
Problems with google search


  • This topic is locked
12 replies to this topic

#1 Windshear

  • Members
  • 6 posts

Posted 04 April 2009 - 10:34 PM

When I use Google and click on search results, it opens a new window with a strange website: either a 404 page with an IP address, or it goes to a banner farm page.

Here is a DDS-generated HJT log.

Thanks in advance

Dave



DDS (Ver_09-03-16.01) - NTFSx86
Run by Dave at 13:19:46.52 on Sun 05/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_03
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2046.409 [GMT 10:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\GetRight\GetRight.exe
C:\Program Files\PokerOffice\bin\javaw.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\MagicDisc\MagicDisc.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
E:\Program Files\World of Warcraft\WoW.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\rundll32.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
uRun: [<NO NAME>]
uRun: [StartCCC] d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [WhatPulse] c:\program files\whatpulse\WhatPulse.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools] "d:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LanguageShortcut] "d:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [mxomssmenu] "d:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [POEngine] "c:\program files\pokeroffice\poengine.exe" c:\program files\PokerOffice
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [CtxfiReg] CTXFIREG.exe /FAIL1
StartupFolder: c:\users\dave\appdata\roaming\micros~1\windows\startm~1\programs\startup\deskto~1.lnk - c:\program files\vghd\vghd.exe
StartupFolder: c:\users\dave\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\getright.lnk - c:\program files\getright\GetRight.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - d:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.25,85.255.112.165
TCP: {17C8196D-E0C6-4F68-9E4A-A16E2ED0F056} = 85.255.112.25,85.255.112.165
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\jdiguovk.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://search.shareazaweb.com/au/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-3 28544]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2008-10-8 49664]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-4-3 51472]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-4-3 39184]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-4-4 108560]
R2 Maxtor Sync Service;Maxtor Service;d:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-4-3 33040]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2005-4-24 13225]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-04-05 12:34 <DIR> --d----- c:\program files\Trend Micro
2009-04-04 01:52 155,384 a------- c:\windows\system32\guard32.dll
2009-04-04 01:52 108,560 a------- c:\windows\system32\drivers\cmdguard.sys
2009-04-04 01:52 28,688 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-04-04 01:52 <DIR> --d----- c:\programdata\Comodo
2009-04-04 01:52 <DIR> --d----- c:\progra~2\Comodo
2009-04-03 21:31 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-03 21:31 <DIR> --d----- c:\program files\Panda Security
2009-04-03 21:15 51,472 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-04-03 21:15 39,184 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-04-03 21:15 33,040 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-04-03 21:15 12,560 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-04-03 21:15 <DIR> --d----- c:\programdata\PC Tools
2009-04-03 21:15 <DIR> --d----- c:\program files\ThreatFire
2009-04-03 21:15 <DIR> --d----- c:\progra~2\PC Tools
2009-04-03 20:45 <DIR> --d----- c:\windows\vbSkinner
2009-04-03 20:45 <DIR> --d----- c:\program files\PFConfig
2009-04-02 22:09 <DIR> --d----- c:\program files\Windows Mobile Resources
2009-04-01 04:01 <DIR> --d----- c:\programdata\ESET
2009-03-28 14:09 <DIR> --d----- c:\program files\PeerGuardian2
2009-03-28 03:29 <DIR> --d----- c:\users\dave\appdata\roaming\GrabPro
2009-03-28 03:29 <DIR> --d----- c:\program files\Orbitdownloader
2009-03-23 18:46 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-23 18:46 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-23 18:46 <DIR> --d----- c:\program files\iPod
2009-03-23 18:45 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-23 18:45 <DIR> --d----- c:\program files\iTunes
2009-03-23 18:45 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-23 18:33 <DIR> --d----- c:\program files\Bonjour
2009-03-22 18:59 415 ---shr-- C:\autorun.inf
2009-03-21 00:58 59 a------- c:\windows\pp.enc
2009-03-21 00:55 <DIR> --d----- c:\users\dave\appdata\roaming\Microgaming
2009-03-21 00:47 <DIR> --d----- C:\MicroGaming
2009-03-15 01:35 <DIR> --d----- c:\programdata\FLEXnet
2009-03-14 21:08 <DIR> --d----- c:\program files\common files\Macrovision Shared

==================== Find3M ====================

2009-04-04 01:53 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-04 01:53 51,200 a------- c:\windows\inf\infpub.dat
2009-04-04 01:53 86,016 a------- c:\windows\inf\infstor.dat
2009-03-20 07:39 173,672 a---h--- c:\windows\system32\mlfcache.dat
2008-11-20 23:43 174 a--sh--- c:\program files\desktop.ini
2008-11-20 23:36 665,600 a------- c:\windows\inf\drvindex.dat
2007-11-14 18:49 2,732,032 a------- c:\users\dave\ventrilo-3.0.0-Windows-i386.exe
2007-10-17 06:55 388,945 a------- c:\users\dave\MountImageGUI_0.2.zip
2007-10-17 06:51 10,127 a------- c:\users\dave\mountimage-1.0.0.zip
2007-10-17 06:50 9,479,520 a------- c:\users\dave\winzip111.exe
2007-10-15 15:32 3,719,120 a------- c:\users\dave\etax2007_1.exe
2007-10-13 21:28 124,607,748 a------- c:\users\dave\OOo_2.3.0_Win32Intel_install_wJRE_en-US.exe
2007-10-13 18:08 29,530,464 a------- c:\users\dave\avg75free_488a1157.exe
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:21:12.02 ===============
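An added triage example (not code from the thread or from DDS itself): a Python pass over the Pseudo HJT Report and FIREFOX lines of a DDS log like the one above. It flags TCP: NameServer entries that point to public addresses outside an expected resolver set (a resolver override is one way clicked search results can land on unrelated pages), EnableLUA = 0, orphaned "No File" add-on registrations, and the Firefox homepage/search preferences for review. The expected resolver 192.168.1.1 is an assumed placeholder, and the sample lines are constructed from the log posted above.

```python
import ipaddress
import re

# Constructed sample built from lines in the DDS log posted above, so the
# script runs offline; the SSVHelper BHO line is a benign control.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.gmail.com/
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 85.255.112.25,85.255.112.165
TCP: {17C8196D-E0C6-4F68-9E4A-A16E2ED0F056} = 85.255.112.25,85.255.112.165
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://search.shareazaweb.com/au/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
"""

# Assumption (placeholder): the resolvers this machine is expected to use,
# e.g. the home router. Any other public address is treated as an override.
EXPECTED_RESOLVERS = frozenset({"192.168.1.1"})

# DDS prints the global resolver list as "TCP: NameServer = ..." and the
# per-interface list as "TCP: {interface GUID} = ...".
NAMESERVER_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
NOFILE_RE = re.compile(r"^(BHO|TB): .*- No File$")
LUA_RE = re.compile(r"^mPolicies-system: EnableLUA = 0\b")
FF_PREF_RE = re.compile(
    r"^FF - prefs\.js: "
    r"(browser\.startup\.homepage|keyword\.URL|browser\.search\.selectedEngine) - (.+)$"
)
HOST_RE = re.compile(r"^hxxps?://([^/\s]+)")  # DDS defangs http as hxxp


def external_resolvers(value, expected=EXPECTED_RESOLVERS):
    """Return the resolver addresses in a NameServer value that are neither
    in the expected set nor private/loopback/link-local."""
    found = []
    for token in value.split(","):
        token = token.strip()
        if not token or token in expected:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an IP literal; DDS only prints IPs here
        if addr.is_global:
            found.append(token)
    return found


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Scan DDS Pseudo HJT Report / FIREFOX lines and return a list of
    (severity, reason, line) tuples, highest severity first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            ext = external_resolvers(m.group(1), expected)
            if ext:
                findings.append(("high", "DNS resolver overridden to external "
                                 "address(es): " + ", ".join(ext), line))
            continue
        if LUA_RE.match(line):
            findings.append(("medium", "UAC disabled by policy (EnableLUA = 0)", line))
            continue
        if NOFILE_RE.match(line):
            findings.append(("low", "orphaned browser add-on registration "
                             "(no file on disk); cleanup candidate", line))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            pref, value = m.groups()
            host = HOST_RE.match(value)
            target = host.group(1) if host else value
            findings.append(("review", f"Firefox {pref} points to {target}", line))
    order = {"high": 0, "medium": 1, "low": 2, "review": 3}
    findings.sort(key=lambda f: order[f[0]])  # stable: keeps log order within a level
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity.upper():6}] {reason}\n         {line}")
```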


#2 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 10 April 2009 - 06:47 PM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, post a fresh DDS log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 Windshear
  • Topic Starter

  • Members
  • 6 posts

Posted 14 April 2009 - 03:53 AM


Yes, I'm still having problems. Here is a fresh DDS log.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Dave at 18:40:51.09 on Tue 14/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_03
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2046.1104 [GMT 10:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Windows\ehome\ehtray.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
D:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dave\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
uRun: [<NO NAME>]
uRun: [StartCCC] d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [WhatPulse] c:\program files\whatpulse\WhatPulse.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools] "d:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LanguageShortcut] "d:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [mxomssmenu] "d:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [POEngine] "c:\program files\pokeroffice\poengine.exe" c:\program files\PokerOffice
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
dRun: [CtxfiReg] CTXFIREG.exe /FAIL1
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.25,85.255.112.165
TCP: {17C8196D-E0C6-4F68-9E4A-A16E2ED0F056} = 85.255.112.25,85.255.112.165
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\jdiguovk.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://search.shareazaweb.com/au/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-3 28544]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2008-10-8 49664]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-4-3 51472]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-4-3 39184]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-4-4 108560]
R2 Maxtor Sync Service;Maxtor Service;d:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-4-3 33040]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2005-4-24 13225]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-04-06 07:06 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-06 07:06 <DIR> --d----- c:\users\dave\appdata\roaming\WhatPulse
2009-04-06 06:22 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2009-04-05 12:34 <DIR> --d----- c:\program files\Trend Micro
2009-04-04 01:52 155,384 a------- c:\windows\system32\guard32.dll
2009-04-04 01:52 108,560 a------- c:\windows\system32\drivers\cmdguard.sys
2009-04-04 01:52 28,688 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-04-04 01:52 <DIR> --d----- c:\programdata\Comodo
2009-04-04 01:52 <DIR> --d----- c:\progra~2\Comodo
2009-04-03 21:31 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-03 21:31 <DIR> --d----- c:\program files\Panda Security
2009-04-03 21:15 51,472 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-04-03 21:15 39,184 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-04-03 21:15 33,040 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-04-03 21:15 12,560 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-04-03 21:15 <DIR> --d----- c:\programdata\PC Tools
2009-04-03 21:15 <DIR> --d----- c:\program files\ThreatFire
2009-04-03 21:15 <DIR> --d----- c:\progra~2\PC Tools
2009-04-03 20:45 <DIR> --d----- c:\windows\vbSkinner
2009-04-03 20:45 <DIR> --d----- c:\program files\PFConfig
2009-04-02 22:09 <DIR> --d----- c:\program files\Windows Mobile Resources
2009-04-01 04:01 <DIR> --d----- c:\programdata\ESET
2009-03-28 14:09 <DIR> --d----- c:\program files\PeerGuardian2
2009-03-28 03:29 <DIR> --d----- c:\users\dave\appdata\roaming\GrabPro
2009-03-28 03:29 <DIR> --d----- c:\program files\Orbitdownloader
2009-03-23 18:46 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-23 18:46 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-23 18:46 <DIR> --d----- c:\program files\iPod
2009-03-23 18:45 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-23 18:45 <DIR> --d----- c:\program files\iTunes
2009-03-23 18:45 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-23 18:33 <DIR> --d----- c:\program files\Bonjour
2009-03-22 18:59 415 ---shr-- C:\autorun.inf
2009-03-21 00:58 59 a------- c:\windows\pp.enc
2009-03-21 00:55 <DIR> --d----- c:\users\dave\appdata\roaming\Microgaming
2009-03-21 00:47 <DIR> --d----- C:\MicroGaming

==================== Find3M ====================

2009-04-04 01:53 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-04 01:53 51,200 a------- c:\windows\inf\infpub.dat
2009-04-04 01:53 86,016 a------- c:\windows\inf\infstor.dat
2009-03-20 07:39 173,672 a---h--- c:\windows\system32\mlfcache.dat
2008-11-20 23:43 174 a--sh--- c:\program files\desktop.ini
2008-11-20 23:36 665,600 a------- c:\windows\inf\drvindex.dat
2007-11-14 18:49 2,732,032 a------- c:\users\dave\ventrilo-3.0.0-Windows-i386.exe
2007-10-17 06:55 388,945 a------- c:\users\dave\MountImageGUI_0.2.zip
2007-10-17 06:51 10,127 a------- c:\users\dave\mountimage-1.0.0.zip
2007-10-17 06:50 9,479,520 a------- c:\users\dave\winzip111.exe
2007-10-15 15:32 3,719,120 a------- c:\users\dave\etax2007_1.exe
2007-10-13 21:28 124,607,748 a------- c:\users\dave\OOo_2.3.0_Win32Intel_install_wJRE_en-US.exe
2007-10-13 18:08 29,530,464 a------- c:\users\dave\avg75free_488a1157.exe
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:41:30.56 ===============

#4 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 14 April 2009 - 08:18 AM

Ok. Let's do some cleaning.


Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

  • C:\ComboFix.txt
  • A new dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 Windshear

Windshear (Topic Starter)

  • Members
  • 6 posts

Posted 14 April 2009 - 10:12 AM

Uhm... When I try to run combofix, I get the following error messages:

32788R22FWJFW\n.com

Windows cannot find '32788R22FWJFW\n.com' Make sure you typed the name correctly, and then try again.


32788R22FWJFW\hidec.exe

Windows cannot find '32788R22FWJFW\hidec.exe' Make sure you typed the name correctly, and then try again.


I've tried running ComboFix from different locations, with no result. I haven't got any programs running except Firefox.

#6 Blade81

Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 14 April 2009 - 10:30 AM

Hi

Did you have Comodo Antivirus shut down as instructed?

If you had Comodo AV closed and still got the error then try running in safe mode.


#7 Windshear

Windshear (Topic Starter)

  • Members
  • 6 posts

Posted 14 April 2009 - 10:38 AM

New DDS Log

ComboFix log is attached to post.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Dave at 1:35:21.51 on Wed 15/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_03
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2046.1052 [GMT 10:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Windows\ehome\ehtray.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\PeerGuardian2\pg2.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\iS3\Anti-Spyware\IS3Updater.exe
C:\Windows\Explorer.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Dave\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
uRun: [StartCCC] d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [WhatPulse] c:\program files\whatpulse\WhatPulse.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools] "d:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LanguageShortcut] "d:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [mxomssmenu] "d:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [POEngine] "c:\program files\pokeroffice\poengine.exe" c:\program files\PokerOffice
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
dRun: [CtxfiReg] CTXFIREG.exe /FAIL1
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\jdiguovk.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://search.shareazaweb.com/au/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-3 28544]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2008-10-8 49664]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-4-4 108560]
R2 Maxtor Sync Service;Maxtor Service;d:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
S2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2005-4-24 13225]

=============== Created Last 30 ================

2009-04-15 01:32 1,184 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-04-15 01:25 <DIR> --d----- C:\ComboFix
2009-04-15 01:19 161,792 a------- c:\windows\SWREG.exe
2009-04-15 01:19 98,816 a------- c:\windows\sed.exe
2009-04-15 00:51 <DIR> --d----- C:\32788R22FWJFW.1.tmp
2009-04-15 00:51 <DIR> --d----- C:\32788R22FWJFW.0.tmp
2009-04-06 07:06 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-06 07:06 <DIR> --d----- c:\users\dave\appdata\roaming\WhatPulse
2009-04-06 06:22 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2009-04-05 12:34 <DIR> --d----- c:\program files\Trend Micro
2009-04-04 01:52 155,384 a------- c:\windows\system32\guard32.dll
2009-04-04 01:52 108,560 a------- c:\windows\system32\drivers\cmdguard.sys
2009-04-04 01:52 28,688 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-04-04 01:52 <DIR> --d----- c:\programdata\Comodo
2009-04-04 01:52 <DIR> --d----- c:\progra~2\Comodo
2009-04-03 21:31 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-03 21:31 <DIR> --d----- c:\program files\Panda Security
2009-04-03 21:15 12,560 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-04-03 21:15 <DIR> --d----- c:\programdata\PC Tools
2009-04-03 21:15 <DIR> --d----- c:\progra~2\PC Tools
2009-04-03 20:45 <DIR> --d----- c:\windows\vbSkinner
2009-04-03 20:45 <DIR> --d----- c:\program files\PFConfig
2009-04-02 22:09 <DIR> --d----- c:\program files\Windows Mobile Resources
2009-04-01 04:01 <DIR> --d----- c:\programdata\ESET
2009-03-28 14:09 <DIR> --d----- c:\program files\PeerGuardian2
2009-03-28 03:29 <DIR> --d----- c:\users\dave\appdata\roaming\GrabPro
2009-03-28 03:29 <DIR> --d----- c:\program files\Orbitdownloader
2009-03-23 18:46 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-23 18:46 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-23 18:46 <DIR> --d----- c:\program files\iPod
2009-03-23 18:45 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-23 18:45 <DIR> --d----- c:\program files\iTunes
2009-03-23 18:45 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-23 18:33 <DIR> --d----- c:\program files\Bonjour
2009-03-21 00:58 59 a------- c:\windows\pp.enc
2009-03-21 00:55 <DIR> --d----- c:\users\dave\appdata\roaming\Microgaming
2009-03-21 00:47 <DIR> --d----- C:\MicroGaming

==================== Find3M ====================

2009-04-04 01:53 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-04 01:53 51,200 a------- c:\windows\inf\infpub.dat
2009-04-04 01:53 86,016 a------- c:\windows\inf\infstor.dat
2009-03-20 07:39 173,672 a---h--- c:\windows\system32\mlfcache.dat
2008-11-20 23:43 174 a--sh--- c:\program files\desktop.ini
2008-11-20 23:36 665,600 a------- c:\windows\inf\drvindex.dat
2007-11-14 18:49 2,732,032 a------- c:\users\dave\ventrilo-3.0.0-Windows-i386.exe
2007-10-17 06:55 388,945 a------- c:\users\dave\MountImageGUI_0.2.zip
2007-10-17 06:51 10,127 a------- c:\users\dave\mountimage-1.0.0.zip
2007-10-17 06:50 9,479,520 a------- c:\users\dave\winzip111.exe
2007-10-15 15:32 3,719,120 a------- c:\users\dave\etax2007_1.exe
2007-10-13 21:28 124,607,748 a------- c:\users\dave\OOo_2.3.0_Win32Intel_install_wJRE_en-US.exe
2007-10-13 18:08 29,530,464 a------- c:\users\dave\avg75free_488a1157.exe
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 1:36:10.55 ===============


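The "Pseudo HJT Report" and FIREFOX sections of the DDS log above are what a helper reads to decide what to clean: orphaned BHO/toolbar registrations ("No File"), UAC switched off (EnableLUA = 0), a third-party Winsock LSP, and Firefox search/homepage prefs that no longer point at the browser's defaults. The Python below is an added example written for this page; it is not part of the DDS tool, ComboFix or BleepingComputer's procedure. It runs a small set of triage rules over lines copied from the posted log (the sample is embedded so it runs offline). The rules, the severity labels and the list of "expected" search hosts are this example's own assumptions, not anything DDS itself reports:

```python
"""Triage rules for a DDS "Pseudo HJT Report" / FIREFOX section.

Added example for this thread: it is not part of the DDS tool or of
BleepingComputer's procedure. The sample lines are copied from the log
posted above; the rules, severities and "expected host" list are this
example's own assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines taken from the posted DDS log, plus the
# harmless "uStart Page" line as a control that should not be flagged.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.gmail.com/
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
mPolicies-system: EnableLUA = 0 (0x0)
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://search.shareazaweb.com/au/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
"""

# Assumption for the demo: Firefox 3 shipped with Google as its search
# engine, so a homepage / keyword.URL on any other host is worth a look.
EXPECTED_HOSTS = ("google.com", "mozilla.com", "mozilla.org", "gmail.com")
HIJACK_PREFS = ("browser.startup.homepage", "keyword.URL",
                "browser.search.selectedEngine")


def refang(url):
    """DDS writes hxxp:// so the log is not clickable; undo that for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)


def host_of(value):
    """Hostname of a (defanged) URL, or '' if it does not parse as one."""
    return urlparse(refang(value)).hostname or ""


def pref_is_suspect(name, value):
    """True when a search/homepage pref points somewhere other than the defaults."""
    if name == "browser.search.selectedEngine":
        return value.strip().lower() != "google"
    host = host_of(value).lower()
    return not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def triage(log_text):
    """Return (severity, message) pairs for lines that deserve attention."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^(BHO|TB): (.+) - No File$", line)
        if m:   # registration left behind after the DLL was deleted
            findings.append(("low", f"{m.group(1)} orphaned entry, DLL missing: {m.group(2)}"))
            continue
        if re.match(r"^mPolicies-system: EnableLUA = 0\b", line):
            findings.append(("high", "UAC disabled (EnableLUA = 0): "
                             "every process of this user runs with a full admin token"))
            continue
        m = re.match(r"^LSP: (.+)$", line)
        if m:   # a Winsock LSP sits inline on every socket the system opens
            findings.append(("review", f"third-party Winsock LSP: {m.group(1)}"))
            continue
        m = re.match(r"^FF - prefs\.js: (\S+) - (.+)$", line)
        if m:
            name, value = m.groups()
            if name in HIJACK_PREFS and pref_is_suspect(name, value):
                findings.append(("high", f"Firefox {name} points to: {value}"))
            continue
        m = re.match(r"^TB: ([^:{]+): \{[0-9a-f-]+\} - (.+)$", line, re.I)
        if m:   # toolbars are a common bundleware vehicle; not malware by itself
            findings.append(("review", f"toolbar '{m.group(1)}' loaded from {m.group(2)}; "
                             "confirm it was installed on purpose"))
    return findings


def count_by_severity(findings):
    """Histogram of severities, handy for a one-line summary."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

Run against the sample it reports four "high" items (UAC off plus the three redirected Firefox prefs, which match the Google-redirect symptom in the first post), two orphaned entries and two items to review. The LSP and toolbar entries are deliberately "review" rather than "high": a Winsock LSP from an anti-spyware product is legitimate, and removing an LSP carelessly breaks networking, which is exactly why helpers ask for the log before touching anything.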

#8 Blade81

Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 14 April 2009 - 04:45 PM

Hi

I recommend you uninstall the P2P file-sharing software there. A big part of infections are received from P2P networks nowadays.


Are you aware of those various txt files in the root of your C: drive (C:\)? Delete those txt files you're not familiar with.


ComboFix runs were probably prevented by Threatfire. Disable it for now.


Uninstall old Adobe Reader versions and get the latest one here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Click the Download button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that the latest Java must be installed, "enable" the Java add-ons in IE7. Do that using "Manage Add-ons" from the IE7 toolbar.


Post back its report & a fresh dds.txt log. How's the system running?


#9 Windshear

Windshear (Topic Starter)

  • Members
  • 6 posts

Posted 16 April 2009 - 06:17 AM

Sorry about the delay between the replies, I can really only do anything internetty after 3am due to my internet being capped -_- zzz. And I also have to work.

Below is the latest DDS log, and I've attached the Kaspersky report.

The problem with Google seems to have been resolved - it doesn't do what it was doing previously, any more.

Other than that, haven't seen any other problems.



DDS (Ver_09-03-16.01) - NTFSx86
Run by Dave at 20:56:17.18 on Thu 16/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2046.1196 [GMT 10:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\ehome\ehtray.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Windows\ehome\ehmsas.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Dave\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
uRun: [StartCCC] d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [WhatPulse] c:\program files\whatpulse\WhatPulse.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools] "d:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LanguageShortcut] "d:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [mxomssmenu] "d:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [POEngine] "c:\program files\pokeroffice\poengine.exe" c:\program files\PokerOffice
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CtxfiReg] CTXFIREG.exe /FAIL1
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\jdiguovk.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://search.shareazaweb.com/au/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-3 28544]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-4-4 108560]
R2 Maxtor Sync Service;Maxtor Service;d:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
RUnknown szkg5;szkg5; [x]
S2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2005-4-24 13225]

=============== Created Last 30 ================

2009-04-15 22:35 <DIR> --d----- c:\users\dave\appdata\roaming\Foxit
2009-04-15 22:35 <DIR> --d----- c:\program files\Foxit Software
2009-04-15 22:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-15 01:25 <DIR> --d----- C:\ComboFix
2009-04-15 01:19 161,792 a------- c:\windows\SWREG.exe
2009-04-15 01:19 98,816 a------- c:\windows\sed.exe
2009-04-15 00:51 <DIR> --d----- C:\32788R22FWJFW.1.tmp
2009-04-15 00:51 <DIR> --d----- C:\32788R22FWJFW.0.tmp
2009-04-06 07:06 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-06 07:06 <DIR> --d----- c:\users\dave\appdata\roaming\WhatPulse
2009-04-06 06:22 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2009-04-05 12:34 <DIR> --d----- c:\program files\Trend Micro
2009-04-04 01:52 155,384 a------- c:\windows\system32\guard32.dll
2009-04-04 01:52 108,560 a------- c:\windows\system32\drivers\cmdguard.sys
2009-04-04 01:52 28,688 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-04-04 01:52 <DIR> --d----- c:\programdata\Comodo
2009-04-04 01:52 <DIR> --d----- c:\progra~2\Comodo
2009-04-03 21:31 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-03 21:31 <DIR> --d----- c:\program files\Panda Security
2009-04-03 21:15 12,560 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-04-03 21:15 <DIR> --d----- c:\programdata\PC Tools
2009-04-03 21:15 <DIR> --d----- c:\progra~2\PC Tools
2009-04-03 20:45 <DIR> --d----- c:\windows\vbSkinner
2009-04-03 20:45 <DIR> --d----- c:\program files\PFConfig
2009-04-02 22:09 <DIR> --d----- c:\program files\Windows Mobile Resources
2009-04-01 04:01 <DIR> --d----- c:\programdata\ESET
2009-03-28 14:09 <DIR> --d----- c:\program files\PeerGuardian2
2009-03-28 03:29 <DIR> --d----- c:\users\dave\appdata\roaming\GrabPro
2009-03-28 03:29 <DIR> --d----- c:\program files\Orbitdownloader
2009-03-23 18:46 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-23 18:46 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-23 18:46 <DIR> --d----- c:\program files\iPod
2009-03-23 18:45 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-23 18:45 <DIR> --d----- c:\program files\iTunes
2009-03-23 18:45 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-23 18:33 <DIR> --d----- c:\program files\Bonjour
2009-03-21 00:58 59 a------- c:\windows\pp.enc
2009-03-21 00:55 <DIR> --d----- c:\users\dave\appdata\roaming\Microgaming
2009-03-21 00:47 <DIR> --d----- C:\MicroGaming

==================== Find3M ====================

2009-04-04 01:53 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-04 01:53 51,200 a------- c:\windows\inf\infpub.dat
2009-04-04 01:53 86,016 a------- c:\windows\inf\infstor.dat
2009-03-20 07:39 173,672 a---h--- c:\windows\system32\mlfcache.dat
2008-11-20 23:43 174 a--sh--- c:\program files\desktop.ini
2008-11-20 23:36 665,600 a------- c:\windows\inf\drvindex.dat
2007-11-14 18:49 2,732,032 a------- c:\users\dave\ventrilo-3.0.0-Windows-i386.exe
2007-10-17 06:55 388,945 a------- c:\users\dave\MountImageGUI_0.2.zip
2007-10-17 06:51 10,127 a------- c:\users\dave\mountimage-1.0.0.zip
2007-10-17 06:50 9,479,520 a------- c:\users\dave\winzip111.exe
2007-10-15 15:32 3,719,120 a------- c:\users\dave\etax2007_1.exe
2007-10-13 21:28 124,607,748 a------- c:\users\dave\OOo_2.3.0_Win32Intel_install_wJRE_en-US.exe
2007-10-13 18:08 29,530,464 a------- c:\users\dave\avg75free_488a1157.exe
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 20:57:02.87 ===============


#10 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 16 April 2009 - 12:47 PM

Hi again,

Looks like Kaspersky made some findings in email-related stuff there.

Empty these email boxes (in Thunderbird):
C:\Users\Dave\AppData\Roaming\Thunderbird\Profiles\7hnh83vz.default\Mail\Local Folders\crap
C:\Users\Dave\AppData\Roaming\Thunderbird\Profiles\7hnh83vz.default\Mail\Local Folders\Trash

Check these email boxes (in Thunderbird) and delete all suspicious looking email messages in them:
C:\Users\Dave\AppData\Roaming\Thunderbird\Profiles\7hnh83vz.default\Mail\Local Folders\Inbox
C:\Users\Dave\AppData\Roaming\Thunderbird\Profiles\7hnh83vz.default\Mail\Local Folders\Old stuff

Are these some email message backups?
K:\WEREKITTEN\Backup Set 2009-04-05 125805\Backup Files 2009-04-05 125805\Backup files 13.zip
K:\WEREKITTEN\Backup Set 2009-04-05 125805\Backup Files 2009-04-05 125805\Backup files 7.zip
K:\WEREKITTEN\Backup Set 2009-04-05 125805\Backup Files 2009-04-13 040012\Backup files 11.zip

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 Windshear (Topic Starter, Members, 6 posts)

Posted 18 April 2009 - 02:44 AM

It's all good in the hood now, thanks very much for your help! :thumbup2:

#12 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 18 April 2009 - 04:39 AM

Ok. Thanks for the heads up :thumbup2:

In that case, let's uninstall ComboFix:
  • Click START then RUN (or press the Windows key+R)
  • Now type "c:\users\Dave\Desktop\ComboFix.exe" /u in the run box and click OK.
You may delete the dds.scr file and related logs too.

Remember to keep system and antivirus protection up-to-date! :)



#13 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 28 April 2009 - 10:58 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

