uRun: [meogxth64o7au9g9gvilx1n] c:\docume~1\paulin~1\locals~1\temp\iibksqe1hn.exe
uRun: [cvm6gv5536] c:\docume~1\paulin~1\locals~1\temp\t1b3yhguk5v.exe
uRun: [gzcey3gahn6midnwv5c7wrkkvg8wlsj5e] c:\docume~1\paulin~1\locals~1\temp\h4rt95.exe
uRun: [n9qfsrtiwh2uuo0dw] c:\docume~1\paulin~1\locals~1\temp\ylhwiu6s.exe
uRun: [mvigiez2a6v7hhhirsfqcc0ulau] c:\docume~1\paulin~1\locals~1\temp\yhvjx8sn0c5.exe
uRun: [n658h5yxp1cakfwhmze2s5m5ksx3h8u7] c:\docume~1\paulin~1\locals~1\temp\cp71an5iniczf.exe
uRun: [eee2f721cet05ejoo82rgqlt4c2ondd1r2l95ewgwbv4] c:\docume~1\paulin~1\locals~1\temp\i5gujg4wcsxz.exe
uRun: [gnq8aaklg8xpkxa6q3kcwz5hv7] c:\docume~1\paulin~1\locals~1\temp\reyozpopmz1.exe
uRun: [at54y1z8ct2tph6u0gyu5zbx4765i9pzcvfso8v1] c:\docume~1\paulin~1\locals~1\temp\n40a17gpsz7g.exe
uRun: [c53hpfkslgjzooj9gtr335jtb1lxhwd5] c:\docume~1\paulin~1\locals~1\temp\q0eex42.exe
uRun: [l1nkqtrej2woklziea5io9wnb5z0p] c:\docume~1\paulin~1\locals~1\temp\chevau.exe
uRun: [zau7leuqqi5vysn9sxckgzc0h7ts8eg] c:\docume~1\paulin~1\locals~1\temp\rfvv4kyyy51ze.exe
uRun: [uz58b22srkrf7lg0zaxd6iu2jq9gln] c:\docume~1\paulin~1\locals~1\temp\u4n2pxktk06q.exe
uRun: [ix2szad7w2yu4b0b3uxdwyv81e39] c:\docume~1\paulin~1\locals~1\temp\hu0p0qg5l7.exe
uRun: [ibvc9b03x6kq775ofhk3d66bea8] c:\docume~1\paulin~1\locals~1\temp\t6o6xh29pjdo.exe
uRun: [jjp7d3aupi7lw581kcwdm1mms19hag9w36k6] c:\docume~1\paulin~1\locals~1\temp\n74w12.exe
uRun: [n9bwmlcaiolew36q17qdq0idlgcyekkmm83u4v5] c:\docume~1\paulin~1\locals~1\temp\yh6j6rqo5q0bu.exe
uRun: [z8802qt5i] c:\docume~1\paulin~1\locals~1\temp\jjp2c1.exe
uRun: [rpceu64koa7qncbh2gz] c:\docume~1\paulin~1\locals~1\temp\jed2w2gef.exe
uRun: [u5waj4t1shafjys31tf45] c:\docume~1\paulin~1\locals~1\temp\ozqib9.exe
uRun: [c3r5xjv869ibzweu6s2mwx1k86nyr2scw7znjw] c:\docume~1\paulin~1\locals~1\temp\eqvxwz.exe
uRun: [u7n6ki6r0h4mr70rko34ey7ysoku5swrkpmwwi] c:\docume~1\paulin~1\locals~1\temp\em9kbw8nf.exe
uRun: [xh7f6jon18jr4yspol49m5gob0nvlvhoyvpm7adronkq35] c:\docume~1\paulin~1\locals~1\temp\tkt1jhlh437dn.exe
uRun: [bawcn21odwuhu6wtb8040yodmmc] c:\docume~1\paulin~1\locals~1\temp\hssb332.exe
uRun: [huwl6kd661b3aqhkhy4e96mpn] c:\docume~1\paulin~1\locals~1\temp\p6gutes6tma.exe
uRun: [eanmtld4ukyitgbtmxfcamql2f4re44u32pnwxsb5j8] c:\docume~1\paulin~1\locals~1\temp\zf1zi63zl4zcj.exe
uRun: [p9n84o1845rfslt7s4p1b6vevq10paoa1zkq4mvdfle0b3ix] c:\docume~1\paulin~1\locals~1\temp\yow1apj7ka4o.exe
uRun: [jcykhssi6wjq3pqj64y5d3zqzv48qp3knm] c:\docume~1\paulin~1\locals~1\temp\sqpy5aq4yys.exe
uRun: [li0ukza6l4joetjrz47] c:\docume~1\paulin~1\locals~1\temp\rgr37sin4yyz.exe
uRun: [j68hb0vftsmx5] c:\docume~1\paulin~1\locals~1\temp\lpripbi3xp.exe
uRun: [cwber7bcbuj66vmqbmx9379] c:\docume~1\paulin~1\locals~1\temp\o4y2bqbnji2.exe
uRun: [dwn3n9euolksq9wv0fd5nzw9t7jsjqhuuoy0p] c:\docume~1\paulin~1\locals~1\temp\w8r1v2kw079.exe
uRun: [jx1rujwq1qtim3yg] c:\docume~1\paulin~1\locals~1\temp\hwt4rtr33pw.exe
uRun: [s94busv7m] c:\docume~1\paulin~1\locals~1\temp\dhc6kuvpspy5g.exe
uRun: [iphnrn8av3] c:\docume~1\paulin~1\locals~1\temp\c2v8wei.exe
uRun: [phqzxv4rdmhmot1biju6fszb5vay2f77ey02ndtdrc11rpc] c:\docume~1\paulin~1\locals~1\temp\ch9csb4prv.exe
uRun: [ihhymcff352qkony076f0] c:\docume~1\paulin~1\locals~1\temp\cmsf1dzhi.exe
uRun: [pw04adu047uljq5ab3q469m02i8y71icutph6u07hxhnz] c:\docume~1\paulin~1\locals~1\temp\cygflax0hpeo.exe
uRun: [da56du6q1w25f6mmikydan4x3qkrwjre3ppznyfnxhc4u] c:\docume~1\paulin~1\locals~1\temp\bu2522.exe
uRun: [bwiuf9tvz9ib1k] c:\docume~1\paulin~1\locals~1\temp\mmwlad9ff.exe
uRun: [ojkp27t8b542m42bnn04y1e4mp1al4cbf7suzeh0xb52i5jan] c:\docume~1\paulin~1\locals~1\temp\ysc20y.exe
uRun: [fyue5pfkks6ftsbvjxdc] c:\docume~1\paulin~1\locals~1\temp\rtuy8m.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IDTSysTrayApp] sttray.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [coreworks] "c:\program files\hpq\hp connection manager 1.1\bin\gbxapp.exe" runatstartup
mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [jsf8uiw3jnjgffght] c:\docume~1\paulin~1\locals~1\temp\winlognn.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hsfd83jfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hsfd83jfdg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paulin~1\applic~1\mozilla\firefox\profiles\6oj85lfj.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 mdvsrv;HP Connection Manager Service;c:\program files\hpq\hp connection manager 1.1\bin\mdvsrv.exe [2008-8-21 575976]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\qdlservice\QDLService.exe [2008-6-27 345336]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-18 112128]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-15 353680]

=============== Created Last 30 ================

2009-02-16 20:34 268,648 a------- c:\windows\system32\mucltui.dll
2009-02-16 20:34 208,744 a------- c:\windows\system32\muweb.dll
2009-02-16 20:34 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-02-15 18:44 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-15 18:44 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-02-15 18:44 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-02-15 18:44 <DIR> --d----- c:\program files\Zone Labs
2009-02-15 18:44 352,606 a------- c:\windows\system32\vsconfig.xml
2009-02-15 18:43 <DIR> --d----- c:\windows\Internet Logs
2009-02-15 18:06 26,112 a------- c:\windows\system32\drivers\usbser.sys
2009-02-15 18:04 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-02-15 18:04 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-02-15 17:56 <DIR> --d----- C:\214ff4dfbbd7f122173d
2009-02-15 17:28 276 a------- c:\windows\system32\MRT.INI
2009-02-14 18:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-02-13 17:34 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-02-13 17:34 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-02-13 17:28 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-02-13 17:28 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-02-13 17:28 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-13 17:26 6,066,688 -------- c:\windows\system32\dllcache\ieframe.dll
2009-02-13 17:26 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-13 17:26 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-02-13 17:26 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-02-13 17:26 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-02-13 17:25 <DIR> --d----- c:\windows\system32\PreInstall
2009-02-13 17:25 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-13 17:18 <DIR> --d----- c:\documents and settings\pauline valentine\Bluetooth Software
2009-02-13 17:18 221,184 a------- c:\windows\system32\wmpns.dll
2009-02-13 17:17 873,134 a------- c:\windows\system32\oem1.inf
2009-02-13 17:17 <DIR> --d----- c:\docume~1\paulin~1\applic~1\TMP
2009-02-13 17:16 <DIR> --d----- c:\documents and settings\Pauline Valentine

==================== Find3M ====================

2009-02-14 18:42 15,000 a------- c:\windows\system32\hsfd83jfdg.dll
2009-02-14 18:42 106,496 a------- c:\windows\system32\fejokt.dll
2009-02-14 18:42 3,182 a------- c:\windows\ios.dat
2009-02-14 18:42 82,432 a------- c:\windows\kernel32.exe
2009-02-14 18:42 32,256 a------- c:\windows\system32\crypts.dll
2009-02-14 18:42 70,656 a------- c:\windows\system32\4weia1ty.exe
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-18 19:04 78,883 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-06-24 17:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 18:57:00.35 ===============
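The DDS log above shows the footprint this infection leaves in the autorun keys: dozens of uRun values with random names, all pointing at executables in the user's Temp folder, a double-extension file (perce.jpg.exe), a BHO DLL with a random name, and explorer/system policies that disable the Registry Editor and Folder Options. The Python script below is an added example, not part of the original post and not part of the DDS tool: it parses lines in the DDS "Pseudo HJT Report" format and flags those indicators. The sample lines are constructed from the log above; the heuristics (Temp path, double extension, mixed letter/digit names of eight characters or more, lock-out policies) are this example's own assumptions, not a DDS feature, and will produce false positives on legitimate installers that use GUID-style names.

```python
"""Triage autorun entries from a DDS-style 'Pseudo HJT Report'.

Added example (not from the original post or from DDS itself). It flags the
indicators visible in the thread: executables launched from a Temp folder,
double extensions such as .jpg.exe, random-looking value and file names,
and explorer/system policies that lock the user out of recovery tools.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in DDS format, modelled on lines from the log above.
SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Cognac] c:\docume~1\paulin~1\locals~1\temp\perce.jpg.exe
uRun: [jsf8uiw3jnjgffght] c:\docume~1\paulin~1\locals~1\temp\winlognn.exe
uRun: [dii9i65qjn8wckian6qprz4warvu59gf5q] c:\docume~1\paulin~1\locals~1\temp\s9oniadlyns.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
BHO: c:\windows\system32\hsfd83jfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hsfd83jfdg.dll
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
"""

RUN_RE = re.compile(r"^[umd]Run: \[([^\]]*)\] (.+)$")
BHO_RE = re.compile(r"^BHO: (.*?): \{[0-9a-fA-F-]+\} - (.+)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+: (\w+) = (\d+)")
# A data-file extension immediately followed by an executable one.
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|gif|png|bmp|txt|doc|pdf|mp3|avi)\.(exe|scr|com|pif|bat|cmd)$")
# Policies the malware set in the log above, plus their usual companions.
LOCKOUT_POLICIES = {"DisableRegistryTools", "NoFolderOptions",
                    "DisableTaskMgr", "NoControlPanel", "NoRun"}


@dataclass
class Finding:
    kind: str                 # 'run', 'bho' or 'policy'
    name: str                 # registry value name, BHO title or policy name
    target: str               # executable/DLL path, or the policy value
    reasons: list = field(default_factory=list)


def exe_path(raw):
    """Return the executable path from a Run value, without quotes or arguments.
    Assumption: the path ends at the first .exe/.scr/.com/.pif/.dll token."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:raw.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|scr|com|pif|dll))(?:\s|$)", raw, re.I)
    return m.group(1) if m else raw


def looks_random(token):
    """Heuristic (an assumption, not a rule): a stem of 8+ characters that mixes
    letters and at least one digit, e.g. 'hsfd83jfdg'. GUID-style installer
    names will also trip this, so treat it as a hint, not a verdict."""
    stem = token.rsplit(".", 1)[0]
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    return len(stem) >= 8 and digits >= 1 and letters >= 6


def assess_path(name, path):
    """Collect the reasons an autostart target looks suspicious."""
    reasons = []
    low = path.lower()
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if DOUBLE_EXT_RE.search(low):
        reasons.append("double extension (data file name ending in an executable extension)")
    fname = low.rsplit("\\", 1)[-1]
    if looks_random(fname):
        reasons.append("random-looking file name")
    if looks_random(name):
        reasons.append("random-looking value name")
    return reasons


def triage(report):
    """Parse DDS Pseudo-HJT lines and return the entries worth a closer look."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            name, raw = m.groups()
            path = exe_path(raw)
            if reasons := assess_path(name, path):
                findings.append(Finding("run", name, path, reasons))
        elif m := BHO_RE.match(line):
            title, dll = m.groups()
            if reasons := assess_path("", dll):
                findings.append(Finding("bho", title, dll, reasons))
        elif m := POLICY_RE.match(line):
            policy, value = m.groups()
            if policy in LOCKOUT_POLICIES and value != "0":
                findings.append(Finding("policy", policy, value,
                                        ["locks the user out of a recovery tool"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:6} {f.name!r:40} {f.target}")
        for r in f.reasons:
            print(f"        - {r}")
```

Run against the sample, the script leaves the standard HP/Intel/Java entries alone and reports the three Temp-folder Run values, the BHO DLL and both lock-out policies. The same parser can be pointed at a full DDS log; lines outside the three recognised shapes are ignored.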


#2 fenzodahl512
Posted 18 February 2009 - 06:51 AM

Please download Dr.Web CureIt to the Desktop:
  • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (open it in Notepad)



NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouse-click ComboFix's window while it is running. That may cause it to stall.




Please post these logs in your next reply, each log in a separate post:

1. Dr. Web CureIt
2. ComboFix
3. A fresh HijackThis log



#3 AC Valentine (Topic Starter)
Posted 18 February 2009 - 04:31 PM

perce.jpg.exe;c:\documents and settings\pauline valentine\local settings\temp;Trojan.Packed.458;Deleted.;
uacypdmrflx.sys;c:\windows\system32\drivers;BackDoor.Tdss.84;Deleted.;
hsfd83jfdg.dll;c:\windows\system32;Trojan.DownLoad.28089;Deleted.;
perce.jpg.exe;C:\Documents and Settings\Pauline Valentine\Local Settings\Temp;Trojan.Packed.458;Deleted.;
kernel32.exe;C:\WINDOWS;Trojan.MulDrop.30256;Deleted.;
4weia1ty.exe;C:\WINDOWS\system32;Trojan.Packed.458;Deleted.;
crypts.dll;C:\WINDOWS\system32;Trojan.DownLoad.29184;Deleted.;

#4 AC Valentine (Topic Starter)
Posted 18 February 2009 - 04:53 PM

ComboFix 09-02-17.02 - Pauline Valentine 2009-02-18 21:46:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.643 [GMT 0:00]
Running from: c:\documents and settings\Pauline Valentine\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\windows\ios.dat
c:\windows\system32\4weia1ty.exe.a_a
c:\windows\system32\c.ico
c:\windows\system32\fejokt.dll
c:\windows\system32\m.ico
c:\windows\system32\m3.ico
c:\windows\system32\p.ico
c:\windows\system32\s.ico
c:\windows\system32\sf.ico
c:\windows\system32\UACafqmeybx.dat
c:\windows\system32\UACbnexyrtk.dll
c:\windows\system32\UACjxjcfuwb.dll
c:\windows\system32\UACthqowqpn.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.

2009-02-18 20:17 . 2009-02-18 20:17 <DIR> d-------- c:\documents and settings\Pauline Valentine\DoctorWeb
2009-02-16 20:35 . 2009-02-16 20:35 0 --a------ c:\windows\nsreg.dat
2009-02-16 20:34 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-16 20:34 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-16 20:34 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-15 18:44 . 2009-02-15 20:52 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-02-15 18:43 . 2009-02-18 21:41 <DIR> d-------- c:\windows\Internet Logs
2009-02-15 18:06 . 2008-04-14 00:15 26,112 --a------ c:\windows\system32\drivers\usbser.sys
2009-02-15 18:04 . 2009-02-15 18:04 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-02-15 18:04 . 2009-02-15 18:04 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-02-15 17:56 . 2009-02-15 17:56 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-15 17:56 . 2009-02-15 17:56 <DIR> d-------- C:\214ff4dfbbd7f122173d
2009-02-15 17:28 . 2009-02-15 17:28 276 --a------ c:\windows\system32\MRT.INI
2009-02-14 18:42 . 2009-02-18 20:09 81,408 --a------ c:\windows\system32\UACabwqwkrn.dll
2009-02-14 18:42 . 2009-02-17 13:11 5,189 --a------ c:\windows\system32\uacinit.dll
2009-02-13 17:34 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-02-13 17:34 . 2008-04-14 00:15 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-02-13 17:28 . 2008-09-15 12:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2009-02-13 17:28 . 2008-06-13 11:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-02-13 17:28 . 2008-06-13 11:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-02-13 17:26 . 2008-12-20 23:15 6,066,688 --------- c:\windows\system32\dllcache\ieframe.dll
2009-02-13 17:26 . 2008-09-04 17:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2009-02-13 17:26 . 2008-12-19 05:25 634,024 --------- c:\windows\system32\dllcache\iexplore.exe
2009-02-13 17:26 . 2008-10-15 16:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2009-02-13 17:26 . 2008-10-03 10:02 247,326 --------- c:\windows\system32\dllcache\strmdll.dll
2009-02-13 17:25 . 2009-02-13 17:25 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-13 17:18 . 2009-02-13 17:18 <DIR> d-------- c:\documents and settings\Pauline Valentine\Bluetooth Software
2009-02-13 17:18 . 2008-04-15 04:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-13 17:17 . 2008-12-18 18:53 <DIR> d-------- c:\documents and settings\Pauline Valentine\Application Data\TMP
2009-02-13 17:17 . 2008-12-18 18:54 <DIR> d-------- c:\documents and settings\Pauline Valentine\Application Data\InstallShield
2009-02-13 17:17 . 2008-05-15 15:53 873,134 --a------ c:\windows\system32\oem1.inf
2009-02-13 17:16 . 2009-02-18 20:17 <DIR> d-------- c:\documents and settings\Pauline Valentine
2009-02-13 17:15 . 2008-12-18 18:53 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\TMP
2009-02-13 17:15 . 2008-12-18 18:54 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 13:19 730,710 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-02-13 17:25 --------- d-----w c:\program files\Java
2009-01-16 21:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-19 02:33 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-19 02:33 --------- d-----w c:\program files\microsoft frontpage
2008-12-18 19:07 --------- d-----w c:\program files\Hewlett-Packard
2008-12-18 19:06 --------- d-----w c:\program files\Microsoft Works
2008-12-18 19:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-18 19:03 --------- d-----w c:\program files\HPQ
2008-12-18 19:03 --------- d-----w c:\program files\HP
2008-12-18 19:03 --------- d-----w c:\documents and settings\All Users\Application Data\QUALCOMM
2008-12-18 19:02 --------- d-----w c:\program files\Verizon Wireless
2008-12-18 19:02 --------- d-----w c:\program files\Telespree
2008-12-18 19:02 --------- d-----w c:\program files\Common Files\Telespree
2008-12-18 19:01 --------- d-----w c:\program files\Viewpoint
2008-12-18 19:01 --------- d-----w c:\program files\Common Files\AOL
2008-12-18 19:01 --------- d-----w c:\program files\AIM6
2008-12-18 19:01 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-18 19:00 --------- d-----w c:\program files\Common Files\Adobe
2008-12-18 18:59 --------- d-----w c:\program files\Common Files\Java
2008-12-18 18:54 1,294,200 ----a-w c:\windows\system32\drivers\BCMWL5.SYS
2008-12-18 18:54 --------- d-----w c:\program files\Synaptics
2008-12-18 18:54 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-18 18:54 --------- d-----w c:\program files\Broadcom
2008-12-18 18:53 --------- d-----w c:\program files\DIFX
2008-12-18 18:51 --------- d-----w c:\program files\WIDCOMM
2008-12-18 18:51 --------- d-----w c:\program files\IDT
2008-12-18 18:48 --------- d-----w c:\program files\Intel
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-06-24 17:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-08-30 442477]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-28 471040]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-31 1343488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-13 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"coreworks"="c:\program files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe" [2008-08-21 780776]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2008-07-08 439600]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"IDTSysTrayApp"="sttray.exe" [2008-08-30 c:\windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-07-30 604776]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 mdvsrv;HP Connection Manager Service;c:\program files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe [2008-08-21 575976]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [2008-06-27 345336]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-18 112128]
S3 QCFilterhp;HP USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterhp.sys [2008-12-18 5248]
S3 qcusbnethp;HP USB-NDIS miniport;c:\windows\system32\drivers\qcusbnethp.sys [2008-12-18 112640]
S3 qcusbserhp;HP USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserhp.sys [2008-12-18 103680]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.Yahoo.com
mStart Page = hxxp://www.Yahoo.com
uInternet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=011
FF - ProfilePath - c:\documents and settings\Pauline Valentine\Application Data\Mozilla\Firefox\Profiles\6oj85lfj.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 21:47:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-18 21:49:15
ComboFix-quarantined-files.txt 2009-02-18 21:49:12

Pre-Run: 52,871,675,904 bytes free
Post-Run: 52,871,966,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

164 --- E O F --- 2009-02-16 21:21:37

#5 AC Valentine (Topic Starter)

Posted 18 February 2009 - 05:03 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:01:35, on 18/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\QUALCOMM\QDLService\QDLService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Pauline Valentine\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=011
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [coreworks] "C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe" runatstartup
O4 - HKLM\..\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: HP Connection Manager Service (mdvsrv) - HP - C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe

--
End of file - 5391 bytes

Edited by AC Valentine, 18 February 2009 - 05:21 PM.


#6 AC Valentine (Topic Starter)

Posted 18 February 2009 - 05:58 PM

Thanks, fenzodahl512.

After my last post I installed avast! and when I rebooted following the install, it performed a full scan and detected a few more problem files, trojans in particular. When the OS loaded I performed a second full scan with Dr Web and no problems were reported. I tried IE and a few Google searches and I was directed to the correct websites. After this I shut down the machine.

I shall await your response before switching on my computer again.

Kind regards

Ian

#7 fenzodahl512

Posted 19 February 2009 - 02:51 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\UACabwqwkrn.dll
c:\windows\system32\uacinit.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.
Awesomeness: When I get sad, I stop being sad and be awesome instead. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive.


#8 AC Valentine (Topic Starter)

Posted 19 February 2009 - 04:42 PM

ComboFix 09-02-18.01 - Pauline Valentine 2009-02-19 21:30:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.647 [GMT 0:00]
Running from: c:\documents and settings\Pauline Valentine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pauline Valentine\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090218-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\UACabwqwkrn.dll
c:\windows\system32\uacinit.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\UACabwqwkrn.dll
c:\windows\system32\uacinit.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-18 22:09 . 2009-02-18 22:09 <DIR> d-------- c:\program files\Alwil Software
2009-02-18 22:09 . 2003-03-18 20:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-02-18 22:09 . 2003-03-18 19:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
2009-02-18 22:09 . 2003-02-21 03:42 348,160 --a------ c:\windows\system32\MSVCR71.dll
2009-02-18 20:17 . 2009-02-18 20:17 <DIR> d-------- c:\documents and settings\Pauline Valentine\DoctorWeb
2009-02-16 20:35 . 2009-02-16 20:35 0 --a------ c:\windows\nsreg.dat
2009-02-16 20:34 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-16 20:34 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-16 20:34 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-15 18:44 . 2009-02-15 20:52 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-02-15 18:43 . 2009-02-18 21:41 <DIR> d-------- c:\windows\Internet Logs
2009-02-15 18:06 . 2008-04-14 00:15 26,112 --a------ c:\windows\system32\drivers\usbser.sys
2009-02-15 18:04 . 2009-02-15 18:04 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-02-15 18:04 . 2009-02-15 18:04 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-02-15 17:56 . 2009-02-15 17:56 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-15 17:56 . 2009-02-15 17:56 <DIR> d-------- C:\214ff4dfbbd7f122173d
2009-02-15 17:28 . 2009-02-15 17:28 276 --a------ c:\windows\system32\MRT.INI
2009-02-13 17:34 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-02-13 17:34 . 2008-04-14 00:15 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-02-13 17:28 . 2008-09-15 12:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2009-02-13 17:28 . 2008-06-13 11:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-02-13 17:28 . 2008-06-13 11:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-02-13 17:26 . 2008-12-20 23:15 6,066,688 --------- c:\windows\system32\dllcache\ieframe.dll
2009-02-13 17:26 . 2008-09-04 17:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2009-02-13 17:26 . 2008-12-19 05:25 634,024 --------- c:\windows\system32\dllcache\iexplore.exe
2009-02-13 17:26 . 2008-10-15 16:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2009-02-13 17:26 . 2008-10-03 10:02 247,326 --------- c:\windows\system32\dllcache\strmdll.dll
2009-02-13 17:25 . 2009-02-13 17:25 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-13 17:18 . 2009-02-13 17:18 <DIR> d-------- c:\documents and settings\Pauline Valentine\Bluetooth Software
2009-02-13 17:18 . 2008-04-15 04:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-13 17:17 . 2008-12-18 18:53 <DIR> d-------- c:\documents and settings\Pauline Valentine\Application Data\TMP
2009-02-13 17:17 . 2008-12-18 18:54 <DIR> d-------- c:\documents and settings\Pauline Valentine\Application Data\InstallShield
2009-02-13 17:17 . 2008-05-15 15:53 873,134 --a------ c:\windows\system32\oem1.inf
2009-02-13 17:16 . 2009-02-18 20:17 <DIR> d-------- c:\documents and settings\Pauline Valentine
2009-02-13 17:15 . 2008-12-18 18:53 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\TMP
2009-02-13 17:15 . 2008-12-18 18:54 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 17:25 --------- d-----w c:\program files\Java
2008-12-19 02:33 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-19 02:33 --------- d-----w c:\program files\microsoft frontpage
2008-06-24 17:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-18_21.48.22.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-05 21:11:35 1,256,296 ----a-w c:\windows\system32\aswBoot.exe
+ 2009-02-05 21:04:45 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2009-02-05 21:05:11 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2009-02-05 21:07:12 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2009-02-05 21:08:19 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2009-02-05 21:08:10 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2009-02-05 21:06:10 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2009-02-05 21:07:23 114,768 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2009-02-05 21:06:20 51,376 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2009-02-19 21:34:42 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5a0.dat
+ 2009-02-19 21:35:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_684.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-08-30 442477]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-28 471040]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-31 1343488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-13 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"coreworks"="c:\program files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe" [2008-08-21 780776]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2008-07-08 439600]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"IDTSysTrayApp"="sttray.exe" [2008-08-30 c:\windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-07-30 604776]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-18 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-18 20560]
R2 mdvsrv;HP Connection Manager Service;c:\program files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe [2008-08-21 575976]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [2008-06-27 345336]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-18 112128]
S3 QCFilterhp;HP USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterhp.sys [2008-12-18 5248]
S3 qcusbnethp;HP USB-NDIS miniport;c:\windows\system32\drivers\qcusbnethp.sys [2008-12-18 112640]
S3 qcusbserhp;HP USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserhp.sys [2008-12-18 103680]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.Yahoo.com
uInternet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=011
FF - ProfilePath - c:\documents and settings\Pauline Valentine\Application Data\Mozilla\Firefox\Profiles\6oj85lfj.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 21:35:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\IDT\WDM\stacsv.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\HPQ\HP Connection Manager 1.1\bin\gbx4log.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-02-19 21:39:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-19 21:39:55
ComboFix2.txt 2009-02-18 21:49:16

Pre-Run: 52,790,067,200 bytes free
Post-Run: 52,778,262,528 bytes free

159 --- E O F --- 2009-02-16 21:21:37

#9 AC Valentine (Topic Starter)

Posted 19 February 2009 - 04:47 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:46:45, on 19/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\sttray.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\QUALCOMM\QDLService\QDLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe
C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Pauline Valentine\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=011
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [coreworks] "C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe" runatstartup
O4 - HKLM\..\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: HP Connection Manager Service (mdvsrv) - HP - C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe

--
End of file - 6128 bytes

#10 fenzodahl512

Posted 20 February 2009 - 04:04 AM

Please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the options Remove found threats and Scan unwanted applications are checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.

How's the computer now?



#11 AC Valentine (Topic Starter)

Posted 20 February 2009 - 10:47 AM

Hi

The computer seems to be running fine now. Google search results are being directed correctly and no pop-ups are evident. :)

I am currently at work so will run the ESET Online Scanner when I get home later on.

Many thanks

Ian

#12 fenzodahl512

Posted 20 February 2009 - 03:13 PM

Great. I will wait for the ESET Online result, and if everything is good, we'll do the cleanup step.



#13 AC Valentine (Topic Starter)

Posted 20 February 2009 - 03:31 PM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3874 (20090220)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d8fbc53104947c40848063566812bdd4
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-20 08:29:30
# local_time=2009-02-20 08:29:30 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=148734
# found=2
# scan_time=1517
C:\Qoobox\Quarantine\C\WINDOWS\system32\fejokt.dll.vir a variant of Win32/Adware.IeDefender.NIC application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACabwqwkrn.dll.vir Win32/Olmarik.FY trojan (unable to clean - deleted) 00000000000000000000000000000000

#14 fenzodahl512

Posted 20 February 2009 - 03:55 PM

Looks good to me. Let's do some cleanup.

Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.

Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware



Read these links about safe internet surfing:

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread.



Have a safe and happy computing day!


Regards
fenzodahl512



#15 AC Valentine (Topic Starter)

Posted 22 February 2009 - 01:43 PM

Hey

Thanks for all your help; everything appears to be working correctly.

Thanks for all your help.

Ian
